Data & Privacy ยท Belarus
Data protection & privacy law in Belarus (2026)
Belarus shaded by its data & privacy status
Data protection in Belarus: comprehensive law, under Law of the Republic of Belarus No. 99-Z 'On Personal Data Protection' of 7 May 2021 (in force 15 November 2021), supervised by the National Personal Data Protection Center (NPDPC / cpd.by).
Belarus enacted its first standalone, comprehensive personal data protection law (Law No. 99-Z) in May 2021, which came into force in November 2021. The law is broadly modelled on the GDPR, introducing operator/authorised-party concepts analogous to controller/processor, a full suite of data-subject rights, mandatory DPO appointment for legal entities and public bodies, breach notification obligations, and cross-border transfer rules. The National Personal Data Protection Center (NPDPC) is the independent supervisory authority empowered to audit compliance, issue binding prescriptions, and order cessation of unlawful processing.
Key points
Law No. 99-Z 'On Personal Data Protection' of 7 May 2021 entered into force on 15 November 2021 and is the first Belarusian act dedicated exclusively to personal data protection, superseding fragmented provisions in the 2008 Law on Information, Informatization and Protection of Information.
The National Personal Data Protection Center of the Republic of Belarus (NPDPC) is the independent public authority responsible for supervising compliance. It can conduct audits, issue written prescriptions to eliminate violations, and demand termination of unlawful processing.
The law grants rights to information, access, rectification, erasure, objection to automated decision-making, data portability, and consent withdrawal (with erasure within 15 days unless another lawful basis applies). These rights closely mirror GDPR Chapter III.
Belarusian legal entities and public bodies acting as operators must appoint a data protection officer (or dedicated unit), publish internal processing policies, train staff, and implement technical and cryptographic protection measures classified by competent bodies.
Operators must notify the NPDPC of any violation of personal-data protection systems immediately and no later than three working days after discovery, a stricter timeline than the GDPR's 72-hour window from awareness.
Violations carry administrative fines from BYN 1,450 to BYN 5,800, alongside potential civil damages and, for serious cases, criminal liability including corrective work, arrest, or deprivation of the right to hold certain positions.
Timeline - major decisions & events
President Lukashenko signed the Law 'On Amendments to the Codes on Administrative Liability,' establishing explicit administrative penalties for violations of cybersecurity requirements. This strengthened the enforcement layer that intersects with personal-data security obligations under the 2021 PDP Law.
REVERA Law Group โAmendments refined implementation details of the 2021 PDP Law and aligned ancillary statutes, including state-registration and population-register legislation, with the new personal-data framework.
National Center for Personal Data Protection of the Republic of Belarus (cpd.by) โDecree No. 422 'On measures to improve the protection of personal data' formally designated the National Center for Personal Data Protection (NPDPC) as Belarus's dedicated supervisory authority, with powers to investigate complaints, conduct operator inspections, issue cross-border transfer permits, and develop data-protection guidance.
Official Internet Portal of the President of the Republic of Belarus โPassed by the House of Representatives on 2 April 2021 and approved by the Council of the Republic on 21 April, the law was signed on 7 May 2021, the first Belarusian statute specifically dedicated to personal data, replacing the scattered provisions of the 2008 Information Law.
CIS Legislation Portal โ Law No. 99-Z text โChanges to the Law on Mass Media took effect, requiring internet resources distributing mass information to register with the Ministry of Information and bringing them within the state media regulatory framework; later 2021 additions granted prosecutors power to block internet resources without a court order for content deemed harmful to national interests.
BelTA (Belarusian Telegraph Agency) โ official state news agency โArticle 28 of the 1994 Constitution guaranteed every person protection against unlawful interference with private life, including correspondence and communications, and assigned the State an obligation to create conditions for personal-data protection, establishing the constitutional foundation for all subsequent privacy legislation.
University of Minnesota Human Rights Library โ Constitution of Belarus โBelarus - other topics
Data & Privacy in other countries
Last verified 5/24/2026 ยท Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite ยท Explore the full world map โ