The Data Protection Law defines, in particular, personal data and data processing, regulates the rights of data subjects and the obligations of data controllers, consent rules, data localisation and cross-border data transfer.
The Data Protection Law does not contain an exhaustive list of data that is deemed to be “personal data”. Thus, what constitutes personal data must be assessed on a case-by-case basis. Personal data is defined as any information referring directly or indirectly to an identified or identifiable individual (the “data subject”).
The Data Protection Law also sets forth special categories of personal data. These cover information referring to a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, personal health, sex life and criminal record. In addition, the processing of biometric data is regulated by the Data Protection Law.
Data processing operations
The Data Protection Law applies to all personal data processing operations performed within Russia. However, in recent years Roskomnadzor has successfully blocked several websites that contained personal data of Russian citizens and were hosted or managed from abroad.
Personal data operations under the Data Protection Law include any processing of personal data, such as collection, recording, storage, transfer and deletion.
The Data Protection Law does not apply to personal data processing performed by individuals for their private needs.
Rights of the data subjects
Under the Data Protection Law, a data subject has the right to:
- request details of the processing of his/her personal data by a data controller (what data is being processed and why, etc.);
- revoke his/her consent to the data processing at any time;
- request, in certain cases, the rectification, blocking or deletion of his/her personal data; and/or
- be compensated for damages, including for moral harm.
Obtaining consent from the data subjects
Personal data may only be processed (i) based on the prior, voluntary, express and informed consent of the individual (data subject); or (ii) if the law expressly permits processing without the data subject’s consent.
Consent can be given in any form: orally, in writing, electronically or by implication. The data controller must ensure that it can prove that consent was duly obtained. In certain cases, the law requires written consent as described below.
Consent must be obtained in written form (“Qualified Consent”) when:
- special categories of personal data and/or biometric personal data are processed;
- personal data is transferred to countries which do not ensure an adequate level of protection of personal data (“Unsafe Countries”);
- decisions are taken automatically and such a decision could influence the rights and freedoms of a data subject; and
- employees’ personal data is transferred to a third party, including companies of the same group.
Qualified Consent must contain the following elements:
- name, address and passport details of the data subject;
- name and address of the personal data controller;
- purpose of the personal data processing;
- list of the personal data to be processed for which consent is given;
- list of the operations to be performed with the personal data and a general description of the methods to be used for personal data processing;
- term during which the personal data will be processed and how consent can be withdrawn; and
- data subject’s signature.
Cross-border transfer of personal data
The Data Protection Law distinguishes two types of cross-border data transfer:
- the transfer of data to countries with adequate protection of personal data (“Safe Countries”); and
- the transfer of data to Unsafe Countries.
Safe Countries comprise signatories to the Strasbourg Convention and countries that are included by Roskomnadzor in the Safe Countries List. Roskomnadzor occasionally amends this list, which now consists of 22 countries.
The cross-border transfer of personal data to Safe Countries may be performed in accordance with the requirements for internal data transfer. The cross-border transfer to Unsafe Countries requires Qualified Consent to be obtained from the data subject, except in cases expressly provided by the law.
Data controllers and data processors
The Data Protection Law defines the data controller as an entity (a state agency, municipal authority or legal entity) or individual who organises the processing of and/or processes personal data. The data controller also determines the purposes and scope of processing, the content of the personal data to be processed and the actions performed with the data.
Main obligations for data controllers
The main obligations of the personal data controllers are to:
- notify Roskomnadzor of their intention to process personal data, except when an exemption applies;
- ensure personal data security;
- adopt a personal data processing policy which includes the list of data, the purposes of data processing, etc.;
- appoint a data protection officer responsible for the organisation of data processing within the company;
- periodically perform internal audits and assessments of the effectiveness of measures applied to protect personal data;
- retain control over such measures and the level of protection of personal data (in particular in cases where data processing is outsourced); and
- ensure that the recording, systemisation, accumulation, storage, clarification (updating, modification) and retrieval of Russian citizens’ personal data is conducted in databases located within Russia.
Exceptions to the requirement to notify Roskomnadzor of the intention to process personal data
Notification is not required, in particular, to process (i) personal data of employees, when such data is processed by their employer for the purposes of the employment relationship; (ii) personal data received by the data controller in order to conclude and perform an agreement with the respective data subject; and (iii) personal data made public by the data subject.
According to the law, personal data must be protected against unauthorised access, alteration, transfer, disclosure or deletion, as well as against damage and accidental destruction. In order to ensure the security of personal data, the data controller must, in particular:
- use technical devices certified by the competent Russian authorities and keep a record of the devices on which the personal data is stored;
- determine the level of damage which may be caused in the event of unauthorised processing of personal data; and
- establish rules relating to access to personal data.
The Data Protection Law does not provide further details on the technical and organisational measures mentioned above, although some detailed requirements are provided in the relevant regulatory orders.
Data controllers who collect personal data of Russian citizens must ensure that the recording, systemisation, accumulation, storage, clarification (updating, modification) and retrieval of Russian citizens’ personal data are conducted only in databases located within Russia. There are a limited number of exceptions to this requirement, which usually do not apply to businesses.
When notifying Roskomnadzor of the commencement of processing of personal data, data controllers are required to state the location of the database containing Russian citizens’ personal data.
Data controllers may outsource the processing of personal data. To do so they must enter into an agreement with a data processing service provider (a “Technical Processor”). The agreement must contain certain essential terms as set out by the Data Protection Law. Data controllers nevertheless remain responsible to data subjects for the fulfilment of their obligations. The Technical Processor must ensure the confidentiality and protection of the personal data.