Belarus Law 99-Z

Law on Personal Data Protection No. 99-Z

Key Facts

  • Effective Date: November 15, 2021
  • Enacted: May 7, 2021
  • Enforcing Authority: NPDPC (National Centre for Personal Data Protection)
  • Consent Model: Opt-in
  • Applies To: Any organization processing personal data of individuals in Belarus

Overview

Belarus's Law 99-Z is the country's first dedicated data protection law, effective November 2021. While administrative fines are modest, the law uniquely imposes criminal liability for unlawful data handling under Articles 203-1 and 203-2 of the Criminal Code, with penalties up to 5 years imprisonment.

What This Means for Your Website

  • Consent with detailed pre-consent disclosures is required for processing personal data of Belarusian visitors
  • Violations of data handling rules can result in criminal liability including imprisonment
  • Violations must be reported to the NPDPC within 3 working days
  • Administrative fines are low (~EUR 2,050) but criminal penalties are severe

Key Requirements

The NPDPC enforces the law with administrative penalties up to approximately EUR 2,050. Criminal penalties under Articles 203-1 and 203-2 include fines, arrest, restriction of freedom, or imprisonment up to 5 years for deliberate unauthorized processing causing significant harm. Breach notification to the NPDPC is required within 3 working days.

How ConsentStack Handles This

ConsentStack applies consent requirements with detailed disclosures for Belarusian visitors, helping website operators avoid the criminal liability risks associated with unlawful data handling.

Penalties

Administrative: up to EUR 2,050 for illegal collection. Criminal: fines, arrest, or imprisonment up to 5 years under Articles 203-1, 203-2.

Key Requirements

  • Consent required for personal data processing including cookies
  • Detailed pre-consent disclosures required
  • NPDPC notification of violations within 3 working days
  • Operators must implement data protection measures
  • Article 6 lists contexts where consent is unnecessary

Notable Provisions

  • Criminal liability for unlawful data handling (up to 5 years imprisonment)
  • Belarus's first dedicated data protection law
  • Low administrative fines but severe criminal penalties
  • 3-working-day breach notification to NPDPC

Other Europe Regulations

GDPR (European Union + EEA)
The GDPR sets the global standard for data protection, requiring explicit opt-in consent before processing personal data of EU/EEA residents. For websites, non-essential cookies must be blocked until visitors actively consent. Pre-ticked boxes and implied consent are invalid.

PECR (United Kingdom)
PECR is the UK's cookie-specific law, requiring consent before storing or accessing cookies. The DUAA 2025 significantly increased penalties from GBP 500,000 to GBP 17.5 million and introduced analytics exceptions on an opt-out basis. Only strictly necessary cookies are exempt.

ePrivacy Directive (European Union + EEA)
Article 5(3) of the ePrivacy Directive is the primary EU legal basis requiring cookie consent. It mandates prior informed consent before storing or accessing any information on a user's device, with narrow exceptions only for transmission necessity and explicitly requested services.

Loi Informatique et Libertés (France)
France has the most actively enforced cookie regime in Europe. CNIL issued 259 corrective decisions in 2025, with cookie-specific fines totaling EUR 486.8 million including EUR 325M against Google. A "Refuse all" button or "Continue without accepting" must appear on the first layer.

UK GDPR (United Kingdom)
The UK GDPR is the retained EU GDPR post-Brexit, with consent standards identical to the EU version. The UK adequacy decision was renewed December 2025, valid until December 2031. Combined with PECR, it forms the legal framework for cookie consent in the UK.

TDDDG (Germany)
Germany implements the ePrivacy Directive through Section 25 of TDDDG (renamed from TTDSG in May 2024). A Consent Management Ordinance (EinwV) became effective April 2025, establishing a voluntary framework for recognized consent management services. Cookie banners must not obscure website content.

Frequently Asked Questions

Does Belarus have criminal penalties for data protection violations?

Yes. Belarus uniquely imposes criminal liability under Articles 203-1 and 203-2, with penalties up to 5 years imprisonment for deliberate unauthorized processing causing significant harm.

How quickly must data breaches be reported in Belarus?

Within 3 working days to the NPDPC — faster than the GDPR's one-month general reporting requirement for data subjects.

What are the administrative penalties in Belarus?

Administrative fines are modest at up to approximately EUR 2,050. However, criminal penalties are severe, making compliance essential.
