Data protection & privacy laws in Belarus (2026)

Law No. 99-Z 'On Personal Data Protection' of 7 May 2021 entered into force on 15 November 2021 and is the first Belarusian act dedicated exclusively to personal data protection, superseding fragmented provisions in the 2008 Law on Information, Informatization and Protection of Information.

The National Personal Data Protection Center of the Republic of Belarus (NPDPC) is the independent public authority responsible for supervising compliance. It can conduct audits, issue written prescriptions to eliminate violations, and demand termination of unlawful processing.

The law grants rights to information, access, rectification, erasure, objection to automated decision-making, data portability, and consent withdrawal (with erasure within 15 days unless another lawful basis applies). These rights closely mirror GDPR Chapter III.

Belarusian legal entities and public bodies acting as operators must appoint a data protection officer (or dedicated unit), publish internal processing policies, train staff, and implement technical and cryptographic protection measures classified by competent bodies.

Operators must notify the NPDPC of any violation of personal-data protection systems immediately and no later than three working days after discovery — a stricter timeline than the GDPR's 72-hour window from awareness.

Violations carry administrative fines from BYN 1,450 to BYN 5,800, alongside potential civil damages and, for serious cases, criminal liability including corrective work, arrest, or deprivation of the right to hold certain positions.