Data Law Navigator | Russia
Information on Data Protection and Cyber Security laws from CMS experts
The content will be periodically updated by our lawyers but, given the constantly evolving laws in this area, we cannot guarantee the content is complete and accurate.
Last updated 24 October 2018
- Federal Law No. 152-FZ “On Personal Data” (the “Data Protection Law”)
- Labour Code of the Russian Federation (for personal data of employees)
- The Ministry of Digital Development, Communications and Mass Media of the Russian Federation (Minkomsvyaz) http://minsvyaz.ru/en/
- The Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor) http://eng.rkn.gov.ru/
Anticipated changes to law
Russia has recently signed an Amending Protocol updating the Council of Europe Convention No. 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data. National data protection law is expected to be amended to comply with the Convention. For example, a breach notification obligation should be introduced, and genetic data should be added as a new category of sensitive personal data.
Stage of legislative implementation of GDPR
Local derogations as permitted by GDPR
The Data Protection Law regulates the rights of data subjects and the obligations of data controllers, consent rules, data localization and cross-border data transfer.
The Data Protection Law provides an exemption for data processing by individuals for personal needs and for processing of state secrets.
The Data Protection Law applies to all data controllers in Russia, including branches and representative offices of foreign companies.
The localisation requirement also applies to foreign websites that target the Russian market.
Violation of data protection law may result in administrative, civil or even criminal liability.
Most frequent violations include:
- Failure to obtain the written consent of a personal data subject – fine of RUB 15,000 to RUB 75,000 (approx. EUR 200 to EUR 1,000)
- Processing of personal data without proper legal grounds – warning or fine of RUB 30,000 to RUB 50,000 (approx. EUR 400 to EUR 667)
- Failure to inform a data subject about the processing of his personal data – warning or fine of RUB 20,000 to RUB 40,000 (approx. EUR 267 to EUR 533)
- Failure to publish a personal data processing policy – warning or fine of RUB 15,000 to RUB 30,000 (approx. EUR 200 to EUR 400)
- Failure to file a notification with Roskomnadzor – warning or fine of RUB 3,000 to RUB 5,000 (approx. EUR 40 to EUR 67)
- Breach of the localisation requirement – blocking of the website based on a court decision
Registration / notification
Roskomnadzor must be notified of personal data processing before the processing commences.
Main obligations and processing requirements
Data subject consent is the most common legal ground for data processing. Other common grounds include performance of an agreement with the data subject or compliance with statutory obligations.
The law requires data controllers to take the following main steps:
- define the categories of personal data processed
- define the purposes and duration of processing
- obtain the data subject's consent (unless an exception applies)
- appoint a data protection officer, adopt a data protection policy and take appropriate security measures to prevent unauthorised processing
- notify Roskomnadzor of the commencement of data processing
Localisation rules require data controllers to initially process personal data of Russian citizens on servers physically located in Russia.
Data subject rights
Data subjects have the right to:
- access information concerning their data
- rectify, erase or block the processing of their personal data, especially if the data are incomplete or inaccurate
- object at any time, on legitimate grounds, to the processing of their data
Processing by third parties
To transfer personal data to third parties, the consent of the personal data subject is normally required. Third parties must comply with the same legal requirements, obligations and data processing rules as data operators. The data processor is liable for acts or omissions of third parties acting under its authorisation, while the respective third parties are liable to the processor for data breaches.
Transfers out of country
The Data Protection Law distinguishes two types of cross-border data transfer:
- transfer of data to countries with adequate protection of personal data (“Safe Countries”); and
- transfer of data to countries without adequate protection of personal data (“Unsafe Countries”).
Safe Countries comprise signatories to the Strasbourg Convention of 28 January 1981 and countries included in the specific safe countries list of Roskomnadzor (which includes Canada and Australia, among others).
Transfers of personal data to Safe Countries are subject to the requirements of the Data Protection Law. Transfers to Unsafe Countries (for example, to the US) additionally require the qualified consent of the data subject, unless an exception applies.
Data Protection Officer
A data protection officer shall be appointed and notified to Roskomnadzor.
The data operator should take appropriate legal, organisational and technical measures to protect personal data against any unauthorised or illegal actions in respect of personal data, such as accidental access, unauthorised copying, etc.
Currently there is no mandatory requirement to report data breaches to data subjects or to Roskomnadzor. However, the Central Bank of Russia plans to introduce a breach reporting requirement for banks.
The prior consent of the individual to use his personal data is required for direct marketing purposes.
The Data Protection Law does not define "cookies". However, in some circumstances courts have treated cookies as personal data.
- Clarification of the Localisation Rules (in Russian): http://minsvyaz.ru/ru/personaldata/
Last reviewed 24 October 2018
*Unknown, as the Law is not yet effective and no practice is available.
Laws and regulations
- Federal Law of 26 July 2017 No. 187-FZ On Security of Critical Informational Infrastructure of the Russian Federation (“the Law”) – came into force on 1 January 2018.
Anticipated changes to law
By-laws regulating specific rules concerning critical informational infrastructure are to be adopted.
The Law sets out requirements for ensuring the security of critical informational infrastructure in the health care, science, transportation, communication, banking, financial market, energy, nuclear energy, defence, aerospace, mining, iron and steel and chemicals sectors.
The Federal Service for Technical and Export Control (FSTEC): http://fstec.ru/en/
- Requirement to establish and maintain a security system.
- Obligation to assess and assign a level of importance to the critical infrastructure, subject to notification to the authority in charge.
- Mandatory reporting of all incidents threatening the security of the critical infrastructure.
- Assessment of security level.
To be adopted.
Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)?
A National Coordination Center for Computer Incidents will be created under the Law, but it has not yet been set up.
Is there a national incident management structure for responding to cybersecurity incidents?
Such a procedure, or a similar one, is to be adopted by the authority in charge.
Other cybersecurity initiatives
Regulations supporting the Law are expected to be adopted soon.