ARTICLE
15 April 2016

Russia's New Personal Data Localization Requirements

FH
Ford & Harrison LLP

Contributor

FordHarrison is a labor and employment firm with attorneys in 29 offices, including two affiliate firms. The firm has built a national legal practice as one of the nation's leading defense firms with an exclusive focus on labor law, employment law, litigation, business immigration, employee benefits and executive compensation.
Over the last few months, we have started to see a trend in Russia towards greater protection of personal data of its citizens and greater attention to data privacy.
Russian Federation Employment and HR

Executive Summary: Employers in Russia and companies doing business in Russia should be prepared to comply with recently enacted requirements governing storage and processing of the personal data of Russian citizens, which are designed to provide additional protection for this data. 

Over the last few months, we have started to see a trend in Russia towards greater protection of personal data of its citizens and greater attention to data privacy.

One major step in providing added protection was the implementation of new localization requirements for Russian personal data. 

Effective September 1, 2015, data controllers processing personal data of Russian nationals are now required to initially store and process the personal data in databases located in Russia.

Personal data of Russian nationals can still be transferred abroad, but only after first processing such data into the primary local Russian database(s) and subject to compliance with Russian cross-border transfer rules.

These new data localization requirements cover both Russian and foreign companies with a presence in Russia.  These requirements will also apply to foreign companies that have no presence in Russia but target the Russian market, e.g. online retailers shipping goods to Russia.

Data controllers with a presence in Russia must also disclose the location of the database(s) in a notification form to be filed with the Russian Data Protection Authority.

These new localization requirements became effective just in time for the Russian Data Protection Authority's ('Roskomnadzor') announced plan for increased inspections in 2016 aimed at checking compliance with data privacy legislation, including the new localization requirements.

Altogether, Roskomnadzor intends to conduct over 1,000 inspections of companies in the e-commerce, banking, automotive, cosmetics and IT industries.  A list is published of the companies that will be inspected, though the list only includes Russian entities.

The inspection involves a review of all the required internal documents and policies required to be in place as well as the IT documents that will demonstrate compliance with the data protection laws, including new data localization requirements.

Key Takeaways Employers in Russia and any company doing business in Russia should be sure to review their policies and procedures for processing and storing individuals' personal information.  The new localization requirements may require companies to overhaul their policies and procedures to comply with the new requirements.  With the increased inspections by the Data Protection Authority, it is recommended that companies not only review their policies and procedures for compliance with the localization requirements, but also Russia's data protection requirement as a whole, and do so sooner rather than later.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More