On November 15, 2021, Law No. 99-З dated 07.05.2021 "On the Protection of Personal Data" came into force. The law defined the concept of personal data, methods of processing and storing personal data. Also, a new organization has appeared that is engaged in conducting inspections, as well as the further development of legislation on personal data - the national center for the protection of personal data.
According to the Law “On the Protection of Personal Data” (hereinafter referred to as the Law), personal data means any information that relates to an identified natural person or an individual who can be identified. That is, personal data can include any information about a person. Prior to the adoption of the Law, there were three categories of information related to personal data: basic data, additional data, and other data.
After the entry into force of the Law, special categories of personal data appeared: special personal data and genetic personal data. Special personal data includes data on race or nationality, political views, membership in trade unions, religious or other beliefs, health or sexual life, administrative or criminal liability, physiological and biological characteristics of a person (fingerprints fingers, palms, iris, characteristics of the face and its image, etc.), which are used for its unique identification (biometric personal data). Genetic personal data, in turn, includes inherited or acquired genetic characteristics of a person, which contain unique data about his physiology or health.
If an organization or an individual entrepreneur in their activities fill out questionnaires and / or conduct surveys; collect information on the company's website about users using cookies, perform operations with any data about any person in the course of any activity - the conditions of the Law on Personal Data must be observed.
Before proceeding with the processing of personal data, it is necessary to obtain the consent of the person to the processing of his personal data. Consent must be a free, unequivocal expression of consent to the processing of personal data. Consent may be obtained in writing, in the form of an electronic document or in other electronic form. Consent to the processing of personal data can be withdrawn. To do this, an individual can write a statement or express his disagreement with the processing of his personal data in the form in which the consent was received.
But, there are cases when obtaining consent to the processing of personal data is not required. So, if special personal data is made public by the person himself (for example, placing a personal phone number on the windshield of a car), if personal data is collected during employment, if the collection of personal data is aimed at implementing the norms of legislation in the field of national security, combating corruption and in other cases provided for by the Law.
In addition, an individual may receive information about the provision of his personal data to third parties free of charge once a calendar year, with the exception of cases that may be provided for in other regulatory legal acts. The Law also approves such definitions as an operator and an authorized person. An operator is a person who organizes and/or performs the processing of personal data, and an authorized person is a person who processes personal data on behalf of the operator or in his interests.
The operator can be:
- government agency;
- legal entity of the Republic of Belarus;
- other organization;
- an individual, including an individual entrepreneur.
Thus, the operator can be any person who processes personal data in connection with professional or business activities..
In order to comply with the Law on the Protection of Personal Data, organizations or individual entrepreneurs who are operators must:
- appoint a person responsible for internal control over the processing of personal data, as well as determine the list of persons who have access to the processing of personal data;
- prepare information about all personal data of individuals processed by the organization. Determine the purpose of each processing, the appropriate legal basis for each processing (consent, employment relationship, contract, processing of public data, legal requirements, etc.);
- develop an organization's policy regarding the processing of personal data and related documents necessary to systematize processes;
- develop forms of documents and other LPAs related to the implementation of legal requirements regarding the processing of personal data;
- familiarize employees and other persons directly involved in the processing of personal data with the provisions of the legislation on personal data, including the requirements for the protection of personal data, documents defining the policy regarding the processing of personal data;
- conduct training with employees on working with personal data;
- obtain the consent of the subjects of personal data for their processing, except as otherwise provided by law;
- train responsible persons;
- draw up a contract of instruction for the processing of personal data with authorized persons (if necessary);
- carry out technical and cryptographic protection of personal data.
Control over the implementation of the Law on the Protection of Personal Data is carried out by the National Center for the Protection of Personal Data.
The National Center for Personal Data Protection performs the following functions:
- exercises control over the processing of personal data by operators (authorized persons) and considers complaints from personal data subjects regarding the processing of personal data;
- determines the list of foreign states on the territory of which an appropriate level of protection of the rights of personal data subjects is ensured and issues permits for cross-border transfer of personal data, if an adequate level of protection of the rights of personal data subjects is not provided on the territory of a foreign state, and also determines the procedure for issuing such permits
- establishes a classification of information resources (systems) containing personal data in order to determine the requirements for technical and cryptographic protection of personal data;
- makes proposals on improving the legislation on personal data, participates in the preparation of draft acts of legislation on personal data, and also provides clarifications on the application of legislation on personal data, conducts other explanatory work on legislation on personal data;
- participates in the work of international organizations on the protection of personal data and cooperates with bodies (organizations) for the protection of the rights of subjects of personal data in foreign countries;
- trains persons responsible for the processing and storage of personal data; and also implements educational programs of additional education for adults in accordance with the legislation on education;
- exercises other powers provided by the legislation on personal data.
You also need to know that in case of violation of legislation in the field of personal data protection, there are administrative and criminal liability. If you need assistance in preparing documents to comply with the requirements of the Law on Personal Data, you can always contact ProYuristBy law firm. We will gladly help you!
