1. The Law
1.1. Key Acts, Regulations, Directives, Bills (only if highly likely to become law)
- The Constitution of the Republic of Belarus of 1994 (available in English (non-official translation) here);
- Law of 10 November 2008 No. 455-Z on Information, Informatization and Data Protection (available in Russian here) (‘the Law on Information’).
Belarusian laws provide specific rules regulating relations connected with certain types of limited information, including personal data. At the same time, existing Belarusian data protection legislation is rather uncoordinated and lags behind international trends in the sphere of data protection. Nevertheless, in recent years the draft Law on Personal Data (available in Russian here) (‘the Draft Personal Data Law’) was prepared. In 2019 it was adopted by the lower chamber of the Belarusian parliament. Therefore, we expect that the Draft Personal Data Law may be adopted by the middle of 2020 and come into force within one year. In many aspects the Draft Personal Data Law follows the basic concept of the EU’s General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’), including the main principles to ensure data privacy; however, it is not as detailed and mostly uses different terminology compared to the GDPR. Once the Draft Personal Data Law is adopted and enters into force, it will introduce the key principles and create the general legal framework of the personal data protection system in Belarus.
1.2. Guidelines
Currently there are no official personal data protection guidelines of a general nature in Belarus. However, if the Draft Personal Data Law enters into force, the authorised data protection state body, appointed by the President of the Republic of Belarus, will have the right to give official clarifications and interpret provisions of the personal data legislation.
1.3. Case Law
Usually information regarding case practice on violations of confidentiality requirements is not publicly available. To the best of our knowledge, in Belarusian court practice, claims specifically referring to violations of personal data protection requirements are rather rare.
2. Scope of Application
2.1. Who do the laws/regs apply to?
Currently the Law on Information is the key legal act providing the framework regulations related to the collection, storage, usage, processing and transfer of data, including personal data. It also establishes key legal principles of information relations in Belarus. In particular, the Law on Information regulates relations associated with:
- search, access, transfer, collection, processing, accumulation, storage, distribution, provision and usage of information;
- creation and usage of information technologies, information systems and networks, forming of information resources;
- organisation of and ensuring information protection.
According to the Law on Information, information may fall into two categories depending on access regime: publicly available information and information limited for distribution and/or provision (limited information).
According to the Draft Personal Data Law the following issues will be covered, once it is adopted:
- the collection, processing, distribution, provision of personal data performed by operators with the use of automation means (tools); and
- non-automated collection, processing, distribution, provision of personal data by operators, if the respective information is systemised in such a way that personal data can be searched or accessed on the basis of certain criteria (for example, in lists, catalogues, databases).
The Draft Personal Data Law will not apply to relations connected with the usage of personal data for household and personal (non-commercial) purposes.
The following subjects (parties) fall under the scope of the Law on Information:
- the Republic of Belarus and its administrative-territorial units;
- state bodies and organisations;
- legal entities and other organisations;
- individuals, including individual entrepreneurs;
- foreign states and international organisations.
The Draft Personal Data Law provides for the following key roles of the parties participating in collection, processing, distribution, provision of personal data and ensuring data protection measures:
- a personal data subject;
- an operator;
- a person appointed by the operator (or operator’s organisational unit) responsible for the organisation of collection, processing, distribution, provision of personal data; other operator’s employees;
- third parties who receive access to personal data;
- a party collecting, processing, distributing, providing personal data under authorisation of the operator;
- a state body specifically authorised to regulate personal data protection relations (personal data protection authority).
2.2. What types of processing are covered/exempted?
The Law on Information covers a wide range of regulated actions notwithstanding the type of data at issue, including search, receipt, transfer, collection, processing, accumulation, storage, distribution, provision of the information and its use. However, the rules set by the Law on Information in this part are rather incomplete and are not unified with respect to certain types of data. Also, the named types of actions are not defined precisely in Belarusian legislation. The Personal Data Law, once adopted, will cover the following types of regulated actions with personal data:
- collection;
- distribution (disclosure of personal data to an indefinite number of persons);
- provision (disclosure of personal data to a certain person or limited number of persons);
- processing that includes any other type of actions except those indicated above (for example, systematisation, storage, alteration, usage, anonymisation, blockage and deleting).
3. Data Protection Authority | Regulatory Authority
3.1. Main regulator for data protection
Currently, there is no separate government body in Belarus specifically authorised to regulate data protection issues. According to the Law on Information, general governance in the sphere of information protection is performed by the President and the Council of Ministers of the Republic of Belarus. They lay down basic requirements and ensure a unified state policy in the sphere of data protection.
The Draft Personal Data Law provides for the establishment of a state body (‘the Data Protection Authority’) specially authorised to regulate relations with personal data and ensure compliance with personal data protection requirements. According to the Draft Personal Data Law the Data Protection Authority will be appointed by the President of the Republic of Belarus.
Other State Authorities
In general (notwithstanding the type of data at issue) the following state authorities are involved in regulating relations with data and data protection issues:
- The Operational and Analytical Centre Under the Aegis of the President of the Republic of Belarus (‘OAC’);
- The Ministry of Communications and Informatisation of the Republic of Belarus (‘the Ministry of Communications’).
Compliance with the legislative requirements related to the protection of confidentiality of certain types of data is controlled by specially authorised state bodies, for example, the National Bank of the Republic of Belarus with respect to banking secrecy and the Ministry of Justice with respect to attorney-client privilege.
3.2. Main powers, duties and responsibilities
Currently the OAC is one of the key state bodies regulating data protection issues, including personal data protection. The OAC performs the following functions:
- carries out state regulation in the sphere of inter-agency (inter-governmental) information collaboration and interaction on the basis of inter-agency and other state information systems, including their operation and improvement;
- performs state regulation and control over technical and cryptographic information protection;
- participates in the development and adoption of legal acts regulating issues of technical and cryptographic information protection.
The OAC also controls and regulates activities connected with the collection, actualisation and provision of personal data of administrators of domain names in the Belarusian domain zone.
The Ministry of Communications is another key state body involved in the regulation of information relations. It lays down and performs unified state policy in the sphere of informatisation, regulates technical standardisation and ensures standards and requirements for the creation and usage of information resources, systems and networks.
The State Committee for Standardisation of the Republic of Belarus and the National Academy of Science of the Republic of Belarus are involved in the drafting and development of legal acts introducing technical data protection requirements.
The Draft Personal Data Law provides for creation of the Data Protection Body that will have the following key functions:
- monitor the collection, processing, distribution and provision of personal data by operators and take associated measures to protect the rights of personal data subjects;
- decide claims of personal data subjects;
- prevent violations of the legislation on personal data protection;
- issue permits for cross-border transfer of personal data;
- provide interpretations of the provisions of the personal data protection legislation.
4. Key Definitions | Basic Concepts
- Personal Data, Sensitive Data
- Data Controller
- Data Processor
- Other
Personal Data: According to the Law on Information, personal data is defined as data of an individual (natural person) that could be divided into three categories:
- basic personal data submitted to the Belarusian Population Register;
- additional personal data submitted to the Belarusian Population Register;
- other data enabling identification of respective individual.
Basic Personal Data: Includes a person’s ID-number; name, second name and surname; gender; date and place of birth; digital photo; information regarding citizenship; information regarding registration at the place of residence and/or stay; information regarding death or recognition of a person to be dead, untraceable, incapable or partially capable.
Additional Personal Data: Includes information regarding a person’s parents, guardians, marital status, spouse, children, higher education, scientific degree and rank, occupation, pension, tax obligations, military service obligations, disability, etc.
The definition of any other data enabling identification of the individual is not limited to any particular types of personal data. Moreover, currently there is no unified understanding in Belarusian legislation or legal theory as to whether such information as mobile telephone number, email address, IP-address identifier can be considered personal data.
The Draft Personal Data Law provides for an updated definition of personal data. It defines personal data as any information related to an identified natural person or a natural person that could be identified on the basis of such information.
Sensitive Data: The Belarusian legislation in force does not contain a definition of sensitive data. Generally, the Law on Information divides information into two types: publicly available information and limited information.
Limited information: Includes the following types:
- information about a natural person’s private life and personal data;
- state secrets;
- service information with limited circulation (as a general rule, the list of such information is determined by the Resolution of the Council of Ministers of the Republic of Belarus and in the laws; respective files are marked with ‘for official use’);
- trade secrets, professional, banking secrecy and other secrets protected by laws;
- information contained in files related to administrative offences and criminal cases until completion of respective (administrative or criminal) proceeding;
- other information limited for access by the legislative acts.
If the Draft Personal Data Law is adopted, the definition of ‘Special Personal Data’ (which in our opinion is rather similar to the concept of sensitive data) will be introduced in Belarusian legislation for the first time. According to the Draft Personal Data Law, special personal data includes data related to:
- race;
- nationality;
- political, religious and other convictions;
- health and sexual activity;
- records of criminal conviction;
- biometric personal data;
- genetic personal data.
Data Controller | Data Processor: There is no definition of either ‘data controller’ or ‘data processor’ in the Law on Information. The Law on Information contains definitions of, and sets requirements for, the following subjects in the sphere of information relations:
- an ‘information owner’ is a party to information relations which receives the rights of an owner of information on grounds provided by law or by an agreement;
- an ‘operator of an information system’ is a party to information relations operating an information system and/or providing information services with the use of an information system;
- a ‘user of information’ is a party to information relations obtaining, distributing and/or providing and performing the right to use information;
- an ‘information intermediary’ is a party to information relations providing information services to users and/or owners of the information;
- a ‘user of an information system and/or information network’ is a party to information relations which has obtained access to and is using an information system and/or information network;
- a ‘possessor of software and technical means, information resources, information systems and networks’ is a party to information relations performing the rights of possession, usage and disposal of respective software and technical means, information resources, information systems and networks within the limitations and in order defined by their owner according to Belarusian legislation;
- an ‘owner of software and technical means, information resources, information systems and networks’ is a party to information relations performing the rights of possession, usage and disposal of respective software and technical means, information resources, information systems and networks.
With respect to limited information, Belarusian laws generally require any person or entity obtaining such information to keep it confidential (notwithstanding the grounds on which it was obtained). This information can be disclosed only in cases provided by the legislation.
The Draft Personal Data Law also does not contain the definitions of data controller and data processor. However, it will introduce the following definitions (which to a certain extent are similar to the concepts of data controller and data processor):
- an ‘operator,’ which is a state authority, natural person, including an individual entrepreneur, Belarusian legal entity, or other organisation, that independently or jointly with other named persons/entities performs one or several of the following actions with personal data: collection, processing, distribution, provision; and
- the party, collecting, processing, distributing or providing personal data under authorisation of the operator. Respective authorisation could be based either on the agreement or on the legal act or decision of the operator which is the state body.
Other: Not applicable.
5. Notification | Registration
5.1. Requirements and brief description
Generally, data owners and processors in Belarus are not required to notify any state authority about the processing of data or register with such authorities in this regard. The Draft Personal Data Law adds nothing new in this respect. At the same time, it authorises the Data Protection Authority to issue permits on cross-border transfers of personal data, if under the legislation such transfer, as a general rule, is not permitted.
6. Data Controller Rights and Responsibilities
The Law on Information imposes certain obligations on, and provides certain rights to, the above-described parties involved in information relations. However, provisions related to respective rights and obligations are rather uncoordinated, not further developed in other legal acts and therefore mostly not effective. Examples of such rights and obligations associated with data processing and protection are outlined below.
The information owner is entitled to:
- permit or limit access to the information, determine procedure and conditions of such access under the legislation;
- determine the conditions of processing and usage of data in information systems and networks;
- take data protection measures.
The information owner is obliged to:
- take data protection measures in cases provided by the legislation;
- limit and (or) prohibit access to the information in cases provided by the legislation;
- ensure security of limited information.
The owner of an information resource is entitled to:
- provide another person/entity with the rights to possess and use information resources;
- determine the rules of processing of information, usage of information resources;
- determine conditions for disposal of documented information, if the information is distributed and (or) provided under the agreement.
The owner of information resource(s), as well as the possessor of information resources, systems and networks, is obliged to take information protection measures with respect to processed information.
The operator of an information system is entitled to:
- operate (exploit) information systems following the procedure and on conditions determined by the agreement concluded with the owner of such systems;
- determine the procedure of operation (exploitation) of the information system (if the operator is the owner of the system).
The operator of an information system is obliged to:
- ensure integrity and safety of the information processed in respective information system;
- take measures to prevent the disclosure, loss, distortion, destruction, modification and blockage of legally permitted access to such information and, if required, take measures to restore lost information.
General Obligations
With respect to certain types of data, the Law on Information provides more specific requirements. For example, personal data and information on a person’s private life shall be collected, processed, stored, used and transferred to a third party only with the written consent of the person. In addition, the Law on Information provides for a classification of data protection measures that should be undertaken with respect to such information. These measures include:
- legal measures, including conclusion of the agreements between the owner and user of the information containing conditions of data usage. Such agreements should contain provisions on liability of parties to the agreement for breach of the conditions of data usage;
- organisational measures, including establishing a special entrance regime to premises used for collection and processing of data, differentiation of access levels to such information;
- technical measures, including the usage of cryptography and technical means of information protection and control.
Limited information
Limited information (see Section 4) (except for state secrets) should be processed in information systems having systems of information protection certified according to the procedure established by the OAC. This requirement also applies to the processing of personal data, since personal data is classed as limited information.
Operator’s obligations under the Draft Personal Data Law
Under the Draft Personal Data Law an operator in connection with collection, processing, distribution and provision of personal data shall fulfil the following key obligations:
- give clarifications to the personal data subject regarding his/her rights related to collection, processing, distribution and provision of personal data;
- obtain consent from the personal data subject for the above-mentioned actions with his/her personal data;
- provide personal data subjects with the information regarding their personal data and provision of the data to third parties;
- upon request of personal data subject amend (update) their personal data, if such data is incomplete, obsolete or inaccurate;
- terminate the performance of the above-mentioned actions with personal data, and delete (block) such personal data in cases provided by law;
- ensure the protection of personal data during the term of their collection, processing, distribution and provision;
- notify the Data Protection Authority about damage to personal data security systems according to the legislation;
- fulfil the requirements of the Data Protection Authority on the elimination of breaches of the personal data legislation.
7. Data Processor Rights and Responsibilities
Not applicable, based on the legislation currently in force. As to the provisions of the Draft Personal Data Law, it imposes the following obligations on the party collecting, processing, distributing or providing personal data under the authorisation of an operator:
- take measures with regard to personal data protection;
- fulfil its obligations under the agreement concluded with the operator with respect to the collection, processing, distribution and provision of personal data;
- remain responsible before the operator for performance of the above obligations.
At the same time, the party collecting, processing, distributing or providing personal data under the authorisation is not responsible for obtaining consent from the personal data subject for respective actions with his/her personal data, if such consent is required. This obligation is imposed on the operator.
8. Data Controller and Processor Agreements
How are data controller and processor relationships managed through contractual agreements and what liabilities are attached?
Generally, the Belarusian legislation in force does not specifically regulate contractual relations that could arise in connection with processing of data on the basis of an agreement. The Law on Information determines that the owner and user of information may conclude an agreement providing for the conditions of usage of the information as a measure of information protection. Such an agreement should contain provisions about liability of the parties for violation of respective conditions.
According to the Draft Personal Data Law an operator may authorise another person or entity for the collection, processing, distribution of personal data based on an agreement. The agreement between the operator and the authorised party shall contain the following provisions:
- a list of actions (i.e. collection, processing, distribution, provision) with personal data that could be performed by the authorised party;
- the purposes of the above-mentioned actions;
- confidentiality obligations with respect to personal data; and
- data protection requirements.
Notwithstanding the terms of the agreement, the operator (but not the authorised party) is obliged to obtain consent from the personal data subject for respective actions with his/her personal data.
9. Data Subject Rights
The Law on Information does not contain any systematised list of data subject rights. According to the general rule of the Law on Information, no one shall have the right to demand from an individual information about his/her personal life and personal data, including information that constitutes private and family secrecy, privacy of correspondence, phone and other conversations, information about his/her health. Accordingly, no one can be authorised to obtain such information other than in accordance with the will of the individual.
Rights of Information Owners
The Law on Information provides for the status of the information owner (see definition in Section 4 above). The information owner is entitled to:
- prohibit or suspend the processing of information and/or its usage in case of non-compliance with the data protection requirements;
- apply to state authorities for evaluation and examination of the correctness and sufficiency of undertaken data protection measures, as well as for related consultations;
- use, distribute and provide respective information;
- permit and restrict access to the information and determine conditions for such access;
- claim to be identified as a source of information if it becomes publicly available under data owner’s decision;
- determine the conditions for processing and usage of information in information systems and networks;
- provide the rights to use information according to the legislation or based on the agreement;
- protect its rights in the case of unlawful obtainment or usage of the information by third parties;
- take data protection measures.
The rights described above are general in nature and are mostly not elaborated through concrete legal requirements on data protection and processing depending on the type of processed information. For example, under the Law on Information an individual may not request deletion of his/her personal data. However, individuals may approach the controlling authority with notification about wrongdoing if their personal data has been illegally obtained and used.
The rights of the personal data subject will be systematised once the Draft Personal Data Law is adopted. The list of rights will include the following:
- the right to request from the operator information regarding data subject’s rights in connection with the collection, processing, distribution and provision of personal data;
- the right to give consent for the above named actions (except for anonymisation) with his/her personal data and withdraw such consent;
- the right to be familiarised with his/her personal data and require amending of such data as provided by law;
- the right to obtain information regarding provision of his/her personal data to any third party;
- the right to require termination of the above named actions with his/her personal data and also require deleting such data in the following cases:
  - absence of grounds for their collection, processing, distribution, provision;
  - if the above named actions with personal data are not required for stated goals of respective actions;
  - in cases of expiration of the term within which named actions with personal data were permitted;
- the right to appeal against actions (inaction) and decisions of the personal data operator (party authorised by the operator for the collection, processing, distribution of personal data) to the Data Protection Authority.
10. Data Protection Officer
10.1. DPO – compulsory appointment (yes/no)
The Law on Information does not provide for a general requirement on compulsory appointment of a data protection officer. In the meantime, an organisation or other party processing limited information (except for state secrets) in an information system is obliged to create an information protection system to secure information in the system. The information protection system should be certified according to the procedure established by the OAC. As a part of the creation of such a system the party may be required to establish a special organisational unit (e.g. department, division), appoint a responsible official, or involve an independent contractor licensed to perform activities in the sphere of information protection that will perform technical works associated with the creation of such a system.
The Draft Personal Data Law, once adopted, will oblige an operator to designate a special organisational unit (e.g. department, division) or appoint a person responsible for arranging the collection, processing, distribution and provision of personal data. However, the Draft Personal Data Law does not specify any additional requirements for such a unit/person.
10.2. Requirements
Not applicable.
11. Data Breach Notification
11.1. General obligation (yes/no)
The Law on Information does not provide for a general obligation to notify any authority, individuals or any other data subjects of a data breach, including in case of unlawful disclosure or use of personal data. Certain requirements on notification of the OAC are set for specific cases of breaches of an information protection system and the inability to remove such a breach within five working days. Respective requirements are set forth in the Regulations on the Procedure of Technical Information Protection in Information Systems, Intended for Processing of the Information Limited for Distribution and/or Provision, not related to State Secrets, approved by the Order of the OAC of 30 August 2013 No. 62 (available in Russian here). Moreover, notification requirements may be imposed in specific legislation regulating processing of certain types of limited information. For example, in cases of unlawful disclosure, use or other unlawful breach of confidentiality of trade secrets, the recipient of the information is obliged to notify the owner of the trade secrets without delay.
If the Draft Personal Data Law is adopted, a respective obligation will be introduced with respect to personal data. The operator will be obliged to inform the Data Protection Authority of any breach in personal data protection systems immediately, but in any case not later than within three days. Exceptions from this requirement may be established by the Data Protection Authority.
11.2. Sectoral obligations
Not applicable.
12. Sanctions
Criminal liability
Criminal sanctions in Belarus for the disclosure of specific types of limited and other confidential information could be imposed only on a natural person and in cases provided by the Criminal Code of the Republic of Belarus (available in Russian here) (‘the Criminal Code’). The Criminal Code contains sanctions for various violations related to the disclosure of certain types of limited/confidential information, for example:
- for intentional disclosure of adoption secrecy, a person could be sentenced to community works, criminal fine (as a general rule, the amount of a criminal fine is 30-1,000 base units (approx. €340-€11,200)), or corrective works for up to one year;
- for intentional disclosure of medical secrecy (depending on certain circumstances), a person could be sentenced to criminal fine, deprivation of the right to occupy certain job positions, arrest, restriction or deprivation of liberty for up to three years;
- for unlawful collection or distribution of information of private life, related to personal or family secrecy of another person without his/her consent (depending on certain circumstances), a person could be sentenced to community works, criminal fine, arrest, restriction or deprivation of liberty for up to three years;
- for intentional unlawful violation of privacy of correspondence, phone, postal, telegraph and other communications (depending on circumstances), a person could be sentenced to community works, criminal fine, corrective works for up to one year, arrest, deprivation of the right to occupy certain job positions or deprivation of liberty for up to two years;
- for intentional unlawful disclosure of trade secrets or banking secrecy without consent of the owner of such information (depending on certain circumstances), a person, who obtained this information in connection with his/her professional activities, could be sentenced to criminal fine, deprivation of the right to occupy certain job positions, arrest, restriction or deprivation of liberty for the term of up to 3 years. The criminal responsibility is imposed if the person performed the violation due to mercenary interests and respective violation caused large damage.
The Criminal Code also provides for the criminal sanctions for unlawful actions associated with breach of security of technological (computer) systems and not connected with the disclosure of confidential information, for example:
- unauthorised access to information stored in a computer system, network accompanied by a violation of the data protection system;
- unlawful modification of information stored in a computer system or network;
- unlawful destruction or blocking of computer information;
- unlawful obtainment of computer information.
Administrative liability
The Administrative Offences Code of the Republic of Belarus (available in Russian here) (‘the Administrative Offence Code’) is similar to the Criminal Code in that it establishes sanctions for the unlawful disclosure of certain types of confidential information as well as for unlawful actions associated with a breach of computer systems or unlawful usage of systems intended for data processing. At the same time, administrative offences are minor compared to criminal offences, and administrative sanctions are correspondingly less severe. Examples of unlawful actions associated with the disclosure of limited/confidential information prohibited by the Administrative Offence Code are:
- intentional disclosure of commercial or other legally protected secrets, or intentional unlawful disclosure of personal data (including disclosure without consent of the owner of such data), by a person who became familiar with this information in connection with his/her professional activity (if such disclosure does not fall under criminal sanctions). For this violation the infringer may be subject to a fine of 4-20 base units (approx. €45-225);
- unlawful usage or disclosure of the information included in the register of securities owners, or information regarding results of financial and economic activities of securities’ issuers. For this violation the infringer may be subject to a fine of 4-20 base units (approx. €45-225);
- unlawful disclosure of service information, or loss of the documents or computer data containing such information through negligence of the infringer. For this violation the infringer may be subject to an administrative fine of 4-20 base units (approx. €45-225).
Examples of violations associated with a breach of computer systems or unlawful usage of systems intended for data processing are:
- unauthorised access to computer information stored in a computer system or network; and
- usage of information systems, databases and data protection means that are not attested according to applicable technical regulations (standards), where attestation is required under the legislation.
Civil liability
As a general rule, civil liability in the form of monetary compensation of damages is imposed only in cases explicitly provided by law, for example, in the case of unlawful disclosure of trade secrets. The Law on Information does not provide for civil liability for the collection, processing and transfer of personal data without consent of the data subject. In practice, the same applies to processing of personal data without implementation of any specific data protection measures. The Draft Personal Data Law, once adopted, will establish compensation for non-pecuniary damage to a personal data subject where such damage is caused by a violation of his/her rights with respect to personal data.
13. Additional Relevant Topics
13.1. Data Transfers and Outsourcing
As a general rule, the Law on Information does not specifically regulate international data transfer and outsourcing issues. If the Draft Personal Data Law enters into force, international transfer of personal data will become regulated. According to the general rule provided by the Draft Personal Data Law, cross-border transfer of personal data to countries not ensuring sufficient measures of personal data protection is prohibited. The list of such countries will be determined by the Data Protection Authority. The Draft Personal Data Law provides for exceptions under which transfer to these jurisdictions will be permitted, for example, with the consent of the personal data subject or under an individual permit for cross-border transfer issued by the Data Protection Authority.
13.2. Employment
General requirements related to the collection, processing, storage, usage and transfer to a third party of personal data, as described above, are also applicable to employees’ personal data. The Draft Personal Data Law does not add anything in this respect. However, certain additional requirements related to the collection, systematisation and storage of employees’ personal data included in the personal files of such employees are provided by the Instruction on Formation, Maintenance and Storage of Personal Files of Employees, approved by the Resolution of the Committee on Archives and Recordkeeping at the Council of Ministers of the Republic of Belarus of 26 March 2004 No. 2 (available in Russian here) (‘Instruction on Personal Files’). According to the Instruction on Personal Files, paper files of an employee (containing, among other information, the employee’s autobiography, copies of the documents on education, advanced training and retraining, and an order (resolution) on appointments to positions) should be kept in the company’s HR department and recorded in a special journal (register). Personal files of dismissed employees are kept in the archive for 75 years.
13.3. Data Retention
In this section we understand ‘data retention’ in the context of legislative requirements related to the obligatory or permitted term of storage of received or collected data. Currently the terms for the obligatory storage of different types of data are regulated in general by the legislation on archiving and records management. For example, the terms for storage of different types of documents of the National Archives of the Republic of Belarus (including documents on the appointment of employees to job positions and their dismissal, correspondence on companies’ administrative and operational issues, etc.) are provided by the List of Standard Documents of the National Archives of the Republic of Belarus, Prepared in Cause of Functioning of State Authorities, Other Organisations and Individual Entrepreneurs with Indication of the Terms for Their Storage, approved by the Resolution of the Ministry of Justice of the Republic of Belarus of 24 May 2012 No. 140. Such documents may contain limited/confidential information (e.g. personal data, trade secrets).
The Draft Personal Data Law, once adopted, will establish a general rule according to which personal data may not be collected, processed, distributed or provided in the absence of grounds for such actions provided by the legislation. The law would provide for a specific right of a personal data subject to request deletion of his/her personal data if the grounds cease to apply, for example, where the term of the data subject’s consent to processing of his/her personal data has expired.
14. Other Specific Jurisdictional Issues
Data processing and confidentiality requirements associated with certain types of limited/confidential information are covered in specific legal acts. Provisions of such legal acts may apply in addition to the requirements of the Law on Information and the other above-mentioned legal acts. The following are among such specific legal acts:
- The Law on Population Register of 21 June 2008 No. 418-Z contains a general definition of personal data and provides for the categories of such data;
- The Law on Healthcare of 18 June 1993 No. 2435-XII contains a definition of medical secrecy, requirements and limitations to the provision of information regarding patients’ health (available in Russian here);
- The Law on Advocacy and Activities of Advocates in the Republic of Belarus of 30 December 2011 No. 334-Z provides for the definition of advocate’s secrecy (attorney-client privilege) and associated confidentiality requirement, describes situations when respective information could be disclosed (available in Russian here);
- The Law on Trade Secrets of 5 January 2013 No. 16-Z provides for the definition and key features of trade secrets, determines information that cannot be classified as a trade secret (for example, information regarding payable taxes, number of employees and labour conditions, violations of laws, etc.), outlines the requirements that must be followed in order to establish a trade secrets regime and protective measures in relations with employees and counter-parties, and describes situations when disclosure of trade secrets without consent of the owner is permitted (available only in Russian here).
Specific requirements are also established with respect to banking secrecy, insurance secrecy, tax secrecy and service information with limited circulation. As a general principle, such information should be kept confidential by any person obtaining it and may be disclosed in cases specifically provided by law. Processing of state secrets falls under a specific regulatory regime.
This material was originally provided for OneTrust DataGuidance; view more here.