The new legal framework on personal data protection, namely the Law on Personal Data Protection (PDP Law), has been in effect in Belarus since 15 November 2021. The PDP Law does not have extra-territorial application and does not apply to foreign organisations in regard to the processing of personal data outside Belarus. At the same time, it applies to foreign organisations carrying out their activities in Belarus through a representative office opened in accordance with Belarusian regulations – with regard to the data processing by the representative office. In this regard, personal data regulation has inevitably affected the pharmaceuticals sector and has caused practical issues.
Comparison with the GDPR
The adopted PDP Law is closer to European standards in terms of personal data protection. There are many new concepts that are basically identical to those contained in the GDPR: the operator (controller), authorised person (processor), competent authority for the protection of data subjects’ rights (data protection authority), and person or structural unit responsible for controlling personal data processing (data protection officer).
Although the PDP Law has a slightly different conception of consent as one of the legal bases, consent is one of several possible legal bases for personal data processing, as is the case in the GDPR. The PDP Law establishes additional information requirements for valid consent, which should be provided in the form corresponding to the consent collection. An operator can comply with the requirement by providing a question about consent when the data subject enters their personal data, before they agree to provide the consent.
There are also other legal grounds for processing personal data without the consent of the data subject, including obtaining personal data on the basis of a contract concluded (or to be concluded) with the data subject, for the purpose of carrying out the actions set out in that contract; formalising employment relationships in the process of employment activities, etc. However, legitimate interest is not indicated in the PDP Law as a specific legal basis for processing personal data.
The Belarusian PDP Law does not contain a requirement to localise databases containing personal data. This means that the personal data of Belarusian citizens can be stored and processed on servers located outside the territory of Belarus.
The local data protection authority – the National Personal Data Protection Centre – highlights that operators must determine whether consent collection is necessary or whether there is another legal basis for personal data processing. Pharmaceutical activity is subject to strict and formalised regulation, which may directly require personal data processing. For example, obligatory processing of adverse reaction reports as part of pharmacovigilance entails the processing of personal data of the reporter (inter alia, name, address, date of birth), as well as the reports’ subject matter (description of adverse reaction). Adverse reactions may fall under the concept of “special personal data” (quite similar to “sensitive personal data” under the GDPR) and, consequently, require a higher level of protection provided by the operator under the local PDP Law.
Additional concerns about the application of local personal data regulation to foreign pharmaceutical companies arise from the complex contractual models involving outsourcing organisations. Such models make it difficult to qualify the parties and the nature of their relations. For this reason, parties that operate in the pharmaceutical sphere should consider whether the PDP Law applies to them.
Liability for violation
Violation of personal data protection legislation may result in disciplinary, civil, administrative and criminal liability. Generally, sanctions apply to individuals (for example, company officials). The company itself is subject to an administrative fine of up to 50 base units (approx. EUR 500 as of 21 March 2022) for each violation related to non-compliance with requirements for the implementation of data protection measures.
Additionally, where non-compliance with personal data protection regulation is detected, the data protection authority is entitled to require that false or illegally obtained personal data be changed, blocked or deleted and that other violations be eliminated, as well as to require the company or individual to terminate the processing of personal data. In the case of such measures, a company may incur commercial expenses and potential costs, as well as the termination of certain internal processes.
Currently, the regulations on personal data protection, as well as interpretational and practical approaches, are still developing. For this reason, we recommend keeping up with local trends and monitoring changes.