
Data protection (privacy) law in Russia is a rapidly developing branch of Russian legislation, most of which was enacted in 2005 and 2006. The Russian Federal Law "On Personal Data" (No. 152-FZ), adopted on July 27, 2006, constitutes the backbone of Russian privacy law and requires data operators to take "all the necessary organizational and technical measures required for protecting personal data against unlawful or accidental access". An amendment (Federal Law No. 519-FZ) was signed on December 30, 2020 and came into effect on March 1, 2021. It requires a separate, explicit consent from the data subject before personal data may be made publicly available (disseminated), and third parties may no longer process such data merely because it is accessible to the public. Russia's Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor) is the government agency tasked with overseeing compliance.


Applicable laws

*the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Council of Europe Convention 108), signed by the Russian Federation in 2001 and ratified on December 19, 2005;
*the Federal Law "On Personal Data" of 27.07.2006 No. 152-FZ, regulating the processing of personal data by automated means (and manual processing of a comparable nature). It is the operator who is required to comply with this Act;
*the "Regulations on securing personal data being processed in personal data information systems", enacted by Government Decree of 17.11.2007 No. 781, which contained mandatory security requirements for processing and storing personal data (superseded in 2012 by Government Decree of 01.11.2012 No. 1119, which sets the current protection requirements);
*the Federal Law "On Advertising" of 13.03.2006 No. 38-FZ, which regulates marketing communications sent, inter alia, by electronic means including e-mail and SMS;
*the Code of the Russian Federation on Administrative Offences of 30.12.2001 No. 195-FZ, which establishes liability for administrative offences committed in connection with the processing of personal data or the distribution of marketing communications.


Definitions

*personal data is any information relating to an identified or identifiable natural person (the personal data subject), including last name, given name and patronymic; date, month, year and place of birth; address; family, social and property status; education; profession; income; and other information;
*sensitive (special) personal data means personal data relating to:
** race or ethnic origin
** political opinions
** religious beliefs
** health condition
** sexual life
*processing is anything that can be done to or with personal data, including collecting, organizing, accumulating, storing, adjusting (updating, modifying), using, disclosing (including transfer), depersonalizing (anonymizing), blocking or destroying such data;
*operator is an entity which organizes and/or performs data processing and determines the purposes and manner of that processing. In most cases both the parent company and the entity which manages the relevant facility or service offered will be operators;
*personal data (information) system is a data system comprising the personal data recorded in a database together with the information technologies and technical equipment that make processing of such data possible.


Basic rules contained in the applicable legislative acts

Consent of the individual is required for the processing of his or her personal data. This rule does not apply where the processing is necessary for the performance of a contract to which the individual is a party. A personal data subject is entitled at any time to revoke previously granted consent, which obliges the operator to stop processing the personal data and destroy it within three business days of the revocation (unless another period was agreed between the operator and the individual), and to notify the personal data subject that the data has been destroyed. (The three-business-day period is that of the 2006 text of the law; the 2011 amendments extended it to thirty days.)

Processing of personal data for direct marketing may be performed only with the prior consent of the personal data subject. Lack of such consent is presumed unless the operator proves the contrary, and such processing must cease immediately at the demand of the personal data subject.

When obtaining personal data, the operator is obliged, at the request of the individual, to provide information about the operator and the prospective processing. If personal data is not obtained directly from the personal data subject, the operator must, before processing, provide the individual with the following information:
*the name and address of the operator or its representative;
*the purpose and legal grounds of the processing;
*the expected users (recipients) of the personal data; and
*the rights of the individual under the Federal Law "On Personal Data" of 27.07.2006 No. 152-FZ.

As a general rule, processing of sensitive personal data is prohibited unless the individual has given express written consent, containing all the conditions required by the law, before the processing begins.
Generally, to transfer personal data outside the Russian Federation, the operator must ensure, before the transfer, that the rights of personal data subjects will enjoy adequate protection in the country of destination. Until 1 September 2015 the position of Roskomnadzor (referred to on this page as the "Federal Service on Telecommunications"), the governmental body responsible for personal data protection, was that adequate protection exists only in those foreign states which have signed and ratified the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. Nevertheless, there are three major exceptions which permit transfer of personal data to countries with a lower standard of protection, or none, namely:
*when the transfer is necessary for the performance of a contract to which the individual is a party;
*when the personal data subject has given prior written consent, containing all the conditions required by the law, to the transfer;
*when the transfer is necessary for the performance by the Russian Federation of its obligations under an international readmission agreement.

On 1 September 2015 a new Article 18(5), introduced by Federal Law No. 242-FZ of 21.07.2014, came into effect. It requires operators to collect, record, systematize, accumulate, store, update and retrieve the personal data of Russian citizens using databases located on the territory of the Russian Federation (the "data localization" requirement), which in practice restricts the export of such data further.

Russian legislation imposes strict limitations on the use of electronic means of communication for direct marketing. Express consent must be obtained from the individual before marketing communications are sent by e-mail or SMS; lack of such prior consent is presumed unless the sender proves the contrary, and sending must cease immediately on the individual's demand. It is also expressly prohibited to distribute advertising by automatic dialling or automatic mass mailing. To send marketing communications by post, the operator must obtain specific permission from the Federal Service on Telecommunications.
The procedure for obtaining such permission has, however, not been established.

Where personal data is processed it should be adequate, relevant and not excessive in relation to the purpose or purposes for which it is processed. Personal data being processed is subject to a confidentiality regime: the operator must employ sufficient technical and organisational means to prevent unauthorised access by third parties, and procedures (including internal regulations or orders) must be in place to govern access to such confidential information. Personal data should be accurate and, where necessary, kept up to date. The operator is obliged to make personal information available for examination by personal data subjects at their request; if a subject finds that the information is outdated or inadequate, the operator must stop processing it until the required corrections are made. Personal data should not be kept for longer than is necessary for the purposes for which it is processed, and must be destroyed once those purposes have been fulfilled or are no longer required.

Personal data must be processed in accordance with the rights of personal data subjects under the applicable data protection legislation. An operator will be in breach of this principle if, among other things, it:
*contravenes the right-of-access provisions set out in the legislation; or
*fails to comply with a request to cease processing within the time limit specified by the law or agreed between the parties.

Procedures must be in place to ensure that computer systems are configured to record accurately the giving of consent in all the relevant cases described here, and that any notices or requests are responded to and dealt with promptly.
Appropriate technical and organisational measures must be taken against unauthorised or unlawful processing of personal data and against accidental loss, destruction or damage. For electronic processing, operators should consider measures to ensure data integrity and confidentiality, including anti-virus software and firewalls, encryption of data transfers, privacy-enhancing technologies and regular backups that are securely stored. For manual processing, appropriate physical security should be considered, such as storing paper records in lockable, fire-proof cabinets.

The relevant provisions require effective protection of personal data. At the time this text was written, mandatory regulations on the protection of such data were still being developed by the Federal Security Service (FSB, referred to here as the "FSS"), with issue expected within two months; according to an FSB specialist consulted by telephone, the FSB had a preliminary draft that might still be modified before the final version was issued. That draft provided for the protection of all personal data transferred outside Russia by means of encryption. It is worth noting that, for such certified protection, it is in practice possible to use only Russian (GOST-based, state-certified) encryption software and equipment. Detailed requirements have since been issued: FSTEC Order No. 21 of 18.02.2013 sets the organisational and technical measures for personal data information systems, and FSB Order No. 378 of 10.07.2014 sets the requirements for cryptographic protection of personal data.


Individual rights

The legislation gives personal data subjects certain rights in respect of personal data held about them. These include:
*a right of access to information about the operator and the personal data being processed;
*a right to demand cessation of processing, blocking or correction of personal data which has been illegally obtained, is inadequate or is outdated; and
*a right to demand immediate cessation of processing for the purposes of direct marketing.


Personal data categories

The legislation describes the following categories of personal data:
*Public: personal data obtained only from publicly available sources of personal data created in accordance with Article 8 of the Federal Law "On Personal Data" (No. 152-FZ);
*Biometric: information characterising the physiological and biological features of a person, on the basis of which his or her identity can be established, and which the operator uses to identify the personal data subject;
*Special: personal data relating to race, ethnic origin, political opinions, religious beliefs, health condition or sexual life of personal data subjects;
*Other: personal data that does not belong to any of the above categories (public, biometric, special).


Notification

Operators to whom Russian legislation applies are required to notify the territorial body of the Federal Service for Supervision of Mass Communications, Communications and Protection of Cultural Heritage (referred to here as the "Federal Service on Telecommunications"; its functions have since passed to Roskomnadzor) for each region of Russia where the operator possesses personal data processing facilities. For Moscow this is the Moscow Department of that federal service. The notification serves to enter the operator into the Register of operators, and had to be made before January 1, 2008 by operators who processed personal data before the Federal Law "On Personal Data" of 27.07.2006 entered into force and continued to do so afterwards. Operators who had not processed personal data using their own or a third party's equipment located in Russia before the law entered into force must send the notification before they actually start processing personal data. The notification must contain the information prescribed by the applicable legislation.


Jurisdiction

Scope of application of Russian data protection legislation: Russian law applies when the operator uses its own or third-party data processing equipment located in Russia. It also applies where data has already been transferred outside Russia but the personal data subject's rights were violated before or during the transfer. If data is transferred outside Russia lawfully, it is thereafter governed by the law of the country of destination and Russian law no longer applies to it. In most cases the Federal Service on Telecommunications (Roskomnadzor) has jurisdiction only over data held or processed in Russia. Nevertheless, Russian data protection legislation will apply to data already transferred abroad where the rights of the individuals whose personal data was collected and processed on equipment located in Russia were violated before or during the transfer (for example, where an operator transferred personal data to a country without adequate protection without the data subject's prior written consent). In that case the Federal Service on Telecommunications may file lawsuits against operators to protect the rights of personal data subjects and impose fines for violation of the data protection legislation.


See also

*Data sovereignty
*Data localization
*Privacy
*Information privacy (data protection)
*Data governance
*National data protection authorities


External links

Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data

Russian legislation on-line data base (in Russian)

Alternative data base of the Russian laws, some available in English

Encyclopaedia of Russian law

filerskeepers, Russian records retention schedules

White Paper: Personal Data Protection in Russia