Belarus Personal Data Protection Law (99-Z)


Personal Data Protection in Belarus: A Practical Guide for Foreign Companies (2025)

Why Belarusian Privacy Compliance Matters for Global Teams

Foreign companies working with Belarusian customers, users, or staff need a clear, board-ready position on local privacy rules. Belarus operates a dedicated personal data regime anchored in Law No. 99-Z “On Personal Data Protection,” effective since 15 November 2021. The framework covers lawful bases, granular consent content, security and governance duties, cross-border transfers, breach notification, and supervisory powers of the National Personal Data Protection Center (NPDPC). For English-speaking stakeholders, the NPDPC’s official translation is the primary reference and should anchor internal mappings and vendor instructions.

Constitutional and Statutory Foundations You Can Cite

Belarusian privacy protection is not merely statutory. Article 28 of the Constitution secures the right to protection against unlawful interference with privacy and assigns the state a role in safeguarding personal data. This constitutional baseline informs how regulators and courts weigh competing interests and is helpful to reference in policies and dispute narratives. The statute itself—Law No. 99-Z—structures the domain with definitions, principles, operator obligations, data-subject rights, and enforcement mechanics, giving multinationals a predictable compliance playbook.

Scope, Definitions, and Treaty Primacy

Article 2 brings under the law both automated and non-automated processing where records are organized by search criteria. Article 3 preserves the primacy of Belarus’s international treaties, which can be outcome-determinative in cross-border contexts. The NPDPC’s English text consolidates key terms: “operator” (controller), “authorized person” (processor), “special personal data,” and “cross-border transfer.” Contract templates, privacy notices, and vendor inventories should adopt these definitions so the same roles and responsibilities flow through procurement and audit trails.

Lawful Bases and the Belarus-Specific Consent Standard

Belarusian lawful bases revolve around consent unless another basis applies. Article 4(3) sets consent as the default; Article 6 then lists contexts where consent is unnecessary, including administration of justice, public interests, and protection of life and health. Where consent is used, Article 5 requires unusually detailed pre-consent disclosures: operator identity and location, purposes, the list of data, the validity period of consent, authorized processors, the list of actions with data and processing methods, and a clear explanation of rights and consequences. Imported “GDPR-style” forms often miss these items; web forms and HR templates should be localized to avoid formal defects that undermine the lawfulness of processing.

Data-Subject Rights and Enforceable Timelines

Belarus aligns with international norms on data-subject control but adds concrete timelines. Articles 10, 11, and 15 provide rights to information, access, rectification, erasure, and consent withdrawal. Upon withdrawal, operators must stop processing and erase the data within fifteen days unless another lawful ground remains. This fixed, short SLA needs to be embedded in internal playbooks and mirrored in processor contracts, so that downstream vendors supply confirmations fast enough to support the operator’s deadline.

Operator Obligations and the Three-Business-Day Breach Rule

Article 16 consolidates day-to-day duties and introduces a decisive incident clock. Operators must inform individuals of their rights, obtain consent where required, ensure protection during processing, keep transmission logs, correct inaccuracies, stop processing when the legal basis ends, and—crucially—notify the NPDPC about violations of personal-data-protection systems immediately, but no later than three working days after discovery unless the Center directs otherwise. This is distinct from the GDPR’s 72-hour rule and warrants a separate timer in the incident plan, with forensics and vendors bound to deliver facts swiftly.

Governance, DPO Function, and Technical–Cryptographic Measures

Article 17 turns governance into a binding obligation. Belarusian legal entities and public bodies must appoint a data protection officer or a dedicated unit, publish internal processing policies, train staff, implement controlled access procedures, and apply technical and cryptographic protection in line with classifications approved by competent bodies. Practically, global programs should map these expectations to existing encryption, key management, role-based access controls, and audit logging, and keep evidence packs ready for supervisory queries or vendor assessments.

Cross-Border Transfers: Adequacy, Consent, or Permit

Cross-border flows are controlled by Article 9. Transfers to countries without an adequate level of protection are prohibited unless a narrow gateway applies: explicit, informed consent; necessity for a contract with the data subject; vital interests; international treaties; AML/CTF needs of a competent authority; or a permit from the NPDPC. The Center also determines and publishes the adequacy list. Unlike the EU model, Belarus does not treat SCCs or BCRs as standalone transfer tools. For non-adequate destinations, organizations should plan around consent with a Belarus-specific risk disclosure or assemble a permit dossier for the NPDPC, complete with technical and organizational measures, vendor controls, and transparency artifacts.

Supervision, Powers, and Liability Landscape

Article 18 identifies the NPDPC as the independent authority empowered to control processing, handle complaints, order rectification or erasure, define the adequacy list, and issue cross-border permits. Article 19 establishes that violations incur liability under Belarusian law, including compensation for moral damage even without material loss. Administrative provisions in the Code of Administrative Offences complement civil remedies and, in serious cases, can overlap with criminal exposure. For risk registers, Belarus should be presented as an actively supervised jurisdiction with real administrative penalties and corrective orders.

Implementation Blueprint for Foreign Operators

A practical blueprint starts with definitions and scope alignment in contracts and notices, then localizes consent to Article 5 disclosures. Incident response plans must include the three-business-day notification workflow with vendor SLAs and executive escalation. Governance artifacts—DPO appointment, staff training, access controls, cryptographic policies, and audit logs—should be documented and regularly reviewed. For international routing, screen destinations against the adequacy list; if non-adequate, either build a consent-with-risk-disclosure pathway tailored to Article 9 or budget time for an NPDPC permit supported by a technical–organizational controls dossier. Public-facing privacy notices should reference Belarusian legal bases, rights, and cross-border posture explicitly rather than repurposing generic GDPR text.

What Foreign Boards Should Ask Their Teams

Boards and GCs should seek confirmation that Belarus-specific consent content is live in all intake channels, that the fifteen-day erasure SLA is operationally feasible with processors, that a DPO or dedicated unit is appointed with direct reporting lines, and that incident metrics show readiness for the three-business-day NPDPC notice. For cross-border operations, leadership should see a destination inventory mapped to adequacy status, with documented decisions where consent or permits form the legal route and with evidence of risk disclosures to individuals.

Bottom Line for 2025 Programs

Belarus provides a coherent, statute-driven regime that rewards disciplined governance and documentation. Operators that localize consent, codify Article 16–17 controls, treat the three-business-day breach clock as a hard deadline, and plan cross-border routes around adequacy or permits will find supervision predictable and audits navigable. The key is to embed Belarus-specific elements into the global privacy management system rather than treating them as a copy-paste from EU materials.

Need help?

If you need Belarus-ready privacy notices, consent language, DPIAs, incident playbooks, or a complete cross-border transfer strategy and NPDPC permit dossier, our “Economic disputes” law firm LLC can help. We have dozens of completed projects, a team of 10+ lawyers fluent in English and Polish, and bank accounts in EU banks for streamlined billing. Contact us to design compliant personal data processing under Belarusian law and to prepare the documents Belarusian regulators expect to see.
