Data protection (privacy) laws in Russia

Data protection (privacy) laws in Russia are a rapidly developing branch in Russian legislation that have mostly been enacted in the 2005 and 2006. The Russian Federal Law on Personal Data (No. 152-FZ), implemented on July 27, 2006, constitutes the backbone of Russian privacy laws and requires data operators to take "all the necessary organizational and technical measures required for protecting personal data against unlawful or accidental access". Amendment was signed on December 20, 2020 and came into effect on March 1, 2021. The amendment requires "personal data made publicly available" needs to receive consent from the data subject. Russia's Federal Service for Supervision of Communications, Information Technology and Mass Media is the government agency tasked with overseeing compliance.

Applicable laws

 * Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, signed and ratified by the Russian Federation on December 19, 2005;
 * the Law of the Russian Federation “On Personal Data” as of 27.07.2006 No. 152-FZ, regulating the processing of personal data by means of automation equipment. It is the operator who is required to comply with that Act;
 * the “Regulations on securing personal data being processed in personal data systems” enacted by the Russian Government Regulation as of 17.11.2007 No. 781. The Regulations contain mandatory security regulations to be complied with when processing and storing personal data;
 * the Federal law “On Advertisement” as of 13.03.2006 No. 38-FZ. This regulates marketing communications sent inter alia by electronic means including e-mail, SMS etc.;
 * the Russian Code on Administrative Infractions dated 30.12.2001 No.195-FZ. This regulates issues of responsibility for commission of administrative offences in connection with processing of personal data or distribution of marketing communications.

Definitions

 * personal data is any information related to identified or identifiable on the basis of such information individual (personal data subject), including last name, given name, patronymic, date, month, year and place of birth, address, family, social, property status, education, profession, income, other information;
 * sensitive personal data means personal data relating to:
 * Race or ethnic origin
 * Political opinions
 * Religious beliefs
 * Health condition
 * Sexual life
 * processing is anything that can be done to or with personal data, including obtaining, organizing, accumulating, holding, adjusting (updating, modifying), using, disclosing (including transfer), impersonating, blocking or destroying such data;
 * operator is an entity which organizes and/or performs data processing, as well as determines the purposes and manner of data processing. In most cases both mother company and an entity which manages the relevant facility or service offered will be operators;
 * personal data system is a data system which includes personal data recorded in the data base as well as information technologies and technical equipment which make possible processing of such data.

Basic rules contained in the applicable legislative acts
Consent of the individual is required for processing of his personal data. This rule doesn't apply where such processing is necessary for performance of the contract, to which an individual is a party.

One shall bear in mind that a personal data subject is entitled at any time to revoke his previously granted consent, which obliges the operator to stop processing of such personal data and destroy it within three business days (unless other period of time was agreed on by the operator and an individual) after the date of such revocation, and notify the personal data subject of the fact that his personal data has been destroyed.

More specifically, processing of personal data for the purpose of direct marketing may be performed subject to prior consent of personal data subjects. Lack of such consent is presumed unless the operator proves the contrary. Processing of personal data for the purposes indicated above must be immediately ceased at the demand of personal data subject.

At the time of obtaining of personal data the operator is obliged, subject to request of an individual, to communicate to the latter information relating to the operator and the process of prospective processing.

If personal data is obtained not directly from a personal data subject, the operator prior to processing such information must provide the individual with the following information:
 * name and address of the operator or his representative;
 * purpose and legal grounds of personal data processing;
 * expected users of personal data; and
 * the rights of the individual in accordance with federal law “On Personal Data” dated 27.07.2006 No. 152-FZ.

Generally, it is prohibited to process in any way sensitive personal data of the individual, save for the cases where express written consent, containing all conditions provided for by the law, has been obtained from the individual prior to processing.

Generally, to transfer personal data outside the Russian Federation, the operator will have to make sure, prior to such transfer, that the rights of personal data subjects will enjoy adequate and sufficient protection in the country of destination.

Until 1 September 2015 the position of Federal Service on Telecommunications the governmental body responsible for personal data protection was that adequate and sufficient protection exists only in those foreign states which signed and ratified Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. Nevertheless, there are three major exceptions which permit transfer of personal data to the countries where lower or no standard of personal data protection applies, namely:
 * When transfer is necessary for performance of a contract to which an individual is a party
 * When a personal data subject gave his prior written consent, containing all conditions provided for by the law, to such transfer
 * When transfer is necessary for performance by the Russian Federation of its obligations under international agreement on readmission

On 1 September 2015 a new "Article 18 (5)" came into effect more strictly limiting the export of data.

The Russian legislation imposes strict limitations on using of the electronic means of communication for direct marketing. Namely, express consent should be obtained from the individual before marketing communications are sent to him by email or SMS. Lack of such prior consent is presumed unless the sender proves the contrary. The law provides for immediate cessation of sending marketing communications at the individual’s short notice. It should be also noted that in Russia it is expressly prohibited to send emails or SMS messages using autodial.

To send marketing communications by post, operator must obtain specific permission from the Federal Service on Telecommunications. Unfortunately the procedure of obtaining of such permission hasn’t been established yet.

Where personal data is processed it should be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

Personal data being processed shall enjoy confidential regime. It implies employment by the operator of sufficient technical and organisational means designed to prevent unauthorised access of any third parties to processed personal information. Procedures (including issuance of internal regulations or decrees) must be in place to regulate the process of access to such confidential information.

Personal data should be accurate and kept up to date where necessary. The operator is obliged to ensure accessibility of personal information for examination by personal data subjects at their request. In case such subjects find that this information is outdated or inadequate, the operator will be obliged to stop processing of such information until the required modifications are introduced.

Personal data should not be kept for longer than is necessary for the purposes for which they are processed, which requires its destruction after such purposes have been fulfilled or in case their fulfillment is not required any more.

Personal data must be processed in accordance with the rights of personal data subjects under applicable data protection legislation. An operator will be in breach of this principle if, amongst other things, he:
 * contravenes the rights of access provisions set out in the legislation;
 * fails to comply with a request to cease processing within the time limit specified by the law or agreed on by the parties.

Procedures must be in place to ensure that computer systems are configured appropriately to allow accurate recording of the giving of consents in all relevant cases, described herein. Procedures must also be in place to ensure that any notices or requests are responded to and dealt with promptly.

Appropriate technical and organization measures must be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. Operators should consider appropriate measures to ensure data integrity (for electronic processing), including the installation of virus protection software and firewalls, adopting encryption for data transfers, using privacy enhancing technologies and making regular backups that are securely stored. For manual processing, consideration should be given to appropriate security measures, such as storage of paper records in lockable, fire-proof cabinets.

The relevant provisions require effective protection of personal data. Mandatory regulations on protection of such data are currently being developed by Federal Security Service (hereinafter, the “FSS”) to be issued within two months. For the moment, according to information received from FSS specialist during telephone consultation, FSS has a preliminary draft of the said regulations which may be modified as the final version of said regulations is to be issued within two months. The draft in its current version provides for protection of all personal data being transferred outside Russia in form of encryption. It is worth mentioning, that for the time being, it is practically possible to use only Russian encryption software and equipment for that purpose.

Individual rights
The legislation gives certain rights to personal data subjects in respect of personal data held about them. These include:


 * a right of access to information relating to operator and to the processed personal data;
 * a right to demand cessation of processing, blocking or modifying of the personal data which have been illegally obtained, are inadequate or outdated; and
 * a right to demand immediate cessation of processing for the purposes of direct marketing.

Personal data categories
The legislation describes certain personal data categories:


 * Public - personal data obtained only from publicly available personal data sources created in accordance with art. 8 of The Russian Federal Law on Personal Data (No. 152-FZ)
 * Biometric - information that characterizes the physiological and biological characteristics of a person on the basis of which it's possible to establish his personality and which are used by the personal data operator to identify the subject of the personal data.
 * Special - personal data relating to race, ethnic origin, political opinions, religious beliefs, health condition, sexual life of personal data subjects.
 * Other - personal data that doesn't belong to any of the above categories (public, biometric, special).

Notification
Operators to whom Russian legislation applies are required to send notification to the territorial body of Russian Federal Service on Supervision over Mass Communications, Telecommunications and Preservation of the Cultural Heritage (hereinafter, the “Federal Service on Telecommunications”) for each region of Russia where he possesses personal information processing facilities. For Moscow it will be Moscow Department of the above mentioned federal service. Such notification is necessary for inclusion of the operator into specific Register and shall be made by the operators who have been processing personal information prior to enactment of the Federal law “On Personal Data” dated 27.07.2006 and continue to process it after its enactment prior to January 1, 2008. Those operators who haven’t been engaged in processing of personal information using their own or third party’s equipment located in Russia prior to enactment of the said law must send the notification before they actually start processing personal data. It is important that the said notification contain information provided for by the applicable legislation.

Jurisdiction
Scope of application of Russian Data Protection legislation: Russian laws apply when the operator uses his own or third-party data processing equipment located in Russia. As well as in cases where the data has been already transferred outside Russia, but there has been a violation of personal data subject’s rights prior to or during such transfer. If the data is transferred outside Russia duly, it will be subsequently regulated by the laws of country of destination and implications of Russian law will not apply thereto.

In most cases, the Federal Service on Telecommunications only has jurisdiction in relation to data held or processed in Russia. Nevertheless, the legal implications of the Russian legislation on data protection will apply in respect of the data already transferred outside Russia in case the rights of individuals, whose personal data has been collected and processed using equipment located in Russia, have been violated prior to or during such transfer (e.g., an operator transferred personal data to a country where personal data don’t enjoy adequate protection without prior written consent of a data subject). In that case the Federal Service on Telecommunications may file lawsuits against operators to protect the rights of the personal data subjects and impose respective fines for violation of the data protection legislation.