Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Russia – Data Protection Overview
Back

Russia – Data Protection Overview

November 2023

1. Governing Texts

Please note that some websites from the Government of the Russian Federation ('the Government') may not be working, therefore, some hyperlinks to laws and official documents may not be available.

Major reform on personal data legislation in 2022

In July 2022, the law significantly amending Federal Law of 27 July 2006 No. 152-FZ on Personal Data (as amended) (available in Russian here; an unofficial English version as of 2019 is available here) ('the Law on Personal Data') has been adopted by the State Parliament ('Duma'). The new-passed law provides new rules for personal data processing, especially cross-border data transfer, and establishes new mandatory requirements for both data controllers and data processors, among them is the new requirement on data breach notification. The new-passed law entered into force on September 1, 2022. However, some of the law's provisions came into force on March 1, 2023, for example:

  • new rules on cross-border transfer of personal data;
  • the obligation to notify the Federal Service for Supervision of Communications, Information Technology, and Mass Media ('Roskomnadzor') of any changes on personal data processing in the register of data controllers no later than the 15th of the following month and of the termination of personal data processing within 10 days after the termination of such processing;
  • the obligation to carry out an assessment of harm according to the requirements of Roskomnadzor; and 
  • the obligation to delete personal data in case of the data subject's request or consent withdrawal, or achievement of data processing purposes, under requirements which are to be issued by Roskomnadzor.

For further information, see relevant sections below.

New rules for identification and/or authentication using biometric personal data

In January 2022, new rules for the accreditation of organizations that perform identification and/or authentication using biometric personal data came into force, pursuant to Decree of 20 October 2021 No. 1799 on the Accreditation of Organizations that Own Information Systems that Provide Identification and/or Authentication using Biometric Personal Data of Individuals (only available in Russian here) ('Decree No. 1799') adopted by the Government. The requirements for accreditation differ depending on whether the organization performs authentication, identification, or both. For further information, see the section on special categories of personal data below.

New rules for state data protection audits and inspections

On June 29, 2021, the Government adopted Decree of 29 June 2021 No. 1046 on Federal State Control (Supervision) over the Processing of Personal Data (only available in Russian here) ('Decree No. 1046'), which establishes new rules for audits and inspections of companies processing personal data. The Roskomnadzor is entitled to investigate companies' compliance with data protection laws. For this purpose, it conducts audits and inspections, both scheduled and unscheduled, in accordance with the rules specified in legislation. For further information, see the section on penalties below.

However, on March 10, 2022, the Government adopted Decree of 10 March 2022 No. 336 on the Organization and Implementation of State Control (Supervision) and Municipal Control (only available in Russian here), imposing a moratorium in relation to the scheduled audits and inspections in 2022 in light of the current geopolitical situation. The moratorium also concerns scheduled audits and inspections by the Roskomnadzor in relation to companies processing personal data.

The special moratorium has also been imposed in support of IT companies in Russia by the Government's Decree of 20 March 2022 No. 448 (only available in Russian here). It prohibits any scheduled audits and inspections until December 31, 2024, and applies only to IT companies in Russia that have undergone the accreditation procedure.

New consent form for processing of publicly available personal data

On September 1, 2021, the requirements for the content of the consent form for processing of publicly available personal data came into force, pursuant to Order of the Roskomnadzor of 24 February 2021 No. 18 on the Approval of the Requirements for the Content of Consent to the Processing of Personal Data Authorized by the Data Subject for Distribution (only available in Russian here) ('Order No. 18'). For further information, see section on consent below.

1.1. Key acts, regulations, directives, bills

The following Acts, Regulations, Decrees, and Conventions regulate data protection in Russia:

Please note that on March 16, 2022, the Council of Europe ('CoE') adopted Resolution CM/Res(2022)3 on legal and financial consequences of the cessation of membership of the Russian Federation in the Council of Europe ('Resolution No. 3'). Alongside the cessation of membership of the Russian Federation in the CoE, it implies that Russia's signatory status under the Protocol Amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data ('Convention 108+') has been suspended as of  March 16, 2022, because it has not ratified it. Nevertheless, Russia will continue to be a contracting party to Convention 108 since it is open to accession by non-Member States.

The Government has issued the following Decrees:

  • Decree of 1 January 2012 No. 1119 on Approving of Requirements for the Protection of Personal Data in the Case of Processing in Personal Data Information Systems (only available in Russian here) ('Decree No. 1119');
  • Decree of 15 December 2008 No. 687 on Approving the Provision Regarding Properties of Personal Data Processing without Software (only available in Russian here) ('Decree No. 687');
  • Decree of 6 July 2008 No. 512 on Approving the Requirements to Biometric Personal Data Tangible Carrier and such Data Storage Outside of Personal Data Information Systems (only available in Russian here);
  • Decree No. 1799 (only available in Russian here); and
  • Decree No. 1046 (only available in Russian here).

The Roskomnadzor has issued the following Orders:

  • Order No. 18 (only available for download in Russian here); and
  • the Order of 30 May 2017 No. 94 on Approval of the Methodical Recommendations for Notification of the Authorized Body on Processing Personal Data and on Amending the Previously Submitted Information (only available in Russian here) ('the Notifications Order')

The Federal Service for Technical and Export Control ('FSTEC') has issued the following Orders:

  • Order of 25 December 2017 No. 239 on Making Changes in Safety Requirements of Significant Objects of Critical Information Infrastructure of the Russian Federation (only available in Russian here);
  • Order of 18 February 2013 No. 21 on Approving the List and Scope of Planning and Technical Activities for Protection of Personal Data While Processing via Personal Data Information Systems; and
  • Order of 5 February 2021 on Information Security Threat Assessment Methodology.

1.2. Guidelines

The Ministry of Digital Development, Communications and Mass Media has published:

  • Processing and Storage of Personal Data in the Russian Federation (including changes as of 1 September 2015) (only available in Russian here).

The Roskomnadzor has also published:

  • Recommendations on drafting a data processing policy (only available in Russian here); and
  • letter on biometric data processing (only available in Russian here).

1.3. Case law

The Supreme Court of the Russian Federation ('the Supreme Court') has issued the following decisions:

  • Case of 5 March 2018 No. 307-KG18-101 where the Supreme Court found that photographic images are treated as biometric personal data because they describe a person's physical and biological characteristics, from which it is possible to identify this person. Thus, if a company uses an access system based on photo identification of employees, this company should obtain written consent for the processing of biometric data (only available in Russian here);
  • Case of 19 December 2018 No. AKPI18-1109 where the Supreme Court confirmed the powers of the Federal Service Bureau ('FSB'), the security agency of Russia, to have constant access to user's data (only available in Russian here); and
  • Case of 12 November 2019 No. 14-KG19-15 where the Civil Division of the Supreme Court recognized negative reviews about the specialist posted on the internet as an intrusion into his private life (only available in Russian here).
  • Case of 21 July 2023 No. 305-ES23-12160 where the Supreme Court declined the cassation appeal and, thus, upheld the decision of the lower courts that to receive an e-mail in the contact form, it is not necessary to obtain the individual's consent to collecting personal data. E‑mail will not be deemed to be personal data without any additional identification (e.g., name, surname, patronymic, phone number) as it is impossible to identify the individual to whom it belongs based on the e-mail address only. Furthermore, e-mail address can be changed, and another user may be registered under the same e‑mail address (only available in Russian here). It seems to us that this position of the courts should be treated with extreme caution. It is vulnerable to criticism from the point of view of literal interpretation of legal provisions, as well as the position of the data protection authority in Russia.

The Arbitration Court of the Moscow District has issued the following decision:

  • Case of 30 May 2022 No. А40-163911/21-17-1229 (only available in Russian here) where the Arbitration Court of the Moscow District found that transfer of employee's data can be carried out without employee's written consent if the collective agreement between the employees contains provisions that personal data of employees may be transferred to the third parties (e.g. to an insurance company) and that employer may process personal data of former employees if, inter alia, there is a legal ground provided by law (for instance, compliance with pension regulation).

The Central District Arbitration Court has issued the following decision:

  • Case of 20 September 2023 No. А62-7498/2022 where the court stated that e-mail address is deemed to be personal data in the context of registration data on the online platform as prescribed by laws related to personal data protection, as well as by-laws adopted thereunder, clarifications of the authorized bodies. Nevertheless, no mandatory written consent from the recipient is required to send an advertisement message via e-mail (e.g., the consent may be obtained by clicking on 'checkbox' in the registration form) (only available in Russian here).

The Moscow City Court has issued the following decisions:

  • Case of 10 November 2016 No. 33-38783/16 on the restriction of the access to LinkedIn Corporation from Russia (only available to download in Russian here);
  • Case of 16 September 2015 No. 33-30344/2015 on Google LLC's fine for violation of the right to privacy of correspondence (only available to download in Russian here) ('the Google Case'); and
  • Case of 4 June 2018 No. 33a-3957 where McDonald's LLC was fined for violation of data processing requirements (processing of former employee's personal data without their consent, storage of curriculum vitae and consent on the processing of personal data as a part of the employee's personal file) (only available in Russian here).

The Tagansky District Court has issued the following decisions:

  • Case of 19 December 2018 No. 2-4261/18, where the Court restricted access to the website for violation of data processing requirements by use of Google Analytics (only available to download in Russian here);
  • Cases of 13 February 2020 No. 5-167/2020 (only available in Russian here) and 5-168/2020 (only available in Russian here) where it was decided that, per Decision of the Supreme Court of 27 December 2019 No. 5-AD19-239 (only available in Russian here), Twitter, Inc. and Facebook, Inc. did not comply with the localization requirement when processing the data of Russian users. For this offence, each company was fined RUB 4 million (approx. $43,080) (only available in Russian here and here);
  • Case of 27 September 2021 No. 12-2080/2021 by which Twitter was fined in the amount of RUB 17 million (approx. $183,090) for repeated violations of the personal data localization requirements (only available in Russian here); and
  • Case of 24 November 2021 No. 12-2147/2021 by which Facebook was fined in the amount of RUB 15 million (approx. $161,550) for repeated violations of the personal data localization requirements (only available in Russian here);

The Savelovsky District Court has issued the following decisions:

  • Case of 6 November 2019 No. 2a-577/19 where the Court stated that citizens' video images obtained via face recognition technology in the municipal video surveillance system cannot be considered biometric data. Thus, there is no need to obtain citizens' written consent for the processing of biometric data in this case (only available to download in Russian here).

Justice of the Peace No. 422 in Moscow has issued the following decisions:

  • Case of 16 August 2022 No. 05-1349/422/2022 (only available in Russian here) by which Freelancer International Pty Limited, was fined in the amount of RUB 500,000 (approx. $5,385) for violation of the personal data localization requirements;
  • Case of 28 July 2022 No. 05-1348/422/2022 (only available in Russian here) by which Match Group LLC was fined in the amount of RUB 2 million (approx. $21,540) for violation of the personal data localization requirements; In Case of 4 September 2023 No. 05-1007/422/2023 Match Group LLC was fined once again in the amount of RUB 10 million (approx. € 96,930) for repeated violation of the personal data localization requirements (only available to download in Russian here);
  • Case of 12 July 2022 No. 05-1346/422/2022 (only available in Russian here) by which Zoom Video Communications, Inc. was fined in the amount of RUB 1 million (approx. $10,770) for violation of the personal data localization requirements;
  • Case of 28 July 2022 No. 05-1345/422/2022 (only available in Russian here), by which WhatsApp LLC was fined in the amount of RUB 18 million (approx. $193,860) for repeated violation of the personal data localization requirements;
  • Case of 28 July 2022 No. 05-1344/422/2022 (only available in Russian here), by which Snap Inc. was fined in the amount of RUB 2 million (approx. $21,540) for violation of the personal data localization requirements;
  • Case of 28 July 2022 No. 05-1343/422/2022 (only available in Russian here) by which Spotify AB was fined in the amount of RUB 500,000 (approx. $5,385) for violation of the personal data localization requirements;
  • Case of 28 July 2022 No. 05-1330/422/2022 (only available in Russian here), by which Hotels.com, L.P., was fined in the amount of RUB 1 million (approx. $10,770) for violation of the personal data localization requirements;
  • Case of 12 July 2022 No. 05-1297/422/2022 (only available in Russian here) by which Ookla LLC was fined in the amount of RUB 1 million (approx. $10,770) for violation of the personal data localization requirements;
  • Case of 12 July 2022 No. Google LLC (only available in Russian here) by which Google LLC was fined in the amount of RUB 15 million (approx. $161,550) for repeated violation of the personal data localization requirements;
  • Case of 28 July 2022 No. 05-1152/422/2022 (only available in Russian here) by which Airbnb, Inc. was fined in the amount of RUB 2 million (approx. $21,540) for violation of the personal data localization requirements;
  • Case of 28 July 2022 No. 05-1141/422/2022 (only available in Russian here) by which United Parcel Service, Inc. was fined in the amount of RUB 1 million (approx. $10,770) for violation of the personal data localization requirements;
  • Case of 28 July 2022 No. 05-1140/422/2022 (only available in Russian here) by which Pinterest, Inc. was fined in the amount of RUB 2 million (approx. $21,540) for violation of the personal data localization requirements;
  • Case of 12 July 2022 No. 05-1139/422/2022 (only available in Russian here) by which Apple Inc. was fined in the amount of RUB 2 million (approx. $21,540) for violation of the personal data localization requirements;
  • Case of 28 June 2022 No. 05-1136/422/2022 (only available in Russian here) by which Twitch Interactive, Inc was fined in the amount of RUB 2 million (approx. $21,540) for violation of the personal data localization requirements; In Case of 4 September 2023 No. 05-1006/422/2023 Twitch Interactive, Inc was fined once again in the amount of RUB 13 million (approx. $140,010) for repeated violation of the personal data localization requirements (further information available only in Russian here);
  • Case of 16 June 2022 No. 05-1134/422/2022 (only available in Russian here) by which Likeme Pte.Ltd was fined in the amount of RUB 1.5 million (approx. $16,155) for violation of the personal data localization requirements;
  • Case of 11 July 2023 No. 05-0713/422/2023 (only available to download in Russian here) by which International Training (ITI) was fined in amount of RUB 1 million (approx. $10,770) for violation of the personal data localization requirements; and
  • Case of 11 July 2023 No. 05-0685/422/2023 (only available to download in Russian here) by which PADI Americas Inc. was fined in amount of RUB 1.5 million (approx. $16,155) for violation of the personal data localization requirements. On December 11, 2018, the Roskomnadzor imposed a fine on Google for non-compliance with the requirements of the Law on Information that obliges search engines to connect to the federal database of banned websites (only available in Russian here).

2. Scope of Application

2.1. Personal scope

The laws outlined above apply to any entities, including state and municipal authorities, legal entities, and individuals that process personal data through the use of automated means, including via an information/telecommunication network, or without automated means if the nature of the manual processing is similar to the automated processing, i.e., allows one to search personal data in a card catalogue or archive with the use of an algorithm.

2.2. Territorial scope

The Law on Personal Data applies to entities having physical presence in Russia and processing personal data there. Starting from September 2022, the Law on Personal Data also applies to foreign entities and individuals if they process personal data of Russian data subjects based on the agreement with such data subjects or relying on their consent for personal data processing. For instance, Russian privacy laws apply to foreign companies with no presence in Russia which process personal data of Russian users through their websites and apps (Russian users agree to Terms of Use and/or consent to privacy policy) even if they are not targeting Russian audience.

Also, according to the new requirements, foreign data processors bear joint liability for privacy violations with data controllers located in Russia.

2.3. Material scope

The Law on Personal Data regulates the relationships relating to the processing of personal data by governmental bodies, municipal bodies, legal entities, and persons by automatic means, including via the Internet, or without such means, if the processing of personal data without the use of such means corresponds to the character of the operations as involving the personal data by automatic means.

The Law on Personal Data does not apply to activities related to personal data processing by individuals for personal or family purposes, data processing by the state archives, processing of personal data that is associated with state secrecy, and the activities of courts in the Russian Federation according to the specific regulations. Moreover, there are rules for manual processing of personal data that are established by Decree No. 687.

3. Data Protection Authority | Regulatory Authority 

3.1. Main regulator for data protection

The Roskomnadzor is the main regulator for data protection.

3.2. Main powers, duties and responsibilities

The main powers, duties, and responsibilities of the Roskomnadzor are to:

  • check the data processing activities of data controllers through systematic monitoring measures and in the course of scheduled and unscheduled checks;
  • check information submitted by data controllers in their notifications to the Roskomnadzor;
  • request data controllers to specify, block, cease the processing of, and destroy inaccurately or illegally received personal data;
  • restrict access to information processed in violation of Russian legislation covering personal data protection;
  • take measures aimed at suspension and cessation of the processing of personal data, processed in violation of Russian legislation covering data protection;
  • file claims to court in order to protect the interests of data subjects and represent data subjects in court;
  • exchange information with the FSB, supervising the use of cryptographic technologies;
  • exchange information with the FSTEC, supervising the use of technical tools and software for information protection;
  • bring persons to administrative liability for infringement of Russian legislation covering personal data protection;
  • consider claims of citizens and legal entities concerning the processing of personal data and adopt decisions upon consideration of such claims, liaising with citizens and legal entities;
  • maintain the registry of data controllers;
  • monitor data controllers' processing activities on the internet; and
  • take measures aimed at improving the protection of personal data subjects' rights.

4. Key Definitions

Data controller: Referred to as 'data operator', which is an entity who, separately or jointly with other entities, arranges and/or carries out personal data processing, as well as determines the purposes of personal data processing, scope of personal data to be processed, and actions (operations) performed on personal data.

Data processor: There is no definition of 'data processor' in the Law on Personal Data. However, the Law on Personal Data imposes obligations on a 'person carrying out the processing of personal data on the instructions of an operator'.

Personal data: Any information relating directly or indirectly to an identified or identifiable individual.

Sensitive data: Personal data related to race, national origin, political views, religious and philosophical convictions, and health and intimacy.

Health data: There is no definition of 'health data' in the Law on Personal Data.

Biometric data: Any information on physiological and biological characteristics of an individual allowing and used for identification of such individuals.

Pseudonymization: Actions resulting in the impossibility to attribute personal data to the particular individual to whom the personal data relates without the use of additional information.

Personal data processing: Any activity (operation) or set of activities (operations) that are performed upon personal data, whether or not by automatic means, including the collection, recording, systematization, gathering, storage, specification, updating, alteration, retrieval, use, transfer, dissemination, making available, access, depersonalization, blocking, deletion, and destruction of personal data.

Information system of personal data: Personal data contained in the databases of personal data along with information technologies and technical means used for the processing of personal data.

Data subject: Referred to as 'subjects of personal data' as individuals to which personal data relates.

Publicly available data: Referred to as 'personal data permitted by the data subject for dissemination', personal data to which an unlimited number of persons have access, and to which is provided by the data subject by giving consent to the processing of personal data for distribution in the manner prescribed by the Law on Personal Data.

Data protection officer: There is no definition of data protection officer ('DPO') in the Law on Personal Data. However, the Law on Personal Data refers to 'a person responsible for organizing the processing of personal data' (Articles 18.1(1)(1) and 22.1(1) of the Law on Personal Data).

5. Legal Bases

Data controllers are required to ensure that they have legitimate grounds for the processing of personal data. For this purpose, companies should consider if any of the grounds provided by the Law on Personal Data are applicable to the intended data processing.

5.1. Consent

General requirements

Personal data may be processed upon the consent of the data subject. Such consent shall be specific, informed, conscious, unambiguous, and substantive. As a basic principle, consent can be provided in any form allowing the data controller to verify this. However, in some cases (e.g., where employee personal data is transferred to any third party; automated decision-making; the processing of sensitive and biometric personal data), consent must be executed in written form subject to strict statutory requirements.

In this respect, data controllers should be aware that the specific wording and form of the data subject's consent can be prescribed by the Law on Personal Data or other specific laws, such as the Labor Code, in respect of employee personal data, and must strictly follow the same.

Processing of sensitive and biometric personal data shall be based on the individual's written consent or other alternative legal grounds, which are quite narrow and rarely apply. As to the processing of personal data for direct marketing purposes and automated decision making, individual consent serves as the only appropriate legal ground, and there are no exceptions in this regard.

In some cases, consent shall be provided in a written form containing a number of legally required elements, namely:

  • data subject's name, address, and passport details;
  • name, address, and passport details of the data subject's representative and details of documents confirming the representative's authorization (where consent is given by such an individual);
  • name and address of the data controller;
  • purpose of personal data processing;
  • categories of personal data to be processed;
  • name and address of the data processors;
  • operations on personal data (collection, recording, systematization, among others) and general description of data processing methods (automated, manual, mixed, among); and
  • terms of consent and procedure of its withdrawal.

Publicly available data

Requirements for obtaining consent for publicly available data

Data controllers making personal data publicly available, for further use by third parties, must:

  • obtain individuals' specific and unambiguous consents, which shall not be bundled with any other consents;
  • enable individuals to choose the types of their personal data to be made publicly available and set out restrictions on the use of such personal data;
  • enable individuals to revoke their consent for making the data publicly available with immediate effect; and
  • set out the rules for use of the publicly available data, with a view to individuals' consents, and post such rules on their relevant web resources within three business days.

When it comes to the third parties who intend to use publicly available personal data, such third parties may either:

  • rely on the consent obtained by the controller when making the data publicly available, considering the rules of such use defined by that controller;
  • rely on the consent provided by an individual to the Roskomnadzor, via a dedicated web-based platform to be set up under the law, but also considering the rules of data use defined by the Roskomnadzor; or
  • ensure, on their own, that they have appropriate legal grounds for the use of such publicly available personal data.

On September 1, 2021, the requirements for the content of the consent form for processing of publicly available personal data came into force. Order No. 18 states that the consent must include the following information:

  • the data subject's full name and e-mail address or mailing address;
  • the data controller's name or full name, place of registration, place of residence or stay, tax identification number ('TIN'), primary state registration number ('OGRN'), and website;
  • the purpose of personal data processing;
  • categories of personal data to be processed (general, sensitive, and biometric);
  • the personal data to which the data subject may establish a prohibition of dissemination;
  • the conditions of transfer of personal data by the controller to third parties; and
  • the validity period of the consent.

The data subject may either give the consent for making personal data publicly available directly to the data controller or submit it through an IT system of the Roskomnadzor, available here.

Burden of proof

If personal data is disseminated and processed without consent or made publicly available due to an offense, crime, or force majeure circumstance, the burden of proof falls on every data controller who has disseminated or otherwise processed this data.

Assumptions relating to obtaining consent for publicly available data

If a separate consent for making personal data available is not obtained by the data controller, but in general, personal data is processed lawfully (e.g., the consent for personal data processing is in place), this data may be processed by the data controller, but without the right to disseminate it (i.e., this data may not be made publicly available).

Separate consent must contain the types of personal data to be made publicly available and restrictions on the use of such personal data. Otherwise, it is held that the data controller cannot make this data publicly available.

Exception relating to the processing of publicly available data

The conditions and restrictions established by the data subjects will not apply to cases of processing personal data in State or other public interests. Furthermore, all conditions for the processing of such types of data will not apply in case personal data is processed for fulfilling legal obligations of State and local authorities.

5.2. Contract with the data subject

It is possible to rely on the legal ground of contractual necessity where processing is necessary to enter into a contract with a data subject at the data subject's initiative or a contract to which the data subject is either a party, beneficiary, or guarantor, or to perform such contracts. Data can be processed on the basis of an agreement concluded with a data subject to which the data subject is a beneficiary or guarantor, or in order to conclude an agreement with a data subject.

Agreements that constitute grounds for the processing of individuals' data must also contain wording evidencing data subjects' awareness of the processing of their data conducted under such agreements.

Such agreements should not contain contractual clauses:

  • restricting personal data subjects' freedom;
  • establishing cases for processing minors' personal data, unless cases provided by a law; and
  • allowing the omission of the data subject as a condition for the conclusion of an agreement.

5.3. Legal obligations

The data controller is authorized to process the personal data where it is necessary to perform its functions and obligations imposed on that data controller by virtue of applicable laws. This includes:

  • processing carried out in order to achieve goals provided by international treaties to which Russia is a party, and by Russian law, for performance of obligations of the data controllers imposed on such data controller by Russian law;
  • processing that is performed in accordance with labor laws, social security laws, pension laws; and
  • processing that is required for judgment purposes, enforcement of a judicial act that is enforceable in Russia, among others.

5.4. Interests of the data subject

Personal data may be processed when such processing is required for the protection of life, health, or other vital interests of data subjects, if obtaining consent is not possible.

5.5. Public interest

Not applicable.

5.6. Legitimate interests of the data controller

The data controller may perform the processing of personal data where it is necessary to exercise rights and preserve the legitimate interests of such data controller or a third party, provided that the rights and legal interests of the data subject are not infringed. However, due to the Roskomnadzor's narrow approach in this regard, this legal ground is construed very narrowly and applied very rarely.

5.7. Legal bases in other instances

The data controller is authorized to process depersonalized personal data for statistical and other research purposes. This legal ground, however, is not applicable in cases where such processing is associated with direct marketing purposes. In such case, prior opt-in consent is required.

Furthermore, processing may also be carried out:

  • for the purpose of mass media and journalism, provided that the rights and legal interests of the data subject are not infringed; or
  • where the personal data is subject to obligatory publication or disclosure by Russian federal law.

6. Principles

Article 5 of the Law on Personal Data provides for the following principles:

  • the processing of personal data must be carried out on a lawful and fair basis;
  • the processing of personal data should be limited to the achievement of specific, predetermined, and legitimate purposes, and it is prohibited to process personal data that is incompatible with the purposes of collecting personal data;
  • it is prohibited to combine databases containing personal data, the processing of which is carried out for purposes that are incompatible with each other;
  • only personal data that meet the purposes of their processing are subject to processing;
  • the content and scope of the processed personal data must correspond to the stated purposes of processing, and the processed personal data should not be excessive in relation to the stated purposes of their processing;
  • when processing personal data, the accuracy of personal data, their sufficiency, and, if necessary, their relevance in relation to the purposes of processing personal data must be ensured. The controller must take the necessary measures or ensure that they are taken to remove or clarify incomplete or inaccurate data; and
  • storage of personal data should be carried out in a form that allows the data subject to be determined no longer than required by the purposes of processing personal data, if the period of storage of personal data is not established by federal law or by an agreement to which the data subject is a party, beneficiary, or guarantor. The processed personal data is subject to destruction or depersonalization upon reaching the goals of processing or in case of loss of the need to achieve these goals, unless otherwise provided by federal law.

7. Controller and Processor Obligations

Obligations to data subjects

Data controllers have numerous obligations to data subjects. In particular, data controllers shall:

  • provide certain information regarding the processing of data subject's personal data upon their request;
  • provide access to personal data;
  • eliminate violations in the processing of personal data upon the request of a data subject; and
  • keep personal data confidential and ensure the preservation of confidentiality of data by data processors.

Data controllers shall specify what data is held or cease the processing of the personal data and destroy the data of a data subject upon their request, if such personal data is inaccurate or processed illegally.

Obligations relating to security and technical measures

Data controllers shall take sufficient organizational, legal, and technical measures for the security and confidentiality of processed personal data. The Law on Personal Data provides for a basic list of measures to ensure personal data security. Along with these measures, companies must implement additional security measures in accordance with the procedures set out in Decree No. 1119. To figure out what particular measures are deemed relevant for a company, a threat modelling method must be applied. This method allows the identification and rating of threats that are likely to affect the information system of the company and requires an IT audit of the company's information system, as well as the elaboration of the so-called 'security threats model'. This model shall apply to and be internally documented within the company and approved by its authorized officer.

Decree No. 1119 stipulates four levels of security of personal data processed in information systems. Each level determines the particular security measures which must be undertaken. In order to implement these measures, the support of the company's IT department and/or external IT organizations, or experts competent in Russian information security regulations is required. Specialists implementing these measures must also be aware of the many state regulations that provide for more detailed guidance on the implementation of data security measures, in particular Acts issued by the FSB and the FSTEC.

In addition, from September 1, 2022, a data controller must ensure interaction with the State System of Detection, Prevention, and Elimination of Computer Attacks ('GosSOPKA'). The interaction procedure is to be adopted by the FSB (see the section on data breach notification below).

Under Russian law, each company shall have an internal policy on the processing of personal data. Such policy must outline all the data management procedures existing in the company. The policy is required to be in hard copy and must be approved by an authorized body within the company. From September 1, 2022, for personal data collected through the information resource (i.e., website), the respective privacy policy must be available on each webpage of the website via which personal data is collected. The privacy policy shall be compliant with the legal requirements governing the provision of information to data subjects prior to the collection of their personal data, as well as the Roskomnadzor's related recommendations. Although such recommendations are not legally binding, they reflect relevant legal requirements and the Roskomnadzor's practical recommendations.

Data controllers are required to conduct an audit for compliance with Russian data protection requirements at least once every three years.

Data controllers may fulfill all information security requirements themselves, or they may outsource this function to a specialized organization possessing the required licenses.

7.1. Data processing notification

It is obligatory for data controllers to file a notification with the Roskomnadzor prior to the commencement of data processing. There are some exceptions to this requirement:

  • processed personal data is included in state information systems of personal data created for the purpose of protection of state security and public order;
  • data controller processes personal data exclusively without the use of automation means; or
  • personal data is processed in cases provided by the Federal Law N 16-FZ of 19 January 2007 On Transport Security (as amended 14 March 2022) (only available in Russian here), which is the legislation of the Russian Federation on transport security, in order to ensure the stable and safe functioning of the transport complex, protection of the interests of individuals, society and the state in the sphere of the transport complex from acts of unlawful interference.

The above-mentioned exceptions are not common in practice, therefore, and as a result, almost every data controller falls within the scope of the requirement to file the notification. The notification shall be filed once and with respect to all data processing activities of the particular data controller. If there are any changes to the data processing activities, the data controller is obliged to notify the Roskomnadzor of those changes within 10 business days. From March 1, 2023 this term was changed: in case of any change a data controller is obliged to file an application to Roskomnadzor on the change of personal data processing no later than the 15th day of the month following the change, and if processing is terminated, a data controller will be obliged to notify Roskomnadzor within 10 business days.

The notification must be sent to the Roskomnadzor as a document on paper or in an electronic form and signed by an authorized person (e.g., DPO) of the data controller.

The notification shall contain certain information specified in the Law on Personal Data. In particular:

  • data controller and data processor details;
  • the purpose of data processing, and for each such a purpose;
    • the categories of personal data processed;
    • the categories of data subjects whose personal data is processed;
    • the legal grounds for data processing;
    • types and methods of data processing;
  • a list of security measures undertaken by the data controller (including encryption tools);
  • the date of the beginning of the processing of personal data;
  • the terms of termination of processing of personal data;
  • encryption details;
  • the name and contacts of a DPO;
  • information on cross-border (international) data transfers; and
  • information on the location of databases that are used for the processing of personal data relating to Russian citizens, etc.

In practice, all necessary information shall be provided in a detailed and accurate form. The notification can be filed only by the company, branch, or representative office which is registered in Russia.

Additionally, if incomplete or inaccurate information is submitted to the Roskomnadzor, the data controller is obliged to submit a new notification in electronic form within 30 days from the date of receipt of the Roskomnadzor's order to finalize the previously submitted notification as per Section 3.4 of the Notifications Order. Following the notification, the Roskomnadzor will enter the operator's details into its register within 30 days. Additionally, changes to the notified information or termination of the processing must also be notified to the Roskomnadzor within 10 days from the change or termination of data processing (Article 22(7) of the Law and Section 4.1 and 5 of the Notifications Order).

The Roskomnadzor has issued the following guidance in connection with the notification requirement:

  • Notification of the processing (of the intention to process) personal data (only available in Russian here); and
  • Clarifications on the notification of processing on 10 February 2020 (only available in Russian here) and on 2 April 2020 (only available in Russian here).

The registry of data controllers is public and is accessible (only in Russian here).

7.2. Data transfers

Transfer requirements

In practice, the majority of companies operating in Russia transfer personal data to their parent entities abroad and use data processors. Unless authorized by Russian law or international treaties to which Russia is a party, such transfer is only possible if performed on the basis of an agreement concluded between a company transferring data (i.e., the data controller) and the company receiving it for further processing (other data controller or data processor). As stated above, this agreement shall contain some mandatory terms specified by the Law on Personal Data. Thus, data controllers should carefully review their intra-group agreements and agreements concluded with contractors and ensure that they contain provisions required by the Law on Personal Data.

Data controllers must ensure that the consent of individuals for the transfer of their data to third parties is obtained in accordance with the provisions prescribed by the Law on Personal Data. This also applies to any cross-border transfer, in cases where data is transferred outside Russia.

In general, the requirements for the form of consent depend on the country where the data is being transferred.

According to the Law on Personal Data, countries providing adequate protection of personal data are the countries that are parties to Convention 108 and some other countries, which are approved by the Roskomnadzor. Starting from September 2022, Roskomnadzor independently decides which countries shall be deemed 'adequate' for the purposes of cross-border data transfer. Therefore, the Roskomnadzor may decide whether a member state of Convention 108 is included into the list of 'adequate' countries or not.

The current list of countries providing adequate protection of personal data (as amended in 2022) (only available in Russian here) includes member states of Convention 108 and the following non-member states:

  • Australia;
  • Angola;
  • Bangladesh;
  • Belarus;
  • Benin;
  • Canada;
  • Brazil;
  • Costa Rica;
  • Côte d’Ivoire;
  • Chad;
  • China;
  • Gabon;
  • Israel;
  • India;
  • Japan;
  • Kazakhstan;
  • Kirghizstan;
  • Malaysia;
  • Mali;
  • Mongolia;
  • New Zealand;
  • Niger;
  • Nigeria;
  • Peru;
  • Qatar;
  • Singapore;
  • South Africa;
  • South Korea;
  • Tajikistan;
  • Thailand;
  • Togolese Republic;
  • Uzbekistan;
  • Vietnam; and
  • Zambia.

Starting from March 1, 2023, there are two regimes of cross-border personal data transfer. Transfer of personal data to 'adequate' countries is only allowed with notification of Roskomnadzor, however, without the obligation to obtain permission. On the other hand, the transfer of personal data to 'inadequate' countries strictly requires the permission of Roskomnadzor. Therefore, data cannot be transferred until such regulatory permit is obtained unless it is required to protect life, health, or other vital interests of a data subject or others. Such application for notification or permission shall be reviewed by Roskomnadzor within the statutory term of 10 days.

In exceptional cases, if there are threats to defense, security, or the foundations of the constitutional order, cross-border transfer of personal data may be restricted or banned by decision of Roskomnadzor.

Prior to filing the notifications on cross-border data transfers, data controllers should make an assessment of the adequacy of personal data protection, provided by a data recipient in a particular country where the personal data will be transferred.

Please note that on March 16, 2022, the CoE adopted Resolution No. 3, confirming that the Russian Federation will continue to be a contracting party to Convention 108, since it is open to accession by non-Member States.

Data localization requirements

Federal Law of 21 July 2014 No. 242-FZ (as amended) (only available in Russian here) ('the Data Localization Law'), which entered into effect September 1, 2015, implies that upon collection of personal data relating to Russian citizens, a data controller must ensure that certain operations on personal data of the Russian citizens (namely recording, systematization, accumulation, storage, adaptation/alteration, and retrieval) is carried out in database(s) located in Russia once such data is collected. This is the so-called localization requirement.

In other words, once personal data is collected, it shall be placed in the database located in Russia (i.e., the primary database), so that all mentioned operations on the data should be carried out locally. Afterwards, the data can be transferred abroad for further processing (i.e., to the secondary database).

Operations required for updating/rectifying personal data shall be primarily made in the local database(s).

The scope of application of the localization requirement provides that:

  • only data of Russian citizens shall be localized (as per clarifications of the Russian regulator, companies shall themselves decide how to determine individuals' (data subjects) citizenship considering their business practices);
  • data shall be localized upon its collection (in the context of the localization requirement, collection means the deliberate process of gathering information and further use of such data for a particular purpose(s)). In this regard, the Data Localization Law applies only to personal data collected directly from an individual (data subject) by the company or by the third party specifically engaged for this purpose;
  • the localization requirement applies only to data controllers. Thus, entities acting in the capacity of data processors are out of the scope. However, in that case, the requirement to ensure the status of the data processor is properly formalized, as described below in the section on controller and processor contracts below applies; and
  • the localization requirement does not apply to the data collected before September 1, 2015, as long as no operations on data mentioned above have been carried out after September 1, 2015.

Russian law does not require the data controller to set up their own database. It may be either the data controller's own database or a third party's database (e.g., rented server facilities, cloud hosting). Starting from September 1, 2022, if collection of personal data is assigned to data processors, the respective assignment must contain their obligation to localize collected personal data in databases located in Russia.

It is a feasible option to ensure compliance with the localization requirement through the efforts of a third party, e.g., oblige a data processor contractually to ensure that data is processed in line with the localization requirement.

The amendments to the Code of Administrative Offences, effective since December 2, 2019, introduced new fines of up to RUB 6 million (approx. $64,620) for the first localization offence and up to RUB 18 million (approx. $193,860) for the subsequent offence.

7.3. Data processing records

There is no obligation for data controllers and/or data processors to maintain data processing records. However, some companies maintain similar records as good practice and convenient tool in order to monitor and record data processing activities, data flows, and compliance with applicable legal requirements.

7.4. Data protection impact assessment

There is no obligation for data controllers and/or data processors to conduct a Data Protection Impact Assessment ('DPIA') as provided for by the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). However, there are similar obligations regarding the assessment of security measures and security levels. The assessment shall be conducted by a data controller, or through a third-party provider having the appropriate FSTEC license, at least once every three years.

Specifically, the Law on Personal Data provides that data controllers must independently determine the composition and range of necessary and sufficient measures to ensure the fulfilment of the obligations stipulated in the Law on Personal Data and regulatory legal acts adopted in accordance with it. In particular, such measures include the assessment of damage that may be caused to data subjects in the event of violation of the Law on Personal Data and correlating such damage with the measures taken by the controller to ensure the fulfilment of the obligations under the same (Article 18-1(1)(5) of the Law on Personal Data). Such an assessment should be carried under the requirements which are to be adopted by Roskomnadzor.

7.5. Data protection officer appointment

The appointment of a DPO is compulsory in Russia (Articles 18.1(1)(1) and 22.1(1) of the Law on Personal Data). A DPO must be appointed by data controllers which are legal entities and must be reported to the Roskomnadzor in the filed notification, in accordance with requirements described in the section on data processing notification above.

The DPO shall be appointed by the written order of the general director of the organization and shall receive instructions from, and be subordinate to, the general director. Please note that such orders shall be adopted when the general director acts as a DPO as well.

There is no specification in the Law on Personal Data as to whether the DPO should be a Russian citizen, although the DPO may be an individual or a legal entity (Article 18.1(1) of the Law on Personal Data).

The DPO is responsible for:

  • internal control over the compliance of the organization and its employees with Russian legislation covering personal data, including requirements for the protection of personal data;
  • informing the organization's employees on provisions of the Russian legislation covering personal data, local normative acts on personal data processing, and the requirements for the protection of personal data; and
  • receiving and processing requests and inquiries of personal data subjects and monitoring the reception and processing of such requests.

The DPO is expected to receive instructions directly from the organization and is accountable to the organization (Article 22.1(2) of the Law on Personal Data). In this regard, Articles 22.1(3) and 22 (3) of the Law on Personal Data specify the information that an organization must provide the DPO with.

7.6. Data breach notification

General obligations

The security regulations under the Law on Personal Data and Decree No. 1119 require that the controller implements several security incident detection and response measures, e.g., that it defines individuals responsible for incident detection and response, guides users to notify such individuals of security incidents that are revealed, among other things. The extent of such measures will be defined by the controller based on threat modelling method (see the section on controller and processor obligations above relating to security and technical measures).

As for data breach notifications, beginning from September 1, 2022, the Law on Personal Data now provides an obligation of data controllers to notify Roskomnadzor when a data breach is revealed.

The procedure for notification of Roskomnadzor about the incident has two steps:

  • within 24 hours: a notification on:
    • causes of data breach;
    • alleged harm;
    • security measures undertaken; and
    • details on authorized official of a data controller to interact in relation to data breach; or
  • within 72 hours: a notification on:
    • internal investigation results; and
    • persons who caused the data breach.

A data controller now should ensure interaction with GosSOPKA. The interaction procedure is to be adopted by the Federal Security Service. Such an interaction implies that a data controller will transmit information about computer incidents that led to the unlawful transfer (provision, distribution, access) of personal data to GosSOPKA.

Nevertheless, data controllers are not required to notify data subjects of data breaches that have occurred.

Financial obligation

The Central Bank of the Russian Federation ('the Central Bank') has issued Ordinance of 8 October 2018 No. 4926-U (only available in Russia here) ('the Ordinance') which regulates the form and procedure for transmitting information to the Central Bank by money transfer operators, payment system operators, and payment infrastructure service operators, including the transmission of the information without the client's consent. According to the Ordinance, money transfer operators and payment infrastructure service providers shall notify the Central Bank about the detected violations of requirements of information protection when transferring funds, as well as provide for a plan of action on disclosure of information about such incidents. Such notifications are made through the specific electronic platform of the Central Bank.

7.7. Data retention

The Law on Personal Data does not specify any particular retention periods. Rather, these are provided by other specific laws outlined below. The Law on Personal Data simply provides that personal data should not be kept/processed for a longer period than is necessary for the purpose for which it is processed (unless longer processing and, in particular, retention periods are mandated by Russian law or by agreement of the data subject). Normally, a data controller must cease the processing and destroy personal data within 30 days after the purposes of the processing of such information have been achieved, unless otherwise provided by applicable Russian law or individual's consent.

Under Russian law, there are some legal mandates, e.g., Federal Law of 6 December 2011 No. 402-FZ on Accounting Records (only available in Russian here), governing retention periods for particular types of documents that can be produced in the course of an entity's activity. These terms are mostly prescribed for hardcopies maintained in accordance with Russian legislation and normal business activities. The storage of data on IT systems must usually be regulated by internal policies of data controllers and data subjects' consent.

7.8. Children's data

Russian data protection laws do not set out any specific rules with regard to the processing of children's data.

As per Russian law, children (i.e., those under the age of 18) exercise their rights and protect their interests through their parents (or other legal representatives). Thus, strictly speaking, where children's data is processed and this requires consent, such consent should be requested from parents (or other legal representatives). However, in certain cases starting from the age of 14, children may act more or less independently, e.g., to make some small-scale transactions on their own, etc. Thus, where children's data is processed in the context of such transactions, consent of the parent or legal representative is not needed. However, in practice, there is no unified approach to the notion of small-scale transactions and the age threshold requiring parental consent to data processing.

In addition, the Law on Personal Data provides that agreements between data controllers and data subjects should not include provisions establishing cases for processing children's personal data, unless such cases are provided by a law.

7.9. Special categories of personal data

Articles 10 and 11 of the Law on Personal Data define two categories of privacy-sensitive information, namely:

  • special categories of personal data (sensitive personal data), which is defined as personal data relating to race, national origin, political views, religious and philosophical commitments, intimate life and health. In addition, it includes criminal convictions data; and
  • biometric data, which includes information relating to an individual's physiological and biological characteristics enabling, and is used for, the individual's identification (e.g., fingerprints, voice recordings, personal images, etc.).

As a basic rule, such types of personal data (except criminal convictions data) may be processed only based on an individual's written consent.

The Law on Personal Data also establishes that a data controller cannot refuse to provide its services to a data subject if they refuse to give their consent to biometric data processing, unless obtaining such a consent is not mandatory under a federal law.

With regards to criminal convictions data, its processing is generally prohibited (Article 10 of the Law on Personal Data), unless the law directly prescribes processing of such data. Legal exceptions for any mentioned types of data are very narrow and apply quite rarely.

Furthermore, new rules for the accreditation of organizations that perform identification and/or authentication using biometric personal data came into force in January 2022. The requirements for accreditation differ depending on whether the organization performs solely authentication, identification, or both. The requirements for the organizations that perform identification or identification and authentication in particular include:

  • ownership of capital up to RUB 500 million (approx. $5.41 million);
  • financial security of liability for losses caused to third parties in the amount of up to RUB 100 million (approx. $1.08 million);
  • ownership of hardware encryption (cryptographic) means with confirmation of compliance with the requirements established by the FSB;
  • at least two employees with higher education in the field of information technology or information security; and
  • a duly certified copy of the CEO's employment history.

Foreign legal entities can also apply for accreditation. In addition to the above requirements, they must also confirm that their technical means of information systems ensuring identification and/or authentication are in the Russian Federation and provide an excerpt from the register of foreign legal entities.

An exception is the legal entities whose personal law is the law of a State included in the list of foreign states that commit unfriendly acts against the Russian Federation; such legal entities cannot be accredited in this field.

7.10. Controller and processor contracts

A data processor's responsibilities shall be specified in its agreement with the data controller. A data controller can, with the consent of a data subject, assign data processing to data processors based on the assignment agreement concluded with them.

A data controller is responsible for the actions of their data processors before the data subjects, and data processors can be responsible before a data controller on a contractual basis. In addition, from September 1, 2022, foreign data processors bear equal liability along with data controllers in case of any violations of and is not responsible before data subjects.

However, a data processor is not obliged to ensure legal grounds for the processing of personal data.

As stated above, a data processor arranges to process personal data on the assignment of a data controller, which is expressed in a so-called data processing agreement. Such an agreement and/or assignment by the data controller must contain specific information, provided by the Law on Personal Data. In particular, it shall include:

  • the categories of processed data:
  • a list of operations performed with personal data;
  • the purposes of processing personal data;
  • the confidentiality and security obligations of the data processor; and
  • the obligations of a data processor to ensure the level of protection required by the Law on Personal Data;
  • the obligation to notify a data controller about data breach; and
  • the obligation to comply with data localization requirement.

Formally speaking, assigning personal data processing activities to a data processor requires a data subject's informed written consent. In some cases (e.g., where an employees' personal data is disclosed), the law prescribes the provision of written consent, which shall be compliant with specific requirements regarding its form and content. In particular, along with other mandatory elements, such consent shall contain the processor's name and address. As recently articulated by the Roskomnadzor officials in the course of public events, this requirement shall be construed as applicable only to data processors and, therefore, other data controllers receiving personal data under such consent may be indicated in a general manner, unless their details are necessary to ensure that consent is specific and informative enough.

8. Data Subject Rights

Data subjects are entitled to access their personal data, request specification or the termination of processing, and request the destruction of incorrect or incomplete personal data, as well as data processed in violation of Russian legislation covering personal data protection. Data subjects are also entitled to receive information about the categories of personal data processed, the purposes of the processing, the legal grounds for the processing, the terms of the processing, the legal consequences of the processing, the persons having access to personal data and other information related to the processing of their personal data.

Data subjects are entitled to challenge the actions or inactions of data controllers with regard to the processing of their personal data in court, or to report them to the Roskomnadzor. Data subjects are also provided with increased protection in the case of the processing of their sensitive data and biometric data, the processing of personal data for purposes of direct marketing or agitation contacts, and the adoption of decisions in respect of personal data subjects exclusively based on automated processing.

8.1. Right to be informed

The right to be informed means that the data controller shall make the policies containing information about data processing available to the data subjects concerned.

The data processing policies shall contain a range of details regarding data processing activities, in particular, categories of processed data, purposes of processing, operations performed on data, methods of processing, categories and list of processed personal data, categories of data subjects, terms of processing, data retention, and procedures for erasure.

From September 1, 2022, a privacy policy should also be published on every webpage via which personal data is collected.

8.2. Right to access

Upon the request of a data subject, a data controller shall provide any record containing the personal data of the data subject. If such record contains personal data of other data subjects, this information must be excluded from the tangible medium provided to the data subject. A data controller may refuse a data subject access to their personal data if such access infringes upon the legal interests of a data controller and/or third parties.

8.3. Right to rectification

The data subject has the right to require the rectification of personal data where the personal data is incomplete, inaccurate, outdated, processed unlawfully, or no longer needed to achieve the specific purpose of data processing.

8.4. Right to erasure

In addition to the right of rectification, the data subject has the right to require the blocking and destruction of personal data where the personal data is incomplete, inaccurate, outdated, processed unlawfully, or no longer needed to achieve the specific purpose of data processing.

8.5. Right to object/opt-out

The Law on Personal Data does not include the right to object. However, data subjects can demand the cessation of illegal processing.

Withdrawal of opt-in consent can also be regarded as equivalent to the right to opt-out.

8.6. Right to data portability

Russian law does not include the right to data portability.

8.7. Right not to be subject to automated decision-making

Under Article 16 of the Law on Personal Data, solely automated decision-making is not permitted if the decision produces legal consequences for the data subject or significantly affects the data subject's rights and legal interests.

However, decisions based exclusively on automated processing are exceptionally allowed upon the data subject's written consent, and a data subject shall be notified of the order of automated decision-making and its consequences. The data controller must provide the possibility to a data subject to object to the automated decision.

8.8. Other rights

General rights

Data subjects are entitled:

  • to withdraw consent at any time, in which case the data controller must terminate processing of personal data based on consent within 30 calendar days; and
  • to lodge a complaint to the Roskomnadzor or a court.

Publicly available data

With respect to making personal data publicly available, data subjects are entitled to:

  • determine the types and categories of personal data to be made publicly available;
  • establish restrictions on the use of such personal data (e.g., limit the purposes of processing);
  • revoke consent to the processing of publicly available data at any time; and
  • request the data controller that breaches the rules for the processing of publicly available data to terminate this processing within three business days.

9. Penalties

Liability for the violation of Russian legislation covering personal data protection may arise in the form of an administrative fine, the restriction of access to an information resource (i.e., a website or an app) of the data controller or data processor, criminal liability, and, in rare cases, damage claims by data subjects.

Administrative liability is provided for the following violations of data protection laws:

  • processing of personal data without duly legal grounds and processing which is incompatible with data processing purposes;
  • carrying out personal data processing without a data subject's written consent in cases where the written consent is required by law, or with written consent that does not meet mandatory requirements;
  • failure to publish or provide access to a privacy policy or information on requirements for personal data protection;
  • failure to provide information on personal data processing to data subjects;
  • failure to satisfy (within the prescribed term) a request for personal data clarification, blocking, or destruction (in cases where personal data is incomplete, outdated, imprecise, illegitimately received, or unnecessary for the stated purpose of data processing);
  • failure to comply with security requirements while storing tangible media containing personal data, and unauthorized access resulting in illegitimate or accidental access to personal data or its destruction, modification, blocking, copying, disclosure, or dissemination; and
  • failure of a state or municipal authority to meet the obligation to pseudonymize personal data or to comply with depersonalization methods or requirements.

Administrative fines for such violations vary depending on the type of violation and may be up to RUB 150,000 (approx. $1,620) for the first offence and RUB 500,000 (approx. $5,420) for a repeated offense for legal entities. Furthermore, the fines for company officials may be up to up to RUB 40,000 (approx. $430) for the first offence and RUB 100,000 (approx. $1,080) for a repeated offense.

If data is illegally used for advertising purposes, or if its usage constitutes an act of unfair competition, the fines may be up to RUB 500,000 (approx. $5,415).

Notably, there is no special fine for the failure to appoint a DPO in Russia. However, in practice, the Roskomnadzor may conduct a check or inspection, locate various breaches of the data protection law, including failure to appoint a DPO, and issue a binding order to address the corresponding breaches at issue. If the binding order is not complied with an administrative fine can be applied. Specifically, non-compliance with a binding order of a state agency, including the Roskomndazor, will result in the imposition of an administrative fine in the amount of RUB 10,000 to 20,000 (approx. $110 to $220 for legal entities and an administrative fine in the amount of RUB 1,000 to 2,000 (approx. $10 to $20) for responsible manages (such as, CEOs), or disqualification of the director up to three years.

There is also an administrative fine for the failure to notify the Roskomnadzor of the appointment of a DPO in Russia, failure of which may result in the warning or imposition of the administrative fine in the amount of RUB 3,000 to 5,000 (approx. $30 to $50) for legal entities, and an administrative fine in the amount of RUB 300 to 500 (approx. $3 to $5) for responsible managers. This (administrative) liability is dictated by Article 19.7 of the Code on Administrative Offences.

Article 13.11 of the Code of Administrative Offences provides for the following maximum administrative penalties to be imposed on legal entities and company officials for the violation of Russian laws on personal data (except the data localization requirement):

Type of offence

Fine for legal entities

Fine for company officials

Data processing without an appropriate legal ground, or excessive data processing

Up to RUB 100,000 (approx. $1,080) for the first offence and RUB 300,000 (approx. $ 3,250) for a repeated offence

Up to RUB 20,000 (approx. $220) for the first offence and RUB 50,000 (approx. $540) for a repeated offense

Data processing without written consent, or in breach of the requirements for written consent (when such consent is statutorily required)

Up to RUB 150,000 (approx. $ 1,620) for the first offence and RUB 500,000 (approx. $ 5,20) for a repeated offense

Up to RUB 40,000 (approx. $430) for the first offence and RUB 100,000 (approx. $1,080) for a repeated offense

Failure to provide easy access to the privacy policy, which also includes the absence of such a policy

Up to RUB 60,000 (approx. $650)

Up to RUB 12,000 (approx. $130)

Failure to handle a data subject's request to access their data

Up to RUB 80,000 (approx. $870)

Up to RUB 12,000 (approx. $130)

Failure to comply with the requirements for data specification, blockage, and deletion

Up to RUB 90,000 (approx. $970) for the first offence and RUB 500,000 (approx. $ 5,420 for a repeated offense

Up to RUB 20,000 (approx. $220) for the first offence and RUB 50,000 (approx. $540) for a repeated offense

Violation of the requirements for non-automated (manual), data processing, which have triggered unauthorized access, or other unlawful data processing

Up to RUB 100,000 (approx. $ 1,080)

Up to RUB 20,000 (approx. $220)

Failure to comply with data localization requirement

Up to RUB 6 million (approx. $ 64,980) for the first offence and up to RUB 18 million (approx. $ 194,950) for a repeated offence

Up to RUB 200,000 (approx. $2,170) for the first offence and up to RUB 800,000 (approx. $8,660) for a repeated offence

Additionally, we expect that in Autumn 2023 a legislative bill providing administrative liability for unlawful / accidental transfers of personal data (data breach incidents) will be introduced to the State Duma as the lower chamber of the Russian Parliament. According to the public statements of lawmakers, such offence may entail the following administrative fines for the companies if the number of data subjects concerned is:

  • from 1,000 to 10,000 data subjects – administrative fines from RUB 3 million (approx. $32,490) up to RUB 5 million (approx. $54,150);
  • from 10,000 to 100,000 data subjects – administrative fines from RUB 5 million (approx. $54,150) up to RUB 10 million (approx. $108,300);
  • more that 100,000 data subjects – from RUB 10 million (approx. $108,300) up to RUB 15 million (approx. $162,460).

For repeated offences, a turnover fine of 0.1% to 3% of revenue for a calendar year or part of the current year, but not less than RUB 15 million (approx. $162,460) and not more than RUB 500 million (approx. $5.4 million) is proposed. Also, we can except increased liability for data breach incidents in relation to biometric personal data and sensitive personal data as well as specific liability for lack of notification to Roskomnadzor on a data breach incident as required by Russian data protection laws.

Access to an information resource or website of the data controller/data processor may be restricted from Russia based on a Russian court decision if such information resource processes the personal data of Russian nationals in violation of Russian data protection laws. Criminal liability may arise for illegal access to computer information, which results in the destruction, blocking, modification, or copying of computer information, as well as for illegal disclosure of information about an individual's private life. Criminal liability may be imposed only on individuals (i.e., company officials).

Individuals are entitled to claim damages caused to them by the illegal processing of their personal data, including moral damages, through the civil court. However, currently, Russian courts are reluctant to satisfy such claims in full and often decrease the number of damages requested by a claimant.

Data protection audits and inspections

On June 29, 2021, the Government adopted Decree No. 1046, which establishes new rules for audits and inspections of companies processing personal data.

The Roskomnadzor is entitled to investigate companies' compliance with data protection laws. For this purpose, it conducts audits and inspections, both scheduled and unscheduled, in accordance with the rules specified in legislation. The key provisions introduced by Decree No. 1046 are as follows:

  • data processors are equated to data controllers for the purposes of state control during inspections of the Roskomnadzor;
  • all data controllers fall into one of the following categories of risk of harm: high risk; significant risk; medium risk; moderate risk; and low risk. The type of risk is set depending on the category of personal data and data operations processed (e.g., sensitive and biometric data, big data, cross-border data transfers), as well as the cases of data controller liability for breach of legislation on personal data. The frequency of inspections is set according to the risk assigned to the controller: the higher the risk assigned, the more frequent the inspections are;
  • preventive measures may be carried out by the Roskomnadzor, including informing, reviewing law enforcement practice, warnings, counselling, and preventive visits; and
  • in the exercise of audits and inspections over the processing of personal data, the types of control (supervision) measures include inspection visits, documentary inspections, and on-site inspections.

New types of preventive measures may be carried out when exercising audit over the processing of personal data:

  • informing;
  • generalization of law enforcement practice;
  • issuance of a warning;
  • consultation; and
  • preventive visit.

Apart from inspections, the Roskomnadzor supervises compliance by way of monitoring companies on the internet or analyzing any available information about their processing activities, e.g., information received from data subjects or any other parties, or data available in a public domain. Upon such monitoring, the Roskomnadzor is entitled to request the company to rectify any violations within 10 business days. If the company does not comply, it will face administrative fines.

9.1 Enforcement decisions

See the section on case law above.

Feedback