Fundamental provisions of data protection law in Russia can be found in the Russian Constitution, international treaties and specific laws. Russia is a party to the Strasbourg Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention), ratified by Russia in 2006, and the Russian Constitution establishes the right to privacy of each individual (Articles 23 and 24). Most rules are found in specific legislation, particularly the Data Protection Act No. 152-FZ of 27 July 2006 (DPA) and the various regulatory acts adopted to implement it, as well as other laws, including the Information, Information Technologies and Information Protection Act No. 149-FZ of 27 July 2006, which establishes basic rules on information in general and its protection. In addition, the Russian Labour Code contains provisions on the protection of employees' personal data (Part XIV). Other laws may also contain data protection provisions that implement the DPA in relation to specific areas of state services or industries.
On 22 July 2014 notable amendments to the DPA were adopted; they came into force on 1 September 2015. The amendments require all personal data operators to store and process personal data of Russian individuals in databases located in Russia (subject to a few exceptions). The ultimate penalty for violating this requirement is the blocking of websites involved in unlawful handling of Russian personal data. A Register of Infringers of Rights of Personal Data Subjects is to be maintained by Roskomnadzor, and on the basis of an entry in that register Roskomnadzor may move to block websites.
As the amendments are newly passed and no track record of enforcement or legal interpretation has yet been established, it is still unclear how the register and website blocking will work in practice. According to clarifications issued by Russian regulators, storing and processing personal data of Russian individuals outside Russia can still be compliant as long as the primary (often interpreted as initial) storage and processing of the data takes place in Russia. Whether keeping "mirror" databases both in Russia and elsewhere would be deemed compliant remains an open question.
Definition of personal data
Personal data is defined in law as any information that relates directly or indirectly to an identified or identifiable natural person (the data subject). This can be interpreted widely in various contexts, so each situation should be considered carefully.
Definition of sensitive personal data
Sensitive personal data is referred to in Russian legislation as special categories of personal data. These special categories include data relating to race, nationality, political opinions, religious and philosophical beliefs, state of health, intimate life, and biometric data.
Federal Service for Supervision of Communications, Information Technologies and Mass Media or, in short, Roskomnadzor ('Agency')
Build. 2, 7, Kitaigorodskiy proezd
Moscow, 109074
T +7 495 987 6800
F +7 495 987 6801
The Agency is in charge of maintaining the Registry of Data Controllers.
Any data controller must notify the Agency in writing of its intention to process personal data, unless one of a few narrow exclusions applies.
The notification letter shall contain information about:
- the full name and address of the data controller;
- the purpose of the processing;
- the categories of personal data processed;
- the categories of the subjects whose personal data is processed;
- the legal grounds for processing;
- the types of processing of the personal data;
- the measures of protection of personal data;
- the name and contact information of the natural person or legal entity responsible for personal data processing;
- the data processing commencement date;
- information on whether cross-border transfer of personal data takes place;
- the term of processing or the conditions for termination of processing the personal data; and
- information on personal data security provision.
If the data controller is a legal entity, it is required to appoint a data protection officer. Such an appointment is considered to be a personal data protection measure. The data protection officer oversees compliance by the data controller and its employees regarding the data protection issues, informs them of statutory requirements and organises the receiving and processing of communications from data subjects.
There are no legal restrictions requiring the data protection officer to be a citizen or resident of the Russian Federation; however, it is advisable that the data protection officer be available in case of an inspection or other communication from the authorities.
Non-appointment or improper appointment of the data protection officer is a violation of the data protection regime and may result in the imposition of penalties and enforcement protocols, as described below.
Data controllers may collect and process personal data where any of the following conditions are met:
- The data subject consents;
- The processing is required by a federal law or under an international treaty;
- The processing is required for the administration of justice, the execution of a court order or the enforcement of other acts of public authorities;
- The processing is required for provision of state or municipal services;
- The data controller needs to process the data to perform or conclude a contract to which the data subject is a party or beneficiary party or guarantor;
- The processing is carried out for statistical or scientific purposes (except where the processing is also used for advertising purposes), provided that the data is anonymised;
- The processing is necessary to protect the life, health or other vital interests of the data subject and it is impossible to obtain the data subject's consent;
- The processing is necessary for the exercise of the rights and legitimate interests of the data controller or third parties, or for achieving socially significant purposes, provided that the data subject's rights and freedoms are not breached;
- The processing is carried out by a journalist or mass media as a part of its professional activities or for the purposes of scientific, literary or other creative activities, except if the processing would damage the data subject’s rights and freedoms; or
- Personal data that is processed is subject to publication or mandatory disclosure under law.
As a general rule, a data subject's consent may be given in any form, but it is the data controller's obligation to prove that it holds the data subject's consent. Because of this burden of proof, it is important to keep careful records of consents.
In the following cases, the DPA requires that the data subject’s consent should be in writing (preferably in hard copy form):
- where the personal data is collected to be included within publicly accessible sources;
- where sensitive (special category) or biometric data is processed; or
- where a legally binding decision is made solely on the grounds of the automated processing of personal data.
Consent is deemed to have been given in writing where it is signed by hand or given in an electronic form and signed by an electronic signature.
Consent may be revoked.
Consent in writing must contain the following information:
- The full name, address and identity document (passport) details of the data subject;
- The same details for the data subject's representative (if any);
- The identity and address of the data controller or the entity that processes personal data on behalf of the data controller (if any);
- The purpose of the processing;
- The list of personal data that may be collected and processed;
- The types of processing that are authorised;
- The term for which the consent remains valid and the way it may be revoked; and
- The data subject’s signature.
The data controller must ensure the confidentiality of personal data. The data controller and any other persons who have access to the personal data must not disclose it to a third party without the prior consent of the data subject.
Under recently adopted amendments to the law, prior to transferring personal data out of Russia the data controller must notify Roskomnadzor of its intention to carry out cross-border data transfers.
The law distinguishes between countries that provide adequate protection of personal data and countries that do not. This distinction affects the transfer procedure, as described below.
The fact that the recipient state ratified the Convention is sufficient ground to deem that the state provides adequate protection of personal data for the purposes of the DPA.
In addition, Roskomnadzor issued Order No. 274 of 15 March 2013 'On endorsement of the List of the Foreign States Which are Not Parties to the EC Convention for the Protection of Individuals With Regard to Automatic Processing of Personal Data'. The Order contains the list of countries that are officially recognised by the Russian authorities as 'ensuring adequate protection'. Apart from the parties to the Convention, there are 23 such 'white-listed' states at the time of writing.
For both categories of country Roskomnadzor has the right to restrict cross-border transfers. For countries that provide adequate protection of personal data, the controller must notify Roskomnadzor beforehand but may commence the cross-border transfer without waiting for Roskomnadzor's express or tacit approval (and must discontinue the transfer if Roskomnadzor objects). For countries that do not provide adequate protection for the purposes of the DPA, transfer is not permissible until Roskomnadzor issues express or tacit approval within the statutory timeframes.
Data controllers are required to take appropriate technical and organisational measures against unauthorised or unlawful processing and accidental loss, changing, blocking or destruction of, or damage to, personal data.
A recent special regulation sets out specific measures that the data controller must take to ensure the security of personal data, data systems, biometric data carriers and related technologies.
Under the recently adopted amendments, once the fact of an unlawful or accidental transfer (dissemination) of personal data that has resulted in a violation of data subjects' rights is established, the data controller must:
- within 24 hours, notify Roskomnadzor of:
  - the incident;
  - the suspected causes of the violation of data subjects' rights;
  - the estimated harm inflicted on data subjects' rights;
  - the measures taken to remedy the consequences of the incident; and
  - the details of the contact person for communication with Roskomnadzor.
- within 72 hours, notify Roskomnadzor of the results of the internal investigation of the incident and provide information on the parties, if any, whose actions caused the incident.
These timeframes are very short and may cause significant practical difficulties in complying with them.
In Russia, the Agency is responsible for the enforcement of the DPA. The Agency is entitled to:
- carry out checks;
- consider complaints from data subjects;
- require the submission of necessary information about personal data processing by the data controller;
- require the data controller to take certain actions prescribed by law, including discontinuing the processing of personal data;
- file court actions;
- initiate criminal cases; and
- impose administrative liability.
If the Agency becomes aware that a data controller is in violation of the law, it can serve an enforcement notice requiring the data controller to rectify the position.
A data controller can face civil or administrative liability for a violation of personal data law. Officers of the data controller responsible for the offence may also face disciplinary action. Criminal liability may be imposed for a narrow set of particularly intrusive violations, such as intentional intrusion into the private life of individuals.
Usually, in the case of a violation of data protection law, the Agency will serve an enforcement notice requiring the position to be rectified and may also impose an administrative penalty and / or recommend disciplinary action against the officers of the data controller who are responsible for the offence.
The maximum administrative penalty that can be imposed, as at the date of this review, is RUB 18,000,000 (Russian roubles) for violation of the data localisation rules (though the amount imposed is usually much lower in practice). For other data protection violations the administrative fines are much lower.
Electronic marketing activities are subject to limitations set by the Russian Law on Advertising No. 38-FZ of 13 March 2006, under which the distribution of advertising through telecommunications networks, in particular by telephone, facsimile and mobile telephone communications, is allowed only with the prior consent of the subscriber or addressee to receive advertising.
Advertising is presumed to have been distributed without the prior consent of the subscriber or addressee unless the advertising distributor can prove that such consent was obtained. The advertising distributor is obliged to stop distributing advertising immediately to any person who demands that it cease.
Russian law does not specifically regulate online privacy. The definition of personal data under the DPA is rather broad, and there are views that information on the number and length of visits to particular websites and IP addresses (in combination with other data allowing the user to be identified) could be considered personal data.