The PDP, A New Standard for Data Privacy Rights in Belarus
The Law of 7 May 2021 No. 99-Z on Personal Data Protection, known as the PDP for short, is a data protection law that was recently passed in Belarus in May of 2021 and comes into effect in November of 2021. As Belarus is not a member of the European Union, the country does not fall under the jurisdiction of the General Data Protection Regulation or GDPR. Instead, the PDP provides data subjects within Belarus with a level of protection similar to that offered to residents of EU member states through the General Data Protection Regulation. As such, the PDP lays out the requirements and obligations for data controllers and processors within Belarus as they relate to the collection, processing, and disclosure of personal data.
What is the scope and application of the PDP?
In terms of personal scope, the PDP differs from many other data privacy laws around the world in that it sets forth various categories of individuals who are involved in data processing, as opposed to simply data controllers and processors. To this extent, the PDP sets the following roles with respect to the collection, processing, use, transfer, distribution, and disclosure of personal data within Belarus:
- Data subjects.
- Authorized individuals who process personal data on behalf of and in the interest of operators.
- Individuals appointed by operators, or their organizations, that are responsible for the control and processing of personal data.
- State bodies that are specifically authorized to regulate the collection and processing of personal data, such as the Data Protection Authority or DPA for short.
By contrast, the PDP does not specify any territorial scope: the provisions of the law are applicable to data that is processed within Belarus, while the definition of operator theoretically includes foreign data controllers and processors. However, clarification concerning the territorial scope of the law is expected to be provided in the future. Additionally, the material scope of the PDP covers all personal data that is processed within Belarus, irrespective of whether said processing is done using automated or non-automated methods or tools.
What are the obligations of individuals and organizations under the PDP?
In keeping with the similarities between the PDP and the EU’s GDPR law, the PDP also establishes various principles in regard to the safeguarding of personal data. These principles include:
- The legality of data processing is based on either law or the consent of applicable data subjects.
- The proportionality of data processing in relation to the stated purposes for processing, as well as the respect for the interests of applicable data subjects.
- The limitation of the processing of personal data in accordance with the specified and legitimate purpose for processing. These purposes must be stated to data subjects in advance of processing.
- The transparency of the processing of personal data, including providing data subjects with all relevant information.
- The accuracy of personal data that is collected and processed, as well as the actualization of this personal data, where necessary.
- The limitation of the storage of personal data, in relation to the period of time that is required by the stated purposes for data processing.
What are the rights of data subjects under the PDP?
As one of the main reasons for the passing of the PDP was to ensure that data subjects within Belarus were provided with a similar level of data protection and privacy as is afforded to citizens of EU member states, the PDP offers many of the same rights as are offered by the General Data Protection Regulation. Such rights include the right to be informed, the right to access, the right to rectification, and the right to erasure. Additionally, the PDP also provides data subjects with the right to object or opt out of consent, the right not to be subject to data processing decisions made solely on the basis of automated processing, and the right to data portability. What’s more, the PDP also provides Belarusian citizens with the right to both permit and restrict access to their personal data, as well as to determine the conditions under which their personal data can be processed.
In terms of the punishments that can be imposed against individuals and organizations who fail to maintain compliance with the law, the PDP is enforced by the Belarusian Data Protection Authority or DPA for short. To this end, the PDP contains provisions that allow for criminal, civil, and administrative liabilities to be brought against parties who violate the law. As such, punishment for non-compliance under the law includes:
- Civil liability in the form of damages and monetary compensation.
- The deprivation of the right to occupy certain job positions, arrest, or the restriction or deprivation of his/her liberty for up to three years.
- Corrective work for up to one year, arrest, or the restriction of liberty for up to two years, or deprivation of liberty for up to one year.
- A monetary fine ranging from BYN 1,450 ($566) to BYN 5,800 ($2,264).
As the nation of Belarus is not a part of the European Union and has not ratified the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data or Convention 108 for short, the country needed a law that would provide its citizens a level of data protection that was on par with their European counterparts. This was achieved through the passing of the PDP in May of this year, as the provisions of the law are vast and the punishments for failing to comply with these provisions are steep. As such, Belarusian citizens can have the peace of mind that their personal data and by extension their personal privacy are being protected at all times.