Data Law Nav­ig­at­or | Rus­sia

In­form­a­tion on Data Pro­tec­tion and Cy­ber Se­cur­ity laws from CMS ex­perts

< back to Overview

The content will be periodically updated by our lawyers but, given the constantly evolving laws in this area, we cannot guarantee the content is complete and accurate.

Jump directly to Cyber Security
 

Data Protection

Last updated 24 October 2018

Risk scale 

Laws

  • Federal Law No. 152-FZ “On Personal Data” (the “Data Protection Law”)
  • Labour Code of the Russian Federation

        (for personal data of employees)

Authority

  • The Ministry of Digital Development, Communications and Mass Media of the Russian Federation (Minkomsvyaz) http://minsvyaz.ru/en/
  • The Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor) http://eng.rkn.gov.ru/

Anticipated changes to law

Russia has recently signed an Amending Protocol updating the Council of Europe Convention No. 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data. National data protection law is expected to be amended to comply with the Convention. For example, a breach notification obligation should be introduced, as well as genetic data – a new category of sensitive personal data.

Stage of legislative implementation of GDPR 

Not applicable.

Local derogations as permitted by GDPR

Not applicable.

Scope 

The Data Protection Law regulates the rights of data subjects and the obligations of data controllers, consent rules, data localization and cross-border data transfer.

The Data Protection Law provides an exemption for data processing by individuals for personal needs and for processing of state secrets.

The Data Protection Law applies to all data controllers in Russia, including branches and representative offices of foreign companies.

The localisation requirement also applies to the foreign websites that target the Russian market.

Penalties/enforcement

Violation of data protection law may result in administrative, civil or even criminal liability.

Most frequent violations include:

  • Failure to obtain a written consent of a personal data subject – fine of RUB 15,000 to RUB 75,000 (approx. EUR 200 to EUR 1,000)
  • Processing of personal data without proper legal grounds – warning or fine of RUB 30,000 to RUB 50,000 (approx. EUR 400 to EUR 667)
  • Failure to inform a data subject on the processing of his personal data – warning or fine of RUB 20,000 to RUB 40,000 (approx. EUR 267 – EUR 533)
  • Failure to publish a personal data processing policy – warning or fine of RUB 15,000 to RUB 30,000 (approx. EUR 200 to EUR 400)
  • Failure to file a notification to the Roskomnadzor – warning or fine of RUB 3,000 to RUB 5,000 (approx. EUR 40 to EUR 67)
  • Breach of the localisation requirement – blocking of the website based on a court decision

Registration / notification

Personal data processing should be notified to the Roskomnadzor before commencing processing.

Main obligations and processing requirements

Data subject consent is a most common legal ground for data processing. Other common grounds include performance of an agreement with a data subject or complying with statutory obligations. 

The law requires data controllers to make the following main steps:

  • define categories of personal data
  • purposes and duration of processing
  • obtain a data subject's consent (unless an exception applies)
  • appoint a data protection officer, adopt a data protection policy and take appropriate security measures to prevent unauthorised processing
  • notify Roskomnadzor on the commencing of data processing

Localization rules require data controllers initially process personal data of Russian citizens on servers physically located in Russia.

Data subject rights

Data subjects have the right to:

  • access to information concerning their data
  • to rectify, erase or block the processing of their personal data, especially if the data are incomplete or inaccurate
  • to object at any time on legitimate grounds to the processing of their data

Processing by third parties

To transfer personal data to third parties, a consent of a personal data subject is normally required. Third parties must comply with the same legal requirements and obligations as data operators and data processing rules. The data processor is liable for acts or omissions of third parties acting under its authorisation, while the respective third parties are liable to the processor for data breach.

Transfers out of country

The Data Protection Law distinguishes two types of cross-border data transfer:

  • transfer of data to countries with adequate protection of personal data (“Safe Countries”); and
  • transfer of data to countries without adequate protection of personal data (“Unsafe Countries”). 

Safe Countries comprise signatories to the Strasbourg Convention of 28 January 1981 or countries that are included into the specific safe countries list of Roskomnadzor (includes Canada and Australia among others).  

To the transfer of personal data to the Safe Countries requirements of the Data Protection Law apply. Transfer to the Unsafe Countries (for example to the US) requires an additional qualified consent of the data subject, unless an exception applies.

Data Protection Officer

A data protection officer shall be appointed and notified to Roskomnadzor.

Security

The data operator should take appropriate legal, organisational and technical measures to protect personal data against any unauthorised/illegal actions in respect to personal data, such as accidental access, unauthorised copying, etc.

Breach notification

Currently there is no mandatory requirement to report data breaches to data subjects or to Roskomnadzor. However, the Central Bank of Russia plans to introduce breach reporting requirement to the banks.

Direct marketing

The prior consent of the individual to use his personal data is required for direct marketing purposes.

Cookies

The Data Protection Law does not define "cookies". However, under some circumstances cookies were considered by courts as personal data.

Useful links

  • Clarification of the Localisation Rules (in Russian): http://minsvyaz.ru/ru/personaldata/

 

Cyber Security

Last reviewed 24 October 2018

Risk scale

*Unknown, as the Law is not yet effective and no practice is available.

Laws and regulations

  • Federal Law of 26 July 2017 No. 187-FZ On Security of Critical Informational Infrastructure of the Russian Federation (“the Law”) – came into force on 1 January 2018.

Anticipated changes to law

By-laws regulating specific rules concerning critical informational infrastructure are to be adopted.

Application 

The Law sets out requirements for ensuring security of critical informational infrastructure in the health care, science, transportation, communication, banking, finance market, energy, nuclear energy, defence, aerospace, mining, iron and steel and chemicals sectors.

Authority

The Federal Service for Technical and Export control: http://fstec.ru/en/

Key obligations 

  • Requirement to establish and maintain a security system.
  • Obligation to assess and assign a level of importance to the critical infrastructure, subject to notification to the authority in charge.
  • Mandatory reporting of all incidents threatening the security of the critical infrastructure.
  • Assessment of security level.

Penalties/enforcement

To be adopted.

Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)? 

A National Coordination Center for Computer Incidents will be created under the Law, but it has not yet been set up.

Is there a national incident management structure for responding to cybersecurity incidents?

This or similar procedure should be adopted by the authority in charge.

Other cybersecurity initiatives 

Regulations supporting the Law are expected to be adopted soon.

 

 < back to Overview

Authors

Konstantin-Bochkarev
Konstantin Bochkarev
Counsel
Moscow