Home
| Databases
| WorldLII
| Search
| Feedback
National Data Privacy Legislation |
Recorded in the national register of legal acts
Republic of Belarus, 29 October 2021, No. 1/19975
DECREE OF THE PRESIDENT OF THE REPUBLIC OF
BELARUS
28 October 2021, No. 422
ON MEASURES TO IMPROVE
THE PROTECTION OF PERSONAL DATA
(Extract)
For the purpose of ensuring the protection of the
personal data, rights and freedoms of natural persons in the processing of their
personal data, I hereby DECREE that:
1. a National Personal Data Protection Center of the Republic of Belarus (hereinafter, unless otherwise specified, - National Personal Data Protection Center) shall be created.
2. the Regulations on the National Personal Data Protection Center (appended) are hereby confirmed.
3. It is hereby established that:
3.1. the National Personal Data Protection Center shall be authorised to implement an educational programme of further training for management staff and specialists, including in the spheres of technical and/or cryptographic protection of information and personal data protection;
3.2. owners/proprietors of information systems <*> and proprietors of critically important information computing centres, as well as organisations carrying out the licensing of activities relating to the technical and/or cryptographic protection of information, shall provide:
training at the National Personal Data Protection Center no less than once every three years for their staff and/or other persons whose duties include ensuring information security, in accordance with an educational programme of further training for management staff and specialists in the spheres of technical and/or cryptographic protection of information;
information to the National Personal Data Protection Center, each year by 15 November, on the number of staff and/or other persons whose duties include ensuring information security, for further training;
--------------------------------
<*> specified in the
first clause of paragraph 3 of the Regulations on the technical and
cryptographic protection of information confirmed by Decree No. 196 of the
President of the
Republic of Belarus of 16 April 2013.
Sub-paragraph 3.3 shall enter into force as of 15 November 2021 (second indent of
paragraph 8 of the document).
|
3.3. processors/authorised persons <*> shall organise, no less than once every five years, the undertaking of training in questions of personal data protection by persons responsible for carrying out the internal supervision of personal data processing, as well as persons carrying out the processing of personal data, including:
by categories of persons defined by the Operations and Analysis Centre under the President of the Republic of Belarus, - at the National Personal Data Protection Center in accordance with the further training programme for management staff and specialists;
by other persons:
in training establishments and also other organisations authorised to implement an educational programme of further training for management staff and specialists in accordance with the further training programme for management staff and specialists;
in other organisations in accordance with the educational programme of training courses (lectures, thematic seminars, workshops, training sessions, officer courses and other types of training courses);
on the premises of the processor/authorised person through the study of the established requirements in the sphere of personal data protection and the testing by the processor/authorised person of knowledge of personal data protection (in the form of an interview, survey, tests and other forms of knowledge checking).
Processors/authorised persons shall, by 15 December 2021, and by 15 November of the following years, provide the National Personal Data Protection Center with information on the number of persons responsible for carrying out the internal supervision of personal data processing and also individuals directly carrying out personal data processing who are required to undergo training at the National Personal Data Protection Center;
--------------------------------
<*> for the purposes of the present Decree:
processor shall be taken as meaning a state agency or legal entity of the Republic of Belarus, another organisation or a natural person, including an individual entrepreneur, who/which, independently or jointly with the aforementioned entities/persons, organise and/or carry out the processing of personal data;
authorised person shall be taken as meaning a state agency or legal entity of
the Republic of Belarus, another organisation or a natural
person, including an
individual entrepreneur, who, in accordance with a legislative act or a decision
of the state agency which is
the processor or on the basis of an agreement with
the processor, carries out personal data processing on behalf of or in the
interest
of the processor.
3.4. The training measures provided for in sub-paragraph
3.2 and 3.3 of the present paragraph shall be funded in
respect of:
persons whose work is paid for from budget funds, - within the limits of the funding provided for in the republic or corresponding local budget for the support of state agencies and other state organisations;
other persons – from income generated by economic activity, as well as
from other sources not prohibited by law;
Sub-paragraph 3.5 shall enter into force as of 15 November 2021 (second indent of
paragraph 8 of the document).
|
3.5. processors which are state agencies or legal entities of the Republic of Belarus or other organisations shall establish and keep up to date:
a) [а in the original Cyrillic text] a list of information resources/systems containing personal data of which they are the owners/proprietors;
b) [б in the original Cyrillic text] the categories of personal data subject to inclusion in such resources/systems:
publicly accessible data;
special-category personal data (other than biometric and genetic personal data);
biometric and genetic personal data;
personal data that are not publicly accessible or special-category;
c) [в in the original Cyrillic text] a list of authorised persons, where personal data processing is carried out by authorised persons;
d) [г in the original Cyrillic text] the period for which
processed data are kept;
Sub-paragraph 3.6 shall enter into force as of 1 January 2024 (third indent of
paragraph 8 of the document).
|
3.6. processors shall enter information on information resources/systems containing personal data in the state information resource known as the "Register of personal data" (herein – the register), being created by the National Personal Data Protection Center, and also provide updates of the corresponding information.
The types of information resources/systems for which information should be entered in the register, as well as the list of information included in the register and the deadline for entering it in the register shall be determined by the Operations and Analysis Centre under the President of the Republic of Belarus.
The proprietor and operator of the register shall be the National Personal Data Protection Center.
Expenditure on the creation and functioning of the register shall be financed by:
republic budget funds allocated to the support of the Operations and Analysis Centre under the President of the Republic of Belarus;
other sources not prohibited by law;
3.7. restricted publication;
3.9. work/services to create, operate and develop the information resources/systems being created/functioning for the purpose of fulfilling the functions assigned to the National Personal Data Protection Center may be carried out/provided without them being included in state digital development programmes.
4. The provisions of the present Decree shall not apply to relations concerning the processing of personal data classified under the established procedure as state secrets.
5. Decrees of the President of the Republic of Belarus shall be amended (appendix).
Paragraph 6 entered into force after official publication (fourth indent of
paragraph 8 of the document).
|
6. The Council of Ministers of the Republic of Belarus shall:
when specifying individual targets for the republic budget for 2021, make provision for additional funding to finance the National Personal Data Protection Center in accordance with sub-paragraph 3.8 of paragraph 3 of the present Decree;
when drawing up the draft republic budget for 2022 and the following years, under the established procedure, provide for funding to be allocated to the Operations and Analysis Centre under the President of the Republic of Belarus for the support of the National Personal Data Protection Center;
by 15 November 2021, bring legislative acts into line with the present Decree
and take other measures to implement it.
Paragraph 7 entered into force after official publication (fourth indent of
paragraph 8 of the document).
|
7. The Operations and Analysis Centre under the President of the Republic of Belarus shall:
7.1. by 15 November 2021, ensure that the National Personal Data Protection Center is provided with the necessary administrative premises, equipment and other tangible assets for the carrying out of its activities;
7.2. determine:
by 15 November 2021, the categories of persons responsible for carrying out the internal supervision of personal data processing and also individuals directly carrying out personal data processing who are required to undergo training at the National Personal Data Protection Center;
by 1 August 2022, the types of information resources/systems for which
information shall be entered in the register, as well as the
list of information
included in the register and the deadlines for entering it in the
register.
Paragraph 8 entered into force after official publication.
|
8. The present Decree shall enter into force as follows:
sub-paragraphs 3.3 and 3.5 of paragraph 3 - as of 15 November 2021;
sub-paragraph 3.6 of paragraph 3 - as of 1 January 2024;
paragraphs 6, 7 and the present paragraph - following the official publication of the present Decree;
other provisions of the present Decree - 15 days after its official
publication.
President of the Republic of Belarus
|
А. Lukashenko
|
Appendix
to Decree No. 422 of the President
of the
Republic of Belarus
28.10.2021
LIST
OF AMENDMENTS MADE TO
DECREES OF THE PRESIDENT OF THE REPUBLIC OF BELARUS
1. In the Unified national register of legal acts of the Republic of
Belarus, established by Decree No. 1 of the President of the
Republic of Belarus
of 4 January 1999, after item
10.03.08.04 insert an item worded as follows:
"10.03.08.05
|
Personal data and their protection".
|
2. The
list of posts of management staff of state agencies and other organisations
included in the personnel register of the Head of State
of the Republic of
Belarus, established by Decree No. 644 of the President of the Republic of
Belarus of 8 November 2001, shall be
supplemented by an indent worded as
follows:
"The director of the National Personal Data Protection Center".
3. The Procedure
for appointment/approval of appointment/dismissal and consent to
appointment/dismissal by the President of the Republic of Belarus
for certain
posts included in the personnel register of the Head of State of the Republic of
Belarus, established by Decree No. 645
of the President of the Republic of
Belarus of 8 November 2001, shall be supplemented by a paragraph 15-2 worded as
follows:
"15-2.
|
Director of the National Personal Data Protection Center
|
Head of the Operations and Analysis Centre under the President of the
Republic of Belarus
|
President of the Republic of Belarus
|
-
|
- ".
|
4. Appendix
7 to the Regulations governing the procedure for issuing and using staff IDs
in state authorities/organisations, established by Decree
No. 159 of the
President of the Republic of Belarus of 18 March 2008, shall be supplemented by
an item worded as follows:
"NPDPC
|
The National Personal Data Protection Center".
|
5. In Decree No. 510 of the President of the Republic of Belarus of 16
October 2009 "On improving supervisory/oversight activity in
the Republic of
Belarus":
paragraph 23 shall be supplemented by an indent worded as follows:
"supervision of personal data processing by processors/authorised persons.";
In the first clause of paragraph 15 of the Regulations governing the procedure for organising and conducting checks, established by the Decree, after the words "by the state institution "Administration of the Science Park " insert the words ", by the state institution "Administration of the "Velikiy kamen" Chinese-Belarusian industrial park;
the
list of supervisory/oversight bodies empowered to carry out checks, and the
sphere of their supervisory/oversight activity, established
by the Decree, shall
be supplemented by a paragraph 8-1 worded as follows:
"8-1. state institution "Administration of the "Velikiy kamen"
Chinese-Belarusian industrial park
|
supervision of compliance by residents of the "Velikiy kamen"
Chinese-Belarusian industrial park (hereinafter – the industrial
park)
with requirements established by legislation:
medical use on the territory of the industrial park of unregistered drugs
and medical devices
use on the territory of the industrial park of medical care methods that
are not approved for use in the manner prescribed by law
provision of medical services on the territory of the industrial park with
the use of unregistered drugs and medical devices, as well
as with the use of
medical care methods that are not approved for use in the manner prescribed by
law".
|
CONFIRMED
DECREE NO.
422
OF THE PRESIDENT OF THE
REPUBLIC OF BELARUS
OF
28.10.2021
REGULATIONS
ON THE NATIONAL
PERSONAL DATA PROTECTION CENTER
CHAPTER 1
GENERAL PROVISIONS
1. The National Personal Data Protection Center is the authorised body
for the protection of the rights of data subjects.
2. The National Personal Data Protection Center shall operate independently on the basis of the Constitution of the Republic of Belarus, Republic of Belarus Law No. 99-Z of 7 May 2021 "On the protection of personal data", the present Regulations and other legislative acts.
The assigning of functions to the National Personal Data Protection Center that are incompatible with the functions of protecting the rights of data subjects shall be prohibited, with the exception of the processing of personal data while exercising the powers assigned to it.
3. The official title of the National Personal Data Protection Center shall be as follows:
full version:
in Belarusian: Нацыянальны цэнтр абароны персанальных даных Рэспублiкi Беларусь;
in Russian: Национальный центр защиты персональных данных Республики Беларусь;
in English: National Personal Data Protection Center of the Republic of Belarus;
short version:
in Belarusian: Нацыянальны цэнтр абароны персанальных даных;
in Russian: Национальный центр защиты персональных данных;
in English: National Personal Data Protection Center.
4. The National Personal Data Protection Center shall be a legal entity, created and operating in the form of a state institution and shall have an independent balance sheet, a current/cheque and other bank accounts, including in foreign currency, a seal and stationery depicting the state emblem of the Republic of Belarus and bearing its title, other seals, stamps and stationery necessary for the carrying out of its activities, as well as its own logo.
The founder of the National Personal Data Protection Center and the state authority exercising the right of ownership over the property of that institution, on behalf of the Republic of Belarus, shall be the Operations and Analysis Centre under the President of the Republic of Belarus.
5. The reorganisation and winding up of the National Personal Data Protection
Center shall be carried out by decision of the President
of the Republic of
Belarus or a court in the cases and under the procedure provided for in
legislation.
CHAPTER 2
FUNDAMENTAL TASKS, FUNCTIONS AND RIGHTS
OF THE NATIONAL PERSONAL DATA PROTECTION CENTER
6. The fundamental tasks of the National Personal Data Protection Center
shall be to:
take measures to protect the rights of data subjects in the processing of their personal data;
organise training on questions of personal data protection.
7. The National Personal Data Protection Center shall, in accordance with its fundamental tasks, fulfil the following functions:
exercise supervision of personal data processing by processors/authorised persons (hereinafter - supervision);
examine complaints from data subjects relating to personal data processing issues;
define the list of foreign States on whose territory an adequate level of protection is guaranteed for the rights of data subjects;
grant permission for the transborder transmission of personal data in cases where an adequate level of protection for the rights of data subjects is not guaranteed on the territory of the foreign State, and also determine the procedure for the granting of such permission;
submit proposals for improving legislation on personal data and participate in the preparation of draft legislation on personal data;
provide clarification on questions of application of the legislation on personal data and carry out other explanatory work with regard to that legislation;
determine the cases in which notification of the National Personal Data Protection Center of breaches of personal data protection systems is not required;
establish a classification of information resources/systems containing personal data for the purposes of defining what is required of them in terms of technical and cryptographic protection of personal data;
participate in the work of international organisations relating to questions of personal data protection;
cooperate with bodies/organisations protecting the rights of data subjects in foreign States;
every year, no later than 15 March, publish a report on its activities in the media;
implement further training programmes for adults in accordance with the legislation on education;
exercise other powers provided for in legislation on personal data.
8. In order to fulfil its fundamental tasks and functions, the National Personal Data Protection Center shall be authorised:
in the exercise of supervision, to request and obtain free of charge from state agencies or legal entities of the Republic of Belarus, other organisations or natural persons the information that is necessary to determine the lawfulness of actions/failure to act of processors/authorised persons in the sphere of personal data processing (including the personal data of natural persons without their consent). This information shall be provided within 10 calendar days following receipt of the request;
in the exercise of supervision, to use information resources/systems free of charge, which shall include having access to them, including remote access, obtaining information from them, including information containing banking, commercial, professional and other secrets protected by law, as well as personal data of natural persons without their consent, with the exception of information resources/systems containing state secrets, on the basis of written requests, requests made in electronic form or agreements/conventions concluded with the owners/proprietors of information resources/systems;
to use, free of charge, information and/or electronic services provided by state agencies or legal entities of the Republic of Belarus or other organisations, on the basis of agreements/conventions concluded with entities providing such services;
to carry out checks in respect of processors/authorised persons during the processing of personal data by them to ensure that they comply with legislation on personal data;
to demand that processors/authorised persons modify, block or delete personal data that are inaccurate or have been obtained unlawfully and remedy other infringements of legislation on personal data;
to demand that processors/authorised persons stop the processing of personal data if it is not possible to ensure the protection of data subjects' rights by other means;
to take decisions on questions falling within its competence that are binding on state agencies, legal entities of the Republic of Belarus, other organisations and natural persons carrying out personal data processing activities;
to enlist staff of state agencies and other state organisations, by agreement with their managers, and other natural persons on a contractual basis for the resolving of questions falling within the competence of the National Personal Data Protection Center;
to carry out, on a voluntary basis, audits of processors'/authorised persons' compliance with the requirements of legislation on personal data;
to use state means of telecommunications and communication;
to organise and implement international cooperation on questions falling within its competence;
to conclude agreements, within the limits of its competence, with state agencies, legal entities of the Republic of Belarus, other organisations and natural persons, as well as with agencies and organisations of other States, international organisations and inter-state formations;
to engage in income-generating activities;
to implement other activity not prohibited by law aimed at the fulfilment of
its fundamental tasks and functions.
CHAPTER 3
ORGANS OF ADMINISTRATION OF THE
NATIONAL PERSONAL DATA PROTECTION CENTER
9. The National Personal Data Protection Center shall be headed by a
director.
10. The director of the National Personal Data Protection Center shall be appointed to and dismissed from their post by the President of the Republic of Belarus at the proposal of the head of the Operations and Analysis Centre under the President of the Republic of Belarus.
The contract with the director of the National Personal Data Protection Center shall be concluded by the head of the Operations and Analysis Centre under the President of the Republic of Belarus.
11. The director of the National Personal Data Protection Center shall:
manage the activities of the National Personal Data Protection Center and bear personal responsibility for the execution of the fundamental tasks and duties conferred upon them;
by agreement with the Operations and Analysis Centre under the President of the Republic of Belarus, establish the structure of the National Personal Data Protection Center, as well as the size of its staff, whose activities shall be funded by income-generating activities;
establish the staffing structure of the National Personal Data Protection Center;
act, with full authority, on behalf of the National Personal Data Protection Center, represent its interests in dealings with state authorities and legal persons of the Republic of Belarus and other organisations and physical persons;
appoint and dismiss staff of the National Personal Data Protection Center, including, by agreement with the head of the Operations and Analysis Centre under the President of the Republic of Belarus, the deputy directors, and conclude work agreements/contracts with them);
issue orders on matters falling within their competence requiring mandatory execution by all staff of the National Personal Data Protection Center, and organise and supervise the execution of those orders;
open and close current/cheque and other bank accounts of the National Personal Data Protection Center;
give incentives and apply disciplinary measures to the staff of the National Personal Data Protection Center;
organise the examination of applications from citizens, including individual entrepreneurs, and legal entities, receive citizens in person, including individual entrepreneurs, their representatives and representatives of legal entities;
bear personal responsibility for the targeted and effective expenditure of the funds of the National Personal Data Protection Center;
exercise other powers linked to the direct management of the National Personal Data Protection Center.
12. For the purpose of assisting the National Personal Data Protection Center to implement the functions assigned to it, an advisory board operating on a non-remunerated basis shall be created under it.
The composition of the advisory board and the procedure for its organisation
and functioning shall be established by the director
of the National Personal
Data Protection Center.
CHAPTER 4
SUPERVISION OF PERSONAL DATA PROCESSING
BY PROCESSORS/AUTHORISED PERSONS
13. Supervision shall be exercised by the National Personal Data
Protection Center in the form of:
checks carried out in accordance with the schedule of checks on compliance with legislation on personal data, established each year by the director of the National Personal Data Protection Center and published on the official website of the National Personal Data Protection Center on the Internet by no later than 30 December of the year preceding the carrying out of checks (hereinafter - scheduled checks);
checks carried out without being included in the aforementioned schedule (hereinafter - unscheduled checks);
desk research.
Scheduled checks on a given processor/authorised person shall be carried out no more than once every two years.
Processors/authorised persons for whom/which the National Personal Data Protection Center has issued a positive conclusion on the findings of a voluntary audit of compliance with the requirements of legislation on personal data shall not be subject to scheduled checks for a period of five years dating from the receipt of the corresponding conclusion.
Unscheduled checks may be ordered by the director of the National Personal Data Protection Center where there is information, including information obtained from an organisation or a natural person or complaints from data subjects, testifying to breaches of the requirements of legislation on personal data that are being/have been committed. Anonymous information shall not provide any grounds for ordering unscheduled checks.
Interference in the supervision activities of the National Personal Data Protection Center or the giving of instructions or guidance for them shall be prohibited.
14. The period in which a scheduled or unscheduled check is carried out may not exceed 20 working days. That period may be extended by the director of the National Personal Data Protection Center once by no more than 10 working days.
15. For the carrying out of a scheduled or unscheduled check, the director of the National Personal Data Protection Center shall set up a compliance-checking commission (hereinafter - the commission) and issue an order, indicating the name of the processor/authorised person, the type of check to be carried out (scheduled or unscheduled), the start date of the check, its duration, the composition of the commission and the issues that are to be checked.
16. The processor/authorised person shall be notified in writing of the ordering of the scheduled check no later than 10 working days before it is carried out. This notification shall contain information on the start date of the check, its duration, the composition of the commission and also the issues that are to be checked.
17. Checking measures carried out in connection with a scheduled or unscheduled check shall take place, as a rule, in the presence of a representative of the processor/authorised person undergoing the check.
18. Those carrying out the check shall be entitled to demand that the processor/authorised person:
provide documents/copies thereof and/or information relating to personal data processing. If such documents/copies thereof may, in accordance with the requirements of legislation, be located in a place other than the place where the check is being carried out, they shall be provided no later than the working day following the demand to provide documents/copies thereof;
provide access, upon production of staff ID and the order for the carrying out of a check (and in the case of sites to which access is restricted in accordance with legislation - documents required by law for access to such sites), to premises and other sites/territory where personal data processing is carried out (with the exception of living premises) and to the software and hardware used to carry out such processing. Where it is impossible/difficult to inspect that software and hardware in situ, the software and hardware may, by decision of the director of the National Personal Data Protection Center, be removed for a period not exceeding the duration of the carrying out of the check.
19. In the course of a scheduled or unscheduled check, an assessment shall be made of the personal data protection measures taken by the processor/authorised person, including as to whether they are adequate to protect personal data.
20. For the carrying out of a scheduled or unscheduled check the head of the commission shall independently determine the methods and means of carrying it out.
21. A report of the findings of a scheduled or unscheduled check shall be drawn up in duplicate and shall indicate:
the compliance/non-compliance of the personal data protection measures taken by the processor/authorised person with the requirements of legislation on personal data;
the expert opinion of the commission as to whether the personal data protection measures taken by the processor/authorised person are adequate;
findings of infringements of legislation on personal data or a conclusion that there are no such infringements.
22. The report of the scheduled or unscheduled check shall be drawn up within 10 working days following its completion and be signed by all the commission's members.
Within three working days following the drawing up of the report, the first copy thereof shall be sent to the operator/authorised person undergoing checking or handed to its/their authorised representative, while the second shall be kept at the National Personal Data Protection Center.
23. In the event of a scheduled or unscheduled check finding infringements of legislation on personal data, cited in the report on the scheduled or unscheduled check, the director of the National Personal Data Protection Center shall, within 10 working days following the completion of the check, issue a written demand/order that the infringements found be remedied and/or personal data processing within the information resource/system be suspended/stopped, stating the specific activities that must be suspended/stopped, and establish a time limit for such remedial action and/or suspension/stoppage, not exceeding six months.
The demand/order shall be drawn up in duplicate. The first copy shall, within three working days following the drawing up of the document, be sent to the processor/authorised person undergoing the check or handed to its/their authorised representative, while the second shall be kept at the National Personal Data Protection Center.
Notification of the fulfilment of the written demand/order to remedy the infringements found shall be given in writing by the processor/authorised person within the time limits specified in that written demand/order to the National Personal Data Protection Center together with supporting documents, and the National Personal Data Protection Center shall also be given the possibility of ascertaining (including in situ), if necessary, that the infringements have been remedied.
Where there are objective circumstances preventing the remedying of the infringements stated in the written demand/order within the time limits established therein, upon application submitted by the processor/authorised person no later than three working days before the expiry of those time limits and stating the circumstances concerned, those time limits may be extended by the director of the National Personal Data Protection Center. The decision to extend or to refuse to extend the stated time limits shall be taken no later than two working days following receipt of the application and written notification thereof shall be given to the processor/authorised person within two working days following the taking of the decision.
The decision to resume personal data processing in the corresponding information resources/systems shall be taken by the director of the National Personal Data Protection Center within 10 working days following the remedying of the infringements that gave grounds for the issuing of a written demand/order to suspend/stop personal data processing in the information resource/system, and written notification thereof shall be given to the processor/authorised person within two working days following the taking of the decision.
24. Where there are objections to the report of the scheduled or unscheduled check, the manager of the processor/authorised person or another authorised representative thereof shall, no later than 15 days following receipt of the report by the processor/authorised person or the handing of the report to their authorised representative, shall submit written objections to the report's content to the National Personal Data Protection Center.
The merits of the arguments set out in the objections shall be examined by the National Personal Data Protection Center no later than 10 working days following their receipt. The findings of the examination of the objections shall be set out in a written conclusion, which shall be sent to the processor/authorised person or handed to their authorised representative.
In the event of the objections being deemed well-founded, a new report on the check shall be drawn up and, where necessary, the corresponding written demand/order shall be repealed/modified.
25. A written demand/order issued in the light of the findings of a scheduled or unscheduled check requiring infringements to be remedied and/or personal data processing within the information resource/system to be suspended/stopped and also the actions/failure to act of those carrying out the check may be appealed against by the processor/authorised person in a judicial procedure.
26. Desk research shall be carried out by the National Personal Data Protection Center on its premises through the study, analysis and assessment of:
information published in the media and on the Internet;
documents and other information including information obtained from the processor/authorised person at the request of the National Personal Data Protection Center.
Desk research shall be carried out without the issuing of instructions for it
or notification thereof to the processor/authorised
person. In the light of the
findings of such a check, recommendations to remedy infringements of the
legislation on personal data
found may be sent to the processor/authorised
person.
CHAPTER 5
EXAMINATION OF COMPLAINTS FROM DATA
SUBJECTS REGARDING THE PROCESSING OF PERSONAL DATA
27. Data subjects who believe that their rights,
freedoms and lawful interests have been infringed in the processing of personal
data
shall be entitled to make a complaint relating to personal data processing
issues to the National Personal Data Protection Center
(hereinafter -
complaint).
The complaint may relate to actions/failure to act directly affecting the rights, freedoms and lawful interests of the data subject submitting the complaint within three months following the date on which they became known to the person making the complaint.
28. The complaint shall be submitted in writing or in electronic document form and must contain:
the surname, first name, patronymic (where applicable) of the data subject, the address of their place of residence/place of stay;
a presentation of the essence of the complaint, specifying the actions/failure to act infringing the data subject's rights, freedoms and lawful interests;
information on the steps taken to restore the data subject's infringed rights, freedoms and lawful interests (including an application to the processor/authorised person, to a court, the prosecution authorities or other state agencies) or on the lack of such steps;
the data subject's personal signature in the event of the complaint being sent in written form.
The complaint shall enclose documents and other material (including photographs and screenshots corroborating the fact that the rights, freedoms and lawful interests of the data subject making the complaint have been infringed (where these exist).
29. Complaints in writing shall be sent by express/courier delivery or by letter post.
Complaints in electronic document form shall be certified by a digital signature generated using a private key, the public key certificate of which is issued in the state system for managing public keys for verification of electronic digital signatures of the Republic of Belarus.
30. A complaint shall not be examined on the merits if it:
fails to meet the requirements provided for in paragraphs 27 - 29 of the present Regulations;
has been examined, is being examined or is subject to examination in accordance with legislation on constitutional proceedings or legislation on civil, commercial or criminal proceedings, or if another procedure has been established for submitting and examining such a complaint under legislative acts.
A decision not to examine the complaint on the merits shall be taken by the National Personal Data Protection Center within 10 working days following the date of its registration, and notification thereof shall be given to the data subject having submitted the complaint, with a statement of the reasons for the decision taken.
31. Complaints shall be examined no later than one month following the date of their registration in the National Personal Data Protection Center. In the event of a complaint requiring further analysis and checking, the specified time limit may be extended by the National Personal Data Protection Center for no more than one month, with notification thereof of the data subject who filed the complaint.
32. In the event of the information contained in a complaint on infringements in the processing of personal data being confirmed, the National Personal Data Protection Center shall take the necessary steps to protect the infringed rights, freedoms and lawful interests of the data subject who submitted the complaint and notify the data subject thereof.
In the event of the information contained in a complaint on infringements in the processing of personal data not being confirmed, the National Personal Data Protection Center shall not grant satisfaction in respect of that complaint and notify the data subject thereof, providing an explanation of the procedure for appealing against its decision.
Decisions taken by the National Personal Data Protection Center in the light of its examination of appeals may be appealed against in a judicial procedure.
33. In the event of repeat complaints that do not contain any new facts of
significance for their examination on the merits, correspondence
with the data
subject concerned in respect of those complaints shall be halted and the data
subject notified thereof. If repeat complaints
are received in respect of
questions on which correspondence with the data subject has been halted, those
complaints shall not require
examination (and the data subject shall not be
notified thereof).
CHAPTER 6
FINANCIAL ACTIVITY AND PROPERTY OF THE
NATIONAL PERSONAL DATA PROTECTION CENTER
34. The National Personal Data Protection Center shall be financed
by:
funds from the republic budget;
funds from income-generating activities;
other sources not prohibited by law.
35. Funds received by the National Personal Data Protection Center from income-generating activities and other sources not prohibited by law, after the payment of taxes, dues/duties and other compulsory payments into the republic and local budgets and state fund budgets and outlay of expenditure linked to that activity, shall remain at the National Personal Data Protection Center's disposal:
to ensure its functioning, including for increases in staff where necessary;
for the development of its equipment and technology;
for incentives given to the staff of the National Personal Data Protection Center and the provision of further training and material assistance for those staff;
for other purposes determined by the Operations and Analysis Centre under the President of the Republic of Belarus.
36. The property of the National Personal Data Protection Center shall be in the ownership of the republic and is assigned to the Center on the basis of the right of operational management.
The possession, use and disposal of the property assigned to the National Personal Data Protection Center shall be exercised in accordance with the Center's tasks and functions and within the limits established by law.
37. The National Personal Data Protection Center shall keep accounts and tax
accounts recording the results of its activities and
present accounting and tax
reports.
WorldLII:
Copyright Policy
|
Disclaimers
|
Privacy Policy
|
Feedback
URL: http://www.worldlii.org/int/other/NDPrivLegis/2021/6.html