LAW
Fundamental provisions of data protection law can be found in the Strasbourg Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data ("Convention"), ratified by Russia in 2006, and in the Russian Constitution, which establishes the right to privacy of each individual (Articles 23 and 24). There is also specific legislation, including the Data Protection Act No. 152-FZ dated 27 July 2006 ("DPA") and various regulatory acts adopted to implement the DPA, as well as the Information, Information Technologies and Information Protection Act No. 149-FZ dated 27 July 2006, which establishes basic rules on information in general and its protection. In addition, the Russian Labour Code contains provisions on the protection of employees' personal data (Part XIV). Other laws may also contain data protection provisions which implement the provisions of the DPA in relation to specific areas of state services or industries.
DEFINITION OF PERSONAL DATA
Personal data is any information that relates, directly or indirectly, to an identified or identifiable natural person (the data subject).
DEFINITION OF SENSITIVE PERSONAL DATA
Sensitive personal data is defined in Russian legislation as special categories of personal data. Such special categories include data relating to race, nationality, political opinions, religious and philosophical beliefs, state of health, intimate life and biometric data.
NATIONAL DATA PROTECTION AUTHORITY
The Federal Service for Supervision of Communications, Information Technologies and Mass Media or, in short, Roskomnadzor ("Agency").
REGISTRATION
The Agency is in charge of maintaining the Registry of data controllers.
Any data controller shall notify the Agency in writing about its intention to process personal data, unless one of the following exclusions applies:
- The personal data is data about employees;
- The personal data was received in connection with a contract entered into with the data subject, provided that such data is not transferred without the consent of the data subject, but used only for the performance of the contract and entering into contracts with the data subject;
- The personal data is the data about members of a public or religious association and processed by such an organisation for lawful purposes in accordance with their charter documents, provided that such data is not transferred without the consent of the data subjects;
- The personal data was made publicly accessible by the data subject;
- The personal data consists of the surname, first name and patronymic only;
- The personal data is necessary in order to grant one-time access to the premises of the data controller or for other similar purposes;
- The personal data is included in state automated information systems or state information systems created for the protection of state security and public order;
- The personal data is processed in accordance with the law without any use of automatic devices; or
- The personal data is processed in accordance with transport security legislation for the purposes of ensuring a stable and secure transport system and protecting the interests of individuals, society and the state.
The notification letter shall contain information about:
- The full name and address of the data controller;
- The purpose of the processing;
- The categories of personal data processed;
- The categories of the subjects whose personal data is processed;
- The legal grounds for processing;
- The types of processing of the personal data;
- The measures of protection of personal data;
- The name and contact details of the individual or legal entity responsible for the processing of personal data;
- The commencement date;
- Whether any cross-border transfer of personal data takes place;
- The term of processing or the conditions for termination of processing the personal data; and
- Information on how the security of personal data is ensured.
DATA PROTECTION OFFICERS
If the data controller is a legal entity, it shall appoint a data protection officer. Such an appointment is considered to be a personal data protection measure. The data protection officer monitors compliance by the data controller and its employees with data protection requirements, informs them of statutory requirements and organises the receipt and handling of communications from data subjects.
COLLECTION AND PROCESSING
Data controllers may collect and process personal data where any of the following conditions are met:
- The data subject consents;
- The processing is required by a federal law or under an international treaty;
- The processing is required for the administration of justice, or for the enforcement of a court order or of any other enforceable decision of a public official;
- The processing is required for provision of state or municipal service;
- The data controller needs to process the data to perform or conclude a contract to which the data subject is a party, beneficiary or guarantor;
- The processing is carried out for statistical or scientific purposes (unless it is also for advertising purposes), provided that the data is anonymised;
- The processing protects the data controller's vital interests and it is impossible to obtain the data subject's consent;
- The processing is necessary for the exercise of the statutory rights of the data controller or of third parties, or for purposes of public importance, provided that the data subject's rights are not infringed;
- The personal data being processed was made publicly accessible by the data subject or at his or her request;
- The processing is carried out by a journalist or mass media as a part of its professional activities or for the purposes of scientific, literary or other creative activities, except if the processing would damage the data subject's rights and freedoms; or
- Personal data that is processed is subject to publication or mandatory disclosure under law.
As a general rule, consent may be given in any form, but it is the data controller's obligation to prove that it has the data subject's consent.
In the following cases the DPA requires that the data subject's consent should be in writing:
- Where the personal data is collected to be included within publicly accessible sources;
- Where sensitive or biometric data is processed;
- In the case of a cross-border transfer of personal data where the recipient state does not provide adequate protection of personal data; or
- Where a legally binding decision is made solely on the grounds of the automated processing of personal data.
Consent is deemed to have been given in writing where it is signed by hand or given in an electronic form and signed by an electronic signature.
Consent may be revoked.
Consent in writing must contain the following information:
- The identity of the data subject, his/her address and passport details, and the identity of the data subject's representative (if any);
- The identity and address of the data controller or the entity that processes personal data on behalf of the data controller (if any);
- The purpose of the processing;
- The list of personal data that may be collected and processed;
- The types of processing that are authorised;
- The term for which the consent remains valid and the way in which it may be revoked; and
- The data subject's signature.
The data controller shall ensure the confidentiality of personal data. The data controller and other persons who have access to the personal data shall not disclose any information to a third party without the prior consent of the data subject.
TRANSFER
Prior to a transfer of personal data out of Russia, the data controller must ensure that the recipient state provides adequate protection of personal data. The fact that the recipient state has ratified the Convention is sufficient grounds to deem that the state provides adequate protection of personal data for the purposes of the DPA.
Where there is no adequate protection of personal data, a cross-border transfer is permitted if one of the following conditions is met:
- The data subject consents;
- The transfer is provided for under an international treaty to which Russia is a signatory;
- The transfer is necessary in accordance with federal laws for protection of the Constitution, state defence, security and transport system;
- The transfer is necessary for the performance of a contract to which the data subject is a party; or
- The transfer protects the data subject's vital interests where it is not possible to get the written consent of the data subject.
SECURITY
Data controllers must take appropriate technical and organisational measures against unauthorised or unlawful processing and against accidental loss, alteration, blocking or destruction of, or damage to, personal data.
Recent specific regulations set out the measures that the data controller must take to ensure the security of personal data, data systems, carriers of biometric information and the technologies used.
BREACH NOTIFICATION
There is no mandatory requirement to report data security breaches or losses to the Agency or to data subjects.
ENFORCEMENT
In Russia, the Agency is responsible for the enforcement of the DPA.
The Agency is entitled to:
- Carry out checks;
- Consider complaints from data subjects;
- Require the submission of necessary information about personal data processing by the data controller;
- Require the undertaking of certain actions according to the law by the data processor, including discontinuance of the processing of personal data;
- File court actions;
- Initiate criminal cases; and
- Impose administrative liability.
If the Agency becomes aware that a data controller is in violation of the law, it can serve an enforcement notice requiring the data controller to rectify the position.
A data controller can face civil, administrative or criminal liability if there is a violation of personal data law. Officers of the data controller responsible for the offence may face disciplinary action.
Usually, in the case of violation of data protection law, the Agency will serve an enforcement notice requiring the position to be rectified and may also impose an administrative penalty and/or recommend imposing disciplinary action on the officers of the data controller who are responsible for the offence.
The maximum administrative penalty that can be imposed, as at the date of this review, is EUR 10,000. Recently there has been much discussion about dramatically increasing the administrative penalty.
ELECTRONIC MARKETING
Electronic marketing activities are subject to limitations set by the Russian Law on Advertising No. 38-FZ dated 13 March 2006 ("AA"), under which the distribution of advertising through telecommunications networks, in particular through the use of telephone, facsimile and mobile telephone communications, is allowed only with the prior consent of the subscriber or addressee to receive advertising.
Advertising is presumed to have been distributed without the prior consent of the subscriber or addressee unless the advertising distributor can prove that such consent was obtained. The advertising distributor is obliged to stop distributing advertising immediately to any person who demands that it stop.
ONLINE PRIVACY (INCLUDING COOKIES AND LOCATION DATA)
Russian law does not specifically regulate online privacy. The definition of personal data under the DPA is rather broad, and there are views that information on the number and length of visits to particular websites and the IP address (in combination with other data allowing the user to be identified) could be considered personal data.
© DLA Piper
This publication is intended as a general overview and discussion of the subjects dealt with. It is not intended to be, and should not be used as, a substitute for taking legal advice in any specific situation. DLA Piper Australia will accept no responsibility for any actions taken or not taken on the basis of this publication.
DLA Piper Australia is part of DLA Piper, a global law firm, operating through various separate and distinct legal entities. For further information, please refer to www.dlapiper.com