Summarising the results of 2023 in the field of personal data processing in the Republic of Belarus
- Control activities carried out by the Centre
- Results of control activities
- Prosecution
- Plans for 2024 in the field of personal data protection
Every year the National Personal Data Protection Center of the Republic of Belarus (the “Centre”) publishes a report on its activities. REVERA law group lawyers analysed the summarised results in the field of personal data processing, and plans for 2024.
Control activities carried out by the Centre
The National Personal Data Protection Center of the Republic of Belarus provides control over personal data processing by operators (authorized persons) in the form of scheduled, unscheduled, and desk inspections.
In 2023, all three forms of inspection were used in the implementation of control. As the Centre notes in its report, violations were detected in each case. This is not surprising and is justified by the fact that business is still adapting to the regulation that appeared in 2021. But despite the presence of violations, the overall level of responsibility of organisations and compliance with the requirements of the legislation on personal data has significantly increased.
Type of inspection and grounds for appointment
Type of inspection | Criteria for scheduling an inspection |
Scheduled inspections (13 scheduled inspections were carried out) |
|
Unscheduled inspections (7 unscheduled inspections were carried out) |
Operators, as well as authorized persons, should pay special attention to the last of these grounds, as outsourcing of some business processes is quite common. In the course of scheduled and unscheduled inspections, the Center shall assess whether the operator has verified whether or not the authorized person has taken mandatory measures to ensure personal data protection. If violations are detected in the personal data processing by the authorized person, the Center has the right to carry out inspections also with regard to this authorized person. |
Desk inspections (18 desk inspections were carried out) |
|
In general, there was a positive trend of compliance with the legislation on personal data in 2023, violations related to the non-implementation of mandatory measures were less frequently.
Results of control activities
The report notes that the operators take insufficiently effective measures for personal data processing, or the approach to their implementation is formal.
Some of the most common violations found include:
- absence of relevant documents (plans for monitoring or inspections of the organisation's structural units, reports on the results of control activities), as well as failure to establish the procedure for internal control;
- formal assignment of responsibilities for internal control;
- formal approach to the issuance of documents defining the operator's (authorized person's) policy on personal data processing (documents are written in complex legal language; documents do not reflect all business processes, etc.);
- ineffective way of familiarisation of the operator's (authorized person's) employees and other persons directly involved in personal data processing with the provisions of personal data legislation, including personal data protection requirements, documents defining the operator's (authorized person's) policy with regard to personal data processing;
- processing of personal data without a legal basis;
- violation of the requirements for the procedure of obtaining the consent of the personal data subject and others.
Consequences for organisations as a result of identified violations:
Based on the results of a scheduled or unscheduled inspection, the Centre may:
issue a written requirement (prescription) to eliminate the identified violations;
to adopt a decision on suspending (terminating) of personal data processing in the information resource (system) with indication of specific actions to be suspended (terminated) and to establish a term of such suspension (termination) not exceeding 6 months.
Besides, there is (1) administrative and (2) criminal liability for violation of the legislation on personal data.
Suspension (termination) of personal data processing in the information resource (system)
The application of the above measure is the most critical for businesses, as organisations carrying out their activities using websites will not be able to collect personal data of subjects through them (e.g. when placing an order on a website, subscribing to a newsletter, etc.).
For this reason, this measure is not applied following the results of every scheduled or unscheduled inspection. The Centre uses this tool in a very precise and balanced manner: in 2023, the decision to suspend the processing of personal data in information resources (systems) was taken regarding to only two operators.
Prosecution
Based on the results of the inspections carried out by the Centre, in 18 cases the materials were sent to the bodies of internal affairs to decide on the initiation of administrative proceedings (under Articles 23.7, 24.1, 24.11 of the Code of Administrative Offences of the Republic of Belarus January 6, 2021 No. 91-Z) for:
- violation of legislation on personal data protection (16 cases);
- failure to fulfill a written request (instruction) (1 case);
- failure to submit documents, reports, and other materials (1 case).
Plans for 2024 in the field of personal data protection
The Centre has identified issues in the field of personal data protection that will be worked on in 2024. These include:
1) Localisation of personal data on the territory of the Republic of Belarus.
The requirement for localisation of personal data is a new tool for controlling of personal data flows for the Republic of Belarus, but it has been applied in neighbouring countries for a long time. For example, in the Russian Federation, such a requirement appeared in 2015 and means that the data collected from data subjects must be stored and processed in the Russian Federation’s territory.
In the Republic of Belarus, it is planned to establish the localisation requirement for certain, particularly sensitive categories of personal data, e.g. special personal data, and personal data of minors. The relevant draft Decree of the President of the Republic of Belarus has already been prepared and is being elaborated with the interested parties.
2) Toughening of liability for violation of personal data legislation.
There are plans to strengthen administrative liability for violations of legislation on personal data. Specific amounts of fines are not yet known. Currently, the maximum fine for failure to take measures to organise the processing of personal data for legal entities is 50 basic units.
3) Empowering the Centre with the authority of an administrative process authority;
4) suspending access to Internet resources whose functioning is carried out in violation of the requirements of the Law of the Republic of Belarus of May 7, 2021 No. 99-Z ‘On personal data protection’ (dissemination of personal data without a proper legal basis, etc.);
5) elaboration of issues related to the processing of personal data, in particular, issues related to the use of video surveillance systems in certain branches (spheres) of activity.