Data Protected - Russia

Last updated December 2017

General | Data Protection Laws

National Legislation
National Supervisory Authority
Scope of Application
Personal Data
Sensitive Personal Data
Data Protection Officers
Accountability and Privacy Impact Assessments
Rights of Data Subjects
Security
Transfer of Personal Data to Third Countries
Enforcement

ePrivacy | Marketing and cookies

National Legislation
Cookies
Marketing by E-mail
Marketing by Telephone

_____________________________________________________________________

General | Data Protection Laws

____________________________________________________________

National Legislation

General data protection laws 

The Russian Federal Law “On Personal Data” (No. 152-FZ, dated 27 July 2006) (the “OPD Law”) contains similar provisions to those in the GDPR and the Data Protection Directive.

The Russian Federal Law “On amendments to certain legislative acts of the Russian Federation for clarification of personal data processing in information and telecommunication networks” (No. 242-FZ) (the “Data Localisation Law”) amends the OPD Law and was passed in July 2014.

Also, a new law was passed in July 2015 giving individuals the right to be delisted from search engines (the “Delisting Law”). This law came into force on 1 January 2016.

Entry into force

The majority of the provisions of the OPD Law came into force on 26 January 2007 and have been amended several times since.

The amendments made by the Data Localisation Law came into force on 1 September 2015.

_____________________________________________________________________

National Supervisory Authority

Details of the competent national supervisory authority

The Federal Service for Supervision of Communications, Information Technology and Mass Media (the “Roskomnadzor”)

Kitaygorodsky pr. 7, bld. 2
109074 Moscow

www.rsoc.ru

Notification or registration scheme and timing

Personal data may be processed by a “data operator” (a concept similar to a controller) only with prior written notification to the Roskomnadzor, unless the processing is exempt. No approval is required and notification is free of charge. The notification must occur prior to the first processing of personal data.

Exemptions to notification

Every data operator who intends to process personal data must notify the Roskomnadzor unless they are subject to an exemption. Exemptions apply if: (i) the data is processed under employment law; (ii) the data was received by the data operator in connection with a contract with the data subject, provided that such personal data is not transferred to or circulated among third parties without the data subject’s consent and are only used to perform the contract or to enter into other contracts with the data subject; (iii) the data relates to certain processing by a public association or religious organisation; (iv) the data was made publicly available by the data subject; (v) the data only consists of the surname, first name and patronymic of the data subject; (vi) the data is necessary for granting one-time access to the data subject into the territory where the data operator is located; (vii) the data is part of information systems of personal data which are classified as state-automated information systems as well as state information systems of personal data under relevant legislation and created for the protection of the state and for ensuring public order; (viii) the data is processed without using automated equipment, in compliance with federal laws or other regulations that lay down the requirements for the protection of personal data and data subjects’ rights; or (ix) the data is processed in accordance with legal requirements relating to the safety of transportation systems.

_____________________________________________________________________

Scope of Application

What is the territorial scope of application?

The OPD Law is not expressly limited to data operators established in Russia.

There is a degree of uncertainty as to whether data operators established outside Russia are subject to this law in relation to the processing of data collected in Russia. However, the general view is that the laws are likely to only apply to data operators established in Russia (namely entities incorporated in Russia or Russia-based offices/branches of foreign companies), where personal data is processed in the context of that establishment.

However, under the Data Localisation Law, website owners established outside Russia may be required to store personal data of Russian nationals in Russia if they gather such data through websites “aimed at the territory of Russia”.

Is there a concept of a controller and a processor?

Russian law contains the concept of a “data operator” that is similar to the European concept of a controller. It also has the concept of a third party processor, similar to the European concept of a processor.

The OPD Law applies to all data operators.

Are both manual and electronic records subject to data protection legislation?

The OPD Law applies to electronic records.

It also applies to certain manual records/non-automated data to the extent that the latter is recorded with the intention that it should be processed by means of automated equipment and/or is recorded in a relevant filing system. The relevant filing system is a set of information relating to individuals to the extent that the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible.

Are there any national derogations?

The OPD Law does not apply to the processing of personal data for the purposes of complying with the Russian mandatory archiving legislation (i.e. legislation that contains mandatory document retention requirements) and state secrecy laws.

The OPD Law also does not apply to the processing of personal data exclusively for personal or family use.

_____________________________________________________________________

Personal Data

What is personal data?

The OPD Law defines personal data as any information directly or indirectly related to an identified or identifiable individual (the subject of the personal data).

Is information about legal entities personal data?

No. However, information about shareholders that are private individuals may be treated as personal data.

What are the rules for processing personal data?

Personal data may generally be processed: (i) with the prior consent of the data subject; (ii) under an international treaty or pursuant to Russian law; (iii) for judicial purposes; (iv) for the purpose of the united web based portal of state and municipal services; (v) for the purpose of an agreement with the data subject or an agreement where the data subject is beneficiary or guarantor, including where the operator exercises its right to assignment of a claim or right under such agreement (effective as of 1 June 2014); (vi) for statistical or other scientific purposes (in which case, however, data must be anonymised); (vii) for the protection of the life, health or other legitimate interests of the data subject, in cases where obtaining their prior consent is impossible; (viii) for the protection of the data operator’s or third parties’ rights or for public purposes, if there is no breach of the data subject’s rights and freedoms; (ix) for the purposes of mandatory disclosure or publication of personal data in cases directly prescribed by law; (x) in the context of professional journalistic, scientific, literary or other creative activities, if there is no breach of the data subject’s rights and freedoms; or (xi) if such data was made publicly available by the data subject or under his/her instruction.

The Data Localisation Law took effect on 1 September 2015. Amongst other things, data operators processing personal data about Russian nationals must ensure that data is stored on databases located in Russia. It is not thought to impose additional restrictions on transfers of personal data outside of Russia beyond those set out in the Transfer of Personal Data to Third Countries section below.

Are there any formalities to obtain consent to process personal data?

The OPD Law requires any consent to be in writing and that the consent is specific, informed and freely given. The OPD Law allows the consent to be collected in electronic form based on the electronic signature of the data subject.

The consent should include: (i) the surname, first name, patronymic, address of the data subject and information on the identity document of the data subject and his/her representative (if applicable); (ii) the name and address of the data operator and/or processor; (iii) the purpose of the processing; (iv) a list of the relevant personal data to be processed; (v) a list of actions for which consent is given and a general description of methods of data processing used by the operator; (vi) the term of the consent and the procedure for its revocation; (vii) the surname, first name, patronymic and address of a person processing data at the request of the data operator (if applicable); and (viii) the signature of the data subject.

Are there any special rules when processing personal data about children?

The processing of personal data relating to children (below the age of 18) requires prior written consent of their parents.

_____________________________________________________________________

Sensitive Personal Data

What is sensitive personal data?

Under the OPD Law, sensitive personal data includes racial or ethnic origin, political opinions, religious or philosophical beliefs, and the processing of data concerning health or sex life.

According to the OPD Law, biometric information is treated as a separate class of personal data with its own legal regime. Biometric personal data may be processed without the data subject’s consent in connection with the administration of justice and in other specific instances stipulated by applicable laws.

Are there additional rules for processing sensitive personal data?

Sensitive personal data may be processed only if: (i) the data subject has provided his/her consent to the processing of personal data in writing; (ii) the personal data was made public by the data subject; (iii) it is required under an international treaty of the Russian Federation on readmission (i.e. return of immigrants); (iv) it is performed for the all-Russian population census; (v) it is performed under the laws on social support, employment or pensions; (vi) the data processing is necessary to protect the life, health and vitally important legitimate interests of the data subject or other individuals, provided that it is impossible to obtain the data subject’s consent; (vii) it is carried out by a person who is engaged in professional medical activity for medical purposes and subject to medical confidentiality; (viii) it is performed by religious organisations or public societies on their members’ personal data; (ix) it is necessary in connection with the ascertaining of rights or enforcement of rights of the data subject or third parties as well as for the administration of justice; (x) it is performed in accordance with Russian state security, anti-terrorist, transport safety, anti-corruption, law-enforcement, criminal investigation or criminal prosecution legislation; (xi) it falls under mandatory types of insurance, under the insurance legislation; (xii) it is necessary for child adoption; or (xiii) it is performed by public prosecution bodies in connection with prosecutor’s supervision.

Processing of sensitive personal data (where it is permitted) shall be stopped immediately if the reasons for such processing are eliminated.

Are there additional rules for processing information about criminal offences?

Data regarding criminal convictions is considered to be sensitive personal data that may be processed by state or municipal bodies only in cases set out in the Russian federal laws.

Are there any formalities to obtain consent to process sensitive personal data?

The formalities are the same as those for consent to process personal data (see above).

_____________________________________________________________________

Data Protection Officers

When must a data protection officer be appointed?

There is a legal requirement for a data operator (if a legal entity) to appoint a data protection officer.

What are the duties of a data protection officer?

The officer is responsible for ensuring compliance with the OPD Law including: (i) implementing appropriate internal controls over the data operator and its employees; (ii) making employees of the data operator aware of personal data related laws and regulations, internal (local) acts on data protection and other data protection requirements; and (iii) dealing with applications and requests from data subjects.

_____________________________________________________________________

Accountability and Privacy Impact Assessments

Is there a general accountability obligation?

Under Russian employment law, a company must put in place a written data protection policy.

Are privacy impact assessments mandatory?

No.

_____________________________________________________________________

Rights of Data Subjects

Privacy notices

Under Russian employment law, a company must put in place a written data protection policy.

Rights to access information

Data subjects may obtain their subject access information by a request to the data operator. A subject access request is free of charge. There are statutory exceptions where the data subject’s right of access to his/her personal data may be restricted in accordance with federal laws.

Rights to data portability

There is no right to data portability.

Right to be forgotten

In certain cases, a data subject may request that the personal data operator rectify, block or delete personal data. In certain cases, a data subject may object to decisions being taken based solely on automatic processing of the data subject’s personal data.

Objection to direct marketing and profiling

Under the OPD Law, processing of personal data for purposes of the direct marketing of goods, work or services is only allowed with the prior consent of a data subject.

Other rights

The Delisting Law requires internet search engines to comply with requests from individuals to delist their search results if they link to irrelevant information or information whose publication is incompatible with law (including data protection laws). There are exemptions for some recent and unspent criminal convictions.

_____________________________________________________________________

Security

Security requirements in order to protect personal data

The OPD Law only refers to the general obligation to implement appropriate technical and organisational measures to protect personal data and does not contain any specific security requirements.

Also, the Russian Government adopted Resolution No. 1119, dated 1 November 2012 which implements measures and requirements in order to prevent any unauthorised access to personal data.

Specific rules governing processing by third party agents (processors)

Under Russian law an operator is allowed, with the consent of the data subject, to engage a third party to process personal data on the basis of an agreement, state or municipal contract or under the state or municipal legal act issued by the relevant authority (the “Operator’s Instruction”).

The Operator's Instruction must contain a list of processing actions performed by the third party processor, the purposes of such processing and the obligation of the third party processor to maintain confidentiality and ensure protection of personal data in compliance with the OPD Law as well as requirements to protect personal data.

Notice of breach laws

Data operators are required to notify data subjects and the Roskomnadzor (if there is a request for confirmation of compliance with the OPD Law by the Roskomnadzor) of elimination of breaches of the OPD Law. This notification obligation also applies to security breaches.

On 26 May 2017, the lower chamber of the Russian parliament approved in the first reading a series of amendments to the Russian data protection legislation that, among other things, impose a legal obligation on data controllers to report massive data leaks to the Roskomnadzor. Before becoming law, this bill would have to go through the second and third readings in the lower chamber, the upper chamber and approval by the President, and at this stage it is difficult to predict how quickly this will happen. It should be noted, however, that the fact that this bill was approved by the lower chamber in the first reading suggests that it will almost certainly be approved at the remaining stages of the legislative process and become law.

_____________________________________________________________________

Transfer of Personal Data to Third Countries

Restrictions on transfers to third countries

The OPD Law contains the following restrictions on transborder dataflows. Prior to the transborder transfer of personal data, a data operator must check whether the foreign jurisdiction to which the personal data is to be transferred provides adequate protection for the rights of data subjects. The transfer of personal data to a jurisdiction with adequate protection is generally permitted, subject to the provisions of the OPD Law and any further restrictions and limitations in the Russian constitutional system.

States that are party to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data provide adequate protection as do those states that are not party to the Convention, but are specifically named by the Roskomnadzor as providing an adequate level of data protection.

The transfer of personal data to a foreign jurisdiction which does not provide adequate protection of data subjects’ rights may take place only: (i) with the prior written consent of the data subject; (ii) under an international treaty; (iii) under a Russian federal law, if it is required to protect the Russian constitutional system and ensure the defence of the country and security of the state; (iv) to ensure the safety of the transportation system; (v) in the context of the performance of an agreement with the data subject; or (vi) for the protection of life, health and other vital interests of a data subject or of other individuals when it is impossible to obtain a data subject’s prior consent.

The amendments made by the Data Localisation Law are thought to just require the retention of personal data in Russia and not impose additional restrictions on transborder dataflows.

Notification and approval of national regulator (including notification of use of Model Contracts)

There is no additional obligation to notify or obtain the approval of the Roskomnadzor for transborder dataflows.

Use of binding corporate rules

No concept of binding corporate rules is used in the OPD Law.

_____________________________________________________________________

Enforcement

Fines

Breaches may lead to administrative and civil liability.

Imprisonment

Breach of the OPD Law is not punishable by imprisonment.

Compensation

Data subjects have a right to compensation for damage, including moral damages.

Other powers

Roskomnadzor has the right to apply for a court order blocking access to a website through which the relevant person processes personal data in violation of Russian data protection laws (including the breach of the Data Localisation Law).

Practice

The OPD Law has been updated several times since it was adopted in 2006. Over the last couple of years, there has been a trend towards active enforcement action in a number of areas including data localisation requirements and the use of data subjects’ consent.

As an example, in November 2016 Roskomnadzor ordered the major Russian internet providers to block access to LinkedIn. LinkedIn Corporation, as the administrator of LinkedIn, was found in breach of the Data Localisation Law. As at the date of this publication, most internet providers in Russia have blocked access to LinkedIn.

_____________________________________________________________________

ePrivacy | Marketing and cookies

_____________________________________________________________

National Legislation

ePrivacy laws

There are no specific ePrivacy laws but the OPD Law does contain provisions on direct marketing.

_____________________________________________________________________

Cookies

Conditions for use of cookies

No concept of cookies is used in the OPD Law. However, in practice the Roskomnadzor tends to view cookies as personal data to the extent the relevant individual can be identified from cookies.

Regulatory guidance on the use of cookies

There is no official guidance on cookies from the Roskomnadzor.

_____________________________________________________________________

Marketing by E-mail

Conditions for direct marketing by e-mail to individual subscribers

Under the OPD Law, personal data processing for direct marketing purposes is only allowed with the prior consent of the data subject.

Conditions for direct marketing by e-mail to corporate subscribers

The OPD Law does not apply to corporate subscribers.

Exemptions and other issues

Consent can be revoked by the data subject at any time.

_____________________________________________________________________

Marketing by Telephone

Conditions for direct marketing by telephone to individual subscribers (excludes automated calls)

Under the OPD Law, personal data processing for direct marketing purposes is only allowed with the prior consent of the data subject.

Conditions for direct marketing by telephone to corporate subscribers (excludes automated calls)

The OPD Law does not apply to corporate subscribers.

Exemptions and other issues

Consent can be revoked by the data subject at any time.

_____________________________________________________________________