
Belarus: Data protection in the financial sector

Data protection is becoming increasingly important in all jurisdictions, including Belarus. As the financial sector expands its services, certain requirements and risks related to the processing of personal data of participants in financial transactions also increase.

In this Insight article, Alena Potorskaya and Yulia Burmistrova, from REVERA law group, consider the specifics of personal data processing in the financial sector in Belarus.


Applicable legislation

In Belarus, until recently, there was no proper regulation for personal data processing, and there was no consolidated act defining uniform approaches. However, in 2021, the first comprehensive legislation on data protection was introduced, characterized by a risk-based approach.

The processing of personal data in Belarus is currently regulated by the following:

  • Law of the Republic of Belarus of May 7, 2021 No. 99-Z on Personal Data Protection (available in Russian here) (an unofficial English version is available here) (PDP Law);
  • Decree of October 28, 2021 No. 422 on measures to improve the protection of personal data; and
  • recommendations and clarifications adopted as a follow-up to the PDP Law.

The PDP Law regulates all spheres of activity, including the processing of personal data in the financial sector. Additionally, the processing of personal data in the financial sector is regulated by specific acts, including:

  • Banking Code of the Republic of Belarus of October 25, 2000 No. 441-Z (Banking Code);
  • Law of the Republic of Belarus of November 10, 2008 No. 455-Z on Information, Informatization and Information Protection;
  • Law of the Republic of Belarus of June 30, 2014 No. 165-Z on Measures to Prevent Money Laundering, Terrorist Financing and Financing of Proliferation of Weapons of Mass Destruction (Law on Measures to Prevent Money Laundering);
  • regulations on the procedure of certification of information protection systems of information systems designed for processing of information, the dissemination and/or provision of which is restricted, approved by the Order of the Operational and Analytical Center under the President of the Republic of Belarus of February 20, 2020 No. 66; and
  • other acts regulating financial transactions.

Considering the specifics and peculiarities of personal data processing in the financial sector, the regulator has developed recommendations for applying the PDP Law in banking and insurance activities. However, these recommendations are only available to organizations engaged in banking and insurance activities and are not publicly accessible.

Supervisory authorities

The National Personal Data Protection Center is the public authority responsible for supervising the application of the PDP Law to protect the rights and freedoms of personal data subjects. Its duty is to take measures to protect the rights of personal data subjects, such as conducting compliance checks on personal data processing and organizing training on personal data protection issues.

The Operational and Analytical Center under the President of the Republic of Belarus (OAC) is responsible for the regulation of technical measures aimed at protecting information from leaks through unauthorized and unintentional channels or influences.

Supervisory authorities involved in regulating personal data processing in the financial sector, provided they process personal data, include:

  • the Ministry of Finance of the Republic of Belarus;
  • the National Bank of the Republic of Belarus; and
  • the Financial Monitoring Department of the State Control Committee of the Republic of Belarus.

Legal basis for processing

Personal data can only be processed if there is a legal basis for such processing. The PDP Law provides several legal bases for processing personal data (Articles 5, 6, 8, 9).

In the financial sector, the following legal bases are used for personal data processing:

  • consent;
  • the processing is necessary for the performance of actions specified in a contract concluded with the data subject;
  • personal data processing is necessary to fulfill duties or exercise powers prescribed by legislative acts; and
  • the implementation of norms of legislation in the field of national security, the fight against corruption, the prevention of money laundering, terrorist financing, and financing of proliferation of weapons of mass destruction.

Although consent is the basic legal basis for processing data in Belarus, it is not a universal or mandatory condition. In the financial sector, certain entities, primarily state bodies and organizations, can process personal data without obtaining consent due to their duties and powers as outlined in legislative acts. Additionally, personal data processing may occur based on a contract with an individual, such as a contract for opening an account in a bank.

Privacy notices and policies

To comply with data protection legislation, every organization, including those operating in the financial sector, must take certain legal measures. These measures include the preparation of internal documents that regulate the processing of personal data within the organization. Furthermore, these documents should also be made available on the organization’s website or application if applicable.

Taking into account the risk-based approach, organizations determine the composition and list of measures necessary and sufficient to fulfill the obligations to ensure data protection. Additionally, the National Personal Data Protection Center has established several mandatory documents, such as a list of authorized persons who have access to the personal data of the organization, and a list of information resources or systems containing personal data.

The main documents that describe the processes of personal data processing in the organization are:

  • Regulation of personal data processing, which is an internal document; and
  • Personal Data Processing Policy, which is posted on the organization's website or application (Privacy Policy).

The National Personal Data Protection Center has developed recommendations for drafting a document that defines the personal data processing policy of the operator (authorized person) concerning the processing of personal data. These recommendations, available in Russian here, should be followed when drawing up the Privacy Policy.

Through the Privacy Policy, the personal data subject is informed about who collects, uses, or otherwise processes personal data, to what extent and for what purposes the data is processed, what rights the personal data subject has in this regard, and the mechanism for exercising such rights.

When processing personal data based on consent, the operator must first provide the data subject with all information about such processing, separately from other information. A simple reference to the Privacy Policy is not enough.

Data security and risk management

In addition to legal measures, organizations must implement technical information protection measures, including the implementation of technical and cryptographic personal data protection as prescribed by the OAC. These measures involve, among others, the application of information protection systems, and the certification of such systems.

As financial organizations mainly process non-disclosable information, they must adhere to additional information protection and cybersecurity requirements mandated by the National Bank. These requirements pertain to the provision of payment services, including requirements for the payment software application, security of payment services, as well as safeguards for information protection, and the protection of information resources and systems.

Data transfers and outsourcing

Cross-border transfer of personal data is regulated by the PDP Law. The procedure for such transfers depends on the destination country, which can be categorized into two types:

  • Countries or territories that ensure an adequate level of protection of personal data subjects' rights. In Belarus, these include the parties to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (1981), and foreign states that are members of the Eurasian Economic Union.
  • Countries or territories that do not provide an adequate level of protection of personal data subjects' rights.

If personal data is transferred to foreign countries, where an adequate level of protection of personal data subjects' rights is provided, general rules of personal data processing must be observed. However, if the data is transferred to countries or territories that do not provide an adequate level of protection, the transfer of personal data to such territory is prohibited. There are certain exceptions to this prohibition, which include:

  • when the consent of the personal data subject for such transfer has been obtained;
  • when the required permission of the National Personal Data Protection Center has been received; and
  • when the transfer is conducted following other legal bases.

There are also cases of interaction, in particular, between the financial monitoring authority and foreign and international organizations. In these cases, it may be necessary to submit personal data of participants in financial transactions, which may include banking or other secrets protected by law. However, such data can only be submitted if this does not harm the national security of Belarus and the data is not used without the prior consent of the financial monitoring authority.

When transferring personal data to foreign countries, it is necessary to specify in the Privacy Policy the list of foreign companies involved, the country to which personal data is being transferred, and the legal basis for such transfer.

Data retention and record keeping

The main principle of personal data processing is the limitation of the retention period. Personal data should only be stored as long as necessary to fulfill the purposes of the processing. Retention periods for personal data are established by law or, in the absence of statutory retention periods, are determined by the organization itself. The basic retention period of financial documents, including those containing personal data, is stipulated by the Decision of the Ministry of Justice of the Republic of Belarus of May 24, 2012 No. 140 on the list of standard documents.

It is also important to consider the storage location of personal data. In Belarus, there are no localization requirements for personal data. However, there are requirements for technical protection of information. These requirements stipulate that personal data should only be processed within information systems equipped with adequate information protection measures. Such information protection systems must be certified following the established procedure by the OAC.

The information protection system must be provided with information protection tools that possess a certificate of compliance issued by the National System of Conformity Confirmation of the Republic of Belarus or a positive expert opinion based on the results of a state expert review.

Therefore, processing or storing personal data in information systems that do not meet the OAC protection requirements constitutes a violation of Belarusian legislation.

Regarding the record keeping of personal data processing and access procedures to personal data, it is organized as follows:

  • The organization maintains a register of personal data processing: the register is an internal document that includes information about all processing of personal data, types of data, storage periods, legal basis for processing, etc.
  • Access to personal data within the financial organization is delimited between departments and employees. The procedure for access is set out in an internal document of the organization.

Breach notification

The organization is required to notify the National Personal Data Protection Center in case of a personal data protection system breach. The notification should be sent by the organization immediately, but no later than 3 working days after the organization became aware of the breach.

While there is no specific obligation to notify personal data subjects about leaks of their personal data, it is good practice for the organization to post information about the leak on its website.

There are also cases where it is not required to notify the National Personal Data Protection Center. The notification is not required if the breach of the protection systems has not led to:

  • unlawful dissemination or provision of personal data; or
  • modification, blocking, or deletion of personal data without the possibility of restoring access to them.

Confidentiality and banking secrecy

The peculiarity of personal data processing in the financial sector lies in the processing of personal data that constitutes a legally protected secret.

Personal data and information classified as banking and other legally protected secrets are distinct types of information subject to restrictions on dissemination and/or provision. In many cases, the same information qualifies both as personal data and as information that constitutes a legally protected secret.

Personal data that falls under the category of legally protected secrets is subject to special regulations. The processing of such data is governed by specific legislation, which takes precedence over the provisions of the PDP Law.

Bank secrecy shall include information on:

  • accounts and deposits, including information on the existence of an account in a bank or non-bank financial institution;
  • its holder;
  • account numbers and other relevant account details;
  • the amount of funds in the accounts and deposits; and
  • details of specific transactions, including transactions conducted without opening an account, and transactions involving accounts, deposits, and property held in custody by the bank (as outlined in Part 1, Article 121 of the Banking Code).

This information is subject to strict legal protection and must not be disclosed. Access to such information shall be provided in accordance with the procedures prescribed by law and with the consent of the subject to whom the information relates. In certain cases, access to such information may be granted to third parties and audit organizations, but only to the extent necessary to perform an audit services contract.

A list of cases has been defined in which information constituting a banking secret may be provided without the consent of the data subject. In particular, the information shall be provided to:

  • courts in cases under their jurisdiction;
  • the National Bank of the Republic of Belarus;
  • special subdivisions on fighting corruption and organized crime of the internal affairs bodies;
  • the OAC;
  • the state security bodies of the Republic of Belarus; and
  • other organizations specified in Article 121 of the Banking Code.

There are administrative penalties, including a fine of up to 20 basic units (approx. $260), as well as criminal liabilities for the disclosure of legally protected secrets, including banking secrets. The criminal penalties may include fines, deprivation of the right to hold certain positions or engage in certain activities, arrest, restriction of freedom, or imprisonment for up to three years.

Financial reporting and money laundering

Several mandatory procedures in the financial sector involve the collection of large amounts of personal data. These procedures, such as Know Your Customer (KYC) and Anti-Money Laundering (AML), are stipulated by the Law on Measures to Prevent Money Laundering and the Resolution of the Board of the National Bank of the Republic of Belarus of December 24, 2014 No. 818 on Internal Control in Carrying out Banking Operations.

AML/KYC procedures, used to identify customers and verify customer information, are widespread in banking, insurance, and cryptocurrency- and token-related activities.

To carry out AML/KYC procedures, organizations process a large amount of data based on an explicit legal requirement without obtaining consent from the individuals whose data is being processed.

Furthermore, certain categories of organizations, such as banks, insurance companies, and crypto platform operators, are not held liable for submitting information containing personal data to the financial monitoring authority, as it does not violate banking or other legally protected secrets.

Enforcement

The legislation on personal data violations provides for various types of liability, including:

  • disciplinary liability - governed by Article 47 of the Labour Code of the Republic of Belarus of July 26, 1999 No. 296-Z;
  • administrative liability - governed by Article 23.7 of the Code of Administrative Offenses of the Republic of Belarus of January 6, 2021 No. 91-Z;
  • criminal liability - governed by Articles 203-1 and 203-2 of the Criminal Code of the Republic of Belarus of July 9, 1999 No. 275-Z; and
  • civil liability - provided for in paragraph 2 of Article 19 of the PDP Law, which includes compensation for moral damage, property damage, and losses suffered by the personal data subject.

It is worth noting that the practice of holding organizations accountable for personal data violations is just emerging in Belarus. In 2022, administrative liability proceedings were initiated against 10 organizations, with a maximum fine of 200 basic units (approx. $2,600).

Alena Potorskaya, Head of Personal Data Protection Direction
Yulia Burmistrova, Associate
REVERA law group, Minsk
