Data Protection and Employee Privacy in Belarus
1) What laws in Belarus regulate the protection of employee personal data, and how do they compare to international standards?
In Belarus, the protection of employees' personal data is governed by the following legislation:
1. The Law of May 7, 2021 No. 99-Z “On personal data protection” (PDP Law).
2. The Edict of the President of the Republic of Belarus of October 28, 2021 No. 422 “On measures for improving personal data protection”.
3. The Order of the Operational and Analytical Center under the President of the Republic of Belarus of February, 20, 2020 No. 66 "On Measures to Implement the Edict of the President of the Republic of Belarus of December 9, 2019 No. 449".
4. The Order of the Operational and Analytical Center under the President of the Republic of Belarus of November, 12, 2021 No. 194 "On education on the personal data protection issues".
5. The Order of the Operational and Analytical Center under the President of the Republic of Belarus of June, 1, 2022 No. 94 "On the state information resource "The Register of personal data operators".
Additionally, the National Personal Data Protection Center of the Republic of Belarus drafted the Recommendations on personal data processing related to labour activities.
The General Data Protection Regulation (GDPR) served as the basis for the PDP Law. However, processing that is necessary for the purposes of legitimate interests, for example, may not be used as a legal basis for personal data processing.
When transferring personal data across borders, the criterion of an "adequate level of protection of data subjects' rights" is used in the PDP Law. This includes countries that are parties to the Council of Europe's Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, as well as the EAEU member states.
2) What types of employee personal data are typically protected under labor laws?
Belarusian labour legislation does not specify the exact types of personal data that must be processed in employment.
However, in practice, employers typically handle the following employee personal data during the hiring process:
- full name (surname, first name, and patronymic);
- identification number;
- passport number;
- registered address and/or residential address;
- military service status and military registration details (for men);
- work experience (previous employers and job titles);
- educational background;
- medical information;
- criminal record information and personalised account number;
- details from the job placement.
Processing any additional personal data beyond these would be deemed excessive including when preparing consent for data processing is needed.
3) How to ensure compliance with personal data protection legislation when transferring employee personal data to third parties (e.g., contractors, partners)?
If an employer delegates the processing of employees' personal data to third parties, it is necessary to sign the contract (for example, for HR or accounting services). This contract between the employer and the third-party organisation must include the information stipulated by Article 7 of the PDP Law. For example, the purposes for which the personal data will be processed; obligations to maintain the confidentiality of the personal data; a detailed list of actions the third party will perform with the personal data.
If the employer transfers personal data to other third parties (e.g., contractors), there are no specific legal requirements for the contract concerning the handling of personal data.
4) In what form is consent obtained for the processing of employees' personal data?
Consent for personal data processing may be given in any form that allows confirmation of its receipt from the employee. It can be obtained in writing, as an electronic document, or in another electronic form (e.g., by filling in data in the software's personal account and checking a checkbox). It is necessary to obtain separate consent for each purpose of data processing.
5) What personal data of employees may not be requested and processed by the employer?
There is no list of employees’ personal data which may not be requested and processed by the employer. However, data protection legislation upholds a core principle for processing any individual's personal data, including that of employees: the data must be proportionate to the purposes stated by the employer, ensuring a fair balance between the interests of the employee and the employer throughout the processing.
6) What are the consequences of violating employee data protection laws?
A breach of data protection legislation can lead to liability for the employer, including the company itself, its management, and any individuals responsible for handling personal data, including employees involved in data processing. The legislation outlines various forms of liability:
- Disciplinary Liability. This may include dismissal for violating procedures related to the collection, organisation, storage, modification, use, anonymisation, blocking, distribution, provision, or deletion of personal data (Clause 10 Part 1 of Article 47 of the Labour Code of the Republic of Belarus);
- Civil Liability. Employers may be required to compensate employees for moral damages resulting from unlawful processing of their personal data;
- Administrative Liability. Under Articles 23.7 and 24.11 of the Code of Administrative Offences of the Republic of Belarus, fines ranging from 45 euros to 1,130 euros may be imposed;
- Criminal Liability. Under Articles 203-1 and 203-2 of the Criminal Code of the Republic of Belarus, penalties can include fines, arrest, restriction of freedom, or imprisonment for up to 5 years. Such crimes include, for example, failure to implement data protection measures that leads to unauthorized dissemination of personal data and other severe consequences; and deliberate illegal collection of personal data without consent, causing significant harm to an individual’s rights and interests.
Authors: Anton Mazol, Polina Sachava
