Russia - Data Protection Overview
Amendments to the Law on Personal Data
Federal Law of 27 July 2006 No. 152-FZ on Personal Data (as amended) (available in Russian here; an unofficial English version as of 2019 is available here) ('the Law on Personal Data') was recently amended in December 2020 pursuant to Federal Law of 30 December 2020 No. 519-FZ on Amendments to the Federal Law on Personal Data (only available in Russian here) ('the Amendments'). The Amendments came into force on 1 March 2021 and significantly change the legal landscape with regard to the use of publicly available personal data, while also clarifying the conditions of consent to the further processing of such data. See section 5.1. below for further information.
New penalties for the breach of Russian data protection laws
The spread of COVID-19 has made companies change their daily practices in order to ensure continuous business operation without compromising individuals' safety. Companies, as employers, are obliged to collect employees' and other individuals' sensitive data for the purpose of preventing the spread of the infection. For example, the following data processing activities have been carried out by employers in Moscow:
- measurement of employees' temperature every four hours;
- COVID-19 tests for not less than 10% of employees every 15 days;
- collection of employees' blood samples for laboratory study by way of Enzyme-Linked Immunosorbent Assay ('ELISA') to detect infection and related immunity to it; and
- collection of an extended scope of employees' health data (including chronic diseases specified in the list of diseases adopted by the Moscow City Health Department, pregnancy, etc.).
Under Russian law, such information is considered personal data, and therefore its processing shall be fully compliant both with general statutory requirements and positions of the regulator elaborated in the course of the pandemic. For instance, the Federal Service for the Supervision of Communications, Information Technology and Mass Communications ('Roskomnadzor') has issued the following recommendations with regard to some COVID-related data protection compliance issues:
- Russian employment laws lay down that employees' health data may be processed to an extent necessary to consider an employee's capacity to perform his employment duties. As explained by the Roskomnadzor, this may be used to justify processing of employees' personal data. As for measuring the temperature of visitors, it is quite onerous to justify their health data processing in the absence of consent. The Roskomnadzor advised that such individuals provide their consent by affirmative actions. However, we also believe that it may be an option to avoid keeping records of visitors' temperature and thereby avoid personal data protection concerns.
- Personal data processing should be transparent to all individuals concerned. This should be done via public notices placed on the company's premises and implementation/update of local data protection/privacy policies.
- The data shall be deleted in a timely manner and processed no longer than necessary to fulfil the processing purpose declared.
- Processing of health data is a sensitive issue in terms of compliance and individuals' privacy, so it is necessary to implement necessary security safeguards to preserve such data from unauthorised access, modification, and other unlawful operations.
In addition, a number of obligations may be imposed by regional laws and regulations. For example, under new regulations adopted in Moscow, employers must submit certain information about employees that are working remotely to the Mayor of Moscow and the Government of the Russian Federation ('the Russian Government'). In such circumstances, companies should monitor their privacy practices and applicable requirements on a daily basis.
1. GOVERNING TEXTS
The following Acts, Regulations, Decrees, and Conventions regulate data protection in Russia:
- the Law on Personal Data;
- Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data 108/81 ('Convention 108');
- Protocol Amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data ('the Protocol Amending Convention 108');
- Articles 23 and 24 of the Constitution of the Russian Federation of 12 December 1993;
- Federal Law of 27 July 2006 No. 149-FZ on Information, Information Technologies, and Protection of Information (as amended) (only available in Russian here) ('the Law on Information');
- Chapter 14 of the Labour Code of the Russian Federation of 30 December 2001 No. 197-FZ (as amended) (only available in Russian here) ('the Labour Code');
- Federal Law of 26 July 2004 No. 98-FZ on Trade Secrets (only available in Russian here);
- Federal Law of 26 July 2017 No. 187-FZ on Security of Critical Information Infrastructure of the Russian Federation (only available in Russian here);
- Federal Law of 24 April 2020 No. 123-FZ on the Experiment to Establish Special Regulation in Order to Create the Necessary Conditions for the Development and Implementation of Artificial Intelligence Technologies in the Region of the Russian Federation – Federal City of Moscow and Amending the Articles 6 and 10 of the Federal Law on Personal Data (only available in Russian here); and
- Code of 30 December 2001 No. 195-FZ on Administrative Offences (as amended) (only available in Russian here) ('the Code of Administrative Offences').
The Russian Government has issued the following Decrees:
- Decree of the Government of 1 January 2012 No. 1119 on the Approval of Requirements for the Protection of Personal Data in the Case of Processing in Personal Data Information Systems (only available in Russian here) ('Decree No. 1119');
- Decree of the Government of 13 February 2019 No. 146 on Approving the Rules on Organising and Implementing State Control and Supervision on the Processing of Personal Data (only available in Russian here) ('Decree No. 146');
- Decree of the Government of 15 December 2008 No. 687 on Approving the Provision Regarding Properties of Personal Data Processing without Software (only available in Russian here) ('Decree No. 687'); and
- Decree of the Government of 6 July 2008 No. 512 on Approving the Requirements to Biometric Personal Data Tangible Carrier and such Data Storage Outside of Personal Data Information Systems (only available in Russian here).
The Federal Service for Technical and Export Control ('FSTEC') has issued the following Orders:
- Order of 25 December 2017 No. 239 on Making Changes in Safety Requirements of Significant Objects of Critical Information Infrastructure of the Russian Federation (only available in Russian here); and
- Order of 18 February 2013 No. 21 on Approving the List and Scope of Planning and Technical Activities for Protection of Personal Data While Processing via Personal Data Information Systems (only available in Russian here).
The Ministry of Digital Development, Communications and Mass Media ('Ministry') has published:
- Processing and Storage of Personal Data in the Russian Federation (changes as of 1 September 2015) (only available in Russian here).
The Roskomnadzor has also published:
- Recommendations on Drafting the Data Processing Policy (only available in Russian here); and
- Recommendations with regard to some COVID-19-related data protection compliance issues (only available in Russian here).
1.3. Case law
- Decision of the Moscow City Court ('MCC') of 10 November 2016 Case No. 33-38783/16 on the restriction of the access to LinkedIn Corporation from Russia (only available to download in Russian here).
- Decision of the MCC of 16 September 2015 Case No. 33-30344/2015 on Google LLC's fine for violation of the right to privacy of correspondence (only available to download in Russian here) ('the Google Case').
- Decision of the Tagansky District Court of 19 December 2018 Case No. 2-4261/18, where the Court restricted access to the website vote.2019 for violation of data processing requirements by use of Google Analytics (only available to download in Russian here).
- Decision of the MCC of 4 June 2018 Case No. 33a-3957, where McDonald's LLC was fined for violation of data processing requirements (processing of former employee's personal data without their consent, storage of curriculum vitae and consent on processing of personal data as a part of the employee's personal file) (only available in Russian here).
- Decision of the Supreme Court of the Russian Federation ('the Supreme Court') of 5 March 2018 Case No. 307-KG18-101, wherein the Supreme Court found that photographic images are treated as biometric personal data because they describe a person's physical and biological characteristics, from which it is possible to identify this person. Thus, if a company uses an access system based on photo identification of employees, this company should obtain written consent for processing of biometric data (only available in Russian here).
- Decision of the Supreme Court of 19 December 2018 Case No. AKPI18-1109, wherein the Court confirmed the powers of the Federal Service Bureau ('FSB'), the security agency of Russia, to have constant access to user's data (only available in Russian here).
- On 11 December 2018, the Roskomnadzor imposed a fine on Google for non-compliance with the requirements of the Law on Information that obliges search engines to connect to the federal database of banned websites (only available in Russian here).
- Decision of the Savelovsky District Court of 6 November 2019 Case No. 2a-577/19, wherein the Court stated that citizens' video images obtained via face recognition technology in the municipal video surveillance system cannot be considered biometric data. Thus, there is no need to obtain citizens' written consent for the processing of biometric data in this case (only available to download in Russian here).
- Decision of the Civil Division of the Supreme Court of the Russian Federation of 12 November 2019 No. 14-KG19-15, wherein the Court recognised negative reviews about the specialist posted on the internet as an intrusion into his private life (only available in Russian here).
- Decisions of the Magistrate Court of Judicial District No. 374 of Tagansky judicial district of Moscow of 13 February 2020 Cases No. 5-167/2020 (accessible in Russian here) and 5-168/2020 (accessible in Russian here), wherein it was decided that, per Decision of the Supreme Court of 27 December 2019 No. 5-AD19-239 (only available in Russian here), Twitter, Inc. and Facebook, Inc. did not comply with the localisation requirement when processing the data of Russian users. For this offence, each company was fined RUB 4 million (approx. €44,300) (only available in Russian here and here).
2. SCOPE OF APPLICATION
The laws outlined above apply to any entities, including state and municipal authorities, legal entities, and individuals that process personal data through the use of automated means, including via an information/telecommunication network, or without automated means if the nature of the manual processing is similar to the automated processing, i.e. allows one to search personal data in a card catalogue or archive with the use of an algorithm.
The Law on Personal Data does not contain special provisions governing the territorial scope. In general, the effect of Russian law, including the Law on Personal Data, is limited to the territory of the Russian Federation.
With regard to the applicability of Russian law to web presence, carrying out activities on the Internet does not allow for a clear definition of the geographical boundaries of such activities. In this regard, there is a so-called 'targeting test' aimed at detecting the fact of targeting Russian nationals, which leads to the applicability of Russian law. For instance, a web presence (e.g. website or app) may be considered as targeting Russian nationals if it is registered with a Russian domain (e.g. .ru, .moscow, .su, .рф, etc.), or if it provides for the delivery of goods and services to Russia. Use of the Russian language can also be a criterion. However, the targeting test is not formalistic, and other circumstances demonstrating that the owner of the website or app considers the Russian market within its business strategy will be examined by the regulator/courts (in case of inspection, dispute, etc.).
The Law on Personal Data regulates the relationships relating to the processing of personal data by governmental bodies, municipal bodies, legal entities, and persons by automatic means, including via the Internet, or without such means, if such manual processing corresponds in character to operations performed on personal data by automatic means.
The Law on Personal Data does not apply to activities related to personal data processing by individuals for personal or family purposes, data processing by the state archives, processing of personal data that is associated with state secrecy, and the activities of courts in the Russian Federation according to the specific regulations. Moreover, there are rules for manual processing of personal data that are established by Decree No. 687.
3.1. Main regulator for data protection
The Roskomnadzor is the main regulator for data protection.
3.2. Main powers, duties and responsibilities
The main powers, duties, and responsibilities of the Roskomnadzor are to:
- check the data processing activities of data controllers through systematic monitoring measures and in the course of scheduled and unscheduled checks;
- check information submitted by data controllers in their notifications to the Roskomnadzor;
- request data controllers to specify, block, cease the processing of, and destroy inaccurately or illegally received personal data;
- restrict access to information processed in violation of Russian legislation covering personal data protection;
- take measures aimed at suspension and cessation of the processing of personal data, processed in violation of Russian legislation covering data protection;
- file claims to court in order to protect the interests of data subjects and represent data subjects in court;
- exchange information with the FSB, supervising the use of cryptographic technologies;
- exchange information with FSTEC, supervising the use of technical tools and software for information protection;
- bring persons to administrative liability for infringement of Russian legislation covering personal data protection;
- consider claims of citizens and legal entities concerning processing of personal data and adopt decisions upon consideration of such claims, liaising with citizens and legal entities;
- maintain the registry of data controllers;
- monitor data controllers' processing activities on the internet; and
- take measures aimed at improving the protection of personal data subjects' rights.
4. KEY DEFINITIONS
Data controller: The Law on Personal Data refers to a 'data operator,' which is an entity who, separately or jointly with other entities, arranges and/or carries out personal data processing, as well as determines the purposes of personal data processing, scope of personal data to be processed, and actions (operations) performed on personal data.
Data processor: There is no definition of 'data processor' in the Law on Personal Data. However, the Law on Personal Data imposes obligations on a 'person carrying out the processing of personal data on the instructions of an operator.'
Personal data processing: Any activity (operation) or set of activities (operations) which are performed upon personal data, whether or not by automatic means, including the collection, recording, systematisation, gathering, storage, specification, updating, alteration, retrieval, use, transfer, dissemination, making available, access, depersonalisation, blocking, deletion, and destruction of personal data.
Information system of personal data: Personal data contained in the databases of personal data along with information technologies and technical means used for processing of personal data.
Data subject: The Law on Personal Data refers to 'subjects of personal data' as individuals to which personal data relates.
Publicly available data: Referred to as 'personal data permitted by the data subject for dissemination,' this is personal data to which an unlimited number of persons have access, and access to which is provided by the data subject by giving consent to the processing of personal data for distribution in the manner prescribed by the Law on Personal Data.
5. LEGAL BASES
Data controllers are required to ensure that they have legitimate grounds for the processing of personal data. For this purpose, companies should consider if any of the grounds provided by the Law on Personal Data are applicable to the intended data processing.
Personal data may be processed upon the consent of the data subject. Such consent shall be specific, informed, and conscious. As a basic principle, consent can be provided in any form allowing the data controller to verify this. However, in some cases (e.g. where employee personal data is transferred to any third party; automated decision-making; processing of sensitive and biometric personal data) the consent shall be executed in written form subject to strict statutory requirements.
In this respect, data controllers should be aware that the specific wording and form of the data subject's consent can be prescribed by the Law on Personal Data or other specific laws, such as the Labour Code, in respect of employee personal data, and must be strictly followed.
Processing of sensitive and biometric personal data shall be based on the individual's written consent or other alternative legal grounds, which are quite narrow and rarely apply. As to the processing of personal data for direct marketing purposes and automated decision making, individual consent serves as the only appropriate legal ground and there are no exceptions in this regard.
In some cases, consent shall be provided in a written form containing a number of legally required elements, namely:
- data subject's name, address, and passport details;
- name, address, and passport details of data subject's representative and details of documents confirming representative's authorisation (where consent is given by such an individual);
- name and address of the data controller;
- purpose of personal data processing;
- categories of personal data to be processed;
- name and address of the data processors;
- operations on personal data (collection, recording, systematisation, etc.) and general description of data processing methods (automated, manual, mixed, etc.); and
- terms of consent and procedure of its withdrawal.
Publicly available data
Requirements for obtaining consent for publicly available data
Data controllers making personal data publicly available, for further use by third parties, shall:
- obtain individuals' specific and unambiguous consents, which shall not be bundled with any other consents;
- enable individuals to choose the types of their personal data to be made publicly available and set out restrictions on the use of such personal data;
- enable individuals to revoke their consents for making the data publicly available with immediate effect; and
- set out the rules for use of the publicly available data, with a view to individuals' consents, and post such rules on their relevant web resources within three business days.
When it comes to the third parties who intend to use publicly available personal data, such third parties may either:
- rely on the consent obtained by the controller when making the data publicly available, considering the rules of such use defined by that controller;
- rely on the consent provided by an individual to the Roskomnadzor, via a dedicated web-based platform to be set up under the law, but also considering the rules of data use defined by the Roskomnadzor; or
- ensure, on their own, that they have appropriate legal grounds for the use of such publicly available personal data.
The data subject may either give the consent for making personal data publicly available directly to the data controller or submit it through an IT system of the Roskomnadzor. The provisions related to IT system will enter into force on 1 July 2021. The Roskomnadzor is expected to provide further technical details about the functioning of this system and guidelines for using it shortly.
Burden of proof
If personal data is disseminated and processed without consent or made publicly available due to an offence, crime, or force majeure circumstances, the burden of proof falls on every data controller who has disseminated or otherwise processed this data.
Assumptions relating to obtaining consent for publicly available data
If a separate consent for making personal data available is not obtained by the data controller, but, in general, personal data is processed lawfully (e.g. the consent for personal data processing is in place), this data may be processed by the data controller, but without the right to disseminate it (i.e. this data may not be made publicly available).
Separate consent must contain the types of personal data to be made publicly available and restrictions on the use of such personal data. Otherwise, it is held that the data controller cannot make this data publicly available.
Exception relating to the processing of publicly available data
The conditions and restrictions established by the data subjects will not apply to cases of processing personal data in State or other public interests. Furthermore, all conditions for the processing of such types of data will not apply in case personal data is processed for fulfilling the legal obligations of State and local authorities.
It is possible to rely on the legal ground of contractual necessity where processing is necessary to enter into a contract with a data subject at the data subject's initiative or a contract to which the data subject is either a party, beneficiary, or guarantor, or to perform such contracts.
Data can be processed on the basis of an agreement concluded with a data subject or to which the data subject is a beneficiary or guarantor, or in order to conclude an agreement with a data subject. Agreements that constitute grounds for the processing of individuals' data must also contain wording evidencing data subjects' awareness of the processing of their data conducted under such agreements.
The data controller is authorised to process the personal data where it is necessary to perform its functions and obligations imposed on that data controller by virtue of applicable laws. This includes:
- processing carried out in order to achieve goals provided by international treaties to which Russia is a party and by Russian law, or for the performance of obligations imposed on the data controller by Russian law;
- processing that is performed in accordance with labour laws, social security laws, pension laws; and
- processing that is required for judgment purposes, enforcement of a judicial act that is enforceable in Russia, etc.
Personal data may be processed when such processing is required for the protection of life, health, or other vital interests of personal data subjects, if obtaining of a consent is not possible.
The data controller may perform the processing of personal data where it is necessary to exercise rights and preserve legitimate interests of such data controller or a third party, provided that the rights and legal interests of the data subject are not infringed. However, due to the Roskomnadzor's narrow approach in this regard, this legal ground is construed very narrowly and applied very rarely.
The data controller is authorised to process depersonalised personal data for statistical and other research purposes. This legal ground, however, is not applicable in cases where such processing is associated with direct marketing purposes.
Furthermore, processing may also be carried out:
- for the purpose of mass media and journalism, provided that the rights and legal interests of the data subject are not infringed; or
- where the personal data is subject to obligatory publication or disclosure by Russian federal law.
7. CONTROLLER AND PROCESSOR OBLIGATIONS
Obligations to data subjects
Data controllers have numerous obligations to data subjects. In particular, data controllers shall:
- provide certain information regarding processing of data subject's personal data upon his/her request;
- provide access to personal data;
- eliminate violations in processing of personal data upon the request of a data subject; and
- keep personal data confidential and ensure the preservation of confidentiality of data by data processors.
Data controllers shall specify what data is held or cease the processing of the personal data and destroy the data of a data subject upon their request, if such personal data is inaccurate or processed illegally.
Obligations relating to security and technical measures
Data controllers shall take sufficient organisational, legal, and technical measures for the security and confidentiality of processed personal data. The Law on Personal Data provides for a basic list of measures to ensure personal data security. Along with these measures, companies must implement additional security measures in accordance with the procedures set out in Decree No. 1119. To figure out what particular measures are deemed relevant for a company, a threat modelling method must be applied. This method allows the identification and rating of threats which are likely to affect the information system of the company, and requires an IT audit of the company's information system, as well as the elaboration of the so-called 'security threats model.' This model shall apply to and be internally documented within the company and approved by its authorised officer.
Decree No. 1119 stipulates four levels of security of personal data processed in information systems. Each level determines the particular security measures which must be undertaken. In order to implement these measures, the support of the company's IT department and/or external IT organisations, or experts competent in Russian information security regulations is required. Specialists implementing these measures must also be aware of the many state regulations that provide for more detailed guidance on the implementation of data security measures, in particular Acts issued by the FSB and the FSTEC.
Data controllers are required to conduct an audit for compliance with Russian data protection requirements at least once every three years.
Data controllers may fulfil all information security requirements themselves, or they may outsource this function to a specialised organisation possessing the required licences.
It is obligatory for data controllers to file a notification with the Roskomnadzor prior to the commencement of data processing. There are some exceptions to this requirement, for example, where:
- personal data is processed under employment law;
- personal data was made publicly available by the data subject; and
- personal data only consists of the surname, first name, and patronymic of the data subject, among others.
The Roskomnadzor construes the above-mentioned exceptions very restrictively and, as a result, almost every data controller falls within the scope of the requirement to file the notification. The notification shall be filed once and with respect to all data processing activities of the particular data controller. If there are any changes to the data processing activities, the data controller is obliged to notify the Roskomnadzor of those changes within ten business days.
The notification shall contain certain information specified in the Law on Personal Data. In particular:
- data controller and data processor details;
- the purposes of data processing;
- categories of personal data processed;
- categories of data subjects whose personal data is processed;
- legal grounds for data processing;
- list of security measures undertaken by the data controller (including encryption tools);
- date of the beginning of processing of personal data;
- terms of termination of processing of personal data;
- types of personal data per each category of data subject;
- list of operations with personal data and an overview of the ways of data processing;
- encryption details;
- name and contacts of a data protection officer ('DPO');
- information on cross-border (international) data transfers; and
- information on the location of databases that are used for processing of personal data relating to Russian citizens, etc.
In practice, all necessary information shall be provided in a detailed and accurate form.
The notification can be filed only by the company, branch, or representative office which is registered in Russia.
The registry of data controllers is public and is accessible, only in Russian, here.
In practice, the majority of companies operating in Russia transfer personal data to their parent entities abroad and use data processors. Unless authorised by Russian law or international treaties to which Russia is a party, such transfer is only possible if performed on the basis of an agreement concluded between a company transferring data (data controller) and the company receiving it for further processing (other data controller or data processor). As stated above, this agreement shall contain some mandatory terms specified by the Law on Personal Data. Thus, data controllers should carefully review their intra-group agreements and agreements concluded with contractors, and ensure that they contain provisions required by the Law on Personal Data. Data controllers must ensure that the consent of individuals for the transfer of their data to third parties is obtained in accordance with the provisions prescribed by the Law on Personal Data. This also applies to any cross-border transfer, in cases where data is transferred outside Russia.
In general, requirements of the form of consent depend on the country where the data is being transferred. If personal data is transferred to countries that are not considered as providing adequate protection of personal data in accordance with Russian law, the consent for such transfer must be obtained in writing (please see the requirements for written consent in section 8), or the transfer must alternatively be permitted on the basis of the performance of an agreement with the data subject.
According to the Law on Personal Data, countries providing adequate protection of personal data are the countries that are parties to Convention 108 and some other countries, which are approved by the Roskomnadzor. The current list (amended 14 January 2019) of countries providing adequate protection of personal data includes:
- Costa Rica;
- New Zealand;
- South Africa;
- South Korea; and
Data localisation requirements
Federal Law of 21 July 2014 No. 242-FZ ('the Data Localisation Law') which entered into effect 1 September 2015, implies that upon collection of personal data relating to Russian citizens, a data controller must ensure that certain operations on personal data of the Russian citizens (namely recording, systematisation, accumulation, storage, adaptation/alteration, and retrieval) shall be carried out in database(s) located in Russia once such data is collected. This is the so-called localisation requirement.
In other words, once personal data is collected, it shall be placed in the database located in Russia (i.e. the primary database) so that all mentioned operations on the data should be carried out locally. Afterwards, the data can be transferred abroad for further processing (i.e. to the secondary database).
Operations required for updating/rectifying personal data shall be primarily made in the local database(s).
The scope of application of the localisation requirement provides that:
- only data of Russian citizens shall be localised (as per clarifications of the Russian regulator, companies shall themselves decide how to determine individuals' (data subjects) citizenship considering their business practices);
- data shall be localised upon its collection (in the context of the localisation requirement, collection means the deliberate process of gathering information and further use of such data for a particular purpose(s)). In this regard, the Data Localisation Law applies only to personal data collected directly from an individual (data subject) by the company or by the third party specifically engaged for this purpose;
- the localisation requirement applies only to data controllers. Thus, entities acting in the capacity of data processors are out of scope. However, in that case, the requirement to ensure that the status of the data processor is properly formalised, as described in section 7.10 below, applies; and
- the localisation requirement does not apply to the data collected before 1 September 2015 as long as no operations on data mentioned above have been carried out with the data after 1 September 2015.
Russian law does not require the data controller to set up his/her own database. It may be either the data controller's own database or a third party's database (e.g. rented server facilities, cloud hosting, etc.).
It is a feasible option to ensure compliance with the localisation requirement through the efforts of a third party, e.g. oblige a data processor contractually to ensure that data is processed in line with the localisation requirement.
The amendments to the Code of Administrative Offences, effective since 2 December 2019, introduced new fines of up to RUB 6 million (approx. €66,500) for the first localisation offence and up to RUB 18 million (approx. €200,000) for a subsequent offence.
There is no obligation for data controllers and/or data processors to maintain data processing records. However, some companies maintain similar records as good practice and as a convenient tool for monitoring and recording data processing activities, data flows, and compliance with applicable legal requirements.
There is no obligation for data controllers and/or data processors to conduct a Data Protection Impact Assessment as provided for by the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). However, there are similar obligations regarding the assessment of security measures and the security level. The assessment shall be conducted by the data controller, or through a third-party provider holding an appropriate FSTEC licence, at least once every three years.
The appointment of a data protection officer ('DPO') is compulsory in Russia. A DPO must be appointed by data controllers which are legal entities and must be reported to the Roskomnadzor in the filed notification, in accordance with requirements described in section 7.1 above.
The DPO shall be appointed by a written order of the general director of the organisation and shall receive instructions from, and be subordinate to, the general director. Please note that such an order must be adopted even where the general director acts as the DPO.
The DPO is responsible for:
- internal control over the compliance of the organisation and its employees with Russian legislation covering personal data, including requirements for the protection of personal data;
- informing the organisation's employees on provisions of the Russian legislation covering personal data, local normative acts on personal data processing, and the requirements for the protection of personal data; and
- receiving and processing requests and inquiries of personal data subjects and monitoring the reception and processing of such requests.
There is no general requirement for data breach notification in Russia, although sector-specific requirements exist in special regulations for banking activities. Russia has recently signed the Protocol Amending Convention 108 and therefore has accepted new legal obligations, including implementation of data breach notifications. Thus, new obligations to notify data protection authorities of security incidents shall be implemented in Russian legislation covering personal data protection in the near future.
The Central Bank of the Russian Federation ('the Central Bank') has issued Ordinance of 8 October 2018 No. 4926-U (only available in Russian here) ('the Ordinance'), which regulates the form and procedure for transmitting information to the Central Bank by money transfer operators, payment system operators, and payment infrastructure service operators, including the transmission of information without the client's consent. According to the Ordinance, money transfer operators and payment infrastructure service providers shall notify the Central Bank of detected violations of information protection requirements when transferring funds, and shall provide a plan of action for disclosing information about such incidents. Such notifications are made through the Central Bank's dedicated electronic platform.
The Law on Personal Data does not specify any particular retention periods, rather, these are provided by other specific laws outlined below. The Law on Personal Data simply provides that personal data should not be kept/processed for a longer period than is necessary for the purpose for which it is processed (unless longer processing and, in particular, retention periods are mandated by Russian law or by agreement of the data subject). Normally, a data controller must cease the processing and destroy personal data within 30 days after the purposes of processing of such information have been achieved, unless otherwise provided by applicable Russian law or individual's consent.
Under Russian law, there are some legal mandates, e.g. Federal Law of 6 December 2011 No. 402-FZ on Accounting Records (only available in Russian here), governing retention periods for particular types of documents that can be produced in the course of an entity's activity. These terms are mostly prescribed for hardcopies maintained in accordance with Russian legislation and normal business activities. The storage of data on IT systems must usually be regulated by internal policies of data controllers and data subjects' consent.
Russian data protection laws do not set out any specific rules with regard to processing of children's data.
As per Russian law, children (i.e. those under the age of 18) exercise their rights and protect their interests through their parents (or other legal representatives). Thus, strictly speaking, where children's data is processed and this requires consent, such consent should be requested from the parents (or other legal representatives). However, in certain cases, starting from the age of 14, children may act more or less independently, e.g. to make some small-scale transactions on their own. Thus, where children's data is processed in the context of such transactions, the consent of the parent or legal representative is not needed. However, in practice, there is no unified approach to the notion of a small-scale transaction or to the age threshold requiring parental consent to data processing.
Article 10 of the Law on Personal Data defines two categories of privacy-sensitive information, namely:
- Special categories of personal data (sensitive personal data), which is defined as personal data relating to race, national origin, political views, religious and philosophical commitments, intimate life and health. In addition, it includes criminal convictions data; and
- Biometric data, which includes information relating to an individual's physiological and biological characteristics that enables, and is used for, the identification of that individual (e.g. fingerprints, voice recordings, personal images, etc.).
As a basic rule, such types of personal data (except criminal convictions data) may be processed only on the basis of the individual's written consent.
With regards to criminal convictions data, its processing is generally prohibited (Article 10 of the Law on Personal Data), unless the law directly prescribes processing of such data. Legal exceptions for any mentioned types of data are very narrow and apply quite rarely.
A data processor's responsibilities shall be specified in its agreement with the data controller.
A data controller can, with the consent of a data subject, transfer personal data to a person processing such data on behalf of the data controller (upon assignment of the data controller), based on the agreement concluded with such persons.
A data controller is responsible for the actions of his/her data processors before the data subjects, and data processors can be responsible before a data controller on a contractual basis.
However, a data processor is not obliged to ensure legal grounds of processing of personal data and is not responsible before data subjects.
As stated above, a data processor carries out the processing of personal data on the assignment of a data controller, which is expressed in a so-called data processing agreement. Such an agreement and/or assignment by the data controller must contain specific information provided for by the Law on Personal Data. In particular, it shall include:
- a list of operations performed with personal data;
- the purposes of processing personal data;
- the categories of processed data;
- the confidentiality and security obligations of the data processor; and
- the obligations of a data processor to ensure the level of protection required by the Law on Personal Data.
Formally speaking, assigning personal data processing activities to a data processor requires the data subject's informed written consent. In some cases (e.g. where an employee's personal data is disclosed), the law prescribes the provision of written consent, which shall comply with specific requirements regarding its form and content. In particular, along with other mandatory elements, such consent shall contain the processor's name and address. As recently articulated by Roskomnadzor officials in the course of public events, this requirement shall be construed as applicable only to data processors and, therefore, other data controllers receiving personal data under such consent may be indicated in a general manner, unless their details are necessary to ensure that the consent is sufficiently specific and informative.
8. DATA SUBJECT RIGHTS
Data subjects are entitled to access their personal data, request specification or the termination of processing, and request the destruction of incorrect or incomplete personal data, as well as data processed in violation of Russian legislation covering personal data protection. Data subjects are also entitled to receive information about the categories of personal data processed, the purposes of the processing, the legal grounds for the processing, the terms of the processing, the legal consequences of the processing, the persons having access to personal data and other information related to the processing of their personal data.
Data subjects are entitled to challenge actions or inactions of data controllers with regard to the processing of their personal data in court, or to report them to the Roskomnadzor. Data subjects are also provided with increased protection in the case of the processing of their sensitive data and biometric data, the processing of personal data for purposes of direct marketing or agitation contacts, and the adoption of decisions in respect of personal data subjects exclusively based on automated processing.
The right to be informed means that the data controller shall make the policies containing information about data processing available to the data subjects concerned.
The data processing policies shall contain a range of details regarding data processing activities, in particular, categories of processed data, purposes of processing, operations performed on data, methods of processing, information on international transfers, etc.
Upon the request of a data subject, a data controller shall provide any record containing the personal data of the data subject. If such record contains personal data of other data subjects, this information must be excluded from the tangible medium provided to the data subject. A data controller may refuse a data subject access to his/her personal data if such access infringes upon the legal interests of a data controller and/or third parties.
The data subject has the right to require the rectification of personal data where the personal data is incomplete, inaccurate, outdated, processed unlawfully, or no longer needed to achieve the specific purpose of data processing.
In addition to the right of rectification, the data subject has the right to require the blocking and destruction of personal data where the personal data is incomplete, inaccurate, outdated, processed unlawfully, or no longer needed to achieve the specific purpose of data processing.
The Law on Personal Data does not include the right to object. However, data subjects can demand the cessation of illegal processing.
Withdrawal of opt-in consent can also be regarded as equivalent to the right to opt-out.
Russian law does not include the right to data portability.
Under Article 16 of the Law on Personal Data, solely automated decision-making is not permitted if the decision produces legal consequences for the data subject or significantly affects the data subject's rights and legal interests.
However, decisions based exclusively on automated processing are permitted by way of exception on the basis of the data subject's written consent, and the data subject shall be notified of the procedure for automated decision-making and its consequences. The data controller must provide the data subject with the possibility to object to the automated decision.
Furthermore, data subjects are entitled:
- to withdraw the consent at any time, in which case the data controller must terminate processing of personal data based on consent within 30 calendar days; and
- to lodge a complaint to the Roskomnadzor or a court.
Publicly available data
With respect to making personal data publicly available, data subjects are entitled to:
- determine the types and categories of personal data to be made publicly available;
- establish restrictions on the use of such personal data (e.g. limit the purposes of processing);
- revoke consent to the processing of publicly available data at any time; and
- request the data controller that breaches the rules for processing of publicly available data to terminate this processing within three business days.
Liability for the violation of Russian legislation covering personal data protection may arise in the form of an administrative fine, the restriction of access to an information resource (i.e. a website or an app) of the data controller or data processor, criminal liability, and, in rare cases, damage claims by data subjects.
Administrative liability is provided for the following violations of data protection laws:
- processing of personal data without due legal grounds, and processing which is incompatible with the data processing purposes;
- carrying out personal data processing without a data subject's written consent in cases where the written consent is required by law, or with written consent that does not meet mandatory requirements;
- failure to provide information on personal data processing to data subjects;
- failure to satisfy (within the prescribed term) a request on personal data clarification, blocking, or destruction (in cases where personal data is incomplete, outdated, imprecise, illegitimately received, or unnecessary for the stated purpose of data processing);
- failure to comply with security requirements while storing tangible media containing personal data, and unauthorised access resulting in illegitimate or accidental access to personal data or its destruction, modification, blocking, copying, disclosure, or dissemination; and
- failure of a state or municipal authority to meet the obligation to pseudonymise personal data or to comply with depersonalisation methods or requirements.
Administrative fines for such violations vary depending on the type of violation and may be up to RUB 150,000 (approx. €1,680) for the first offence and RUB 500,000 (approx. €5,600) for a repeated offence for legal entities. Furthermore, the fines for company officials may be up to RUB 40,000 (approx. €440) for the first offence and RUB 100,000 (approx. €1,115) for a repeated offence.
If data is illegally used for advertising purposes, or if its usage constitutes an act of unfair competition, the fines may be up to RUB 500,000 (approx. €5,500).
Access to an information resource or website of the data controller/data processor may be restricted from Russia based on a Russian court decision if such information resource processes the personal data of Russian nationals in violation of Russian data protection laws.
Criminal liability may arise for illegal access to computer information, which results in the destruction, blocking, modification, or copying of computer information, as well as for illegal disclosure of information about an individual's private life. Criminal liability may be imposed only on individuals (i.e. company's officials).
Individuals are entitled to claim damages caused to them by the illegal processing of their personal data, including moral damages, through the civil court. However, currently, Russian courts are reluctant to satisfy such claims in full and often decrease the amount of damages requested by a claimant.
Federal Law of 2 December 2019 No. 405-FZ on Amending Certain Legislative Acts of the Russian Federation (only available in Russian here) ('Federal Law No. 405-FZ') increased the fines for violations of personal data localisation requirement that implies processing of Russian nationals' personal data by means of certain operations and upon their collection in Russia. Federal Law No. 405-FZ established a fine of up to RUB 6 million (approx. €65,000) for a first offence, and RUB 18 million (approx. €200,500) for repeated offences. Such a fine can be imposed on a legal entity failing to meet the requirement (Article 13.11(9) of the Code of Administrative Offences).
Furthermore, under the Code of Administrative Offences, administrative fines can be imposed on both the data controller and its official whose misconduct has led to the breach of the Law on Personal Data. In particular, the official may be fined for up to RUB 800,000 (approx. €9,000) for committing the offence described in the preceding paragraph.
New rules of data protection audit/inspections
On 13 February 2019, the Russian Government adopted Decree No. 146, which has approved new rules of audits/inspections of companies processing personal data.
The Roskomnadzor is entitled to investigate companies' compliance with data protection laws. For this purpose, it conducts audits/inspections, both scheduled and unscheduled, in accordance with the rules specified in legislation. Decree No. 146 sets out new rules for these inspections. The key changes introduced by the document are as follows:
- certain categories of companies can be inspected more frequently, e.g. companies processing sensitive and biometric data, companies acting in the capacity of data processors processing data on behalf of data controllers having no presence in Russia, and companies transferring data to countries considered 'inadequate' under Russian law in terms of data protection;
- an additional ground for unscheduled inspection: this ground is a decision of the Roskomnadzor based on monitoring a company on the internet (e.g. if data is collected and otherwise processed through websites/apps), or on analysis of any available information (e.g. information contained in data subjects' complaints or any information in the public domain);
- companies will have a maximum of six months to rectify violations revealed in the course of the inspection. After the inspection, the Roskomnadzor can request the company to rectify the violations. Previous legislation did not set out the statutory deadline for companies to comply with such requests. Under Decree No. 146, the deadline cannot exceed six months; and
- the Roskomnadzor can suspend data processing activities for a period until the company rectifies the violation: this is not a new enforcement power of the Roskomnadzor, however, unlike under previous regulations, Decree No. 146 clearly specifies a case where the Roskomnadzor will request suspension of processing activities if the company does not rectify the violation upon the request of the Roskomnadzor and this violation is sensitive in terms of data subjects' rights and legitimate interests.
Apart from inspections, the Roskomnadzor supervises compliance by way of monitoring companies on the internet or analysing any available information about their processing activities, e.g. information received from data subjects, any other parties or data available in a public domain. Upon such monitoring, the Roskomnadzor is entitled to request the company to rectify any violations. If the company does not comply, it will face administrative fines.
See section 1.3 above.