January 2023

1. Governing Texts

Currently, Belarus is not a party to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data ('Convention 108').

The Law of 7 May 2021 No. 99-Z on Personal Data Protection (only available in Russian here) ('the PDP Law') sets out general principles of processing (including collection, storage, use, distribution, transfer, and erasure) of personal data, provides for basic terminology in that field, defines the rights of data subjects as well as obligations of operators (similar to data controllers in General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR')) and their authorised persons (similar to data processors in the GDPR), including obligations on measures for the protection of personal data. The PDP Law came into force on 15 November 2021.

The PDP Law introduces a data protection authority that is supposed to control data processing activities - National Personal Data Protection Center ('NPDPC'), to take steps (including to provide clarifications) to ensure the right application of the provisions of the PDP Law.

It is recommended to regularly monitor new legislation and guidelines, because the NPDPC is active in developing its approach to different issues faced in practice and communicating its position in public.

Nevertheless, there are a number of legislative amendments of technical character expected to bring existing legislation in compliance with the provisions of the PDP Law. In particular, we expect amendments to the system of information relations currently established in the Law of 10 November 2008 No. 455-Z on Information, Informatization and Protection of Information (only available in Russian here) ('the Law on Information'). Below we have concentrated on the key provisions of the PDP Law with certain references to the currently effective Law on Information.

1.1. Key acts, regulations, directives, bills

• the Constitution of the Republic of Belarus of 1994 (only available in Russian here);
• the Law on Information;
• the PDP Law;
• the Code of Administrative Offenses of the Republic of Belarus of 6 January 2021 No. 91-Z (only available in Russian here) ('the Administrative Code');
• the Criminal Code of the Republic of Belarus of 9 July 1999 No. 275-Z (only available in Russian here) ('the Criminal Code').

By adopting the PDP Law, Belarusian legislation provides for more systemic regulation of data processing activities, including key principles and terminology, data subject's rights and operator's obligations.

In many aspects, the PDP Law follows the basic concept of the GDPR, including the main principles to ensure data privacy, however it is not as detailed, and mostly uses different terminology to the GDPR.

The Administrative Code stipulates sanctions for illegal collection, processing, storage, or transfer of personal data as well as for failure to comply with measures to ensure the protection of personal data.

In addition, the Criminal Code sets out penalties for illegal actions in relation to personal data and failure to comply with measures to ensure the protection of personal data. In order to be imposed, such crimes must cause substantial harm to rights and grave consequences.

1.2. Guidelines

Currently, the NPDPC has released several recommendations in certain spheres of personal data regulation. There are recommendations for:

• register of personal data processing (examples) (only available in Russian here);
• recommendations for drawing up a document defining the policy of the operator (authorised person) regarding the processing of personal data (only available in Russian here);
• recommendations on the processing of personal data in connection with labour (service) activities (only available in Russian here); and
• recommendations on the relationship of operators and authorised persons in the processing of personal data (only available in Russian here).

Additionally, NPDPC publishes its comments and guidelines in Q&A format on its official website.

1.3. Case law

In Belarus case law is not a source of law per se; we are not aware of this being established in practice. In addition, court proceedings in regard to protection of personal data have not been numerous yet, the practice is being developed currently after new regulations in the sphere came into force. Nonetheless, we see the possibility to bring the cases before Belarusian courts, since the PDP Law provides for, inter alia, compensation of moral damage caused by the violation of the data subject rights.

This concept is followed by the PDP Law which provides for the processing of personal data without data subject's consent within court proceedings. Nevertheless, the Code for Civil Procedure stipulates that the court proceedings may be conducted in a closed manner at the request of one or both parties.

2. Scope of Application

2.1. Personal scope

The PDP Law

The PDP Law provides for the following key roles of the parties involved in the collection, storage, use, distribution, transfer, and erasure of personal data and ensuring data protection measures:

• a data subject;
• an operator;
• an authorised person that processes personal data on behalf of and in the interest of the operator;
• a person appointed by the operator (or the operator's organisational unit) responsible for internal control of processing of the personal data; and
• a state body specifically authorised to regulate personal data protection relations (i.e. the Data Protection Authority).

2.2. Territorial scope

The PDP Law does not specifically address whether it has an extraterritorial effect, rather general rules of territorial scope of legal acts apply. The definition of the operator comprises 'other organisations' without clarification whether foreign organisations processing personal data of Belarusians are concerned.

According to the NPDPC, non-Belarusian company acting in Belarus via its representative office can be qualified as an operator in part of data processing activity of such representative office. At the same time, based on current approaches, the PDP Law should not apply to non-Belarusian companies having no corporate presence in Belarus (i.e. no extra-territorial effect similar to GDPR).

It can be expected that the NPDPC will clarify the issue during the enforcement cases in a more detailed way, and establish a unified approach in the future.

2.3. Material scope

According to the PDP Law, it covers the protection of personal data while processing of such data is accomplished with the use of:

• automated means (tools); or
• non-automated means (tools), if such means (tools) provide the possibility of search for personal data and (or) access to personal data with the help of certain criteria (card-indexes, lists, databases, logs, etc.).

Processing means any type of actions taken in relation to personal data including collection, systematisation, storage, modification, use, depersonalisation, blocking, distribution, provision, erasure of personal data.

The PDP Law will not apply to the processing of personal data that is:

• accomplished for the personal use, not relating to professional and entrepreneurial activity; or
• related to state secrets.

3. Data Protection Authority | Regulatory Authority 

3.1. Main regulator for data protection

The NPDPC functions as the data protection authority. The NPDPC's establishment has been formalised by the PDP Law and Regulation 'On National Personal Data Protection Center' approved by Presidential Edict of 28 October 2021 No. 422 (only available in Russian here).

At the same time, general governance in the sphere of information protection is performed by the President of the Republic of Belarus ('the President') and the Council of Ministers of the Republic of Belarus ('the Council of Ministers'). They lay down basic requirements, determine and ensure a unified state policy on data protection.

The Belarusian DPA is responsible for taking measures in order to ensure protection of data subjects' rights. It is declared as body acting independently based on the PDP Law and other legislation.

In general, the following state authorities are involved in regulating data and data protection issues:

• The Operational and Analytical Centre under the President of the Republic of Belarus ('OAC'); and
• The Ministry of Communications and Informatization of the Republic of Belarus ('the Ministry of Communications').

Compliance with the legislative requirements related to the protection of confidentiality on certain types of data is controlled by authorised state bodies, for example, the National Bank of the Republic of Belarus with respect to banking secrecy and the Ministry of Justice with respect to attorney-client privilege.

3.2. Main powers, duties and responsibilities

The PDP Law provides for the following duties of the DPA, inter alia:

• ensure processing of personal data in accordance with legal requirements;
• deal with data subjects' complaints;
• indicate a list of foreign states where data transfers can be carried out;
• issue permits for the cross-border transfer of personal data, if a foreign state is not in the list;
• provide clarifications on personal data issues; and
• publish annually a report on its activities.

The DPA is empowered to request and receive any relevant information concerning processing of personal data from state bodies, entities and individuals in order to check the lawfulness of processing.

4. Key Definitions

The PDP Law provides for the following key definitions concerning data protection.

Data controller: The PDP Law does not define 'data controller', but defines an 'operator' a state body, a legal entity of the Republic of Belarus, another organisation, an individual, including an individual entrepreneur, independently or jointly with other specified persons organising and (or) carrying out the processing of personal data.

Data processor: The PDP Law does not define 'data processor', but defines an 'authorised person' as state body, a legal entity of the Republic of Belarus, another organisation, an individual that, in accordance with an act of legislation, a state body decision or on the basis of an agreement with an operator, processes personal data on behalf of the operator or in the interests thereof.

Personal data: Any information relating to an identified natural person or natural person who can be identified.

Sensitive data: The PDP Law does not define 'sensitive data', but defines 'special personal data' as personal data related to race or nationality, political views, membership in trade unions, religious or other beliefs, health or sex life, administrative or criminal prosecution, as well as biometric and genetic personal data.

Health data: The PDP Law does not define 'health data', but defines 'genetic personal data' as information related to the inherited or acquired genetic characteristics of a person, which contains unique data about their physiology or health and can be identified, in particular, when examining their biological sample.

Biometric data: Information characterising the physiological and biological characteristics of an individual, which are used for their unique identification (fingerprints, palms, iris, characteristics of the face and its image, etc.).

Pseudonymisation: The PDP Law does not define 'pseudonymisation', but defines 'depersonalisation' as actions as a result of which it becomes impossible without the use of additional information to determine the ownership of personal data to a specific subject of personal data.

Processing of Personal Data: Any action or set of actions performed with personal data, including collection, systematisation, storage, modification, use, depersonalisation, blocking, distribution, transfer and erasure.

5. Legal Bases

The PDP Law provides for a specific list of legal bases for processing of personal data.

Generally, the processing of personal data is carried out on the basis of the data subject's consent. Exceptions to that rule are stipulated by the PDP Law and other legislative acts.

5.1. Consent

The consent of the data subject is a free, unambiguous, and informed expression of their will, through which the processing of their personal data is permitted.

The consent can be obtained in writing, in the form of an electronic document or in another electronic form (e.g. via email or SMS).

Prior to obtaining the consent, the operator is obliged to provide the data subject with information concerning the processing of personal data, that includes, inter alia:

• the operator's name;
• the purposes of processing;
• a list of personal data;
• the period of consent; and
• a list of actions in regard to personal data.

Further to this, the operator is obliged to clarify to the data subject in plain and simple language their rights and the consequences of giving consent or refusing to give it.

The burden of proving the data subject's consent lies upon the operator. The data subject has the right to revoke their consent at any time and without giving reasons.

Exceptions to consent

A number of exceptions where the processing of personal data does not require the data subject's consent is stipulated by the PDP Law. Such exceptions include, inter alia:

• an agreement concluded (being negotiated) with the data subject;
• protection of the data subject's life, health or other vital interests;
• indication of personal data in a document addressed to the operator and signed by the data subject;
• job relations;
• previously disseminated personal data until the data subject objects to processing thereof;
• administrative and (or) criminal proceedings, justice, execution of court orders;
• control (supervision) activity of state bodies;
• national security, fight against corruption, prevention of money-laundering;
• for scientific or other research purposes, subject to the mandatory pseudonymisation of personal data; and
• professional activities of a journalist or a media.

5.2. Contract with the data subject

Please see section on consent above.

5.3. Legal obligations

Please see section on consent above.

5.4. Interests of the data subject

Please see section on consent above.

5.5. Public interest

Please see section on consent above.

5.6. Legitimate interests of the data controller

Not applicable.

5.7. Legal bases in other instances

Please see section on consent above.

6. Principles

The principles of processing of personal data are formulated by the PDP Law as the general requirements for processing. Such requirements include:

• legality of the processing of personal data, based either on the data subject's consent or law;
• proportionality of the processing in regard to the stated purposes of processing and respect of data subjects interests;
• limitation of the processing of personal data by the specific legitimate purposes stated in advance;
• transparency of the processing of personal data, implying the provision of data subjects with the relevant information;
• accuracy of the personal data processed by the operator and, if necessary, actualisation of personal data; and
• limitation of the storage of personal data to the period required by the stated purposes of processing personal data.

7. Controller and Processor Obligations

7.1. Data processing notification

Generally, operators and their authorised persons are not required to notify the DPA of the processing of personal data. Nevertheless, the DPA is entitled to request and receive any information concerning the operators' and their authorised persons' compliance with data protection rules.

7.2. Data transfers

According to the general rule provided by the PDP Law, the cross-border transfer of personal data to countries not ensuring sufficient measures of personal data protection is prohibited. The list of respective countries is to be determined by the data protection authority.

The PDP Law provides for the exceptions, where transfers are allowed to the jurisdictions that are not in the list defined by the data protection authority. For example, such cases include the consent of the data subject with due notification on the relevant risks or a permit for cross-border transfer issued by the data protection authority.

On 26 December 2022, the NPDPC announced that Order No.114 On Changing the order of the Director of the National Centre for the Protection of Perosnal Data of the Republic of Belarus dated 15 November 2021 (only available to download in Russian here) ('Order No. 114') had been signed and amends Order No. 14 'On cross-border data transfers' (only available in Russian here). Order No. 114 provides that Member States of the Eurasian Economic Union ('EEU') should be added to the list of foreign countries that provide an adequate level of protection for the purposes of cross-border data transfers.

In addition, Order No. 114 outlines that data may still be transferred to countries not deemed to provide an adequate level of protection in the following circumstances:

• when the processing of personal data is necessary to fullfil obligations provided for by legislative acts; and
• when information regarding the activities of state bodies and organisations is uploaded onto the global internet by the State, or in cases where business entities provided that the Republic of Belarus, or an administrative-territorial unit, can determine the decisions made by these businesses.

Notably, Order No. 114 states that, for the aforementioned data transfers, operators do not need to submit a permit application to the NPDPC for the cross-border transfer of personal data.

In certain cases Belarusian legislation requires the collection and storage of personal data in Belarus. For example, Law of 17 July 2008 No. 427-Z on Mass Media (only available in Russian here) ('the Mass Media Law') obliges owners of websites used for disseminating mass information to collect and store certain identification data on users in Belarus if they can publicly post materials or comments on such website. Though, in our opinion, this obligation does not limit cross-border transfer and/or copying personal data to the servers located outside Belarus.

7.3. Data processing records

Belarusian law does not stipulate an obligation for operators and/or their authorised persons to maintain data processing records. However, there are certain obligations on the reporting of certain breaches of data protection systems.

7.4. Data protection impact assessment

The PDP Law does not explicitly require the impact assessment. However, certain requirements are formulated so that operator should take potential risks into account (e.g. for the purpose of implementation of protection measures while processing special personal data). In addition, the operator must inform the data subject as for the risks that may occur in connection with the transfer of personal data to the jurisdictions where measures of personal data protection are insufficient.

7.5. Data protection officer appointment

An organisation or other party processing information limited for distribution (includes, among other, personal data) in an information system is currently obliged to create an information protection system to secure information in the system. The information protection system should be certified according to the procedure established by the OAC. As a part of the creation of such a system, the party may be required to establish a special organisational unit (e.g department, division) / appoint a responsible official or involve an independent contractor licensed to perform related activities that will perform the technical work associated with the creation of such a system.

One of the mandatory measure under the Law on PDP to ensure personal data protection would be appointment of the department or person responsible for internal control over the processing of personal data by the operator (authorised person, a kind of analogue to a data protection officer ('DPO') under the GDPR). The PDP Law does not specify any requirements for such a unit/person. However, the NPDPC indicates that the authorised person shall be appointed with consideration of their knowledge of personal data regulation and practice of its application, as well as skills to perform their labour functions. Additionally, authorised persons of particular organisations are obliged to attend special trainings organised by the NPDPC.  

7.6. Data breach notification

The operator is obliged to inform the DPA of any breach of personal data protection systems immediately, but in any case not later than within three days. The notification to the NPDPC can be omitted if the breach did not result in:

• illegal distribution, provision of personal data; or
• amendment, blocking, or deletion of personal data with no options to restore the access.

Certain requirements on the notification of the OAC are set for specific cases of information protection system breaches or periodical reporting as required by Belarus law. The respective requirements are set forth in the Regulations on the procedure for submitting information about information security events, the state of technical and cryptographic protection of information to the OAC, as approved by the Order of the OAC of 2 February 2020 No. 66 On measures to implement the Edict of the President of the Republic of Belarus of 9 December 2019 No. 449 (only available in Russian here).

Moreover, notification requirements may be imposed in specific legislation regulating the processing of certain types of data. For example, in cases of unlawful disclosure, use, or another unlawful breach of confidentiality of trade secrets, the recipient of such information is obliged to notify without delay the owner of any such trade secrets.

7.7. Data retention

The PDP Law provides for the rule according to which the storage of personal data (in the form that allows to identify the data subject) must be limited to the period required by the stated purposes of processing personal data.

Currently, the specific terms for the obligatory storage of different types of data are regulated in general by the legislation on archiving and records management. For example, the terms for storage of different types of documents of the National Archives of the Republic of Belarus (including documents on the appointment of employees to job positions and their dismissal, correspondence on companies' administrative and operational issues, etc.) are provided by the List of Standard Documents of the National Archives of the Republic of Belarus, Generated in the Process of the Functioning of State Authorities, Other Organisations, and Individual Entrepreneurs Indicating Storage Periods, approved by Resolution of the Ministry of Justice of the Republic of Belarus No. 140 dated 24 May 2012 (only available in Russian here). Respective documents may contain limited/confidential information (e.g. personal data, trade secrets).

The PDP Law provides for a specific right for a personal data subject to request deletion of his/her personal data at any time without giving reasons or if the grounds cease to exist. For example, in case the term for which the data subject's consent for the processing of their personal data has expired.

7.8. Children's data

Belarusian law contains fragmentary regulation of children's data. In particular, according to the Mass Media Law it is prohibited to disseminate in the media, on internet resources, information on a minor who has suffered as a result of illegal actions without the consent of his legal representative.

According to the PDP Law, the general age at which a person may give consent for operations with their personal data is 16 years. If a person is under 16 years such consent should be given by their legal representative.

7.9. Special categories of personal data

The PDP Law provides for the processing of special personal data. The special personal data includes data concerning race or nationality, political views, membership in trade unions, religious or other beliefs, health or sex life, administrative or criminal prosecution, as well as biometric and genetic personal data.

The Law provides for the specific legal grounds for the processing of special personal data in case of absence of the data subject's consent, including making such data publicly available, job relations, medical assistance, administrating justice etc.

The PDP Law requires the impact assessment only in case of the processing of special personal data (sensitive data).

7.10. Controller and processor contracts

An operator may authorise another person or entity for the processing of personal data based on the agreement.

The agreement between the operator and the authorised person shall contain the following provisions:

• a list of actions in regard to personal data that could be performed by the authorised person;
• the purposes of the above actions;
• confidentiality obligations with respect to personal data; and
• measures to ensure the protection of personal data in accordance with the PDP Law.

Mandatory measures to ensure the protection of personal data are:

• legal measures, like publication of documents defining the policy of the operator (authorised person) regarding the processing of personal data;
• organisational measures, like appointment of a structural unit or a person responsible for the control over the processing of personal data; familiarisation of employees and other persons directly engaged in the processing of personal data with the provisions of the legislation on personal data, including the requirements for the personal data documents of the operator (authorised person) as well as training of these employees and other persons; establishing the procedure for accessing personal data; and
• technical measures, like implementation of technical and cryptographic protection of personal data.

Notwithstanding the terms of the agreement, the operator (but not the authorised person) is obliged to obtain the consent of the data subject for actions to their personal data.

The Law on Information at the time determines that the owner and user of information may conclude an agreement providing for the conditions of usage of the information as a measure of information protection. Such an agreement should contain provisions regarding the liability of the parties for violation of respective conditions.

For now the Law on Information provides for the classification of data protection measures that should be taken with respect to such information. These measures include:

• legal measures, including the conclusion of agreements between the owner and user of the information containing conditions of data usage; such agreements should contain provisions on liability of parties to the agreement for breach of the conditions of data usage;
• organisational measures, including establishing a special access regime to premises used for collection and processing of data, and differentiation of access levels to such information; and
• technical measures, including the usage of cryptography and technical means of information protection and control.

8. Data Subject Rights

8.1. Right to be informed

The operator involved in the processing of personal data shall give clarifications to the data subject regarding their rights related to the processing of their personal data prior to consent collection. Prior to obtaining the consent, the operator is obliged to provide the data subject with information concerning the processing of personal data, that includes, inter alia:

• the operator's name;
• the purposes of processing;
• a list of personal data;
• the period of consent; and
• a list of actions in regard to personal data.

Further to this, the operator is obliged to clarify to the data subject in plain and simple language their rights and the consequences of giving consent or refusing to give it.

The operator shall also provide certain information following the data subject's request (as described in the section right to access below).

8.2. Right to access

Data subjects are entitled to receive information on the processing of their personal data as well as the information on the transfer of the data to third parties, including:

• name of the operator;
• confirmation of the fact of data processing;
• description of personal data and the sources of data;
• legal grounds and the purposes for the data processing;
• period for the data subject's consent; and
• information on the authorised person.

Information on the transfer of personal data to third parties can be obtained from the operator by the data subject free of charge once in a year.

8.3. Right to rectification

Under the PDP Law, an operator involved in the processing of personal data shall fulfil the request of data subjects to amend (update) their personal data, if such data are incomplete, obsolete, or inaccurate.

8.4. Right to erasure

A data subject has the right the erasure of such data at any time without giving reasons in case of absence of lawful grounds (including data subject's consent) for the processing of personal data.

8.5. Right to object/opt-out

Under the PDP Law, a data subject may:

• withdraw their consent for the processing of personal data; and
• require the termination of the processing of personal data at any time without giving reasons if there are no legal grounds for the processing.

In that case the operator is obliged to erase or, if erasure is not possible, to block the personal data as well as to ensure that the data is no longer processed by the authorised person.

8.6. Right to data portability

Belarusian legislation does not provide for the right to data portability.

8.7. Right not to be subject to automated decision-making

Current legislation does not establish the right not to be subject to automated decision-making. The automated decision-making is not yet widely regulated in Belarus, even though the banking regulations contain certain provisions in regard to the scoring of creditworthiness.

8.8. Other rights

The PDP Law provides for the right of the data subject to claim compensation for damage, including moral damage, caused by the violation of their rights stipulated by that Law. Compensation for moral damage is not dependent on real damage and losses faced (or not) by the data subject.

Data subject can also appeal against the actions (including omissions) and decisions of the operator or the authorised party to the Data Protection Authority.

The Law on Information at the moment provides that the information owner is entitled to:

• prohibit or suspend the processing of information and/or its usage in case of non-compliance with the data protection requirements;
• apply to state authorities to assess the adequacy of its data protection measures, as well as for related consultations;
• use, distribute, and provide the information it owns;
• permit and restrict access to the information, and determine conditions for such access;
• claim to be identified as the source of the information if it becomes publicly available under the data owner's decision;
• determine the conditions for processing and usage of information in information systems and networks;
• provide the rights to use information according to legislation or agreement;
• protect its rights in the case of unlawful access or usage of the information by third parties; and
• take data protection measures.

The rights described above are general in nature, and, for the most part, have not been supplemented by specific and concrete legal requirements on data protection and processing depending on the type of information processed. For example, under the Law on Information an individual currently has no explicit right to request the deletion of their personal data. However, individuals may approach the controlling authority to alert it of any wrongdoing if their personal data has been unlawfully obtained and used.

9. Penalties

Criminal liability

Criminal sanctions in Belarus for the disclosure of specific types of information (e.g. information for limited distribution, which, inter alia, includes personal data) could be imposed only on a natural person and in cases provided by the Criminal Code of the Republic of Belarus.

The Criminal Code contains sanctions for various violations related to the disclosure of certain types of limited/confidential information, for example:

• for intentional disclosure of adoption secrecy, a person could be sentenced to community works, criminal fine (as a general rule, the amount of criminal fine is 30 - 1,000 base units, which is approximately BYN 960 to BYN 32,000 (approx. €360 to €12,030 ) the exact amount of basic unit is established by resolutions of Council of Ministers). As of June 2022, one base unit equals approximately BYN 32 (approx. €12), or corrective works for up to one year;
• for the intentional disclosure of medical secrecy (depending on certain circumstances), a person could be sentenced to a criminal fine, the deprivation of the right to occupy certain job positions, arrest, or the restriction or deprivation of their liberty for up to three years;
• for the unlawful collection or provision of information relating to the private life and (or) personal data of another person without their consent (depending on the circumstances like volume on grave), a person could be sentenced to community work, a criminal fine, arrest, or the restriction or deprivation of liberty for up to two years. For the unlawful distribution – restriction or deprivation of liberty for up to three years with the criminal fine. Higher liability may apply if offence relates to the victims performing public functions;
• for the failure to comply with measures to ensure the protection of personal data by a person who processes personal data, which has inadvertently resulted in their dissemination and causing serious consequences a person could be sentenced to a criminal fine, deprivation of the right to occupy certain job positions or perform certain activities, corrective work for up to one year, arrest, or the restriction of liberty for up to two years or deprivation of liberty for up to one year;
• for the intentional unlawful violation of privacy of correspondence, phone, postal, telegraph, and other communications (depending on the circumstances), a person could be sentenced to community work, a criminal fine, corrective work for up to one year, arrest, deprivation of the right to occupy certain job positions, or deprivation of their liberty for up to two years; and
• for the intentional unlawful disclosure of trade secrets or banking secrecy without the consent of the owner of such information (depending on certain circumstances), a person, who obtained this information in connection with their professional activities, could be sentenced to a criminal fine, the deprivation of the right to occupy certain job positions, arrest, or the restriction or deprivation of their liberty for a term of up to three years; criminal responsibility is imposed if the person performed the violation intentionally, and the respective violation has resulted in significant damage.

The Criminal Code also provides for criminal sanctions for unlawful actions associated with a breach of security of technological (computer) systems and not connected with the disclosure of confidential information, for example:

• unauthorised access to information stored in a computer system, network accompanied by a violation of the data protection system;
• unlawful modification of information stored in a computer system or network;
• unlawful destruction or blocking of computer information; and
• unlawful obtainment of computer information.

Administrative liability

The Administrative Code is in a way similar to the Criminal Code as it establishes sanctions for the unlawful disclosure of certain types of confidential information, as well as for unlawful actions associated with a breach of computer systems or unlawful usage of systems intended for data processing. At the same time, administrative offences are relatively minor compared to criminal ones. Respectively, administrative sanctions are less severe.

The examples of unlawful actions associated with disclosure of limited/confidential information prohibited by the Administrative Code include:

• the intentional disclosure of commercial or other protected by laws secrecy or intentional unlawful (including without consent of the owner of such data) disclosure of personal data by the person, who became familiar with this information in connection with their professional activity (if such disclosure does not fall under criminal sanctions); for this violation the infringer could be fined an amount between 4 to 20 base units, which is approximately BYN 128 to BYN 640 (approx. €41 to €241);
• the unlawful usage or disclosure of the information included in the register of securities owners, or information regarding results of financial and economic activities of securities' issuers, for which the infringer could be fined an amount between 4 to 20 base units, which is approximately BYN 128 to BYN 640 (approx. €41 to €241); and
• the unlawful disclosure of service information, loss of the documents or computer data containing such information through negligence, for which the infringer could be fined an amount between 4 and 20 base units, which is approximately BYN 128 to BYN 640 (approx. €41 to €241).

In addition, Administrative Offences Code, stipulates specific sanctions for personal data processing violations, including, inter alia:

• intentional illegal collection, processing, storage or transfer of personal data of an individual or violation of their rights related to the processing of personal data may cause a fine up to 50 base units, which is approximately BYN 1,600 (approx. €602); intentional distribution up to 200 base units, which is approximately BYN 6,400 (approx. €2,406);
• non-compliance with requirements on data protection measures implementation may cause a fine ranging from 20 to 50 base units for legal entities, which is approximately BYN 640 to 1,600 (approx. €241 to €602).

As to the examples of violations associated with a breach of computer systems or unlawful usage of systems intended for data processing, for example, unauthorised access to computer information stored in a computer system or network.

Civil liability

As a general rule, civil liability in the form of monetary compensation of damages is imposed only in cases explicitly provided by law. For example, in the case of unlawful disclosure of trade secrets.

The PDP Law establishes the compensation of moral (non-pecuniary) damage to the data subject, in cases where such damage is caused by a violation of their rights with respect to personal data.

9.1 Enforcement decisions

Currently, enforcement practice are being developed. There have been several cases concerning personal data protection. In particular, administrative fines have already been imposed on individuals for violation of personal data regulation, including illegal distribution of personal data in social media and violation of the personal data processing order by official. Criminal cases related to personal data processing have been also initiated in Belarus. Several companies from recruitment, financial, telecommunications, and e-commerce industries have been added to the list of scheduled state audits by the regulator for 2022. At the same time, there are examples of data breach incident's becoming a trigger for NPDPC to take measures within its competence.

Further to this, there are cases prior to the adoption of the PDP Law that dealt with privacy issues. For example, a decision of the district court of 11 August 2017 on the claim for the compensation of moral damages confirmed that information about a person's private life contained in the court decision does not constitute a personal and family secrecy, as they were the subject of judicial assessment in the open court proceedings. The references were made on the general civil legislation rather than special requirements to the personal data processing.

For now it is expected that the NPDPC will probably clarify interpretation of requirements and enforcement approach following a number of complaint-based and scheduled inspections of compliance with the PDP Law performed during 2022. Notably, the NPDPC has no powers to impose fines as they were granted to the internal affairs bodies and courts.