Data protection in Russian Federation overview

Legislation

1. What national laws regulate the collection and use of personal data?

General laws

The main provisions of data protection and privacy law can be found in the:

• Strasbourg Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data 2005 (Strasbourg Convention).
• Russian Constitution 1993 (Articles 23 and 24).
• Federal Law No. 149-FZ on Information, Information Technologies and Data Protection 2006 (Data Protection Act).
• Federal Law No. 152-FZ on Personal Data 2006 (Personal Data Protection Act).

The principal law in this area is the Personal Data Protection Act.

Sectoral laws

Data protection specific provisions can also be found in various sectoral laws, for example, the:

• Russian Labour Code (Chapter 14).
• Russian Air Code (Article 85.1).
• Federal Law No. 323 on the Fundamentals of Protection of the Health of Citizens in the Russian Federation.

There are also certain local administrative regulations and official requirements that regulate the collection, storage and use of personal data, issued by the:

• Russian President.
• Russian Government.
• Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor).
• Federal Service for Technical and Export Control (FSTEC).
• Federal Security Service (FSS).

Scope of legislation

2. To whom do the laws apply?

Data protection laws apply to all data operators and third parties acting under the authorisation of data operators. Russian data protection laws do not contain the concepts of "data controller" and "data processor". However, the Personal Data Protection Act does refer to the concept of "data operator". A data operator can be a state or municipal body, legal or physical person that both:

• Organises and/or carries out (alone or jointly with other persons) the processing of personal data.
• Determines the purposes of personal data processing, the content of personal data, and the actions (operations) related to personal data.

The data processing can be shifted to a third party, subject to the data subject's consent, who will be acting under the authorisation of the data operator on the basis of the corresponding agreement, or by operation of the special state or municipal act.

3. What data is regulated?

Data protection laws regulate all personal data that is processed by data operators or third parties. Personal data is any information (directly or indirectly) related to an identified or identifiable individual (data subject).

Russian data protection legislation does not distinguish between direct personal data and indirect personal data. Therefore the personal data will be regarded as "direct" or "indirect" depending on the facts of each situation.

4. What acts are regulated?

Data protection laws apply to all acts of data processing, including collection, recording, systematisation, accumulation, storage, alteration (update, modification), retrieval, use, transfer (dissemination, provision, access), depersonalisation, blocking, deletion or destruction of data. Electronic (automated) and manual (non-automated) records of personal data will be subject to the data protection legislation.

5. What is the jurisdictional scope of the rules?

Data protection laws do not contain any express provisions regarding their jurisdictional or territorial effect. Therefore, it is generally presumed that the national data protection rules apply to:

• Data processing that occurs in, or targeted at Russia.
• Collection, storage as well as the use of personal data of Russian citizens (data subjects).

This is regardless of where the data operators are established and located. In the context of cross-border data flow, the national data protection legislation can also be applied to a certain extent, provided the Russian individual is a party to the corresponding data transfer agreement.

6. What are the main exemptions (if any)?

The following exemptions apply to the scope of regulation of data protection laws:

• Processing of personal data by individuals solely for personal and family needs (provided the rights of data subjects are not infringed).
• Organisation of storage, collection, recordation and use of archived documents containing personal data in accordance with the national laws on archive funds and matters.
• Processing of personal data that can be referred to as state secrecy data.
• Submission by the competent authorities of data related to the activities of courts in Russia in accordance with the relevant court legislation.

Notification

7. Is notification or registration required before processing data?

A data operator that is processing personal data must notify Roskomnadzor before it begins to process personal data. The notification can be submitted by the data operator on paper or electronically.

Notification

The notification must contain the following information:

• The name and address of the data operator.
• The purposes of processing of the personal data.
• The categories of personal data.
• The categories of data subjects whose data is being processed.
• List of consented actions in relation to personal data, and a general description of the methods of data processing used by the data operator.
• The description of IT systems and security measures (including encryption).
• The name and contact details of the data protection officer.
• The start date of processing personal data.
• The duration of processing or the conditions for terminating the processing of personal data.
• Cross-border data transfer information.
• The location of the database that will contain the personal data of Russian individuals (as of 1 September 2015) (see Question 21).

Roskomnadzor will register the data operator within 30 days of the date of receipt of the corresponding notification (in the absence of any further questions or inquiries). The information listed above (except the description of the data operator's IT systems and corresponding security measures) becomes publicly available once included in the register. Roskomnadzor maintains a register of data operators based on the information that is contained in the notifications it receives. The register of data operators is public and can be found in Russian, see http://rkn.gov.ru/personal-data/register/.

The notification/registration requirement will be applicable to every data operator that is involved in the processing of different categories of personal data in the territory of Russia (or processing personal data of Russian citizens) and uses its internal IT system or database subject to the data protection legislation. However, the data operator will be discharged of this statutory requirement and will be able to process personal data without notification/registration in certain circumstances.

For example, where the personal data:

• Is only processed under the labour law.
• Has been received by the data operator in connection with a contract with a respective data subject (individual), provided that the personal data:
  • is not transferred to third parties without the individual's consent;
  • is only used to perform the contract or to enter into further contracts with the individual.
• Relates to a certain type of processing by a public association or religious organisation acting under the applicable laws, provided that the personal data is not distributed or disclosed to third parties without the data subject's consent.
• Has been made publicly available by the data subject.
• Consists only of the surname, first name and patronymic of the data subject.
• Is necessary for granting the data subject one-time access into the premises where the data operator is located.
• Is included in IT systems that have acquired the status of state computer IT systems under the applicable laws, or in state IT systems created for the purposes of state security and public order.
• Is processed without the use of automated systems under the applicable laws subject to compliance with the rights of the data subject.
• Is processed in accordance with the laws and regulations relating to transport security.

Notification and registration does not require the payment of any official fee.

MAIN DATA PROTECTION RULES AND PRINCIPLES

Main obligations and processing requirements

8. What are the main obligations imposed on data controllers to ensure data is processed properly?

The main obligations imposed on data operators to ensure the personal data is processed properly are as follows:

• Defining the categories of personal data, the purposes of data processing and the duration of processing. ? Obtaining the data subject's consent (unless otherwise provided by the law). ? Appointing a data protection officer, adopting the data protection policy (and other required documents) and taking other appropriate security (especially technical and organisational) measures to prevent unauthorised/unlawful data processing and a breach of the data protection legislation. ? Locating the data centre or data server in the territory of Russia (see Question 21). ? Notifying Roskomnadzor for the purposes of registration (unless otherwise provided by the law).

9. Is the consent of data subjects required before processing personal data?

In most cases, the data subject's consent will be required before processing personal data. The data subject's consent must be specific, informed and willful.

Unless otherwise provided by the law, the data subject's consent can be obtained in any form, including online. In cases where the law requires the data subject's consent to be given in writing (for example, biometric data processing), implied or inferred consent will not be regarded as valid. E-signatures are allowed and can be used in accordance with the provisions of the applicable law on digital signatures, if the data subject's consent represents an electronic form of the document. The burden of proof that the data subject's consent has been received remains with the data operator.

There is no prescribed or approved form of consent. However, the Personal Data Protection Act specifies the information that must appear in the written consent of the data subject:

• First name, middle name, surname and address of the data subject, number of the ID (for example, passport), date of issue of the ID and the issued authority.
• First name, middle name, surname and address of the representative of the data subject, number of the ID (for example, passport), date of issue of the ID and the issued authority, details of the power of attorney or other applicable document (if the consent has been given by the data subject's representative).
• First name, middle name, surname and address of the data operator.
• Purpose of the data processing.
• List of consented personal data.
• First name, middle name, surname and address of a third party that is processing the personal data under the authorisation of the data operator.
• List of consented actions in relation to personal data, and a general description of the methods of data processing used by the data operator.
• Duration of data subject's consent, and the method of its revocation.
• Signature of the data subject.

A minor's personal data can be processed under the consent provided by the lawful representative.

10. If consent is not given, on what other grounds (if any) can processing be justified?

The processing of personal data without the data subject's consent can be justified in certain circumstances. For example, if data processing is required for:

• Purposes defined by an international treaty or under Russian law.
• Certain judicial purposes.
• The performance of certain competent powers by the federal authorities that provide state and municipal services.
• An agreement with the data subject or an agreement where the data subject is the beneficiary or guarantor.
• The protection of life, health or other vital interests of the data subject.
• The protection of the data operator's or third parties' rights and interests, or for public purposes, provided there are no breaches of rights and freedoms of the data subject.
• Professional journalistic, media, scientific, literary or other creative activities, provided there are no breaches of rights and freedoms of the data subject.
• Statistical or other scientific purposes (provided the relevant personal data has been made anonymous).
• Data which has been made publicly available by the data subject at his request.
• Mandatory publication or disclosure in accordance with the applicable law.

Special rules

11. Do special rules apply for certain types of personal data, such as sensitive data?

Under the Personal Data Protection Act, sensitive data refers to any information that relates to nationality, racial or ethnic origin, political opinions, religious or philosophical beliefs and the state of a person's health or sex life.

Sensitive data can only be processed if the:

• Data subject has provided his written consent to the data processing.
• Personal data has been made publicly available by the data subject.
• Sensitive data processing is required under an international treaty of Russia on re-admission (for example, the return of immigrants to the country).
• Sensitive data processing is performed for the all-Russian population census.
• Sensitive data processing is performed under the relevant laws on social support, employment or pensions.
• Sensitive data processing is required for the protection of life, health or the vital interests of the data subject or other individuals, provided that it is impossible to obtain the data subject's consent.
• Sensitive data processing is made by a person who is engaged in various medical activities for certain medical purposes, provided the processing is carried out by a professional subject to medical confidentiality.
• Sensitive data processing is performed by public societies or religious organisations in relation to the personal data of their members for the purposes defined by their articles of incorporation, provided the personal data will not be distributed without written consent.
• Sensitive data processing is required for the establishment or enforcement of rights of the data subject, or third parties, as well as for the administration of justice.
• Sensitive data processing is made in accordance with Russian state defence, security, anti-terrorist, transport safety, anti-corruption, law enforcement, execution, criminal investigation and prosecution legislation.
• Sensitive data processing is made by the prosecutors' offices in the context of special prosecution enforcement.
• Sensitive data processing is made under the insurance legislation.
• Sensitive data processing is made by state authorities, municipal agencies or organisations for the purposes of child adoption.
• Sensitive data processing is made in accordance with the applicable laws on citizenship.

The processing of sensitive personal data (where it is permitted by the law) will be terminated immediately if the reasons for the processing no longer exist.

RIGHTS OF INDIVIDUALS

12. What information should be provided to data subjects at the point of collection of the personal data?

At the point of collection of the personal data, the data subject must be provided with the following information:

• The purpose of data collection/processing.
• The volume of data collection/processing.
• The term of data/collection/processing.
• Details of the data operator (or a third party acting under the data operator's authorisation).
• Other information provided by the law.

13. What other specific rights are granted to data subjects?

The data subject has the right to access the data being processed by the data operator and reserves the right to receive the information related to data processing, including but not limited to:

• Confirmation of the data processing by the data operator.
• The legal grounds and purposes of data processing.
• The purposes and methods of data processing used by the data operator.
• The name and location of the data operator, information on the persons (except for the employees) who have access to the personal data or to whom personal data may be disclosed under the agreement with the data operator or under the law.
• The duration of data processing, including the duration of storage of personal data.
• The information on the occurred or prospective cross-border data transfer.
• Other information provided by the Personal Data Protection Act and other laws.

In addition, the data subject has the right to:

• Data correction and blockage.
• Object to data processing.
• Object to direct marketing.
• Object to decisions being made solely on the basis of automated data processing.
• Complain about the actions or omissions of the data operator and claim compensation of losses, including moral damages.

14. Do data subjects have a right to request the deletion of their data?

Data subjects can request the deletion of personal data if the data is:

• Incomplete
• Out-of-date.
• Inaccurate.
• Unlawfully obtained.
• Not necessary for the declared purposes of data processing.

SECURITY REQUIREMENTS

15. What security requirements are imposed in relation to personal data?

The data operator must take necessary and sufficient protective measures to comply with the data protection legislation, including the following:

• Appointing a data protection officer.
• Adopting the data protection policy and other documents, including local/corporate rules, intended for the prevention and detection of breaches of the data protection legislation
• Applying for the relevant legal, organisational and technical security measures.
• Performing internal control and/or audit to ensure data processing compliance with the data protection legislation and the data operator's policy/documents/local rules.
• Evaluating the damages that may be caused to data subjects in the event of a breach of data protection legislation.
• Disclosing the relevant provisions of the data protection legislation and data protection requirements that define the policy/documents/local rules of the data operator to the employees.

In any event, the data operator must take the necessary legal, organisational and technical measures for the protection of personal data against any unauthorised/illegal or accidental access, destruction, modification, blocking, copying, provision, or distribution, as well as against any other unauthorised actions with regard to personal data. Additional security measures can be established by:

• Locating security threats in the course of processing of personal data in the relevant IT systems.
• Providing the appropriate level of protection of processing of personal data in the relevant IT systems.
• Applying different certified methods of protection of personal data (including encryption).
• Evaluating the efficiency of security measures (prior to the implementation of any security measures).
• Recording any computer media that contains personal data.
• Revealing unauthorised access to personal data.
• Retrieving personal data that has been modified or destroyed due to the unauthorised access.
• Adopting rules governing the access to personal data being processed in the relevant IT systems, the registration and recording of all actions related to personal data in the relevant IT systems, or control over the security measures with regard to personal data and the level of protection of the relevant IT systems.

16. Is there a requirement to notify personal data security breaches to data subjects or the national regulator?

In general, there is no legal requirement to report data breaches to data subjects or to Roskomnadzor. In the event of locating or detecting unauthorised processing of personal data, the data operator (or the relevant authorised person) must terminate the processing within three business days. If it is not possible to change the unauthorised processing of personal data into a lawful manner of processing, the data operator must destroy the personal data within ten business days. Following the termination of processing of personal data or destruction of personal data, the data operator must notify the data subject (or its representative). If the request for the termination or destruction has been made by Roskomnadzor, the notification must be sent to Roskomnadzor.

PROCESSING BY THIRD PARTIES

17. What additional requirements (if any) apply where a third party processes the data on behalf of the data controller?

The data subject must consent to the transfer of personal data to third parties. Third parties are subject to the same legal requirements and obligations as data operators and must comply with the data processing rules that have been defined by the law. The data operator will be liable for all acts or omissions of third parties (acting under the authorisation of the data operator), while respective third parties must take responsibility before the data operator.

ELECTRONIC COMMUNICATIONS

18. Under what conditions can data controllers store cookies or equivalent devices on the data subject's terminal equipment?

The law does not contain a definition for "cookies". There are also no official guidelines from Roskomnadzor (or other state agency) on the use or distribution of cookies.

Under the Data Protection Act, a person distributing information must provide the addressee with the explicit option of rejecting the information (when using a method that allows for the identification of the addressee), including when sending regular postal messages and electronic messages. Therefore, it is generally presumed that all types of cookies require an opt-in consent of the respective data subject (in the absence of a more specific legislation on this point).

19. What requirements are imposed on the sending of unsolicited electronic commercial communications (spam)?

Unsolicited electronic commercial communications (spam) are not allowed in Russia. Such communications can only be sent with the addressee's prior consent and must be immediately stopped on his request. Failure to comply with these requirements can lead to different types of liability (including the administrative liability).

INTERNATIONAL TRANSFER OF DATA

Transfer of data outside the jurisdiction

20. What rules regulate the transfer of data outside your jurisdiction?

Article 12 of the Personal Data Protection Act regulates cross-border data flows. In the event of an international transfer of personal data, all data operators must ensure (before the transfer is made) that the rights and interests of the respective data subject are fully protected in an adequate manner in the corresponding foreign country. All countries that are signatories to the Strasbourg Convention are considered to be jurisdictions that provide "adequate protection" of the rights and interests of data subjects.

In addition, Roskomnadzor has adopted an official list of countries (including Australia, Argentina, Canada, Israel, Mexico and New Zealand) that may secure the adequate protection level for the purposes of cross-border transfers of personal data. International data transfer to any jurisdiction with the adequate protection level is not subject to any restriction, provided that the consent of the respective data subject has been received.

Cross-border transfers of personal data to countries that do not provide a level of adequate protection is only permitted if the:

• Written consent of the respective data subject has been received.
• Cross-border data transfer is allowed under an international treaty that Russia is a party to.
• Cross-border data transfer is allowed under applicable laws if necessary for the purposes of:
  • protecting the Russian constitutional system;
  • protecting the national state defence and state security.
  • securing the maintenance of the Russian transportation system, and protecting the interests of individuals, society and the state in the transportation sector from illegal intrusion.
• Cross-border data transfer is made for the performance of the contract to which the data subject is a party to.
• Cross-border data transfer is required to protect the data subject's life, health or other vital interests and it is impossible to obtain his prior consent in writing.

Typically, companies that are acting as data operators will check for the adequate protection level of data protection before transferring any personal data abroad. In addition, companies will obtain written consent from the respective data subjects or execute international data transfer agreements with the respective data subjects. Following these steps, companies will proceed with cross-border data transfers in accordance with their internal corporate rules or policies (as applicable).

21. Is there a requirement to store (certain types of) personal data inside the jurisdiction?

On 21 July 2014, the President of the Russian Federation signed Federal Law No. 242-FZ on Amendments to Certain Legislative Acts of the Russian Federation for Clarification of Personal Data Processing in Information and Telecommunication Networks (New Data Protection Law), which became effective on 1 September 2015.

The New Data Protection Law amends the Personal Data Protection Act by mainly addressing two issues:

• It introduces certain new obligations for data operators with regard to the collection, storage and processing of personal data of Russian citizens (individuals).
• It introduces a new mechanism for Roskomnadzor to block websites and online resources that illegally process the personal data of Russian citizens (individuals).

Specifically, the New Data Protection Law introduces an obligation on all data operators to "ensure recording, systematisation, accumulation, storage, change and extraction of personal data of Russian citizens with the use of data centres located in the territory of the Russian Federation in the course of collection of relevant personal data of individuals, including via the Internet". This means that any personal data of Russian citizens collected by data operators will need to be stored in servers, IT systems or data centres located in Russia. The New Data Protection Law does not expressly stipulate this, but the requirement is interpreted as prohibiting the storage of personal data on Russian citizens outside of Russia (without locating the personal data of Russian citizens in Russia at first). Therefore, through a literal interpretation of the New Data Protection Law, local and foreign companies (data operators) are required to process or organise the processing of personal data of Russian citizens in Russia, subject to compliance with all other general requirements of the data protection legislation. In addition, the New Data Protection Law does not:

• Prohibit accessing the servers, IT systems or data centres that are located within the Russian territory from abroad.
• Impose any special restrictions on the transfers, including cross-border transfers of personal data related to Russian citizens.
• Duplication of personal data of Russian citizens.

Data transfer agreements

22. Are data transfer agreements contemplated or in use? Have any standard forms or precedents been approved by national authorities?

Data transfer agreements are not specifically regulated by the law, but they are widely used in practice, especially when foreign parties are involved. Roskomnadzor has not adopted a standard form of a data transfer agreement. Hence every such agreement will be subject to the facts of each situation and executed under the principle of freedom of contact.

23. Is a data transfer agreement sufficient to legitimise transfer, or must additional requirements (such as the need to obtain consent) be satisfied?

A data transfer agreement is sufficient to legitimise the international transfer of personal data, provided the data subject's consent is expressly stated in the agreement. In addition, the data operator must notify Roskomnadzor about its right to cross-border data transfer at the time of sending the notification for the purposes of registration.

24. Does the relevant national regulator need to approve the data transfer agreement?

Roskomnadzor does not need to approve or register the data transfer agreement. The data transfer agreement must be executed by the relevant data operator and data subject in writing in order to be effective and enforceable.

ENFORCEMENT AND SANCTIONS

25. What are the enforcement powers of the national regulator?

Roskomnadzor has certain enforcement powers and is responsible for the following:

• Sending out requests to individuals/legal entities and obtaining necessary information on data processing.
• Carrying out inspections and checking the information contained in the notifications on the processing of personal data (submitted by the data operators), or engaging with other state agencies for this specific purpose.
• Rectifying, blocking or destroying false or illegally-obtained personal data.
• Limiting access to data that is processed by a breach of the data protection legislation (as of 1 September 2015) (see Question 21).
• Suspending or terminating the processing of personal data that has been initiated by a breach of the data protection legislation. Bringing civil actions with competent courts for the protection of the rights of data subjects and representing the interests of data subjects before the trial.
• Filing petitions to FSTEC, FSS and other state agencies for the purposes of suspending or cancelling relevant licences.
• Submitting materials to the Prosecutor's Office and other law enforcement agencies for the purposes of commencement of criminal cases for data breaches.
• Issuing binding orders and bringing guilty parties to administrative liability.

26. What are the sanctions and remedies for non-compliance with data protection laws?

In Russia, non-compliance with data protection laws can be punishable with:

• Civil sanctions (for example, moral damages).
• Administrative sanctions (for example, administrative fines).
• Criminal sanctions (for example, imprisonment).

Finally, it is important to note that Russian data protection laws have been enforced quite heavily in recent years, and data subjects have sent many complaints to Roskomnadzor. There has also been a growing number of appeals by data operators against the orders and decisions of Roskomnadzor imposing different sanctions on data operators and blocking their Internet resources. As a result, the national case law and court practice relating to sanctions for non-compliance with Russian data protection laws continues to develop constantly. In the near future, the Russian Government may strengthen the sanctions for data breaches, at least from the administrative liability perspective, by amending the applicable law.

REGULATOR DETAILS

Main areas of responsibility. Supervision of legitimate data processing, accepting notifications, performing registration and maintaining the register of data operators, carrying out inspections and enforcement, adopting official regulations and guidelines. The website is available in English and Russian.

• http://rkn.gov.ru/ 
  
  The Russian version of the official website of Roskomnadzor. The website contains the official, up-to-date information on data protection regulation, enforcement and legislation in Russia. The website also contains the special data protection portal, the online register of data operators and the annual reports of activities of Roskomnadzor.
• http://eng.rkn.gov.ru/ 
  
  The English version of the official website of Roskomnadzor. The website contains the official translation of certain pages of the Russian version of the official website of Roskomnadzor and some legal aspects and news related to data protection in Russia.
• http://eng.pd.rkn.gov.ru/ 
  
  The official English data protection portal maintained by Roskomnadzor. The portal contains the annual reports of activities of Roskomnadzor, certain international activities of Roskomnadzor (and its representatives) and a list of national and international data protection legislation.