Data Dispute Resolution
We represent operators and individuals in data protection disputes — before the NCPD, in administrative proceedings, and in court — working to secure fair outcomes while minimising regulatory and reputational exposure.
Data Protection Disputes in Belarus
Licensed Belarusian advocates advising companies on personal data compliance, handling NCPD investigations and representing clients in data protection disputes.
Our clients
Personal Data Protection in Belarus: Key Issues for Businesses
Personal data protection is an increasingly important area for businesses operating in Belarus. Any company that collects, stores, or processes information about individuals — customers, employees, website visitors — is a personal data operator and is subject to Belarusian data protection law.
Disputes in this area most commonly arise from data breaches, excessive collection of personal data beyond what is necessary for the stated purpose, and non-compliance with consent requirements. Operators that fail to meet their obligations face regulatory investigations by the National Centre for Personal Data Protection (NCPD), administrative fines, and civil claims from affected individuals.
AMBY Legal advises companies on organising personal data processing in compliance with Belarusian law, audits internal data protection documents, and represents clients in disputes with the NCPD and in court.
What Is Personal Data Under Belarusian Law?
Personal data is any information that relates to an identified or identifiable individual. It falls into several categories:
General data: name, date of birth, phone number, workplace, contact details — information used to verify identity that requires standard protection.
Special categories: health records, political views, religious beliefs, racial or ethnic origin, criminal records — sensitive information that demands stricter protection and, in most cases, explicit consent before processing.
Biometric data: unique biological markers such as fingerprints or facial recognition data used for identification purposes. A standard photograph does not constitute biometric data unless it is used specifically for biometric identification.
Online identifiers: IP addresses, cookies, and device identifiers — treated as personal data under Belarusian law when they can be used to trace an individual’s identity.
IT Business in Belarus
Get professional legal support for your IT business in Belarus at every stage.
Who Is Responsible for Personal Data Protection in Belarus?
Any Belarusian organisation or individual entrepreneur that processes personal data — whether collecting, storing, modifying, sharing, or deleting it — is classified as a personal data operator and bears legal responsibility for compliance.
Operators are required to appoint a responsible employee or create a dedicated department to oversee data processing within the organisation. They must also ensure that personal data is processed only in IT systems equipped with certified security tools meeting standards set by the Operations and Analysis Centre (OAC).
The state body responsible for overseeing compliance with personal data legislation is the National Centre for Personal Data Protection (NCPD). The NCPD conducts inspections, considers complaints from individuals, and issues binding orders to operators. Complaints to the NCPD must be filed within three months from the date the complainant became aware of the violation.
The Register of Personal Data Operators
From 1 January 2024, the NCPD maintains a state database — the Register of Personal Data Operators. Operators are required to register information about their IT systems if those systems process personal data of more than 100,000 adult individuals, more than 10,000 individuals under 16 years of age, or biometric or genetic personal data.
Failure to register required information in the Register is a compliance violation. AMBY Legal assists operators in determining their registration obligations and preparing the required documentation.
Disputes Between Individuals and Operators
The most common category of data protection disputes involves excessive data collection — where operators request more personal data from individuals than is objectively necessary for the stated processing purpose. For example, delivery of goods from an online store does not require an individual’s tax identification number or employer details.
An individual who believes their data is being excessively processed can: request directly from the operator that the excess data be deleted, or file a complaint with the NCPD. In the latter case, the operator may face an inspection and administrative fines.
AMBY Legal advises operators on reviewing and correcting their consent forms and data collection lists to minimise the risk of complaints and regulatory action.
Disputes Between the NCPD and Operators
Disputes between the NCPD and operators most commonly arise from: personal data breaches resulting from inadequate security measures, intentional or negligent disclosure of personal data without individual consent, and use of IT systems that do not meet certified security standards.
AMBY Legal conducts audits of companies’ internal data protection documents, identifies compliance gaps, and develops the required documentation. Where an NCPD investigation has already begun, we represent the operator’s interests throughout the proceedings.
Rights of Individuals Under Belarusian Data Protection Law
Belarusian data protection law gives individuals meaningful control over their personal data. Key rights include:
The right to withdraw consent for data processing at any time — operators must stop processing within 15 days of receiving a withdrawal request.
The right to access information about how and why their data is being processed.
The right to correct inaccurate personal data.
The right to know who has received their data.
The right to request deletion or better security of their data.
Operators must respond to information requests within 5 business days and provide complete details within 15 business days. Failure to comply with these obligations can result in NCPD enforcement action and civil claims.
Sharing Personal Data with Third Parties
Transferring personal data to third parties — including contractors, accountants, marketers, or service providers — is permitted under Belarusian law, but only under strict conditions.
A formal data processing agreement must be concluded with each third party that processes data on the operator’s behalf. The agreement must specify: what data is being transferred, the purpose of processing, the specific obligations of each party, and the security measures in place to protect the data from unauthorised access.
Sharing personal data without a proper agreement or outside the scope of agreed processing purposes constitutes a violation of Belarusian data protection law.
Legal Grounds for Processing Personal Data
Personal data may only be processed if there is a clear legal basis for doing so. The main grounds under Belarusian law are:
Individual consent — the most common ground, but not always required. Consent must be freely given, specific, informed, and expressed through a clear active action (not a pre-ticked box).
Contractual necessity — processing required to perform a contract with the individual, such as opening a bank account or delivering an order.
Legal obligation — processing required to fulfil a duty imposed by law on the operator.
Legitimate interests of the state — processing required for national security, anti-corruption, or anti-money laundering purposes.
Many state bodies and organisations process personal data without consent because their legal powers expressly authorise it.
Key Documents Required for Personal Data Compliance
Every organisation processing personal data must maintain the following core documents:
Internal Regulation on Personal Data Processing — sets out internal rules for data handling within the organisation, including processing purposes, data categories, retention periods, access controls, and security measures.
Privacy Policy — published on the company’s website or app, informing users about what data is collected, for what purposes, how long it is retained, and what rights individuals have.
Consent forms — where processing is based on consent, separate, specific consent documents must be provided to individuals before processing begins. A reference to a privacy policy is not sufficient.
Registry of IT systems — a record of all IT systems used to process personal data, including system names, data categories, processing purposes, and security measures in place.
List of authorised employees — a register of staff with access to personal data, specifying their access levels and responsibilities.
Two main documents anchor these processes. The Internal Regulation on Personal Data Processing sets rules inside the company, while the Privacy Policy, published online or in the app, informs clients and users. This policy spells out who collects and uses data, what data is processed, for what purposes, and what rights individuals have — along with how they can exercise them.
When data is processed based on consent, the organization must provide clear, separate details about this before processing begins. Simply pointing to a privacy policy isn’t enough; individuals need explicit, standalone information to make informed choices.
Data Retention and Storage Rules
Personal data must only be retained for as long as necessary to achieve the purpose for which it was collected. Retention periods are often set by law — for example, the Ministry of Justice regulations specify retention periods for financial and accounting documents. Where no statutory period applies, the operator must define one in its internal documents.
Personal data must be processed only in IT systems equipped with certified security tools meeting standards set by the Operations and Analysis Centre (OAC). Using systems without certified protection violates Belarusian law. Belarus does not require data localisation — data may be stored abroad — but the technical protection requirements still apply.
Operators must maintain a detailed internal registry of data processing activities — recording all data types, processing methods, retention periods, legal grounds, and access controls.
Breach Notification Obligations
If an operator’s personal data protection system is compromised, the operator must notify the NCPD promptly — and no later than three business days after discovering the breach.
While there is no direct legal obligation to notify affected individuals, it is considered good practice to publish a notice on the company’s website.
Notification to the NCPD is not required if the breach did not result in: unlawful disclosure of personal data to third parties, or alteration, blocking, or permanent deletion of personal data. This focuses regulatory attention on incidents that genuinely endanger individuals’ data.
The Right to Be Forgotten
Article 28 of the Constitution of the Republic of Belarus guarantees every person protection from unlawful intrusion into private life. As technology has advanced, this principle has been extended to personal data — protecting it from unauthorised use for commercial or other purposes.
Belarusian legislation introduces a right to erasure (“right to be forgotten”) — giving individuals the legal power to request deletion or correction of their data from databases, to be informed about how their data is used, and to object to certain types of processing. AMBY Legal advises both individuals seeking to exercise this right and operators facing deletion requests.
Personal Data of Children, Relatives, and Deceased Persons
Processing personal data of individuals under 16 years of age requires the consent of a parent or legal guardian. This applies to all categories of data, including general and special data.
Processing personal data of deceased individuals is only permitted if the person provided consent during their lifetime, or if close relatives or heirs give their approval. Operators processing data in either of these categories should ensure their consent procedures specifically address these requirements.
Disclosure of Personal Data Without Consent: Liability
Belarusian law provides for serious consequences for unlawful disclosure of personal data. The NCPD can order an operator to correct, delete, or block unlawfully processed data and remedy other violations.
Under Article 22.13 of the Administrative Code, intentional disclosure of personal data obtained through professional activities carries fines of 4 to 20 base units (180 to 900 Belarusian rubles). More serious violations — such as failure to protect personal data — can result in fines ranging from approximately €740 to €1,850.
Our Data Protection Services
Risk Assessment & Legal Review
We audit your data processing practices and internal documents, identify compliance gaps, and provide a clear remediation plan to reduce legal and operational risk.
Cross-Border Data Guidance
We advise on international data transfers — including the conditions under which data can be transferred abroad and the documentation required to support such transfers under Belarusian law.
Support in Enforcement & Disputes
We represent your interests in NCPD investigations, administrative proceedings, and court disputes related to data protection obligations.
Internal Data Protection Policies
We draft Internal Regulations on Personal Data Processing, Privacy Policies, consent forms, and other mandatory documents required under Belarusian data protection law.
Appointing a Data Officer
We advise on appointing a responsible data officer, establishing internal monitoring procedures, and documenting staff training to maintain accountability within the organisation.
Defining Processing Purposes & Methods
We help you clearly define why and how your business processes personal data — establishing a solid legal foundation for all processing activities.
Access Controls Setup
We help structure access levels to personal data within your organisation — ensuring only authorised staff handle sensitive information and reducing the risk of internal breaches.
Managing Data Subject Requests
We develop clear workflows for receiving, reviewing, and responding to individual requests — including access, correction, deletion, and withdrawal of consent — within statutory timeframes.
Video Surveillance Rules
We draft workplace video surveillance policies that balance legitimate security needs with employees' privacy rights and comply with Belarusian data protection requirements.
Website Legal Tools
We prepare Privacy Policies, cookie notices, consent mechanisms, and Terms of Use for websites and apps to ensure compliance with Belarusian personal data legislation.
Employee Data Handling Compliance
We advise on and document procedures for processing employees' personal data — including in employment contracts, HR records, and internal regulations.
Third-Party Contracts
We draft data processing agreements with contractors, service providers, and partners — clearly defining data handling responsibilities and ensuring compliance with third-party sharing rules
Cross-Border Transfer Rules
We determine the legal grounds for transferring data outside Belarus, prepare the required documentation, and advise on technical security requirements for international transfers.
Data Deletion Procedures
We develop formal data retention and deletion policies — defining retention periods for each data category and establishing secure destruction procedures to reduce liability.
Types of Liability for Personal Data Violations
Employee Disciplinary Action
Employees responsible for handling personal data who fail to comply with internal rules or legal requirements can face disciplinary measures — from reprimands and demotion to termination, depending on the severity of the breach.
Fines and Administrative Penalties
The NCPD and courts can impose administrative fines for data protection violations. Intentional disclosure of personal data obtained through professional activities carries fines of 4 to 20 base units (180 to 900 rubles). Failure to adequately protect personal data can result in fines of approximately €740 to €1,850. Administrative decisions can be appealed within 10 days of issuance.
Compensation for Harm
Individuals harmed by unlawful processing or disclosure of their personal data can bring civil claims for damages — including both financial losses and non-material harm (moral damages). It is advisable to first seek voluntary compensation directly from the operator. If refused, court proceedings can secure full recovery with legal support.
Types of Personal Data
Requirements for Collecting, Processing, and Protecting Personal Data
Belarusian law sets clear principles for lawful personal data processing:
Define the purpose: data must only be collected for a clearly defined, legitimate purpose — whether for staff management, marketing, or contract performance. The purpose must be stated before processing begins.
Limit the scope: only data that is strictly necessary for the stated purpose may be collected. Collecting an email address for delivery is not justified if it is only needed for marketing — in that case, the marketing purpose must be separately stated and consented to.
Obtain consent correctly: where consent is the legal basis for processing, it must be freely given, specific, informed, and expressed through a clear active action — not a pre-ticked box or a vague reference to a privacy policy.
Inform individuals: before obtaining consent, individuals must be clearly informed about who is collecting their data, what data is collected, why, how long it will be retained, and how it is protected. This information must be set out in a Privacy Policy or Data Processing Policy made available before consent is requested.
Intellectual Property Protection
Obtain expert intellectual property protection in Belarus for your company.
Why Companies Choose AMBY Legal for Data Protection Matters
Cross-Industry Experience
We have advised clients in technology, finance, healthcare, retail, and other sectors on data protection compliance — bringing practical, sector-specific insight rather than generic legal theory.
We Speak Your Language
We communicate with international clients in English throughout — explaining complex data protection requirements in plain, actionable terms.
Impressive Success Record
We have a strong track record in data protection matters — from successful defence in NCPD proceedings to recovery of damages for individuals whose data was unlawfully processed.
Resolving Complex Legal Issues
We handle multi-layered compliance challenges and contested disputes — bringing clarity and a clear course of action when the legal situation feels overwhelming.
Saving Your Time
We manage the compliance workload — auditing documents, drafting policies, and handling regulatory interactions — so you can focus on running your business.
Saving Clients’ Money
By identifying compliance gaps early and structuring data processing correctly from the start, we help clients avoid the far greater costs of regulatory fines, litigation, and reputational damage.
FAQ
What counts as valid consent to process personal data in Belarus?
Valid consent must be freely given, specific, informed, and expressed through an unambiguous active action by the individual — such as ticking a separate, unchecked box. It must specify the processing purposes, data categories, retention period, and the individual’s right to withdraw consent. Pre-ticked boxes, vague policy references, or implied consent do not meet Belarusian legal standards.
Why can a written consent form be declared invalid?
A consent form can be invalidated if it lacks essential elements — such as clearly defined processing purposes, a list of the personal data being collected, the retention period, or information about the individual’s right to withdraw consent. Generic or ambiguous language that does not accurately reflect the actual processing activities also risks invalidity.
What are the most common mistakes when collecting online consent?
Common errors include: using pre-ticked consent boxes (not a valid active action), not providing the consent text for download or review, treating a general Privacy Policy as a substitute for specific consent, and failing to log the consent record (IP address, date, exact consent text). Each of these violates Belarusian data protection standards.
What are the consequences of consent violations?
Consequences include: administrative fines, binding orders from the NCPD to stop unlawful processing, potential blocking of data processing activities, civil claims from affected individuals, and serious reputational damage. Belarusian regulators actively enforce these rules — particularly following complaints from individuals.
How should consent be properly obtained in person?
Provide a document setting out the processing purposes, data categories, retention period, and the individual’s withdrawal rights before they sign. Retain a signed copy for your records. As best practice, send the individual a duplicate copy by email as documented proof of consent.
How should legally valid online consent be structured?
Use separate, unticked checkboxes for each distinct processing purpose. Log the IP address, date and time, and exact text of the consent given. Do not bury consent within general Terms of Use. Consent must relate specifically to the action being taken — registration, ordering, or subscribing — and must be linked to a clear, accessible Privacy Policy.
Why is tracking consent withdrawal important?
Under Belarusian law, individuals can withdraw consent at any time. The operator must cease processing the relevant data within 15 days of receiving the withdrawal request. Failing to maintain withdrawal records leaves the operator exposed to claims that processing continued without a valid legal basis — which can result in both regulatory action and civil damages claims.
News
How to Enforce a Foreign Arbitration Award in Belarus
You won the arbitration. Months of hearings, written submissions, and legal costs — and the tribunal ruled your way. The award exists on paper. The Belarusian counterparty knows it. And nothing has moved. Getting paid is a different fight entirely. Belarus does recognise foreign arbitral awards — but turning that recognition into actual money involves […]
How to Recover a Debt from a Belarusian Company as a Foreign Creditor
The contract was signed. Goods were delivered, services rendered, money lent. And then — silence. Payment deadlines passed, calls went unanswered, and the emails from your Belarusian partner became increasingly vague. Now you’re sitting on an unpaid invoice and wondering whether there’s anything you can actually do from abroad. The short answer is yes. Belarus […]
Changing the Director of an LLC in Belarus: What You Need to Know
Most companies don’t think much about changing a director until they have to. Then they find out the hard way that getting it wrong — even slightly — can leave the business stuck in an awkward gap: the old director still legally in charge, the new one unable to sign anything or move money. We’ve […]