Relationships between Controllers and Authorised Persons in the Processing of Personal Data
In October 2025, the National Centre for Personal Data Protection of the Republic of Belarus (the “Centre”) published updated recommendations on the relationship between controllers and authorised persons when processing personal data (the “Recommendations”).
First and foremost, a controller is an entity (a legal entity or an individual, as well as a state body) that processes personal data in its own name and for the purposes of carrying out its professional or entrepreneurial activities.
An authorised person is an entity that processes personal data not for the purposes of its own activities, but in the interests of the controller or on its behalf.
The amendments introduced into the Recommendations affected such aspects of the relationship between controllers and authorised persons in the processing of personal data as: the status of the controller and the authorised person; the agreement between the controller and the authorised person; the engagement of an authorised person that is a resident of a foreign state; and others.
Below we consider the main changes.
1. Status of the controller and the authorised person
The main differences between the statuses of the controller and the authorised person are as follows:
- The controller independently decides which personal data should be processed and for what purposes;
- The authorised person acts on the basis of the controller’s instructions or instructions/mandate.
- The controller organises and carries out (in full or in part) the processing of personal data;
- The authorised person carries out the processing within the framework of the process organised by the controller.
- The controller bears direct responsibility towards the individual whose data is being processed;
- In the event of violations, the authorised person bears responsibility towards the controller.
| By way of example: LLC “A” entered into an agreement with LLC “B” for the provision of bookkeeping/accounting services. In this case, LLC “A” acts as the controller and LLC “B” as the authorised person. Thus, LLC “B” will obtain access to certain personal data of LLC “A”’s employees and counterparties; however, LLC “B” may process such data only for the purposes of providing the bookkeeping/accounting services. If, for instance, LLC “B” breaches the procedure governing its employees’ access to LLC “A”’s data and a minor data leak occurs, LLC “B” will be liable directly to LLC “A” for breach of the service-provision arrangements. LLC “A”, in turn, will be held liable for breach of personal data legislation and will also bear responsibility towards the individuals affected by such leak. |
2. Agreement between the controller and the authorised person
The relationship between the controller and the authorised person is formalised by concluding an agreement. Law of the Republic of Belarus No. 99-Z dated 7 May 2021 “On Personal Data Protection” (the “Law”) sets out a list of mandatory terms for such agreements; however, the Centre’s clarifications provide additional recommendations.
In particular, it is proposed that the agreement should include provisions on:
- the authorised person’s engagement of other persons for the processing of personal data;
- the mechanism for the authorised person’s participation in the controller’s fulfilment of its obligations towards personal data subjects;
- and the authorised person’s obligation, upon expiry of the agreement, to cease processing of the relevant personal data.
3. Authorised person resident in a foreign state
Pursuant to the Law, it is permissible to engage authorised persons that are residents of foreign states. In such case, a cross-border transfer of data arises; therefore, it is necessary to ensure that the foreign state to which the data is transferred provides an adequate level of personal data protection. The list of such states is approved by the Centre.
We note that, pursuant to the Centre’s updated Recommendations, an agreement between the controller and an authorised person that is a foreign organisation is concluded irrespective of whether the foreign state ensures an adequate level of personal data protection. In addition, it is established that the controller bears responsibility for personal data leaks committed by the authorised person outside the Republic of Belarus.
4. What else has changed in the Recommendations?
A detailed procedure has been provided for determining the status of persons who process personal data or may potentially process it, including sub-authorised persons, employees of organisations, and contractors under civil law contracts;
The models of relationships have been expanded and clarified:
- between the controller and authorised persons;
- between a controller and another controller;
- Emphasis has been placed on the need for the controller to ensure the protection of data subjects’ rights and on the controller’s liability for the actions of the authorised person.
Authors: Liudmila Yepikhava, Aliaksandra Mahlysh.
In the context of updates to regulatory approaches to the processing of personal data, it is advisable for controllers and authorised persons to review existing contractual models and internal procedures.
The REVERA legal team is ready to provide legal support in analysing and bringing such processes into compliance with the regulator’s current clarifications.
Contact a lawyer for further information
Contact a lawyer