A Q&A guide to data protection in the Russian Federation.
This Q&A guide gives a high-level overview of data protection rules and principles, including obligations on the data controller and the consent of data subjects; rights to access personal data or object to its collection; and security requirements. It also covers cookies and spam; data processing by third parties; and the international transfer of data. This article also details the national regulator; its enforcement powers; and sanctions and remedies.
To compare answers across multiple jurisdictions, visit the Data protection Country Q&A tool.
This article is part of the PLC multi-jurisdictional guide to data protection. For a full list of contents, please visit www.practicallaw.com/dataprotection-mjg.
Fundamental provisions of data protection law can be found in:
The Strasbourg Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data 1981 (Strasbourg Convention).
Articles 23 and 24 of the Russian Constitution, which establish the right to privacy for each individual.
There is also specific data protection legislation, including:
The Data Protection Act No. 152 FZ dated 27 July 2006 (DPA), and the various regulations implementing the DPA.
The Information, Information Technologies and Information Protection Act No. 149 FZ dated 27 July 2006, which establishes basic protection for information.
Part XIV of the Russian Labour Code contains provisions on the protection of employees' personal data. Other laws, which implement the provisions of DPA in relation to specific areas of state services or industries, may also contain data protection provisions.
The laws apply to all natural and legal entities processing personal data in the Russian Federation. Russian laws do not distinguish between data "controllers" and "processors" and refer simply to processors.
A data processor is defined as "a state body, municipal body, legal or natural entity which alone or together with other persons organises and/or performs processing of personal data or defines the purposes of processing of personal data, types of personal data subject to processing and actions (operations) performed in relation to personal data".
All personal data is regulated. Personal data is any information that relates directly or indirectly to a specific or identifiable natural person (the data subject); information about legal entities is not covered.
All processing of personal data is regulated. This includes gathering, storing, blocking, deleting and transferring data.
The rules apply to all actions taking place in the Russian Federation. If cross-border agreements involve the transfer of personal data from Russia abroad, personal data protection laws apply to both:
The Russian parties who undertake such transfer from Russia.
The cross-border agreements.
The processing of data by an individual for that individual's personal non-commercial needs is exempt from data protection law. There may be other exemptions subject to special laws (such as the state archive fund or national security).
A processor of personal data must notify the Federal Service for Supervision of Communications, Information Technologies and Mass Media (Roskomnadzor) before it begins to process personal data (see box, The regulatory authority). There are a few exemptions from this notification obligation (such as when an employer processes the personal data of its own employees without transferring the data to third parties).
The notification must contain:
The name of processor.
The type of data.
A description of the categories of data subjects.
The purposes of processing.
The timeframes of processing.
The description of IT systems of the processor.
Data processors must:
Obtain consent from data subjects before processing personal data.
Take appropriate technical and organisational measures against:
unauthorised or unlawful processing;
accidental loss, changing, blocking or destruction of, or damage to, personal data.
Notify Roskomnadzor of their activities involving personal data.
The regulations in this area are constantly being developed and changed. This creates a high degree of uncertainty and difficulty for the data processors in understanding and implementing the regulations.
The consent of data subjects is required before processing personal data. Implied consent is not sufficient.
In a number of situations (such as cross-border transfers to unsecure jurisdictions or the transfer of personal data to third parties), the law requires consent to be given in writing.
Electronic digital signatures are permissible when they comply with the 2002 law on Electronic Digital Signatures.
There is no prescribed form of consent.
Processing without consent can be justified:
If it is necessary to perform a written contract with the data subject (that is, by implied consent).
On important public interest grounds.
By exemptions under special laws (such as laws governing statistics, archive activities, state services, and so on).
Sensitive personal data includes all information concerning a person's:
Health.
Private or intimate life.
Nationality.
Race.
Political, religious and philosophical views.
Sensitive data requires written consent before processing (subject to a few exceptions, including for medical and state security purposes).
Consent must be informed, that is, the purpose and volume of data collected and processed must be disclosed to the individual at the point of data collection or beforehand.
Subjects are entitled to:
Request access to their personal data, including details of the data processing, such as the:
types of data involved;
purposes of processing; and
name of the operator.
Demand that the processor discontinue processing their personal data (except where processing cannot be terminated or where termination would result in other violations of Russian law).
Subjects can request the deletion of their data if that data is:
Wrong.
Unlawfully obtained.
Not necessary for the declared purpose of processing.
Data processors must take appropriate technical and organisational measures, although the regulations in this area are constantly being developed and changed (see Question 8).
There is no formal requirement to notify personal data security breaches to data subjects or Roskomnadzor. Notification is neither practised nor advisable.
The data subject must give prior written consent to the transfer of data to third parties. Third parties are subject to the same requirements and obligations as data processors (see Questions 8 and 15).
There is currently no specific regulation governing cookies, so no conditions are imposed on data controllers in practice.
Unsolicited electronic commercial communications are unlawful. Spam can only be lawfully sent after obtaining an individual's consent and must be stopped at their request.
The transfer of data outside Russia is subject to the same general limitations as for the processing of personal data (see Questions 3 to 19). Data can be transferred to Strasbourg Convention states or other states that ensure adequate protection of personal data without following additional requirements (unless this would be contrary to public order, state security, and so on). Data can only be transferred to other states ("unsecure" jurisdictions) on limited grounds, including the written consent of data subjects. There are currently no established guidelines concerning which states are unsecure.
Data transfer agreements are in use, but they are not currently regulated. Roskomnadzor has not yet approved any standard forms.
The consent of the data subject is required to transfer data to "unsecure" jurisdictions (see Question 20).
Roskomnadzor does not need to approve the data transfer agreement.
Roskomnadzor can:
Undertake inspections of personal data processes conducted by processors.
Impose orders to cure violations and issue administrative fines on violating parties (currently up to RUB10,000; as at 1 June 2012, US$1 was about RUB33.1).
In the most serious cases, apply to the relevant enforcement authorities to initiate criminal proceedings or suspend the violating company's business activity.
See Question 24. Criminal sanctions are rarely applied in practice, but are available for the most serious violations (such as the intentional dissemination of personal data), which are punishable by imprisonment for up to two years.
Main areas of responsibility. Supervision of data processing, inspections, issuing regulations and guidelines, and accepting notifications from data processors.
T +7 495 221 4472
F +7 495 221 4401
E pavel.arievich@dlapiper.com
W www.dlapiper.com
Qualified. Russia, 2000; New York, US, 2001
Areas of practice. Intellectual property; trade marks; franchise law; data protection.