Existing provision

New provision

Scope

Extraterritorial application (Article 1)

The Law on Personal Data is silent on this matter.

Following amendment, the Law on Personal Data will apply to the processing of the personal data of Russian citizens, which is carried out by foreign legal entities or foreign individuals on the basis of:

• an agreement to which the Russian citizen is parties, or other agreements with the Russian citizen; or
• consent of the Russian citizen to the processing of their personal data.

Relations with data subjects

Legal basis: contracts with data subjects (Article 6(1))

The processing of personal data is permitted on the basis of an agreement to which the data subject is a party or beneficiary.

Following amendment, explicit requirements will apply to such agreements. Namely, they should not contain provisions which:

• restrict the rights and freedoms of the subject of personal data;
• establish cases of processing minors' personal data; or
• require the inaction of the data subject, as a condition for concluding the agreement.

Biometric data (Article 11)

The processing of biometric data is very much limited to cases provided for by federal law.

Following amendment, restrictions on using biometric data will continue to apply. In particular, the provision of biometric data must not be mandatory, except as provided for by federal law.

If, in accordance with federal law, it is not mandatory for the operator to obtain consent to the processing of personal data, the operator is not entitled to refuse service where the data subject objects to providing their biometric data and/or consent.

Data subject rights (Articles 14, 18, and 20)

Operators are obliged to respond to access requests within 30 days.

Following amendment, operators will be obliged to respond to access requests within ten working days.

In addition to shorter timeframes, operators will be expected to inform the data subject of how it fulfils the obligations established by Article 18¹ (i.e. accountability measures) and, where the provision of personal data is mandatory, the legal consequences of refusing such provision.

Vendor management

Vendor contracts and processor obligations (Article 6(3))

Operators have the right to entrust the processing of personal data to another entity, with the consent of the data subject and on the basis of an agreement concluded with the entrusted entity. Entrusted entities are required to comply with the operator's instructions.

Following amendment, entrusted entities will be subject to additional requirements, including observing the confidentiality of personal data and taking necessary measures to fulfil obligations under the Law on Personal Data.

In terms of processing agreements, operators will be required to define the following:

• a list of personal data and processing actions to be performed by the entrusted entity;
• the purposes of processing;
• the obligation to maintain confidentiality;
• requirements provided for in Articles 18(5) and 18¹ (i.e. data localisation and accountability measures);
• the obligation to furnish information to confirm measures adopted to fulfill the operator's instructions; and
• the obligation to ensure data security, including requirements provided for in Article 19 and the requirement to notify the operator of data breaches.

Finally, if an operator entrusts the processing of personal data to a foreign individual or foreign legal entity, the operator and such entrusted entity will be liable to the data subject.

Cross-border data transfers

Transfer mechanisms and prior approval (Article 12)

Subject to the Law on Personal Data and certain prohibitions, transfers may be made to countries that are either:

• party to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data ('Convention 108'); or
• approved by the Roskomnadzor as providing adequate protection of the rights of data subjects.

Transfers that do not satisfy these conditions may be made in the following cases:

• with the written consent of the data subject;
• when provided for by international treaties of the Russian Federation;
• when provided for by federal law, if necessary to protect constitutional order and national security;
• on the basis of an agreement to which the data subject is a party; or
• for protection of life, health, or other vital interests of the data subject or other persons, if it is impossible to obtain consent.

Following amendment, transfer mechanisms under the Law on Personal Data will be restricted, while operators will be subject to additional conditions relating to notification and assessment.

Transfer mechanisms

Accordingly, transfers may be made to countries either:

• approved by the Roskomnadzor as providing adequate protection, which will include countries party to Convention 108; or
• in cases where such transfer is necessary to protect the life, health, or other vital interests of the data subject or other persons.

Prior approval

Prior to the transfer of personal data, the operator will be required to:

• carry out an assessment of the intended third country and foreign recipient; and
• notify the Roskomnadzor to obtain approval for the intended transfer.

Upon submitting a notification, operators will have the right to carry out transfers, until the Roskomnadzor's decision to prohibit or restrict the transfer. In which case, the operator will be responsible for ensuring the destruction of personal data previously transferred.

Compliance and accountability

Accountability measures: policies and procedures (Article 18¹)

Operators must adopt measures to demonstrate compliance with the Law on Personal Data, including:

• appointing a person responsible for organising data processing;
• publicising a processing policy;
• adopting legal, technical, and organisational measures for ensuring data security;
• implementing internal controls and audits;
• conducting risk assessments in the event of a violation of the Law on Personal Data; and
• training employees.

Following amendment, explicit requirements will apply to operators' processing policies.

For each processing purpose, operators will be required to define and document the following:

• the categories and the list of processed personal data;
• the categories of data subjects whose personal data is processed;
• methods of processing;
• terms of processing and storage; and
• procedures for the destruction of personal data upon reaching the goals of processing or upon the occurrence of other legal grounds.

Data breach notification (Articles 19 and 21)

There are no requirements concerning data breach notifications under the Law on Personal Data. However, operators are required to take certain actions in the event of an incident, upon request by a data subject or the Roskomnadzor.

Following amendment, operators will be obliged to engage with GosSOPKA, the state system for detecting, preventing, and eliminating information security incidents. This will include providing information on computer incidents that have resulted in the unlawful transfer (i.e. provision, distribution, or access) of personal data. Procedures for this is expected to be further elaborated.

More importantly, in the case of unlawful transfers, operators must notify the Roskomnadzor:

• within 24 hours, regarding the incident, the alleged causes and harm caused to data subjects, the measures taken to address the incident, as well as information about the appointed responsible person; and
• within 72 hours, regarding the results of internal investigations, as well as information about the persons whose actions caused the identified incident (if any).

Data processing notification (Article 22)

Prior to the processing of personal data, operators are generally required to notify the Roskomnadzor. This requirement does not apply to such data which:

• is processed in accordance with labour law;
• was obtained by the operator as part of an agreement to which the data subject is a party;
• relates to members of a public association or religious organisation;
• is authorised by the data subject for distribution;
• includes only first names, last names, and patronymics of the data subjects;
• is necessary for the one-off admission of a data subject onto premises where the operator is situated;
• has been included in information systems that have the status of state automated information systems;
• is processed without automation tools; or
• is processed in cases provided for by transport security legislation.

Following amendment, exceptions to the notification requirement will be reduced. As such, notification will not be required only in the following circumstances:

• personal data that has been included in the state information systems of personal data created in order to protect the security of the state and public order;
• in the event that the operator carries out processing activities exclusively without the use of automation tools; or
• personal data that is processed in cases provided for by transport security legislation.