
Russia: Overview of Vendor Privacy Contracts


October 2021

1. Governing Texts

Please note that some of the Russian Government's websites are not working; therefore some of the hyperlinks to Government departments and official documents may not be available at the moment.

1.1. Legislation

  • The Federal Law of 27 July 2006 No. 152-FZ on Personal Data (available in Russian here; an unofficial English version of the Law is available here) ('the Law on Personal Data'), as amended by the Federal Law of 14 July 2022 No. 266-FZ on Amending the Federal Law on Personal Data (only available in Russian here).

1.2. Regulatory authority guidance

The Federal Service for the Supervision of Communications, Information Technology and Mass Communications ('Roskomnadzor') is the main authority administering the Law on Personal Data. However, it has not issued any guidance on the requirements for vendor privacy contracts.

1.3. Regulatory authority templates

Not applicable.

2. Definitions

Data controller: The Law on Personal Data refers to a 'data operator' rather than a 'data controller'. A data operator is an entity that, separately or jointly with other entities, arranges and/or carries out personal data processing and determines the purposes of the processing, the scope of personal data to be processed, and the actions (operations) performed on the personal data.

Data processor: The Law on Personal Data does not define 'data processor'. However, it imposes obligations on a 'person carrying out the processing of personal data on the instructions of an operator'.

3. Contractual Requirements

3.1. Are there requirements for a contract to be in place between a controller and processor?

Article 6 of the Law on Personal Data, which sets out the conditions for personal data processing, requires a controller that entrusts processing to another person to do so on the basis of an agreement with that person (Article 6(3) of the Law on Personal Data). The Law on Personal Data refers to such an agreement as the 'controller's instructions'.

3.2. What content should be included?

Agreements must include the following (Article 6(3) of the Law on Personal Data):

  • a list of the personal data to be processed and of the processing actions to be performed by the entrusted entity;
  • the purposes of processing;
  • the obligation of the entrusted entity to maintain the confidentiality of the personal data;
  • the requirements provided for in Article 18(5) and Article 18.1 of the Law on Personal Data (i.e. data localisation and accountability measures);
  • the obligation of the entrusted entity to provide, at the controller's request and including before the processing of personal data begins, documents and other information confirming that it has adopted the measures needed to fulfil the controller's instructions and is complying with them;
  • the obligation to ensure the security of personal data during processing;
  • the requirements for the protection of personal data in accordance with Article 19 of the Law on Personal Data; and
  • the obligation to notify the controller in the cases provided for in Article 21(3.1) of the Law on Personal Data.

4. Data Subject Rights Handling & Assistance

4.1. Are processors required to assist controllers with handling of data subject requests?

The Law on Personal Data does not require processors to assist controllers with data subject requests. Moreover, a processor is not obliged to obtain the data subject's consent to the processing of their personal data, and where a controller entrusts processing to another entity, liability to the data subject for the actions of that entity lies with the controller (Article 6(4) and (5) of the Law on Personal Data).

However, in general, processors are required to take necessary measures aimed at ensuring the fulfilment of obligations provided by the Law on Personal Data (Article 6(3) of the Law on Personal Data). Furthermore, if the controller entrusts the processing of personal data to a foreign individual or a foreign legal entity, both the controller and the processor are liable to the data subject for their actions (Article 6(6) of the Law on Personal Data).

For further information see Russia – Data Subject Rights.

5. Processor Recordkeeping

5.1. Are processors required to keep records of their processing activities?

As noted in sections 3.2. and 6.1., processors must comply with Article 19 of the Law on Personal Data, which requires, as one of the measures for ensuring the security of personal data during processing, keeping a record of media that contain personal data (Article 19(2)(5) of the Law on Personal Data).

In general, processors are required to take necessary measures aimed at ensuring the fulfilment of obligations provided by the Law on Personal Data (Article 6(3) of the Law on Personal Data).

6. Security Measures

6.1. Are processors required to implement specific security measures? If so, what measures must be implemented?

As noted in section 3.2., the Law on Personal Data requires processor agreements to include provisions obliging the processor to implement the security measures set out in Article 19 of the Law on Personal Data. These measures are:

  • identifying threats to the security of personal data during processing in personal data information systems;
  • employing the organisational and technical measures for ensuring the security of personal data during processing in personal data information systems necessary to meet the requirements concerning the protection of personal data, fulfilment of which ensures the levels of protection of personal data stipulated by the Government of the Russian Federation;
  • employing means of data protection that have undergone compliance assessment procedures;
  • assessing the efficacy of the measures taken to ensure the security of personal data prior to the commissioning of a personal data information system;
  • keeping a record of media that contain personal data;
  • detecting instances of unauthorised access to personal data and taking measures in response;
  • restoring personal data that have been modified or destroyed as a result of unauthorised access;
  • establishing rules for access to personal data that is processed in a personal data information system and ensuring the registration and recording of all actions performed on personal data in a personal data information system; and
  • monitoring the measures taken to ensure the security of personal data and the level of protection of personal data information systems.

7. Breach Notification

7.1. Are processors under an obligation to notify controllers in the event of a data breach? If so, are there timeframe and content requirements?

As noted in section 3.2., the Law on Personal Data requires processor agreements to include a provision obliging the processor to notify the controller in the cases provided for by Article 21(3.1) of the Law on Personal Data, namely where there has been an unlawful or accidental transfer (i.e. provision, distribution, or access) of personal data resulting in a violation of data subjects' rights.

The Law on Personal Data does not set a timeframe or content requirements for the processor's notification to the controller. For reference, Article 21(3.1) of the Law on Personal Data requires the controller itself to notify Roskomnadzor within 24 hours of discovering such an incident and to report the results of its internal investigation within 72 hours. In practice, the processor's notification to the controller therefore needs to arrive quickly enough, and with enough detail, for the controller to meet those deadlines.

For further information see Russia – Data Breach.

8. Subprocessor

8.1. Are subprocessors regulated? If so, what obligations are imposed?

The Law on Personal Data does not explicitly refer to subprocessors.

9. Cross-Border Transfers

9.1. Do transfer restrictions apply to processors? If so, what restrictions and what exemptions apply?

The Law on Personal Data does not explicitly refer to restrictions that apply to processors.

For further information see Russia – Data Transfers.

10. Regulatory Assistance

10.1. Are processors required to assist controllers with regulatory investigations?

The Law on Personal Data does not explicitly refer to requirements to assist controllers with regulatory investigations.

11. Processor DPO / Representative

11.1. Are processors required to appoint a DPO / representative?

The Law on Personal Data does not explicitly refer to requirements to appoint a data protection officer or representative.

For further information see Russia – Data Protection Officer Appointment.

12. Supervision & Monitoring

12.1. Are controllers obliged to supervise or monitor processors' compliance with the law and contract?

The Law on Personal Data does not explicitly refer to requirements for controllers to supervise or monitor processors' compliance with the law and their contract.


Authored by OneTrust DataGuidance

DataGuidance's Privacy Analysts carry out research regarding global privacy developments, and liaise with a network of lawyers, authorities and professionals to gain insight into current trends. The Analyst Team work closely with clients to direct their research for the production of topic-specific Charts.
