In Belarus, as in many other countries, personal data is regulated by legislation that protects the rights of citizens to their privacy and information security.
Personal data in Belarus is any information related to an individual that can be used to identify him. This can be a name, address, phone number, passport data, information about the place of work and much more.
The legislation of Belarus obliges companies and government agencies to ensure the protection of personal data of citizens. For example, according to the Law on Personal Data, the processing of personal data is allowed, as a general rule, only with the consent of the data subject or if there are legitimate grounds for this.
Citizens have the right to access their personal data, to correct, block or destroy it in case of misuse. Also, government agencies and organizations are required to inform citizens about the processing of their personal data and obtain their consent to this processing.
Violation of the legislation on personal data in Belarus can result in serious fines and even criminal liability for organizations and officials.
Thus, in Belarus, personal data is protected by the state, and citizens have the right to confidentiality and security of their personal information.
In order to prevent violations of the legislation on personal data, it is necessary to conduct a timely audit of documents related to the protection of personal data in the company. This may require the help of an experienced personal data specialist.
Processing of personal data
The processing of personal data includes actions that the company performs with personal data. Including:
- Collecting;
- Systematization;
- Keeping;
- Change;
- Using;
- Depersonalization;
- Blocking;
- Distribution;
- Provision;
- Deletion of personal data.
Personal data is processed by companies and individual entrepreneurs — personal data operators. Operators can combine with each other to process personal data.
Principles of personal data processing
1. Proportionality of the processing of personal data to the stated purposes of processing
Personal data must be processed in accordance with the purposes of their processing, which are stated by the operator. An example of excessive processing of personal data by an online store may be the collection of information that is not required to deliver goods to customers.
For example, a store requests from customers not only basic information necessary to place and contact an order, such as name, address and phone number, but also data such as religious affiliation, political views or personal life information that is not directly related to the purposes of delivery of goods for which the store collects personal data.
Such excessive processing of personal data violates the principle of proportionality of personal data processing to the purposes of processing, provided for by the legislation on personal data protection, and jeopardizes the confidentiality and security of customer information.
2. Processing of personal data with the consent of an individual — the subject of personal data
As a general rule, the operator must obtain the consent of an individual to process his personal data. In the consent, it is necessary to specify the goals for which the operator is going to process personal data.
A number of exceptions, when a company does not need to obtain the consent of an individual, are prescribed in the legislation. For example, consent does not need to be obtained in the following cases:
- When a company is required to collect personal data by law.
- When maintaining personalized accounting.
- When registering an employment relationship with an individual.
- To fulfill a contract that is concluded with an individual.
3. The processing of personal data is limited to achieving the purposes of processing
When processing personal data in accordance with consent (when the consent of an individual is required) or legislation (when personal data is processed without consent), the purposes for which personal data is processed are determined. Personal data may not be processed for purposes that are not specified in consent or legislation.
The purpose of personal data processing must be legitimate, specific (and not general and abstract) and stated in advance (before the start of personal data processing).
Examples of personal data processing purposes include:
- “Processing of a job candidate’s resume”
- “Processing in the course of work”
- “Conclusion, execution, modification and termination of a specific contract” and others.
If it is necessary to change the initially stated purposes of personal data processing, companies need to obtain a new consent from an individual to process personal data.
4. Compliance of the content and volume of personal data with the purposes of processing
The personal data processed should not be superfluous. You cannot collect personal data that does not affect the achievement of the purpose for which personal data is collected. For example, when ordering goods for pickup, the online store does not need to collect personal data about the customer’s home address.
5. Transparency of personal data processing
This means that the personal data subject must be provided with complete information related to the processing of his personal data. Usually, the operator issues a written consent form or consent in electronic form.
Before obtaining consent, an individual must be informed:
- About the purposes for which his personal data will be processed.
- About the list of personal data that will be processed with the consent of an individual.
- About the Personal Data Processing Policy that each operator should have.
- About the period for which an individual consents to the processing of personal data.
- About the actions that the operator will perform with his personal data.
It is also necessary to provide other information related to the processing of personal data, for example, data on the partners of the personal data operator who supply goods.
An individual also needs to explain his rights related to the processing of personal data, how to exercise these rights, as well as the consequences of his consent to the processing of personal data or refusal of consent.
All this information can be included in the text of an individual’s consent to the processing of his personal data.
6. The operator must take measures to ensure the reliability of the processed data and update them if necessary
At the request of the personal data subject, whose personal data has changed, the operator must make changes to his documents or provide the client with the opportunity to independently make changes to his personal data and delete them.
7. The operator must store personal data no longer than the purposes of their processing require
The Operator must store personal data in a form that will allow the identification of the individual who identifies this personal data.
As a rule, the terms of storage of personal data are prescribed in the Personal Data Processing Policy.
8. The operator must appoint a department or employee who will control the processing of personal data
The appointment of a person or department responsible for internal control over the processing of personal data is one of the requirements of the legislation on personal data in Belarus. Such responsibilities can be assigned to an employee or employees who already work in the company. One of the requirements for such an employee is higher education and knowledge in the field of personal data.
In order to organize the work on the processing and protection of personal data in the company, it is necessary to develop and keep up to date a number of documents. Our personal data specialists audit the documentation of personal data and develop the necessary documentation and software solutions.
How to contact us
For more information or advice, do not hesitate to contact us. We are here to help and support you.
Phone and e-mail communication options are available for your convenience:
- +375293664477 (WhatsApp/Telegram/Viber);
- info@spex.by.