
Personal Data

The topic of personal data protection is increasingly relevant for businesses and individuals. Personal data includes any information about an individual that helps to identify them. As a result, disputes about the protection of personal data increasingly arise between individuals and large companies that process personal data on a mass scale and put large amounts of such data at risk. Companies that process personal data are called “operators”. Disputes most often occur in connection with the leakage of personal data or its excessive processing, when operators request more data from individuals than is necessary for the purpose for which they process the data.


Our experienced lawyers will help you understand the specifics of organizing personal data protection in a company and of resolving disputes that arise in this area. We help to organize the processing of personal data, resolve disputes, and support clients throughout the resolution process.


What Are Personal Data?


Personal data is any information that relates to an identifiable individual. It generally falls into two groups. Basic data includes your name, phone number, or birth date—details used to verify who you are and requiring careful protection. Special categories cover more sensitive information like health records, political views, religious beliefs, IP addresses, and cookies.


To decide if something is personal data, ask: Does it identify a specific person? Does it tie directly to someone, like ownership of a car? Or could it single someone out from a crowd, like a home address or workplace? As technology evolves, even online markers like IP addresses and cookies count as personal data, since they can help trace your identity. That’s why privacy laws now cover them too.


protects personal data

The operators of personal data in the Republic of Belarus include Belarusian organizations and individual entrepreneurs. Operators are obliged to organize the protection of personal data. Operators are companies and individuals who conduct business and at the same time process personal data of individuals themselves or jointly with other operators. The processing of personal data includes any action with them: collection, systematization, storage, modification, depersonalization, distribution, deletion of personal data, etc.


Each company that processes personal data must create a special department or appoint employees who control the processing of data within the organization.


There is a state body in the Republic of Belarus that checks whether operators comply with the legislation on personal data. This is the National Center for Personal Data Protection (NCPD). Importantly, the NCPD considers complaints regarding the processing of personal data. Such a complaint must be filed within three months from the day when the author of the complaint found out about the violations.


What is the Register of Personal Data Operators


The NCPD will create a state database, the “Register of Personal Data Operators”, from January 1, 2024. The Register will include information about information resources (systems) that are used, in particular, to process the personal data of more than 100 thousand adult individuals and more than 10 thousand individuals under 16 years of age, as well as information about resources used to process biometric and (or) genetic personal data.


Personal data operators need to enter information into the Register no later than January 15, 2024.


Common Personal Data Disputes

Disputes in the field of personal data may arise between an individual and the operator or between the operator and the NCPD.


Disputes between an individual and an operator


Such disputes are most often related to excessive personal data that the operator requests from an individual. Such data is not objectively necessary for the purposes for which the operator collects personal data. For example, an individual's identification number or place of work is objectively not needed to deliver goods from an online store. An individual may complain about the excessive processing of personal data to the operator directly and request that the excess personal data be deleted, or send a complaint to the NCPD. In the latter case, the operator may be subject to an inspection, and fines are possible.


It is important to check and, if necessary, correct the list of personal data and the purposes of their processing that companies set out in the consent form for personal data processing.


Disputes between NCPD and operators


Such disputes may arise from an inspection of how a company meets the requirements for protecting personal data. Most often, they concern leaks of personal data, insufficient protection of the data, and its dissemination without the consent of individuals.



Such incidents are usually caused by software flaws, intentional actions, or ignorance of the legislation on personal data protection.


Our experienced lawyers can audit the company’s internal documents on personal data issues. If necessary, our experts can develop the necessary documents.


Rights of Individuals Under Data Protection Law


With the new data protection law, customers and users gain strong rights that give them real control over their personal information. They can withdraw consent for data processing at any time, actively managing how their details are handled. They also have the right to know how and why their data is used, letting them make informed choices about their privacy.


Importantly, they can correct inaccurate information to keep records up to date, find out who received their data, and even demand that data be deleted or better secured. Companies handling this data must comply. They’re required to respond to information requests within 5 business days and deliver complete details within 15 days. This new legal framework significantly strengthens individual rights, reflecting the critical role of personal data protection in today’s digital world.


Sharing Personal Data

Passing personal data to third parties is allowed, but only under strict legal guidelines. This often includes sharing information with staff like accountants or marketers, or contractors working under private agreements that have clear data protection clauses.


Whenever data is processed or shared, a formal agreement is needed. It must clearly define what data is involved, why it’s being used, and the specific steps each party will take. The contract should also outline measures to keep personal data confidential and secure from unauthorized access, ensuring all parties uphold strong privacy standards.


Legal Grounds for Processing Personal Data


Personal data can only be processed if there’s a clear legal basis for it. Belarusian law spells out these grounds in detail. In the financial sector, processing often relies on four main foundations: the individual’s consent; the need to fulfill a contract with the person, such as opening a bank account; compliance with duties set by law; or requirements tied to national security, anti-corruption, and anti-money laundering regulations.


While consent is a common ground, it’s not always required. Many state bodies and organizations process personal data without consent because their legal powers demand it. This framework ensures personal data isn’t handled arbitrarily but strictly under established legal principles.


Key Documents

To comply with data protection laws, every organization — including those in finance — must establish clear internal rules for handling personal data. This means preparing essential documents that govern processing activities and, where required, publishing them on the company website or app.


A risk-based approach lets each organization decide which safeguards are needed. Still, the National Personal Data Protection Center requires certain mandatory records, like lists of authorized employees with access to data and registers of IT systems holding personal information.


Two main documents anchor these processes. The Internal Regulation on Personal Data Processing sets rules inside the company, while the Privacy Policy, published online or in the app, informs clients and users. This policy spells out who collects and uses data, what data is processed, for what purposes, and what rights individuals have — along with how they can exercise them.


When data is processed based on consent, the organization must provide clear, separate details about this before processing begins. Simply pointing to a privacy policy isn’t enough; individuals need explicit, standalone information to make informed choices.


Storing Personal Data and Maintaining Records


A core rule of personal data processing is limiting how long data is kept. Personal data should only be stored as long as needed for the purpose it was collected. In Belarus, retention periods are often set by law—like the Ministry of Justice regulation that outlines timelines for financial documents. If the law doesn’t set a period, companies must define one themselves.



It’s also crucial to consider where data is stored. Belarus doesn’t require data localization, but strict rules apply to technical protection. Personal data must be processed only in IT systems equipped with certified security tools that meet standards set by the Operations and Analysis Center (OAC). Using systems without certified protection violates Belarusian law.


On top of this, companies must keep detailed records of data processing activities. An internal registry tracks all data types, processing methods, retention periods, and legal grounds. Access to personal data is carefully controlled within the company, with rules clearly laid out in internal documents to separate duties across departments and staff.


Breach Notification Duties


If a company’s personal data protection system is compromised, it must promptly notify the National Personal Data Protection Center (NPDPC). By law, this notice must be sent without delay, and no later than three business days after discovering the breach.


Though there’s no direct obligation to inform affected individuals, it’s considered good practice to post a notice on the company’s website.


However, notification to the NPDPC isn’t required if the breach didn’t lead to unlawful sharing of personal data or to data being altered, blocked, or deleted in a way that permanently cuts off access. This approach focuses regulatory attention on serious incidents that truly endanger data security.


The Right to Be Forgotten

Belarusian law (Article 28 of the Constitution) guarantees every person protection from unlawful intrusions into private life, including the privacy of their mail, phone calls, and other communications. With technology rapidly advancing, this principle now extends to personal data, shielding it from unauthorized use or exploitation for commercial or governmental purposes.


A new Belarusian legislative initiative strengthens this by introducing a true “right to be forgotten.” This means individuals will have the legal power to request the deletion or correction of their data from databases, to be informed about how their data is used, and to object to certain types of processing. It marks an important step in giving people real control over their digital footprints.


Personal Data of Children, Relatives, and Deceased Persons


As automated data technologies expand into every part of life, children’s privacy faces new risks. To protect minors, the law requires that personal data of anyone under 16 can only be processed with consent from a parent or legal guardian.


Similarly, handling the personal data of deceased individuals demands careful safeguards. It’s only permitted if the person consented while alive, or if close relatives or heirs give their approval. This ensures sensitive information remains respected and secure, even after death.


Sharing Personal Data Without Consent

Belarusian law strictly regulates how personal data is handled, and there are serious consequences for violations. The data protection authority can order a company to change, delete, or block inaccurate or unlawfully obtained data and fix other legal breaches.


Under Article 22.13 of the Administrative Code, anyone who intentionally discloses personal data they learned through their work faces fines ranging from 4 to 20 base units. This underscores how critical it is to handle personal data responsibly and only share it with proper consent.


Our Services

• Data Dispute Resolution
  We help navigate disputes over data protection, working to secure fair outcomes while minimizing business disruption and regulatory exposure.
• Risk Assessment & Legal Review
  We evaluate data protection practices, identify compliance gaps, and provide a clear plan to mitigate legal and operational risks tied to information security.
• Cross-Border Data Guidance
  Get tailored advice on international data transfers, ensuring your processes align with local and global laws for smooth, lawful operations.
• Support in Enforcement & Disputes
  We guide you through investigations, represent your interests in disputes, and assist with enforcement actions related to data protection obligations.
• Internal Data Protection Policies
  Draft clear, compliant internal rules covering data processing goals, legal bases, access controls, and handling of personal data requests.
• Appointing a Data Officer
  Help designate a responsible data officer, establish internal monitoring, and document training to maintain accountability in your organization.
• Defining Processing Purposes & Methods
  Clarify why and how your business processes personal data, setting a solid foundation for lawful, transparent operations.
• Access Controls Setup
  Structure detailed access levels so only authorized staff handle sensitive personal data, reducing risks of leaks or misuse.
• Managing Data Subject Requests
  Create clear workflows for receiving, reviewing, and responding to personal data requests, keeping you compliant and customer-focused.
• Video Surveillance Rules
  Draft policies on workplace video monitoring to balance safety needs with privacy rights, ensuring full legal compliance.
• Website Legal Tools
  Equip your website with essential privacy notices, cookie banners, and terms to meet regulatory standards and build trust online.
• Employee Data Handling Compliance
  Train and guide staff to process personal data correctly, protecting individual privacy and keeping your company on the right side of the law.
• Third-Party Contracts
  Prepare agreements with processors or partners that clearly define data handling responsibilities and safeguard personal information.
• Cross-Border Transfer Rules
  Determine when and how to lawfully move data across borders, documenting these grounds to support international growth.
• Data Deletion Procedures
  Set formal rules for securely destroying personal data when it’s no longer needed, reducing liability and reinforcing data protection commitments.

Types of Liability for Personal Data Violations

Employee Disciplinary Action


Staff responsible for handling personal data who fail to follow company rules or legal standards can face disciplinary measures. This might include reprimands, demotion, or even termination, depending on the seriousness of the breach and internal company policies.

Fines & Administrative Penalties


Courts can impose significant fines on individuals and organizations for data protection failures. For example, not safeguarding personal data can result in penalties ranging from roughly $740 to $1,850. These decisions can be appealed within 10 days of issuance.

Compensation for Harm


Individuals harmed by mishandling of their personal data can sue for damages, including both financial losses and emotional distress. Often, it’s wise to seek voluntary compensation first. If refused, court action can secure full reimbursement with expert legal support.

Types of Personal Information

1. General data
   Name, birth date, workplace, and contact details—common details that still need safeguarding, even if they’re easy to find online.

2. Special data
   Sensitive areas like race, health, criminal records, and political or religious beliefs, which are rarely public and demand strict protection.

3. Biometric data
   Unique biological markers such as fingerprints. A simple photo doesn’t count unless it’s used specifically for biometric identification.

4. Other data
   Social status—often grouped differently but still relevant to privacy. Special data ties closely to personal identity and typically needs extra care, while other data tends to be broader and can change over time.

Requirements for Collecting, Processing, and Protecting Personal Data

Belarusian law sets clear principles for how personal data must be collected, processed, and protected. First, it’s essential to define the purpose—whether hiring staff, sending marketing materials, or managing contracts. This ensures data is only gathered for legitimate, clearly stated reasons.


Next is the scope of data collected. It should strictly match the stated purpose. For instance, there’s no need to request an email address when shipping a product if a name, phone, and delivery address suffice. If the email is needed for marketing, that purpose must be separately specified.


Obtaining consent is another critical requirement, unless the law explicitly allows processing without it. Consent should be clear, specific, and easy to understand—more than a vague notice like “by staying on this site, you accept our policy.” It’s best to have users tick a box confirming they’ve read and agreed to your Privacy Policy.


Before giving consent, individuals must also be informed about your business activities, what data you collect, why you need it, how long you’ll keep it, and how it’s protected. All of this should be laid out in a clear Privacy Policy or Data Processing Policy available to them beforehand.


Why Us

Cross-Industry Experience


We’ve worked across tech, finance, healthcare, and beyond. That broad perspective means sharper insights, fewer blind spots, and solutions that actually fit your business reality, not just generic legal theory.

We Speak Your Language


No confusing legal double-speak here. We break it all down into practical terms, so you’re always clear on your options and confident in every decision you make.

Impressive Success Record


Our results speak for themselves—years of securing favorable outcomes, tackling tough cases, and building strategies that stand up under pressure when it matters most.

Resolving Complex Legal Issues


We thrive on untangling the tough stuff. Whether it’s multi-layered compliance or tricky disputes, we bring clarity and direction when your situation feels overwhelming.

Saving Your Time


We handle the heavy lifting, streamline the process, and keep things moving—so you can stay focused on running your business, not chasing down legal paperwork.

Saving Clients’ Money


We’re serious about efficiency. From smarter contract structures to avoiding costly pitfalls, we work to protect your bottom line as fiercely as we protect your rights.

FAQ

What counts as consent to process personal data?

It’s a free, specific, informed, and unambiguous declaration by the individual allowing their data to be processed. Under Belarusian law, it must be given in writing or electronically through a clear, active step.

Why can written consent be invalid?

If it lacks key elements like processing purposes, data scope, storage period, or withdrawal rights—or uses generic language that doesn’t reflect real objectives—it risks being declared invalid in court.

What mistakes happen when collecting online consent?

Common errors include pre-ticked boxes (not a valid active action), no option to download consent text, or treating privacy policies as substitutes for actual consent. Each violates Belarusian standards similar to GDPR.

What are the consequences of consent errors?

They include administrative fines, orders to fix violations, possible blocking of data processing, and serious reputation damage if customers file complaints. Belarusian regulators actively enforce these rules.

What does case law and administrative practice show?

Belarusian courts typically support the data regulator. They void consent if it lacks a clear data list or withdrawal method, emphasizing transparent interactions—especially during face-to-face contacts or electronic verification.

How to properly get consent in person?

Provide a document detailing processing goals, data types, duration, and withdrawal rights. Have the person sign and keep a copy. Best practice: also email them a duplicate for proof.

How to ensure legally sound online consent?

Use separate, unticked checkboxes, and log the IP address, date, and exact consent text. Don’t bury it in general terms of use. Consent must directly relate to registration, orders, or subscriptions.

Why is tracking consent withdrawal important?

By law, individuals can withdraw consent anytime. You must stop processing within 15 days and keep records of withdrawals to avoid disputes or future claims for damages.

Contact us

    • Lawyer
      Legal assistance is provided by advocate Anton Grinewich, Specialized Legal Bar No. 2 in Minsk.
    • Address
      Office: 1 Krasnaya str., Minsk, Republic of Belarus
      Postal address: 1 Krasnaya str., Minsk, Republic of Belarus
    • Working hours
      Monday-Friday 9:00-19:00