Foreign Websites and Belarusian Users: When Does Data Protection Law Apply?

larus No. 99-Z of May 7, 2021 “On Personal Data Protection” (hereinafter – the Data Protection Law) apply to them if their resource targets an international audience and Belarusians happen to visit it? The answer isn’t always obvious. Belarusian legislation, like GDPR in Europe, has an extraterritorial effect. This means a company may have to follow local rules even if it has no office or representation in Belarus .

What does extraterritoriality mean in the context of Personal Data?

Extraterritoriality means that national legislation applies to relationships involving foreign parties occurring outside the state’s territory. When it comes to personal data, this means the law can regulate a foreign company’s activities if it interacts with Belarusian citizens’ data.

The Data Protection Law establishes that its provisions apply to personal data processing carried out:

• within the territory of the Republic of Belarus
• outside Belarus, if the processing involves actions aimed at using data processing facilities located in Belarus, or relates to providing goods (work, services) to Belarusian citizens, or offering them goods (work, services) 

In other words, the key criterion is whether activities are targeted at the Belarusian market or Belarusian users.

When does a foreign website fall under Belarusian Law?

Several situations require a foreign website to comply with the Data Protection Law.

Intentional targeting of Belarusian users

A website clearly targets Belarus if:

• it uses the national .by domain
• content is fully or partially in Belarusian or Russian, AND the site advertises in Belarus or offers goods/services with payment in Belarusian rubles
• contact details for Belarus are listed, or there’s geotargeting toward Belarusian audiences 

In such cases, processing Belarusian users’ personal data (e.g., collecting emails for newsletters, cookies, filling out feedback forms) falls under the Data Protection Law.

No targeting but Belarusian users exist

If a site is international with no specific focus on Belarus but Belarusians use it, the obligation to comply doesn't always arise. However, if the site collects data for commercial purposes (like an online store delivering goods to Belarus), the operator must consider Belarusian law regarding Belarusian customers’ data.

Using data processing facilities in Belarus

If server equipment or other means for processing personal data (like a data center) are physically located in Belarus, even a foreign website owner must comply with the Data Protection Law.

Important: The law doesn’t require a foreign company to be physically present in Belarus. The mere fact of processing Belarusians’ data is sufficient.

What obligations does a foreign operator have?

If a foreign website falls under Belarusian law, it must meet the same requirements as local companies.

Core Operator Obligations:

1. Appoint someone responsible for personal data processing.This can be an employee or a contracted person.
2. Publish a public personal data processing policy.The document must be accessible on the site and clearly describe what data is collected, why, and how it’s processed.
3. Obtain consent for personal data processing.Consent must be specific, informed, and unambiguous. No “silent consent” or pre-checked boxes. Consent can be in writing or electronic form.
4. Notify the authorized body about intent to process personal data.Foreign operators must notify the National Center for Personal Data Protection of the Republic of Belarus (hereinafter – NCPDP) before processing begins. Exceptions include processing without automation (e.g., only on paper) or data processed solely for border crossing purposes.
5. Ensure data subjects’ rights are respected.Belarusian users can request clarification, blocking, or deletion of their data, and receive information about its processing. Operators must respond within a reasonable time (usually 5–15 days, depending on complexity).
6. Take measures to protect personal datafrom unauthorized access, destruction, alteration, copying, and distribution.

What penalties apply for violations?

Liability for violating personal data legislation falls under Article 23.7 of the Code of the Republic of Belarus on Administrative Offenses (hereinafter – CAO). Even foreign companies can face penalties if violations affect Belarusian citizens’ rights.

Additionally, data subjects can seek moral damages compensation through court.

The NCPDP actively monitors online resources for violations. There are known cases where the center sent demands to remedy violations to website owners registered abroad.

Comparison with other jurisdictions

A similar extraterritoriality principle exists in GDPR (General Data Protection Regulation in the European Union). It applies to companies outside the EU if they offer goods or services to EU residents or monitor their behavior.

Russia also applies extraterritoriality. Federal Law No. 152-FZ “On Personal Data” requires operators processing Russian citizens’ data to ensure recording, systematization, accumulation, storage, updating, and retrieval using databases located in Russia (the so-called data localization law). The requirement to register as an operator also applies to foreign companies.

Belarus’s approach is closer to the European model: no strict data localization requirement, but clear obligations to notify the NCPDP and respect data subjects’ rights. This makes it more flexible for international business, but no less mandatory.

Practical recommendations for foreign website owners

Conduct an audit

Determine whether your site falls under Belarusian law. Assess whether you collect Belarusian users’ data and whether your activities show targeting of Belarus.

If the Law applies, fulfill requirements:

• Submit a notification to the NCPDP via center.gov.by. The notification must include information about the operator, processing purposes, data categories, and legal basis.
• Develop and publish a personal data processing policy in Russian or Belarusian. Ensure it's directly linked from your main page.
• Configure consent mechanisms. Remove pre-checked boxes. Ensure users can give informed consent for specific processing purposes.
• Enable data subject rights implementation. Create a feedback form or provide an email where Belarusian users can send requests.

Consult with specialists

Data protection legislation evolves constantly. The NCPDP regularly publishes clarifications on law application. When in doubt, consult lawyers specializing in Belarusian data protection.

The law firm “Economic Disputes” is a reliable partner for foreign companies facing legal risks when working with Belarusian users and data. Our team of 15 lawyers and specialists with 15–25 years of practical experience, including Director Sergei Belyavsky, who has 20 years of experience in economic courts and ten years as a judge, enables us to quickly and competently assess whether compliance with Belarusian personal data law is required and what steps to take to mitigate risks. We help clients prepare and submit notifications to the National Center for Data Protection, develop appropriate data processing policies in Russian or Belarusian, and implement informed consent mechanisms and procedures for exercising data subjects’ rights.

Our international partners in over 160 countries, positive references, and experience in recovering significant amounts confirm our ability to handle complex cross-border matters –from legal assessments of extraterritoriality to the practical implementation of National Center for Data Protection requirements and defending interests in disputes. For convenient international transactions, we maintain a bank account with PKO Bank Polski and speak Russian, Polish, and English. Submit a request  and we will analyze your situation and propose a realistic, effective strategy to protect your interests.