Data Protection in Russia

Transfer in Russia

According to recently adopted amendments to the law, prior to a transfer of personal data out of Russia, the data controller must notify the Agency of planned cross-border data transfers.

The law distinguishes between countries that provide “adequate protection” of personal data and countries that do not. This distinction affects the transfer procedure, as described below. Jurisdictions which have adopted the Convention are generally considered to provide adequate protection, and some others are designated by the Agency as well (Roskomnadzor Order No. 128 of 5 August 2022 “On Endorsement of the List of Foreign States Providing Adequate Protection of the Rights of Personal Data Subjects”). The Order currently lists 34 so-called 'white-listed' states.

The Agency has the right to restrict cross-border transfers to both types of countries. For countries that provide adequate protection of personal data, the controller must notify the Agency beforehand but may commence the cross-border data transfer without waiting for approval of the transfer. Should the Agency object to the transfer, the controller must discontinue it. For countries that do not provide adequate protection of personal data for the purposes of the DPA, the transfer can be performed only after approval from the Agency is received. Approval can be “received” either expressly or by the lapse of the relevant time frame. No response from the Agency is deemed to be an approval.
