Summarising the results of 2023 in the field of personal data processing in the Republic of Belarus

Every year the National Personal Data Protection Center of the Republic of Belarus (the “Centre”) publishes a report on its activities. REVERA law group lawyers analysed the summarised results in the field of personal data processing, and plans for 2024.

Control activities carried out by the Centre

The National Personal Data Protection Center of the Republic of Belarus exercises control over personal data processing by operators (authorized persons) in the form of scheduled, unscheduled, and desk inspections.

In 2023, all three forms of inspection were used. As the Centre notes in its report, violations were detected in each case. This is not surprising and is explained by the fact that businesses are still adapting to the regulation that appeared in 2021. Despite the violations, however, the overall level of responsibility of organisations and their compliance with the requirements of the legislation on personal data has significantly increased.

Type of inspection and grounds for appointment

Type of inspection: criteria for scheduling an inspection

Scheduled inspections (13 scheduled inspections were carried out):
  • the scope of the processing of personal data;
  • carrying out activities in respect of which a large number of justified complaints have been lodged by data subjects in 2022.

Unscheduled inspections (7 unscheduled inspections were carried out):
  • breaches of personal data protection systems, which resulted in their leakage;
  • failure to fulfill the recommendations given on the results of desk audits;
  • failure of the authorized person to comply with mandatory measures to ensure personal data protection.

Operators, as well as authorized persons, should pay special attention to the last of these grounds, as outsourcing of some business processes is quite common.

In the course of scheduled and unscheduled inspections, the Centre assesses whether the operator has verified whether or not the authorized person has taken mandatory measures to ensure personal data protection. If violations are detected in the personal data processing by the authorized person, the Centre also has the right to carry out inspections with regard to this authorized person.

Desk inspections (18 desk inspections were carried out):
  • complaints of personal data subjects;
  • notifications received from operators on the breach of personal data protection systems (in 2023, the Centre received 17 notifications on the breach of personal data protection systems).

In general, there was a positive trend of compliance with the legislation on personal data in 2023: violations related to the non-implementation of mandatory measures were less frequent.

Results of control activities

The report notes that operators take insufficiently effective measures for personal data processing, or treat the implementation of those measures as a formality.

Some of the most common violations found include:

  • absence of relevant documents (plans for monitoring or inspections of the organisation's structural units, reports on the results of control activities), as well as failure to establish the procedure for internal control;
  • formal assignment of responsibilities for internal control;
  • formal approach to the issuance of documents defining the operator's (authorized person's) policy on personal data processing (documents are written in complex legal language; documents do not reflect all business processes, etc.);
  • ineffective methods of familiarising the operator's (authorized person's) employees and other persons directly involved in personal data processing with the provisions of personal data legislation, including personal data protection requirements, and with the documents defining the operator's (authorized person's) policy with regard to personal data processing;
  • processing of personal data without a legal basis;
  • violation of the requirements for the procedure for obtaining the consent of the personal data subject, and others.

Consequences for organisations as a result of identified violations:

Based on the results of a scheduled or unscheduled inspection, the Centre may:

  • issue a written requirement (prescription) to eliminate the identified violations;
  • adopt a decision to suspend (terminate) personal data processing in the information resource (system), indicating the specific actions to be suspended (terminated) and establishing a term of such suspension (termination) not exceeding 6 months.

In addition, there is (1) administrative and (2) criminal liability for violation of the legislation on personal data.

Suspension (termination) of personal data processing in the information resource (system)

The application of the above measure is the most critical for businesses, as organisations carrying out their activities using websites will not be able to collect personal data of subjects through them (e.g. when placing an order on a website, subscribing to a newsletter, etc.).

For this reason, this measure is not applied following the results of every scheduled or unscheduled inspection. The Centre uses this tool in a very precise and balanced manner: in 2023, the decision to suspend the processing of personal data in information resources (systems) was taken with regard to only two operators.

Prosecution

Based on the results of the inspections carried out by the Centre, in 18 cases the materials were sent to the internal affairs bodies to decide on the initiation of administrative proceedings (under Articles 23.7, 24.1, 24.11 of the Code of Administrative Offences of the Republic of Belarus of January 6, 2021 No. 91-Z) for:

  • violation of legislation on personal data protection (16 cases);
  • failure to fulfill a written request (instruction) (1 case);
  • failure to submit documents, reports, and other materials (1 case).

Plans for 2024 in the field of personal data protection

The Centre has identified issues in the field of personal data protection that will be worked on in 2024. These include:

1) Localisation of personal data on the territory of the Republic of Belarus.

The requirement for localisation of personal data is a new tool for controlling personal data flows for the Republic of Belarus, but it has been applied in neighbouring countries for a long time. For example, in the Russian Federation, such a requirement appeared in 2015 and means that the data collected from data subjects must be stored and processed in the territory of the Russian Federation.

In the Republic of Belarus, it is planned to establish the localisation requirement for certain, particularly sensitive categories of personal data, e.g. special personal data, and personal data of minors. The relevant draft Decree of the President of the Republic of Belarus has already been prepared and is being elaborated with the interested parties.

2) Toughening of liability for violation of personal data legislation.

There are plans to strengthen administrative liability for violations of legislation on personal data. Specific amounts of fines are not yet known. Currently, the maximum fine for legal entities for failure to take measures to organise the processing of personal data is 50 basic units.

3) Empowering the Centre with the powers of an administrative process authority.

4) Suspending access to Internet resources whose functioning is carried out in violation of the requirements of the Law of the Republic of Belarus of May 7, 2021 No. 99-Z ‘On personal data protection’ (dissemination of personal data without a proper legal basis, etc.).

5) Elaboration of issues related to the processing of personal data, in particular, issues related to the use of video surveillance systems in certain branches (spheres) of activity.