Принципы обработки персональных данных физических лиц в Европейском союзе и Республике Беларусь: анализ правового регулирования и возможностей заимствования. ; Principles of processing of personal data of natural persons in the European Union and the Republic of Belarus: analysis of legal regulation...
In: http://oai.elaba.lt/documents/38198300.pdf
The purpose of this master's thesis - a comprehensive study of the regulation of principles governing processing of personal data in the European Union and the Republic of Belarus. The object of the present study is public relationships arising during implementation of processing of personal data. The main objectives are to review current legislation in the field of regulation of principles relating to processing of personal data in the European Union and the Republic of Belarus; to review the draft Law on personal data in the Republic of Belarus; to analyse comprehensively existing problems in the mentioned sphere; to review existing legislation in the sphere of regulation of principles related to processing of personal data of natural persons in the European Union in order to highlight adoption opportunities of foreign legislation for Belarus. The Regulation identifies seven principles applied to the processing of personal data: the principle of lawfulness, fairness and transparency, the principle of purpose limitation, the principle of data minimisation, the principle of accuracy, the principle of storage limitation, the principle of integrity and confidentiality, as well as the principle of accountability. The current legislation of the Republic of Belarus does not name the principles applied to the collection and processing of personal data, only establishing that the collection, processing, storage of personal data cannot be carried out without the written consent of that natural person, unless otherwise provided by legislation. On the other hand, the draft Law of the Republic of Belarus "On Personal Data" despite also not naming the principles applied to the processing of personal data, contains provisions on measures aimed at the implementation of certain principles, which are used in the Regulation. For example, according to the Draft the processing of personal data should be carried out in an amount that is not excessive in relation to the established goals, which is also referred to in the Regulation as a result of the principle of data minimization; personal data should be stored in a form that allows to determine the subject of personal data no longer than the processing goals require, and should be removed or depersonalized upon reaching the processing goals, which is the result of the implementation of the principle of data minimisation, also named in the Regulation. The same provisions are true for the principle of accuracy, lawfulness (including fairness and transparency), partially - for confidentiality and integrity. Thus, it is possible to speak of indirect partial recognition of the principles set forth in the Regulation. Practical implementation of the above-mentioned principles in the European Union is carried out through organizational and technical measures within the framework of data protection by design and by default. These measures are not "exclusive" for each single principle - instead, such measures are aimed at the implementation of the principles in conjunction with each other. For example, the publication of privacy policies and of other documents satisfy transparency, accuracy and accountability at the same time. Practical implementation of the protection of personal data in the current legislation of the Republic of Belarus is carried out via the adoption of measures of legal, technical and organizational nature. Organizational measures are the restriction of access to premises used in the process of processing personal data, as well as the differentiation of access rights to relevant information; legal measures oblige processors to enter agreements with users of relevant information, setting conditions for such use. Technical measures consist of technical and/or cryptographic information security, as well as certification of relevant information security systems. To speak about the practical implementation of the principles laid down in the Draft, it is not possible in the moment to identify suitable practical measures due to the lack of legal force of such a document and its inapplicability at the present time. However, as mentioned above, the Draft indirectly recognizes the principles of Regulation via directly naming almost identical level of protection achieved through fulfilling the requirements of the Draft. Thus, it can be said that measures aimed at implementing the principles of the Regulation will be applicable in to the Republic of Belarus too, provided that the Draft enters into force. The main recommendations for amending and supplementing the Draft can be divided into 2 groups: (a) bringing the provisions of the Draft in accordance with the Regulation, (b) considering issues that are problematic for both the Regulation and the Draft. Recommendations aimed at resolving problematic issues for both jurisdictions include clarifying the issue of "random" data collection; the ratio of information disclosure within the framework of transparency in the context of the protection of undisclosed information, information on intellectual property objects; revision of the approach on liability for violation of the provisions of the Draft in order to ensure a balance between preventiveness and economic benefits of practical implementation of principles of processing; provision of exemption cases when the operator did not know and should not have known about the application of the Draft requirements in order to eliminate "user extremism"; consideration of the possibility of providing measures aimed at eliminating the "consent fatigue". The results of this work can be useful both in the process of analysing and discussing the draft Law of the Republic of Belarus \"On Personal Data\" and to actors interested in the activity of collecting and processing personal data of individuals in the Republic of Belarus and (or) the European Union.