Russian Federation: Data Protection 2017

Last Updated: 8 November 2017
Article by Yana Dianova

1 RELEVANT LEGISLATION AND COMPETENT AUTHORITIES

1.1 What is the principal data protection legislation?

According to Art. 15 p. 4 of the Constitution of the Russian Federation (hereinafter – the "Constitution"), the universally recognised principles and rules of international law and international treaties of the Russian Federation are the integral part of its legal system, including the Strasbourg Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No. 108) (hereinafter – the "Strasbourg Convention"), which was ratified by Russia in 2005. Art. 23 of the Constitution establishes the right to privacy, including privacy of correspondence and telephone and other communications, for every individual, and Art. 24 prohibits the collection, storage, use and dissemination of the information on an individual's private life without his/her consent. The principles and requirements in the domain of data privacy and data protection are contained in the Federal Law No. 149-FZ dated 27 July 2006 on Information, Information Technologies and Data Protection (hereinafter – the "Information Protection Act"), and the Federal Law No. 152-FZ dated 27 July 2006 on Personal Data (hereinafter – the "Personal Data Act").

1.2 Is there any other general legislation that impacts data protection?

Chapter 14 of the Labour Code of the Russian Federation provides for the requirements to employers in connection with employees' personal data protection. The Code on Administrative Offences of the Russian Federation (hereinafter – the "Administrative Code") establishes liability for violation of the rules and requirements for data processing and protection. There are also the decrees of the President of the Russian Federation, the decisions of the Government of the Russian Federation and the orders of the Federal Service for the Supervision of Communications, Information Technology and Mass Media, Federal Service for Technical and Export Control ("FSTEC"), and the Federal Security Service ("FSS"), which establish administrative regulations and requirements regarding data protection in Russia.

1.3 Is there any sector-specific legislation that impacts data protection?

Provisions regarding data protection specific to certain sectors are contained, in particular, in the Federal Law No. 126-FZ "On Communication", the Air Code of the Russian Federation (Art. 85.1), the Federal Law No. 395-1-FZ on Banks and Banking Activity, the Federal Law No. 323-FZ on the Fundamentals of Protection of the Health of Citizens in the Russian Federation, the Federal Law No. 79-FZ "On State Civil Service in the Russian Federation", etc.

1.4 What is the relevant data protection regulatory authority(ies)?

The principal data protection regulatory authority is the Federal Service for Supervision of Communications, Information Technologies and Mass Media (the abbreviated appellation in Russian is "Roskomnadzor"). Its official website in English is found at http://eng.rkn.gov.ru/. Roskomnadzor reports to the Ministry of Telecom and Mass Communications of the Russian Federation (the abbreviated appellation in Russian is "Minkomsvyazy").

2 DEFINITIONS

2.1 Please provide the key definitions used in the relevant legislation:

  • "Personal Data"

    Any information relating directly or indirectly to an identified or identifiable individual (the data subject).
  • "Sensitive Personal Data"

    Russian laws do not contain the concept of "sensitive personal data"; instead, the concept of "special categories of personal data" is envisaged by the Personal Data Act, and includes any information that relates to nationality, racial or ethnic origin, political opinions, religious or philosophical beliefs and the state of health or private life.
  • "Processing"

    Any action (operation) or a set of actions (operations) towards personal data, whether or not performed by automated means, including collection, recording, systematisation, accumulation, storage, alteration (update, modification), retrieval, use, transfer (dissemination, provision, access), depersonalisation, blocking, deletion or destruction.
  • "Data Controller"

    Russian laws do not contain the concept of "data controller". However, the Personal Data Act provides for the concept of "data operator", which may be a state or municipal body, legal or physical person, that organises and/or carries out (alone or jointly with the other persons) the processing of personal data and which also determines the purposes of personal data processing, content of personal data and actions (operations) related to personal data.
  • "Data Processor"

    Russian laws do not contain the concept of "data processor". However, the Personal Data Act refers to a party that may be acting (processing personal data), under the authorisation of the data operator on the basis of the corresponding agreement (including state contract) or by operation of the special state or municipal act and subject to data subject's consent.
  • "Data Subject"

    An identified or identifiable individual (physical person).
  • Other key definitions – please specify (e.g., "Pseudonymous Data", "Direct Personal Data", "Indirect Personal Data")

    • "Cross-border Transfer of Personal Data"
      Transfer of personal data to a foreign state, foreign state agency, foreign national or legal entity.
    • "Database"
      An accumulation of independent materials (articles, calculations, regulations, court decisions and other similar materials) systematised so that these materials may be found and processed by an electronic computer.
    • "Personal Data Information System"
      An accumulation of personal data contained in personal databases and information technologies and technical means providing for processing thereof.
    • "Biometric Personal Data"
      Data characterising physiological and biological particular features of a human, on the basis of which his/her identity may be ascertained.
    • "Search Engine"
      An information system that carries out upon enquiry of a user search on the internet for information with particular content and provides to the user the information on the address of an internet site page for the purposes of access to the requested information on internet sites owned by other persons, except for information systems used for performance of state and municipal functions, provision of state and municipal services, as well as for exercise of other public authorities provided for by federal laws.

3 KEY PRINCIPLES

3.1 What are the key principles that apply to the processing of personal data?

  • Transparency

    The data subject has the right to be informed when his/ her personal data are being processed by the data operator. The data operator must, inter alia, provide the data subject with information on (1) the purposes and methods of processing personal data, (2) its name and location (address), (3) the personal data being processed and the sources from which it has been received, (4) the persons who have access to personal data (except for the employees of the data operator), (5) the term of processing and retention of personal data, and (6) all other information (as applicable) required to ensure the transparent processing of personal data.
  • Lawful basis for processing

    Processing of personal data must be done on a lawful and fair basis. The Personal Data Act establishes, in particular, the following lawful grounds for the processing of personal data: (1) a consent in writing is granted by the data subject, or processing is carried out; (2) to achieve the goals provided by an international treaty of the Russian Federation or a law to exercise and perform functions and powers assigned to and obligations imposed on an operator by the legislation – to administer justice, enforce a judgment or an act of another authority or official; (3) to exercise the powers of the federal executive authorities, state extra-budgetary funds, executive state authorities of the constituent entities of the Russian Federation, municipal authorities and functions of organisations involved in the provision of relevant state and municipal services; (4) to perform professional activities of a journalist and/or the lawful activities of mass media, or scientific, literary or other creative activities, or processing is required; and (5) for performance of the contract to which the data subject is a party or a beneficiary.
  • Purpose limitation

    Processing of personal data must be limited to the achievement of objectives (purposes) which have to be specific, defined in advance and legitimate. Processing of personal data that is not consistent with the purposes of such processing is not allowed.
  • Data minimisation

    Processing should be carried out only with respect to personal data that is consistent with the purposes of processing personal data. The content and volume of personal data to be processed must fully correspond to the claimed purposes of data processing. The processed personal data shall not exceed the claimed purposes of data processing.
  • Proportionality

    The personal data must be accurate, sufficient and, where necessary, kept up to date in proportion to the purposes of data processing. The data operator must take all necessary measures (or procure taking the measures) requited to erase personal data, or adjust/rectify incomplete or inaccurate data.
  • Retention

    Retention (storage) of personal data must be carried out in a form which allows defining the data subject and for a period no longer than is required for the purposes of processing personal data, unless the specific term of storage or retention of personal data is set forth by the law or by the agreement to which the data subject is a party, beneficiary or guarantor. Personal data which is processed must be destructed or depersonalised as soon as the objectives (purposes) of data processing are achieved, or in cases where the achievement of such purposes is no longer effective or necessary, unless it is otherwise provided by the federal law.
  • Other key principles – please specify

    • Division of databases of personal data
      It is not permitted to consolidate databases of personal data which is being processed for incompatible purposes.

4 INDIVIDUAL RIGHTS

4.1 What are the key rights that individuals have in relation to the processing of their personal data?

  • Access to data

    An individual has the right to access his/her data which is being processed by the data operator. The individual (or his/ her representative) may file a request with the data operator containing the details of the passport (or another identification document) of the individual or his/her representative and the information on the respective relationship between him/ her and the data operator. Such a request may be submitted as an electronic document and contain an e-signature.

    Upon receipt of the request, the data operator must confirm the fact of data processing and provide to the data subject all the necessary information, including (1) its name and location (address), (2) the purposes and methods of processing personal data, (3) the personal data being processed and the sources from which it has been received, (4) the persons who have access to personal data, (5) the term of processing and retention of personal data, and (6) all other information required by the law and requested by the data subject. If the required information has not been provided in full by the data operator within 30 days from the original request (unless a shorter period is provided for by the law), the data subject is entitled to submit a repetitive request for provision of access to his/her personal data or the information regarding it. In certain cases, the data subject's right to access may be limited, as prescribed by the federal law.
  • Correction and deletion

    The data subject may request the data operator to correct or adjust his/her personal data in cases where it is incomplete or inaccurate. The data subject may request as well the data operator to block the personal data, unless it is not prohibited by the law. Furthermore, the data subject is entitled to request the data operator to delete his/her personal data if such data are incomplete, inaccurate, is being processed in violation of the law or unnecessary for the purposes of data processing.
  • Objection to processing

    The data subject may raise an objection to the processing of his/her personal data by the data operator or withdraw his/her consent to the data processing. Except where the personal data processing cannot be terminated or would result in violation of the law (e.g., labour law), the data operator must discontinue the data processing. Otherwise, the data subject will be able to enforce his/her rights by all available legal remedies.
  • Objection to marketing

    Personal data may be processed for the purposes of marketing (e.g., by way of direct communications with a respective customer) only with the preliminary consent of the respective data subject. The burden of proof that the data subject's consent has been received rests with the data operator. The data operator must immediately discontinue the processing of the data subject's personal data upon the respective request of the latter.
  • Complaint to relevant data protection authority(ies)

    In the event that the data subject believes that the data operator is processing his/her personal data in violation of the Personal Data Act or applicable laws, or otherwise infringing upon his/ her rights and freedoms, the data subject is entitled to file a complaint with Roskomnadzor, or bring a civil action with a court. The data subject may avail herself of other legal remedies, including the reimbursement of losses and moral damages.
  • Other key rights – please specify

    • Objection to taking decisions on the basis of personal data automated processing
      It is prohibited to make decisions that involve legal consequences for a data subject or otherwise concerning his/her rights and lawful interests exclusively on the basis of automated processing of the personal data, unless the data subject has granted a specific consent in writing for this and in other cases has been provided for by the federal laws.

5 REGISTRATION FORMALITIES AND PRIOR APPROVAL

5.1 In what circumstances is registration or notification required to the relevant data protection regulatory authority(ies)? (E.g., general notification requirement, notification required for specific processing activities.)

The data operator must notify Roskomnadzor of its intention to process personal data before processing, in order to be recorded with the register of data operators. The notification may be submitted by the data operator in paper form or electronically. Roskomnadzor shall enter the information contained in the notification submitted by the data operator in the register of data operators within 30 days from the receipt of such notification. The data operator may start processing personal data in accordance with the relevant purposes and methods (as described in the notification) upon registration in the register of data operators maintained by Roskomandzor. The information in the register of data operators is publicly available (except for the information on technical means of data protection) (in Russian) at http://rkn.gov.ru/personal-data/register/. The data operator is also obliged to notify Roskomnadzor of any changes in the information provided in its original notification and upon termination of the personal data processing.

5.2 On what basis are registrations/notifications made? (E.g., per legal entity, per processing purpose, per data category, per system or database.)

The notification/registration requirement will be applicable to every data operator that is involved in the processing of any categories of personal data in the territory of Russia, and which uses a personal data information system or personal data database.

The data operator is exempt from the obligation to notify Roskomnadzor in the cases provided for by the Personal Data Act, in particular, on processing of the personal data:

  1. obtained in accordance with the labour law;
  2. received under a contract to which the respective data subject is a party, provided that such personal data are not transferred to third parties without the data subject's consent, and only used to perform the contract or to enter into further contracts with the data subject;
  3. relating to a certain type of processing by a public association or religious organisation acting under the applicable laws, provided that such personal data are not distributed or disclosed to third parties without the data subject's consent;
  4. made by the data subject publicly available;
  5. consisting only of the surname, first name and patronymic of the data subject;
  6. which is necessary for granting the data subject onetime access into the premises where the data operator is located, or in certain other cases;
  7. contained in the state automated information systems or in the state information systems created for the purposes of state security and public order;
  8. processed without the use of automatic systems under the applicable laws subject to the compliance with the rights of the data subject; and
  9. processed in accordance with the laws and regulations related to the transport security.

5.3 Who must register with/notify the relevant data protection authority(ies)? (E.g., local legal entities, foreign legal entities subject to the relevant data protection legislation, representative or branch offices of foreign legal entities subject to the relevant data protection legislation.)

Under the Personal Data Act, an entity deemed a data operator is under an obligation to file a notification with Roskomnadzor in order to be registered in the register of data operators. According to the official position of Roskomnadzor, the notification/registration requirement applies to Russian legal entities and representatives/ branch offices of foreign legal entities that are involved in data processing in the territory of Russia. At the same time, foreign legal entities are subject to compliance with the other rules of Russian laws regarding data protection if they process personal data of citizens of the Russian Federation (please see question 16.2 below). Furthermore, in the event that a data operator commissions processing of personal data to a third party (subject to consent in writing of the respective data subject), the data operator is still under the obligation to notify Roskomnadzor on personal data processing.

5.4 What information must be included in the registration/ notification? (E.g., details of the notifying entity, affected categories of individuals, affected categories of personal data, processing purposes.)

The following information must be included in the notification:

  • the name and address of the data operator;
  • the purpose of processing personal data;
  • the categories of personal data;
  • the categories of data subjects whose data are being processed;
  • the legal grounds for processing personal data;
  • the list of actions towards personal data;
  • the description of methods of processing personal data;
  • the description of the information systems and the security measures (including encryption) being taken for the protection of personal data;
  • the full name and contact details of the Data Protection Officer;
  • the start date of processing personal data;
  • the term of processing or the condition for termination of processing personal data;
  • whether or not the cross-border data transfer of the personal data is carried out in the course of the personal data processing; and
  • the location of the databases containing the personal data of the citizens of the Russian Federation.

In the event that incomplete or inaccurate information is provided in the notification, Roskomnadzor may require the operator to make the information precise before it is entered into the register of data operators.

5.5 What are the sanctions for failure to register/notify where required?

A failure to provide notification to Roskomnadzor on the processing of personal data for the registration in the register of data operators may result in an administrative fine up to RUB 5,000 on a legal entity. Also, processing of personal data without notification of Roskomnadzor, where such notification is required under the Personal Data Act, will result in an administrative fine up to RUB 10,000 for a legal entity (regarding the administrative fines effective from 1 July 2017, please see question 16.1 below).

5.6 What is the fee per registration (if applicable)?

Registration in the register of data operators does not require the payment of any state or official fee.

5.7 How frequently must registrations/notifications be renewed (if applicable)?

Registration in the register of data operators is carried out on a permanent basis and does not require renewal. However, the data operator must notify Roskomnadzor of any amendments of information in the register of data operators, as well as the termination of the data processing within 10 working days from the respective amendment or termination date.

5.8 For what types of processing activities is prior approval required from the data protection regulator?

The data operator must obtain the data subject's consent (unless it is released from such obligation under the law) and implement the necessary organisational/technical measures provided for by the Personal Data Act, the requirements to the protection of personal data in the course of processing thereof in the personal data information systems approved by the Decision of the Government of the Russian Federation dated 1 November 2012 No. 1119 and other applicable regulatory acts. Prior approval by Roskomnadzor is not required in order to perform the processing of personal data.

5.9 Describe the procedure for obtaining prior approval, and the applicable timeframe.

Please see question 5.8 above.

To read this Chapter in full, please click here.

Originally published by The International Comparative Legal Guide to: Data Protection 2017, Global Legal Group.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Authors
Similar Articles
Relevancy Powered by MondaqAI
Gorodissky & Partners
Gorodissky & Partners
Gorodissky & Partners
Dechert
Gorodissky & Partners
 
Some comments from our readers…
“The articles are extremely timely and highly applicable”
“I often find critical information not available elsewhere”
“As in-house counsel, Mondaq’s service is of great value”

Related Topics
 
Similar Articles
Relevancy Powered by MondaqAI
Gorodissky & Partners
Gorodissky & Partners
Gorodissky & Partners
Dechert
Gorodissky & Partners
Related Articles
 
Up-coming Events Search
Tools
Print
Font Size:
Translation
Channels
Mondaq on Twitter
 
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
 
Email Address
Company Name
Password
Confirm Password
Position
Mondaq Topics -- Select your Interests
 Accounting
 Anti-trust
 Commercial
 Compliance
 Consumer
 Criminal
 Employment
 Energy
 Environment
 Family
 Finance
 Government
 Healthcare
 Immigration
 Insolvency
 Insurance
 International
 IP
 Law Performance
 Law Practice
 Litigation
 Media & IT
 Privacy
 Real Estate
 Strategy
 Tax
 Technology
 Transport
 Wealth Mgt
Regions
Africa
Asia
Asia Pacific
Australasia
Canada
Caribbean
Europe
European Union
Latin America
Middle East
U.K.
United States
Worldwide Updates
Registration (you must scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions

Mondaq.com (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of www.mondaq.com

To Use Mondaq.com you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.

Disclaimer

The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.

General

Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions