National Data Privacy Legislation

Belarus: Law on the protection of personal data [2021] NDPrivLegis 4 (21 April 2021)

LAW OF THE REPUBLIC OF BELARUS
7 May 2021, no. 99-Z

On the protection of personal data

Adopted by the House of Representatives on 2 April 2021
Ratified by the Council of the Republic on 21 April 2021
The purpose of the present Law is to ensure the protection of the personal data, rights and freedoms of natural persons in the processing of their personal data.

CHAPTER 1
GENERAL PROVISIONS

Article 1. Main terms used in the present Law and their definition
The main terms used in the present Law and their definitions are as follows:
biometric personal data – information characterising the physiological and biological make-up of an individual which are used for their unique identification (fingerprints, palm prints, iris, facial features and imaging etc);
blocking of personal data – prevention of access to personal data without their deletion;
genetic data – information relating to the inherited or acquired genetic characteristics of an individual which contains unique data on their physiology or health and may be detected inter alia when analysing a biological sample thereof;
anonymisation of personal data – activities making it impossible, without the use of additional information, to determine that the personal data belongs to a specific data subject;
processing of personal data – any action or series of actions performed on personal data, including the gathering, systematisation, storage, modification, use, anonymisation, blocking, distribution, provision and deletion thereof;
publicly accessible personal data – personal data distributed by the data subject concerned or with their agreement or distributed in conformity with the requirements of legislative acts;
processor – state agency or legal entity of the Republic of Belarus, another organisation or a natural person, including individual entrepreneurs (hereinafter, if not defined as otherwise – natural person), who/which independently or jointly with other stated entities/persons organises and/or carries out the processing of personal data;
personal data – any information relating to an identified or identifiable natural person;
provision of personal data – actions intended to enable defined persons/entities or a defined circle of persons/entities to consult personal data;
distribution of personal data – actions intended to enable an undefined circle of persons/entities to consult personal data;
special-category personal data – personal data relating to racial or ethnic origin, political opinions, trade union membership, religious or other beliefs, health or sex life, administrative or criminal prosecutions, as well as biometric and genetic data;
data subject – physical person in respect of whom personal data are processed;
transborder transmission of personal data – transmission of personal data to the territory of a foreign State;
deletion of personal data – activities resulting in it becoming impossible to restore personal data in information resources/systems containing personal data and/or in physical supports holding personal data being destroyed;
authorised person – state agency or legal entity of the Republic of Belarus, another organisation or a natural person who, in accordance with a legislative act or a decision of the state agency which is the processor or on the basis of an agreement with the processor, carries out processing of personal data on behalf of or in the interest of the processor;
physical person who may be identified – a physical person whose identity may be directly or indirectly determined, notably through their surname, first name, patronymic name, date of birth, identification number or through one or more identifying physical, psychological, intellectual, economic, cultural or social characteristics.

Article 2. Scope of application of the present Law
1. The present Law regulates activities relating to the protection of personal data during their processing carried out:
with the use of automated means;
without the use of automated means, where arrangements are made in that process to search for personal data and/or access them under certain criteria (card index files, lists, databases, logs and others).
2. The scope of application of the present Law shall not extend to activities in cases of processing of personal data:
by natural persons in the process of solely personal, family, home and other similar use of such data which is unrelated to professional or business activities;
classified as state secrets under the established procedure.

Article 3. Legal regulation of activities in the sphere of personal data processing
1. Activities in the sphere of personal data processing shall be regulated by legislation on personal data, as well as the international treaties of the Republic of Belarus.
2. Legislation on personal data shall be based on the Constitution of the Republic of Belarus and consist of the present Law and other legislative acts.
3. In the event of a legislative act establishing a legal regime of secrecy protected by law and providing for particular aspects of processing of personal data protected as state secrets, the provisions of that legislative act shall be applicable.
4. Where an international treaty of the Republic of Belarus establishes other rules than those set forth in the present Law, the rules of the international treaty shall apply.

CHAPTER 2
PROCESSING OF PERSONAL DATA

Article 4. General requirements for the processing of personal data
1. Personal data shall be processed in accordance with the present Law and other legislative acts.
2. The processing of personal data shall be proportionate to the purposes of that processing and guarantee, at all stages of processing, a fair balance between the interests of all the parties concerned.
3. The processing of personal data shall be carried out with the consent of the data subject, except in the cases provided for in the present Law and other legislative acts.
In the event of personal data being processed without the consent of the data subject, the purposes of processing these data shall be those established by the present Law and other legislative acts.
4. Personal data shall be processed solely to the extent required to fulfil specific previously stated lawful purposes. Processing of personal data that is not compatible with the initially stated purposes of processing shall be prohibited.
In the event of it being necessary to modify the initially stated purposes of processing of personal data, the processor shall be under obligation to obtain the consent of the data subject for the processing of their personal data (hereinafter – consent of the data subject) in accordance with the modified purposes of personal data processing where no other grounds for such processing are provided for in the present Law and other legislative acts.
5. The contents and volume of personal data processed shall correspond to the stated purposes of their processing. The personal data processed shall not be excessive in relation to the stated purposes of their processing.
6. The processing of personal data shall be transparent. To that end, the data subject shall, in the cases provided for in the present Law, be provided with the corresponding information concerning the processing of their personal data.
7. The processor shall be under obligation to take steps to guarantee the validity of the personal data processed by them where it is necessary to update the data.
8. Personal data shall be stored in a form making it possible to identify the data subject for no longer than required by the stated purposes of personal data processing.

Article 5. Consent of the data subject
1. The consent of the data subject shall be in the form of the free, unequivocal, informed expression of their will, authorising the processing of their personal data.
2. The consent of the data subject may be obtained in written form, in the form of an electronic document or in another electronic form.
3. When given in another electronic form the consent of the data subject may be obtained by means of:
the indication/selection by the data subject of certain information/a code following the receipt of a notification by SMS or e-mail;
the ticking of a corresponding box by the data subject on an internet resource;
other means whereby it may be established that the consent of the data subject has been obtained.
4. The necessity of obtaining the consent of the data subject only in written form or in the form of an electronic document may be stipulated by legislative acts.
5. Prior to obtaining the consent of the data subject the processor shall provide the data subject, in written or electronic form corresponding to the form of expression of such consent, with information containing:
the name (surname, first name, patronymic name (where one exists)) and location (residential address/registered address) of the processor obtaining the consent of the data subject;
the purposes of the processing of personal data;
a list of the personal data, the processing of which the data subject is consenting to;
the period of time for which the consent of the data subject is being given;
information on authorised persons in the event of the personal data processing being carried out by such persons;
a list of actions on personal data to which the data subject is consenting and a general description of the means used by the processor to process the personal data;
other information necessary to ensure the transparency of the process of personal data processing.
Prior to obtaining the consent of the data subject, the processor shall explain to the data subject, in simple and clear language, their rights pertaining to the processing of personal data, the machinery for exercising those rights and also the consequences of their giving consent or refusing to give consent. This information must be provided by the processor to the data subject in written or electronic form corresponding to the form of expression of their consent, separately from other information provided to them.
6. When giving their consent to the processor, the data subject shall indicate their surname, first name, patronymic name (where one exists), date of birth, identification number and, in the event of not having such a number, the number of the document attesting to their identity, except in the case provided for in the second sub-paragraph of the present paragraph.
If the purposes of personal data processing do not require the processing of the information indicated in the first sub-paragraph of the present paragraph, that information shall not be subject to processing by the processor upon obtaining the consent of the data subject.
7. The obligation to prove that the consent of the data subject has been obtained shall lie with the processor.
8. The data subject shall be entitled to withdraw their consent under the procedure established by the present Law.
9. In the event of the death of the data subject, notification of posthumous consent to the processing of their personal data shall be given by one of their successors, close relatives or an adoptive parent or adoptive child or the spouse of the data subject, where such consent was not given by the data subject in their lifetime.
In the event of the data subject being declared legally incapable or partially incapacitated, or not yet having attained 16 years of age, except where they have entered into marriage before attaining the age of 16 years, consent for the processing of their personal data shall be given by one of their legal representatives. Another minor age under which consent for the processing of an individual's personal data shall be given by one of their legal representatives may be provided for by legislative acts.
The persons indicated in the first and second sub-paragraphs of the present paragraph, in the event of having consented to the processing of personal data on behalf of the data subject, shall enjoy the rights of the data subject set out in the present Law.

Article 6. Processing of personal data without the consent of the data subject
The consent of the data subject to the processing of personal data, with the exception of the special-category personal data to be processed according to the procedure established in Article 8 of the present Law, shall not be required:
for the purpose of conducting administrative and/or criminal proceedings or carrying out operational and investigative activities;
for the purpose of administering justice, executing court decisions and other writs of execution;
for the purpose of carrying out checks/supervision in accordance with legislative acts;
for the purpose of implementing legislative norms in the sphere of national security, the fight against corruption, the prevention of laundering of the proceeds of crime, the financing of terrorist activities and financing of the distribution of weapons of mass destruction;
for the purpose of implementing legislative norms governing elections, referendums, the dismissal of a member of the House of Representatives or a member of the Council of the Republic of the National Assembly of the Republic of Belarus or a member of a local council of deputies;
for the purpose of recording individual/personalised data on insured persons for the national social insurance system, including occupational pension insurance;
for the purpose of registering labour/service relations as well as in the course of the labour/service activities of the data subject in the cases provided for in legislation;
for the purpose of carrying out notarial activities;
in examining questions linked to citizenship of the Republic of Belarus and the granting of the status of refugee, person requiring additional protection, stateless person or person requiring interim protection in the Republic of Belarus;
for the purpose of granting and paying out pensions and benefits;
for the purpose of organising and conducting state statistical surveys and drawing up official statistical information;
for academic or research purposes on condition of compulsory anonymisation of personal data;
in the recording, calculation and charging of payments for housing and utilities services, payments for the use of dwellings and reimbursements for electricity costs, payments for other services and tax refunds, as well as the provision of benefits and the enforcement of debts for payments for housing and utilities services, payments for the use of dwellings and reimbursements for electricity costs;
when personal data are obtained by the processor on the basis of an agreement concluded/being concluded with the data subject for the purpose of carrying out the activities established by that agreement;
in the processing of personal data, where these are indicated in the document addressed to the processor and signed by the data subject, in accordance with the content of that document;
for the purpose of carrying out the lawful professional activities of a journalist and/or the activities of a media outlet or of an organisation engaged in publishing work, aimed at protecting the public interest, representing a public need to uncover and disclose information regarding threats to national security, public order, public health and the environment, information influencing the fulfilment of duties by state officials in positions of responsibility and public figures, except in the cases provided for in civil procedural, commercial procedural and criminal procedural legislation and legislation determining administrative law procedures;
for the purpose of protecting life, health or other vitally important interests of the data subject or other persons where it is impossible to obtain the data subject's consent;
as regards previously distributed personal data until the personal data subject submits demands that the processing of the distributed personal data be stopped and that these personal data be deleted in the absence of other grounds for personal data processing provided for in this Law and other legislative acts;
in cases where the processing of personal data is necessary for the fulfilment of obligations/powers provided for in legislative acts;
in cases where direct provision is made in the present Law and other legislative acts for the processing of personal data without the data subject's consent.

Article 7. Processing of personal data on the instructions of the processor
1. An authorised person shall be under obligation to comply with the requirements governing personal data processing stipulated in the present Law and other legislative acts. The agreement between the processor and the authorised person, the legislative act or the state authority decision concerned shall define:
the purposes of personal data processing;
the list of actions that will be performed on personal data by the authorised person;
the obligations to respect the confidentiality of personal data;
measures to ensure the protection of personal data in accordance with Article 17 of the present Law.
2. An authorised person shall not be under obligation to obtain the consent of the data subject. If it is necessary to obtain the data subject's consent to the processing of personal data on the instructions of the processor, that consent shall be obtained by the processor.
3. In the event of the processor instructing an authorised person to process personal data, the processor shall be accountable to the data subject for the actions of the aforesaid authorised person. The authorised person shall be accountable to the processor.

Article 8. Processing of special-category personal data
1. Processing of special-category personal data without the consent of the data subject shall be prohibited, except in the cases provided for in paragraph 2 of the present Article.
2. The data subject's consent to the processing of special-category personal data shall not be required:
if the special-category personal data are made publicly accessible by data subjects themselves;
in the registering of labour/service relations as well as in the course of the labour/service activities of the data subject in the cases provided for in legislation;
in the processing by public associations, political parties, trade unions and religious organisations of the personal data of their founders/members in order to achieve statutory aims, provided that these data may not be distributed without the consent of the data subject;
for the purpose of organising the provision of medical assistance provided that such personal data are processed by medical, pharmaceutical or other healthcare staff who are bound by an obligation to ensure personal data protection and to whom the obligation of medical secrecy extends under legislation;
for the purpose of administering justice, executing court decisions and other writs of execution, executing a notary writ, registering rights of inheritance;
for the purpose of conducting administrative and/or criminal proceedings or carrying out operational and investigative activities;
in the cases provided for in correctional legislation and legislation on national security, defence, the fight against corruption, the fight against terrorism, combating extremism, combating the laundering of the proceeds of crime, the financing of terrorist activities and the financing of the distribution of weapons of mass destruction, the state border of the Republic of Belarus, citizenship, the procedure for leaving and entering the Republic of Belarus, refugee status, subsidiary protection, asylum and temporary protection in the Republic of Belarus;
for the purpose of operating the unified state system for registering and logging offences;
for the purpose of keeping criminal records;
for the purpose of organising and carrying out state statistical surveys and drawing up official statistics;
for the purpose of carrying out administrative procedures;
in connection with the implementation of the international treaties of the Republic of Belarus on readmission;
for the purpose of documenting the population;
for the purpose of protecting the life, health or other vitally important interests of the data subject or other persons where it is impossible to obtain the data subject's consent;
in the event of the processing of special-category personal data being necessary for the fulfilment/exercise of obligations/powers provided for in legislative acts;
in the event of the present Law and other legislative acts directly providing for the processing of special-category personal data without the consent of the data subject.
3. The processing of special-category personal data shall be permissible solely on condition of taking a set of measures aimed at obviating the risks for the rights and freedoms of the data subject that might arise in the processing of such personal data.

Article 9. Transborder transmission of personal data
1. Transborder transmission of personal data shall be prohibited if an adequate level of protection is not afforded to the rights of data subjects on the territory of the foreign State, except in cases where:
the data subject has given consent after being informed of the risks that might arise in connection with the lack of an adequate level of protection for those data;
the personal data are obtained on the basis of an agreement concluded/being concluded with the data subject for the purpose of carrying out the activities set out in that agreement;
the personal data may be obtained by any person by means of making an application in the cases and under the procedure provided for in legislation;
such data transmission is necessary for protecting the life, health or other vitally important interests of the data subject or other persons where it is impossible to obtain the data subject's consent;
the processing of personal data is carried out within the framework of the implementation of the international treaties of the Republic of Belarus;
such data transmission is carried out by a financial monitoring body for the purpose of taking measures to prevent the laundering of the proceeds of crime, the financing of terrorist activities and the financing of the distribution of arms of mass destruction in accordance with legislation;
the corresponding permission has been obtained from the authorised data subject protection body.
2. The authorised data subject protection body shall define a list of foreign States on whose territory an adequate level of protection is afforded to the rights of data subjects.

CHAPTER 3
RIGHTS OF THE DATA SUBJECT AND OBLIGATIONS OF THE PROCESSOR

Article 10. Right of the data subject to withdraw consent
1. The data subject may at any time, without having to explain the reasons, withdraw their consent by making an application to the processor under the procedure established by Article 14 of the present Law or through the same means with which their consent was obtained.
2. The processor shall, within 15 days after receiving an application from a data subject, in accordance with its content, stop the processing of personal data, and notify the data subject thereof, where there are no other grounds for such actions on personal data provided for in the present Law and other legislative acts.
Where it is not technically possible to delete personal data, the processor shall take measures to prevent further processing of personal data, including by blocking them, and inform the data subject thereof within the same aforementioned period.
3. The expiry of the agreement under which processing of personal data has taken place or its termination shall produce the effects indicated in paragraph 2 of the present Article unless otherwise provided in that agreement or in acts of legislation.
4. The withdrawal of the data subject's consent shall not have retroactive effects, i.e. the processing of personal data prior to it being stopped in accordance with the first sub-paragraph of paragraph 2 shall not be unlawful.
Printed publications, audio or video recordings of programmes, radio and television programmes, newsreel programmes and other information output containing personal data released before the consent of the data subject was withdrawn shall not be subject to withdrawal from public sale.

Article 11. Right to obtain information relating to the processing of personal data, and modification of personal data
1. The data subject shall be entitled to obtain information relating to the processing of their personal data, containing:
the name (surname, first name, patronymic name (where one exists)) and location (residential address/registered address) of the processor;
confirmation of the processing of their personal data by the processor/authorised person;
their personal data and the source from which these were obtained;
the legal bases and purposes of the processing of the personal data;
the period for which their consent has been given;
the name and location of the authorised person constituted by a state agency or legal entity of the Republic of Belarus or another organisation if the processing of personal data has been assigned to such a person;
other information provided for in legislation.
In order to obtain the information indicated in the first sub-paragraph of paragraph 1 of the present Article, the data subject shall make an application to the processor in accordance with Article 14 of the present Law. In doing so, the data subject shall not be required to justify their interest in the information requested.
2. The processor shall, within five working days following receipt of the corresponding application from the data subject, where no other period is established by legislative acts, provide to the data subject, in accessible form, the information indicated in the first sub-paragraph of paragraph 1 of the present Article, or notify the data subject of the grounds for refusing to provide it. Such information shall be provided to the data subject free of charge, except in the cases provided for in legislative acts.
3. The information indicated in the first sub-paragraph of paragraph 1 of the present Article shall not be provided:
if the personal data may be obtained by any person by means of sending a request under the procedure established by legislation or by accessing an information resource/system within the Internet worldwide computer network;
if the processing of personal data is being carried out:
in accordance with the legislation on state statistics;
in accordance with legislation in the sphere of national security or defence, the fight against corruption, the fight against terrorism, combating extremism, combating the laundering of the proceeds of crime, financing of terrorist activities and financing of the distribution of weapons of mass destruction, and the state border of the Republic of Belarus;
in accordance with the legislation on operational and investigative activities, procedural legislation regarding administrative infringements and legislation on criminal procedure and criminal sentence enforcement;
in respect of questions concerning the keeping of criminal records;
in other cases provided for in legislative acts.
4. The data subject shall be entitled to demand that the processor modify their personal data in the event of these personal data being incomplete, out-of-date or inaccurate. To that end, the data subject shall make an application to the processor under the procedure established by Article 14 of the present Law, enclosing the corresponding documents and/or duly certified copies thereof which confirm the necessity of modifying their personal data.
The processor shall, within fifteen days following receipt of the application from the data subject, modify their personal data accordingly and notify them thereof, or notify them of the grounds for refusing to modify the data if no other procedure for modifying personal data is established by legislative acts.

Article 12. Right to obtain information on the provision of personal data to third parties
1. The data subject shall be entitled to obtain from the processor, once in every calendar year free of charge, information on the provision of their personal data to third parties, where no other provision is made in the present Law and other legislative acts.
In order to obtain the information indicated in the first sub-paragraph of the present paragraph 1, the data subject shall make an application to the processor in accordance with Article 14 of the present Law.
2. The processor shall, within fifteen days following receipt of the application from the data subject, provide them with information as to which of their personal data have been provided to whom in the year preceding the date of their application, or notify them of the grounds for refusing to provide that information.
3. The information referred to in the present Article may not be provided in the cases provided for in paragraph 3 of Article 11 of the present Law or if the processing of personal data is being carried out in accordance with legislation on enforcement proceedings or in the administering of justice or the organisation of the activities of courts of general jurisdiction.

Article 13. Right to demand that the processing of personal data be stopped and/or that they be deleted
1. The data subject shall be entitled to demand that the processor stop the processing of their personal data, free of charge, and likewise delete them, where there are no grounds for the processing of personal data provided for in the present Law and other legislative acts.
To exercise this right, the data subject shall make an application to the processor in accordance with Article 14 of the present Law.
2. The processor shall, in the event provided for in paragraph 1 of the present Article, within fifteen days following receipt of the application from the data subject, stop the processing of their personal data and also delete those data/ensure that the processing of personal data is stopped and that the data are deleted by an authorised person, and notify the data subject thereof.
Where it is not technically possible to delete personal data, the processor shall take measures to prevent further processing of personal data, including by blocking them, and inform the data subject thereof within the same aforementioned period.
3. The processor shall be entitled to refuse to satisfy the data subject's demands to stop the processing of their personal data and/or to delete them where there are grounds for the processing of the personal data provided for in the present Law and other legislative acts, including if they are necessary for the declared purposes of the processing, giving notification thereof to the data subject within fifteen days.

Article 14. Procedure for an application by the data subject to the processor
1. To exercise the rights provided for in Articles 10–13 of the present Law, the data subject shall submit an application to the processor by written letter or e-mail. An obligation for the data subject to be physically present and present a document attesting to their identity when submitting an application to a processor in writing may be provided for by legislative acts.
2. The data subject's application must contain:
the data subject's surname, first name, patronymic name (where one exists) and residential address/place of stay;
the data subject's date of birth;
the data subject's identification number and, in the event of not having such a number, the number of the document attesting to their identity, in cases where this information has been indicated by the data subject when giving their consent to the processor or cases where personal data are being processed without the data subject's consent;
a statement of the essence of the data subject's demands;
the data subject's personal signature or electronic signature.
3. A reply to the application shall be sent to the data subject in the same form in which the application was made, where there is no other stipulation in the application itself.

Article 15. Right to appeal against actions/failure to act and decisions of the processor linked to the processing of personal data
1. The data subject shall be entitled to appeal to the authorised data subject protection body against actions/failure to act and decisions of the processor that infringe their rights in the processing of personal data, under the procedure established by legislation governing applications by citizens and legal entities.
2. The decision taken by the authorised data subject protection body may be appealed against by the data subject in a court under the procedure established by legislation.

Article 16. Obligations of the processor
1. The processor shall be under obligation to:
explain to the data subject their rights in connection with the processing of personal data;
obtain the data subject's consent, except in the cases provided for in the present Law and other legislative acts;
ensure that personal data are protected while they are being processed;
provide the data subject with information on their personal data as well as on the provision of their personal data to third parties, except in the cases provided for in the present Law and other legislative acts;
modify personal data that are incomplete, out-of-date or inaccurate except in cases where another procedure for modifying personal data is established by legislative acts or if the purposes of processing personal data do not envisage subsequent modification of such data;
stop the processing of personal data and also delete them or block them/ensure that the processing of personal data is stopped/that the data are deleted or blocked by an authorised person where there are no grounds for the processing of personal data provided for in the present Law and other legislative acts;
notify the authorised data subject protection body immediately of breaches of the system for protecting personal data, and no later than three working days after the processor became aware of such breaches, except in the cases provided for by the authorised data subject protection body;
carry out the modification, blocking or deletion of a personal data subject's personal data that are inaccurate or have been obtained unlawfully at the demand of the authorised data subject protection body, where no other procedure for modifying, blocking or deleting personal data has been established by legislative acts;
execute other demands of the authorised data subject protection body to remedy infringements of legislation on personal data;
fulfil other obligations provided for in the present Law and other legislative acts.
2. Where the processor is an agency of state administration of the Republic, it shall post information on its official website on the Internet worldwide computer network concerning the information resources/systems containing personal data owned by it, except for information on information resources/systems containing:
personal data, the processing of which is carried out in the cases provided for in the fourth to seventh indents of paragraph 3 of Article 11 of the present Law;
the personal data of its employees in the process of carrying out work/official activities;
restricted official information.

Article 17. Measures to ensure personal data protection
1. The processor/authorised person shall take legal, organisational and technical measures to ensure that personal data are protected against unauthorised or accidental access, modification, blocking, copying, distribution, provision and deletion, as well as against other illegal acts.
2. The processor/authorised person shall formulate and define a list of measures that are necessary and adequate to fulfil their obligation to ensure the protection of personal data, taking account of the requirements of the present Law and other legislative acts.
3. The following compulsory measures shall be taken to ensure the protection of personal data:
the appointment by the processor/authorised person which is a state agency or legal entity of the Republic of Belarus or another organisation, of a structural subdivision or person to be responsible for carrying out internal supervision of personal data processing;
the publication by the processor/authorised person which is a legal entity of the Republic of Belarus or another organisation or individual entrepreneur of documents setting out the policy of the processor/authorised person with regard to personal data processing;
the familiarisation of the staff of the processor/authorised person and other persons directly carrying out personal data processing with the provisions of the legislation governing personal data, including the requirements to protect personal data and documents setting out the policy of the processor/authorised person with regard to personal data processing, and also the training of those staff and other persons under the procedure established by legislation;
the establishment of the procedure for access to personal data, including those being processed in an information resource/system;
the implementation of technical and encryption-based protection of personal data under the procedure established by the Operations and Analysis Centre under the President of the Republic of Belarus, in accordance with the Classification of information resources/systems containing personal data.
4. The processor/authorised person which is a legal entity of the Republic of Belarus or another organisation or individual entrepreneur shall ensure unlimited access, including via the Internet worldwide computer network, to the documents setting out the policy of the processor/authorised person with regard to personal data processing, prior to the commencement of such processing.
5. The Classification of information resources/systems containing personal data shall be established by the authorised data subject protection body for the purpose of defining the requirements imposed on them for the technical and encryption-based protection of personal data.

CHAPTER 4
AUTHORISED DATA SUBJECT PROTECTION BODY. LIABILITY FOR INFRINGEMENT OF THE PRESENT LAW

Article 18. Authorised data subject protection body
1. The authorised data subject protection body shall take measures to protect the rights of data subjects in the processing of personal data.
2. The authorised data subject protection body shall act independently on the basis of the present Law and other legislative acts. The assigning to the authorised data subject protection body of functions that are incompatible with the functions of protecting the rights of data subjects shall be prohibited, with the exception of personal data processing while exercising the powers provided for in paragraph 3 of the present Article.
3. The authorised data subject protection body shall:
exercise supervision of personal data processing by processors/authorised persons in accordance with legislative acts;
examine complaints by data subjects relating to personal data processing issues;
require operators/authorised persons to modify, block or delete inaccurate or unlawfully obtained personal data and remedy other infringements of the present Law;
define the list of foreign states on whose territory an adequate level of protection is afforded to the rights of data subjects;
be responsible for granting permission for the transborder transmission of personal data in cases where an adequate level of protection is not afforded to the rights of data subjects on the territory of the foreign State;
participate in the preparation of draft legislation on personal data;
provide clarification on questions of application of the legislation on personal data and carry out other explanatory work with regard to that legislation;
participate in the work of international organisations relating to questions of personal data protection;
publish, no later than 15 March, an annual report on its activity in the previous year in the media;
exercise other powers provided for in the present Law and other legislative acts.
4. State agencies, legal entities of the Republic of Belarus, other organisations and natural persons shall provide the authorised data subject protection body with the information necessary to determine the lawfulness of actions of processors/authorised persons.
5. The authorised data subject protection body shall be defined by the President of the Republic of Belarus.

Article 19. Liability for infringing the present Law
1. Persons who are guilty of infringing the present Law shall bear the liability established in legislative acts.
2. Non-pecuniary damage caused to a data subject as a result of the violation of their rights as established by the present Law shall be compensated for. Compensation of non-pecuniary damage shall be implemented independently of compensation for pecuniary damage and losses borne by the data subject.

CHAPTER 5
CONCLUDING PROVISIONS

Article 20. Measures to implement the provisions of the present Law
The Council of Ministers of the Republic of Belarus shall:
within three months, jointly with the Operations and Analysis Centre under the President of the Republic of Belarus, take steps to create the authorised data subject protection body;
within six months: jointly with the National Centre of Legislation and Legal Research, prepare and introduce, under the established procedure, proposals to bring legislative acts into conformity with the present Law;
bring the decisions of the Government of the Republic of Belarus into conformity with the present Law;
ensure that the state authorities of the Republic that are subordinate to the Government of the Republic of Belarus bring their legal and regulatory acts into conformity with the present Law;
take other measures to implement the provisions of the present Law.

Article 21. Entry into force of the present Law
The present Law shall enter into force in the following order:
Articles 1–19 – six months after the official publication of the present Law;
the other provisions – after the official publication of the present Law.

President of the Republic of Belarus
A. Lukashenka


URL: http://www.worldlii.org/int/other/NDPrivLegis/2021/4.html