Principles of Legislation on Personal Data in Belarus

Personal data in Belarus includes any information that allows you to identify a particular person, such as name, address, phone number, passport data, information about the place of work and others. 

According to the Republic of Belarus legislation, companies and state organizations must protect citizens’ data and process them only with consent or other legal grounds. Citizens have the right to access, correct, block, and delete their data in case of illegal use. Violating the legislation on processing personal data in Belarus entails severe consequences, including fines and criminal liability. 

The state protects citizens’ data, guaranteeing its confidentiality and security. To comply with the legislation on personal data, it is recommended that regular audits of information protection documents be conducted and, if necessary, that help be sought from personal data specialists.

What applies to the processing of personal data

Actions related to the processing of personal data include:

1. Collecting;
2. Systematization;
3. Keeping;
4. Change;
5. Using;
6. Depersonalization;
7. Blocking;
8. Distribution;
9. Provision;
10. Deletion of personal data.

Personal data is processed by companies and individual entrepreneurs, called personal data operators. Operators can unite to process personal data jointly or involve other companies under a contract to process personal data—authorized persons.

Basic principles of personal data processing

1. Proportionality of the processing of individual information according to the declared goals

Personal data must be processed for the processing purposes specified by the operator. An example of excessive processing of personal data by an online store is the collection of information unrelated to customers’ needs in delivering goods.

For example, a store may request from customers not only the essential data necessary to make a purchase and communicate with them, such as name, address and contact number but also information about religion, political views or personal life, which does not relate to the purpose of delivering goods. This data is unrelated to the store’s primary task of collecting personal information.

Excessive processing of personal data violates the principle of proportionality of processing personal information for declared purposes established in the legislation protecting personal data. It may violate the confidentiality and security of customer data.

2. Processing of individual data with the consent of the subject

Generally, the operator must obtain an individual’s consent to process his data. The consent must indicate the purposes for which the operator plans to process individual data.

There are exceptions when companies do not need the subject’s consent. For example, permission is not required in the following cases:

• When the company is required to collect personal data by the law.
• When maintaining personalised accounting.
• When concluding employment contracts with individuals.
• To fulfil a contract concluded with an individual.

3. Limiting the processing of personal data to the achievement of processing objectives

When processing personal data based on consent (if the subject’s permission is required) or by the law (if the processing is carried out without consent), the purposes of the processing are determined. Personal data may not be used for purposes not specified in the consent or legislation.

The following requirements apply to processing personal data: the purpose must be legitimate, specific (and not general or abstract) and announced in advance (before the start of data processing).

Examples of personal data processing purposes include:

1. “Processing of a candidate’s resume for a vacancy”;
2. “Conclusion, execution, modification and termination of a certain contract” and others.

If the specified initial purposes of personal data processing need to be changed, companies must obtain new consent from the subjects to process their data.

4. Compliance with the volume and content of personal data for processing

The personal data processed must correspond to the purpose of processing and must not be redundant. You cannot collect personal data that is not relevant to achieving the purpose for which it is collected. For example, collecting personal data about the customer’s home address is unnecessary when placing a pickup order in an online store.

5. Transparency of personal data processing

The subject of personal data must be provided with complete information about the processing of his data. Usually, the operator offers the client a consent form in writing or electronically.

Before obtaining consent, an individual must be informed of the following:

• Regarding the purposes of processing his data.
• About the list of personal data that will be processed after obtaining consent.
• About the personal data processing policy adopted by the operator.
• About the period for which an individual consents to processing his data.
• Regarding the measures that the operator will take regarding his data.

It is also necessary to provide other information related to the processing of personal data.

An individual has explained his rights related to the processing of personal data, the ways of their implementation and the consequences of consent or refusal to process personal data.

All this information can be included in the consent form for the processing of an individual’s personal data.

6. Ensure the accuracy of the processed data and update them regularly

At the request of the personal data subject, whose personal data has changed, the operator must make changes to his records or allow the client to correct and delete his data independently.

7. Store personal data only for as long as necessary to achieve the purposes of their processing.

Personal data must be stored in a format that allows you to identify a specific individual. Usually, the terms of storage of personal data are defined in the Personal Data Processing Policy.

8. Appoint a specialist or department responsible for monitoring the processing of personal data

According to the requirements of the legislation on personal data in Belarus, a person or department must carry out internal control over the processing of personal data. Such duties can be performed by an employee or a company division whose employees have higher education and competence in personal data.

Preparing and regularly updating the relevant documents is necessary for effective work on the processing and protection of personal data.