HomeAnalyticsAlertsData Protection Enforcement in Belarus: Recent Regulatory Actions

Data Protection Enforcement in Belarus: Recent Regulatory Actions

International companies operating in Belarus have faced a significant shift in how data protection rules are applied and enforced. Belarus's data protection authority – the Natsionalniy tsentr zashchity personalnykh dannykh (National Centre for Personal Data Protection. Hereinafter the DPA) – has stepped up inspections, issued formal enforcement notices. Additionally, imposed penalties on a broader range of businesses than in prior years. Companies that process Belarusian residents' personal data, whether inside the country or from abroad, now face concrete and time-sensitive compliance obligations.

Belarus strengthened its data protection legislative regime through amendments to its personal data legislation that took effect in 2024, extending obligations to foreign entities that process data of Belarusian residents. Every data controller and data processor subject to Belarusian law must review their consent mechanism, data transfer arrangements, and internal documentation before regulatory inspection. Companies that have not completed this review face suspension of data processing activities and administrative fines.

This alert sets out what changed, which businesses are affected, and the immediate actions international companies should take now.

What changed – the regulatory development and effective date

Belarus's personal data legislation was substantively amended in 2024. The amendments entered into force in stages, with the core enforcement provisions becoming fully operational by early 2025. The changes cover three principal areas.

First, the territorial scope of Belarusian data protection rules was expanded. Foreign entities that collect, store, or otherwise process personal data of individuals located in Belarus are now expressly subject to Belarusian law – regardless of where the processing occurs. This mirrors the extraterritorial logic seen in GDPR compliance regimes but operates under a distinct national legislative regime with its own requirements.

Second, cross-border data transfer rules were tightened. Transferring personal data outside Belarus now requires either a lawful basis prescribed by data protection legislation or the prior authorisation of the DPA. Informal or contractual arrangements that were previously tolerated are no longer sufficient on their own. Businesses relying on standard contractual safeguards modelled on GDPR compliance frameworks must verify that those arrangements are recognised under Belarusian law specifically.

Third, the DPA received extended investigative and sanctioning powers. It may now conduct unannounced inspections, compel disclosure of data processing records, and issue binding orders requiring immediate suspension of non-compliant processing. Fines have increased materially. For international companies, the practical risk is a processing suspension that disrupts operations – not merely a financial penalty.

For companies also processing data in Russia, the parallel enforcement environment is addressed in our alert on data protection enforcement actions in Russia.

Who is affected – threshold criteria and compliance deadline

The amended rules apply to any entity that meets one or more of the following threshold criteria.

  • The entity is incorporated or registered in Belarus.
  • The entity processes personal data of individuals residing in Belarus, regardless of where the entity is based.
  • The entity operates a digital platform, application, or service accessible to Belarusian users and collects data as part of that operation.
  • The entity acts as a data processor under contract with a Belarusian data controller.
  • The entity transfers personal data of Belarusian residents to servers or recipients outside Belarus.

The compliance deadline for full alignment with the amended legislation passed in early 2025. The DPA has confirmed that enforcement is now active across all sectors. E-commerce operators, technology companies, financial services providers, logistics businesses, and HR platforms processing employee data are among the categories receiving the most immediate scrutiny. Companies that have taken no action since the amendments entered into force are at the highest risk of enforcement.

To receive an expert assessment of your data protection exposure in Belarus, contact us at info@ferrazwhitmore.com.

Immediate actions for international companies

Companies subject to Belarusian data protection rules should treat the following as urgent priorities.

1. Map your data flows. Identify every category of personal data collected from Belarusian residents. Document the legal basis for each processing activity. Where no clear basis exists under Belarusian data protection legislation, processing should be suspended until a lawful basis is established.

2. Review your consent mechanism. Belarusian law requires that consent to data processing be freely given, specific, informed, and recorded. Blanket or implied consent is insufficient. Consent mechanisms must be updated to meet the prescribed standard and records of consent must be retained.

3. Audit cross-border data transfer arrangements. If personal data of Belarusian residents is transferred to servers or recipients outside Belarus, verify that each transfer has a recognised legal basis under Belarusian law. Arrangements based solely on GDPR compliance logic do not automatically satisfy Belarusian requirements.

4. Appoint a local representative if required. Foreign entities without a physical presence in Belarus may be required to appoint a local representative to liaise with the DPA. Confirm whether this obligation applies to your business and, if so, formalise the appointment without delay.

5. Prepare internal documentation. The DPA may request data processing records at short notice. Maintaining a current register of processing activities, data retention schedules, and data processor agreements is both a legal obligation and a practical safeguard against enforcement escalation.

Companies operating across the broader CIS region should also review their data protection compliance position in Belarus as part of a coordinated regional audit. Businesses deploying automated processing or AI-driven tools should additionally assess their obligations under the emerging AI and technology regulation regime in Belarus.

About Ferraz & Whitmore

Ferraz & Whitmore is an international law firm based in Lisbon, advising business clients across 46 jurisdictions. Our data protection practice covers CIS jurisdictions including Belarus, supported by practitioners with experience before regional data protection authorities and in cross-border enforcement matters. We advise international companies on data controller and data processor obligations, consent mechanism design, cross-border data transfer compliance, and DPA engagement across both civil law and common law systems. As a law firm in Belarus with cross-border reach, we help clients build compliant data processing operations that withstand regulatory scrutiny. To discuss your data protection position in Belarus, contact us at info@ferrazwhitmore.com.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. Ferraz & Whitmore assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@ferrazwhitmore.com.