Legal company «Гравис»

Legal Services

Personal Data: Protection, Responsibility, and Common Mistakes

In the era of digital technologies, personal data (PD) has become critically important, which creates the need for its reliable protection. Protecting PD is not only a matter of formal compliance with the law but also an investment in reputation, client trust, and business sustainability. At a time when data breaches have become common, clients particularly value companies that reliably protect their PD.

What Regulates Personal Data Protection in the Republic of Belarus?

The main legal acts regulating PD protection are:

  • The Constitution of the Republic of Belarus
  • The Law of the Republic of Belarus dated May 7, 2021, "On Personal Data Protection" (the Law on Personal Data Protection), which entered into force on November 15, 2021, introducing significant changes in this area of law.
  • The Decree of the President of the Republic of Belarus No. 422 of October 28, 2021, "On Measures for Improving Personal Data Protection."
  • The Law of the Republic of Belarus dated November 10, 2008, No. 455-З "On Information, Informatization, and Information Protection."
  • The Labor Code of the Republic of Belarus (Article 47).

What is Personal Data and What Does It Include?

Personal data (PD) refers to any information related to an identified or identifiable natural person (Clause 9, Article 1 of the Law on Personal Data Protection).

What does it mean?

This means that any information that can directly or indirectly identify a specific individual is considered personal data.

    Examples of information that may be considered PD include:

  • Full name
  • Date and place of birth
  • Passport details
  • Contact details (phone, e-mail, address, etc.)
  • Photos/videos
  • Information about family status, education, job position
  • Health status, racial or ethnic background, political views, phone number, IP address, cookies, browsing history, search queries, purchase data, subscriptions, memberships in organizations, bonus cards, bank accounts and transactions, etc.
  • Other data that allows identifying a person.

    Examples of PD:

  • Ivanov Ivan Ivanovich
  • Ivanov I.I., 01.01.1996
  • Passport MP1111111
  • IvanovII@mail.ru

It is important to note:

Even if the information alone does not identify a person, it may still be considered PD if, in combination with other information, it can identify an individual.

Therefore, there is no universal list defining which information should be considered PD. The question of whether certain information constitutes PD requires an individualized approach and careful analysis of each specific case.

What to Consider When Processing Personal Data?

Compliance with the PD protection law requires a comprehensive approach, including organizational, technical, and legal measures.
The following steps should be taken by businesses:

  • Define the purpose of processing personal data.

    Clearly define the purposes for which you collect and use PD. The purposes must be lawful, specific, and clearly stated in advance. Collect only the PD necessary for achieving the stated goals, as the processed PD must not exceed what is required for those purposes.

  • Obtain consent from the PD subject.

    In most cases, consent from the PD subject is required. The consent must be freely given, unambiguous, and informed. It should be provided in writing, electronically, or in any other form that allows confirming its receipt. Ensure the consent form complies with the legal requirements.

  • Appoint a person responsible for internal control of PD processing.

    The operator must designate a person responsible for overseeing the internal control of PD processing.

  • Train employees.

    All employees with access to PD should be trained on the rules for processing PD.

  • Store PD only for as long as necessary to achieve processing goals.

    The retention period must not exceed what is necessary for achieving the stated purposes.

  • Develop and implement the necessary PD processing documents.

What documents need to be developed?

To comply with the legislation of the Republic of Belarus on PD protection, the organization must develop and implement a set of documents:

  • Order on the appointment of a person responsible for internal control of PD processing
  • PD processing policies (for clients, contractors, website visitors, cookies)
  • PD processing register
  • List of authorized persons processing PD
  • Consent form for PD processing
  • Internal control procedure for PD processing
  • Job description of the person responsible for internal control of PD processing
  • Training regulations for employees with access to PD
  • Consent withdrawal form
  • PD subject’s rights application form
  • List of information resources (systems) containing PD and categories of PD to be included
  • PD access procedure, including for PD processed in information resources
  • PD destruction procedure

This is not an exhaustive list of the documents that must be developed and implemented in the company.

It is important to note that relying on universal templates is not recommended. PD processing document development requires an individualized approach, and each organization must create a document package reflecting its specific activities.

What Are the Consequences of Non-Compliance with Personal Data Protection Legislation?

Failure to comply with PD protection laws can lead to administrative, criminal, and civil liability.

  • Administrative liability:

    Violation of PD protection legislation may result in a fine for the legal entity of up to 200 basic units.

  • Criminal liability:

    Illegal collection, storage, or distribution of PD may result in criminal liability, including imprisonment for up to five years.

  • Civil liability:

    The PD subject may seek compensation for moral damage in case of rights violation.

Therefore, compliance with PD legislation is not only an obligation but also a means of protecting the business from fines and reputational risks. To avoid violations, it is crucial to properly establish PD processing procedures.

The cost of services for developing and implementing a PD protection document package is calculated individually, based on the complexity and scope of the work involved.