The Personal Data Protection Law in Belarus
The Personal Data Protection Law was published on 14 May. It will enter into force in 6 months, i.e. on 15 November 2021. Within 3 months, an authorized body for personal data protection is to be established.
The Law fundamentally changes the regulations on personal data in Belarus, as formerly personal data protection legislation was lacking as such in Belarus.
Once the Law comes into force, what will change in the operation of businesses?
A definition of personal data is being implemented
Personal data means any information relating to an identified individual or an individual subject to identification.
This definition is very similar to that stipulated under the GDPR, but it is not accustomed to the Belarusian legal system. Belarus used to have a closed list of personal data, which included only information that is entered into the population register (full name, date of birth, gender, registration address, etc.). The new definition is expected to make the scope of information that will be attributed to personal data much more extensive.
A large part of the data that IT businesses handle is often data about users' devices (IP address, location, advertising identifiers (IDFA, Google Advertising ID), user behavior information (which parts of the website's user accessed and browsed). The law is still unclear as to whether such information is considered personal data, but in line with global approaches, it should be.
The precise grounds for processing personal data are specified
The processing of personal data will be possible with the consent of the data subject. In other words, the Law provides for consent as the main basis for data processing (compared to the GDPR, under which consent can only be applied if other grounds such as vital interest, contract, statutory requirements, public interest, legal interest do not apply.
Consent is not required only in the cases specified in the Law. Specifically, in the context of entering into and executing a contract with a data subject, including within the context of an employment relationship.
It should be noted that the Law does not specify the basis for data processing as a lawful (legitimate interest), which companies, in particular IT companies that operate in the European market, often referred to, for instance for mailings. By way of example, you do a mailing for your customers, offering them your services, discounts and other offers. In this case, under certain conditions according to the GDPR, you may not obtain the user's consent but refer to a legitimate interest. In Belarus, such actions can only occur with the consent of the subject.
The requirements for consent arise
Formerly, the consent had to be obtained in writing, a practically impossible process for an online business. The law solves this problem and provides that consent can be given in writing, in the form of an electronic document or other documents in electronic form, including by ticking a box.
The Law also states that the subject's consent "is a free, unambiguous, informed expression of his will by which he authorizes the processing of his personal data".
The company is subject to a number of obligations regarding the protection of personal data as follows:
1. To appoint a person or department to be responsible for the protection of personal data in the company.
2. To develop the company's personal data processing policy and to make it public accessible (including the internet).
3. To hold training for employees on handling personal data.
4. To establish a procedure for access to personal data.
5. To implement technical and cryptographic protection of personal data.
The Law regulates the transfer of personal data
Currently, Belarusian law stipulates that data transfer to third parties requires the written consent of the respective person. The Law, on the other hand, covers the relationship between the operator and the authorized person, as well as bringing in rules for the transfer of data outside of the Republic of Belarus.
In the case you entrust another person (an authorized person) with data processing on your behalf, the contract between you and the authorized person should stipulate (1) the purposes of the data processing, (2) the data handling, (3) the obligation of confidentiality, (4) the data protection measures.
Internationally, such authorized persons are referred to as "processors" and under certain conditions may include, inter alia, analytics, advertising, payment services and others.
Furthermore, the transfer of data outside the Republic of Belarus to countries that do not ensure an appropriate level of data protection (There is no list of such countries yet, but it should be developed. For the EU, for example, such countries are Belarus, the USA and others) will occur on the certain grounds. For example, where consent has been obtained from the data subject for such a transfer, on condition that the data subject has been informed of the risks of such a transfer.
The subjects are granted the rights to handle their own data
It is important for businesses to be prepared that the Law entitles users to handle their data in a certain way. The users will be entitled to withdraw consent, to receive information on data processing, to amend personal data, to receive information on the disclosure of the data to third parties, and to demand that the data be deleted or that the data be ceased to be processed.
We would like to point out that the exercise of users' rights will be rather more difficult than under the GDPR. For example, a data subject may only request information on the disclosure of their personal data to third parties once a year, and the application itself to exercise any of the rights must be submitted either in the form of a written document or in the form of an electronic document signed with an EDS. The Law also stipulates a number of requirements for the information that the data subject must provide in such an application. The GDPR, by comparison, does not require such a statement; a data subject may submit it electronically (by email, for instance), and in a free form.
The company must fulfill a request for any of the aforementioned rights within 15 days from the date of receipt, except for the provision of information (the time period for this is 5 days). The response period to a user request under the GDPR, by comparison, is 1 month, and this period may be extended.
We reiterate that as of 1 March, administrative liability is applicable in Belarus for violation of personal data protection legislation, namely for illegal collection, processing, storage or provision of personal data, violation of data subject's rights, dissemination of personal data and failure to ensure personal data protection measures.
REVERA is ready to provide full assistance in bringing your processes in compliance with the new Law, as well as to train your employees on the new rules for handling personal data.
You can contact Alena Potorskaya, Leading Associate of REVERA IT&IP practice: anp@revera.by.