Trends and climate
Would you consider your national data protection laws to be ahead of or behind the international curve?
Data protection law in Belarus is still behind the international curve. However, it is expected to be brought into line with existing international trends in the near future.
Are any changes to existing data protection legislation proposed or expected in the near future?
Yes, the new Law on Personal Data is expected to be adopted in late 2017.
What legislation governs the collection, storage and use of personal data?
The basic legislation governing the collection, storage and use of personal data is the Law on Information, Informatisation and Information Protection of 2008 (455-Z).
Scope and jurisdiction
Who falls within the scope of the legislation?
The following subjects fall within the scope of the legislation:
- the Republic of Belarus and its administrative-territorial units;
- state bodies and organisations;
- legal entities and organisations that are not legal entities;
- individuals, including individual entrepreneurs; and
- foreign states and international organisations.
What kind of data falls within the scope of the legislation?
Personal data is defined as the ‘basic’ (eg, name, date of birth and gender) and ‘additional’ (eg, tax registration, military service obligation and educational data) individual personal data that must be submitted to the Population Register under Belarusian law, as well as other data enabling the identification of an individual.
Are data owners required to register with the relevant authority before processing data?
Is there a requirement to appoint a data protection officer?
No, Belarusian law contains no such requirement, although the functions of a data protection officer may be performed in state bodies and legal entities by an employee or group of employees selected to oversee information protection.
Which body is responsible for enforcing data protection legislation and what are its powers?
Two bodies are primarily responsible for enforcing data protection legislation: the Operational and Analytical Centre under the Aegis of the President, and the Ministry of Communications and Informatisation.
The Operational and Analytical Centre under the Aegis of the President has the following powers:
- exercising state control in the sphere of interagency information exchange between state bodies;
- exercising state control and management in the sphere of technical and encrypted information protection; and
- developing drafts of legal acts and adopting acts related to technical and encrypted information protection.
The Ministry of Communications and Informatisation has the following powers:
- establishing the requirements for compatibility of information resources, information systems and information networks;
- organising the technical rate setting and standardisation of information resources, systems and networks; and
- developing and implementing the guidelines for the operation of information resources, systems and networks.
Collection and storage of data
Collection and management
In what circumstances can personal data be collected, stored and processed?
Personal data can be collected, stored and processed provided that:
- written consent is obtained from the personal data subject; and
- certain legal, organisational and technical personal data protection measures are implemented.
Technical personal data protection measures include, in particular, equipping the information systems with information protection systems which use technical and cryptographic means of protection that are certified in accordance with Belarusian law.
If state bodies and legal entities are involved, personal data can be collected, stored and processed on condition that a special department or group of employees is selected to oversee information protection.
Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?
No. However, certain restrictions pertain to employment – for example, employers must retain the personal files of employees for the period of their employment and submit them to an archive where they are stored for 75 years after dismissal.
Do individuals have a right to access personal information about them that is held by an organisation?
Belarusian law provides a direct right for individuals to access their personal information held by organisations only in regard to certain data – for example, data from the Population Register or connected with employment (eg, personal files or the labour book).
Do individuals have a right to request deletion of their data?
Belarusian law provides no direct right for individuals to request deletion of their data. However, individuals may approach the controlling authority with a notification of wrongdoing if their personal data has been illegally obtained and used.
Is consent required before processing personal data?
Yes, the written consent of the data subject is required before processing personal data.
If consent is not provided, are there other circumstances in which data processing is permitted?
Under certain circumstances, data processing without consent is permitted by state bodies. In particular, Edict 98 on Improving Transmission of Electronic Messages permits state bodies to process personal data without consent for the purpose of tackling the illegal trafficking and unlicensed supply of telecoms services.
What information must be provided to individuals when personal data is collected?
There are no specific requirements regarding what information must be provided to individuals when personal data is collected. However, the collection of personal data – including the purposes of doing so – must comply with Belarusian law.
Data security and breach notification
Are there specific security obligations that must be complied with?
The specific security obligations include legal, organisational and technical data protection measures:
- The legal measures include concluding agreements with individuals whose personal data is collected and processed. The agreements should provide the terms of personal data usage and define parties’ responsibility for breach of such terms.
- The organisational measures include establishing a special regime for entrance to the premises where the collection and processing of the personal data are carried out, and establishing a list of employees with access to such premises and data.
- The technical measures include using cryptography and other measures of control over information protection.
Are data owners/processors required to notify individuals in the event of a breach?
Are data owners/processors required to notify the regulator in the event of a breach?
Electronic marketing and internet use
Are there rules specifically governing unsolicited electronic marketing (spam)?
No rules specifically govern unsolicited electronic marketing. However, the Law on Advertising provides general rules on electronic marketing, including that it may be carried out only with the consent of the recipient and must be halted at the recipient’s earliest request. General rules on advertising and data protection also apply.
As of January 1 2016 Belarusian internet service providers must create and store data on all telecoms services activated by their users, and additional data, including:
- dates and times of connections and disconnections;
- internal and external IP addresses and terminal ports (eg, modem or answerphone);
- domain names and IP addresses visited; and
- volume of data received.
Data transfer and third parties
Cross-border data transfer
What rules govern the transfer of data outside your jurisdiction?
No specific rules govern the transfer of data outside Belarus. However, there is a general requirement that personal data can be collected, processed, stored, used and transferred only with the written consent of the individual.
Are there restrictions on the geographic transfer of data?
Do any specific requirements apply to data owners where personal data is transferred to a third party for processing?
Personal data can be transferred to a third party for processing with written consent.
Penalties and compensation
What are the potential penalties for non-compliance with data protection provisions?
Belarusian law provides no specific penalties for non-compliance with data protection provisions. However, parties that use information protection systems or technical or cryptographic means of protection that are not certified in accordance with Belarusian law face administrative liability in the form of a fine and, possibly, confiscation of the means of protection. The administrative fine can total up to 20 basic units (approximately €190) for individuals and individual entrepreneurs and up to 100 basic units (approximately €947) for legal entities.
Are individuals entitled to compensation for loss suffered as a result of a data breach or non-compliance with data protection provisions by the data owner?
No special compensation is available for loss suffered as a result of a data breach or non-compliance with data protection provisions by the data owner.
Cybersecurity legislation, regulation and enforcement
Has legislation been introduced in your jurisdiction that specifically covers cybercrime and/or cybersecurity?
No legislation specifically covers cybercrime or cybersecurity. Cybercrimes are covered by the Criminal Code as crimes against information security.
What are the other significant regulatory considerations regarding cybersecurity in your jurisdiction (including any international standards that have been adopted)?
Belarus is a party to several international treaties regarding cybersecurity (eg, the Treaty on Cooperation of CIS Member States in Combating Crime in the Computer Information Sphere and bilateral treaties on combating criminality, including cybersecurity). These treaties provide general standards of cooperation between parties for maintaining cybersecurity in their territories.
Which cyber activities are criminalised in your jurisdiction?
The following activities are criminalised in Belarus:
- unauthorised access to computerised information;
- unauthorised modification of computerised information;
- computer sabotage;
- illegal acquisition of computerised information;
- manufacture or sale of special means of gaining illegal access to a computer system;
- development, use or circulation of malicious software;
- breach of computer system or network exploitation rules; and
- theft using computer technology.
Which authorities are responsible for enforcing cybersecurity rules?
The Operational and Analytical Centre under the Aegis of the President is primarily responsible for enforcing cybersecurity rules. The Department of High-Tech Crimes Detection of the Ministry of Internal Affairs, as well as a special department of the Investigation Committee, are responsible for dealing with cybercrimes.
Cybersecurity best practice and reporting
Can companies obtain insurance for cybersecurity breaches and is it common to do so?
It is uncommon to obtain insurance for cybersecurity breaches, although it is theoretically possible.
Are companies required to keep records of cybercrime threats, attacks and breaches?
Are companies required to report cybercrime threats, attacks and breaches to the relevant authorities?
Are companies required to report cybercrime threats, attacks and breaches publicly?
Criminal sanctions and penalties
What are the potential criminal sanctions for cybercrime?
The potential criminal penalties for crimes against cybersecurity depend on the crime and may take the form of:
- a fine;
- deprivation of the right to hold certain offices or to engage in certain activities;
- seizure of property;
- restriction of liberty for up to five years; and
- imprisonment for up to 10 years.
What penalties may be imposed for failure to comply with cybersecurity regulations?
The penalty for failure to comply with cybersecurity regulations (ie, gaining unauthorised access to computerised information) is an administrative fine of up to 50 basic units (approximately €473).