Russia: Data Protection & Cyber Security


This country-specific Q&A provides an overview of the data protection and cyber security laws and regulations that apply in Russia.

This Q&A is part of the global guide to Data Protection & Cyber Security. For a full list of jurisdictional Q&As visit http://www.inhouselawyer.co.uk/practice-areas/data-protection-cyber-security/

  1. Please provide an overview of the legal framework governing privacy in your jurisdiction (e.g., a summary of the key laws, who is covered by them, what sectors, activities or data do they regulate, and who enforces the laws)?

    The primary law governing data and privacy issues is the Constitution of the Russian Federation, which grants citizens the right to privacy of correspondence, telephone conversations, mail, telegraph and other communications. The core laws that develop these constitutional principles are:

    • Federal Law “On Personal Data” dated 27 July 2006 No. 152-FZ (“Personal Data Law”), which is the principal law in the sphere of data and privacy;
    • Federal Law “On Information, Information Technologies and Protection of Information” dated July 27, 2006 No. 149-FZ, which provides for rights relating to the use of information, protection of information and use of information technologies;
    • Federal Law “On Security of Critical Information Infrastructure of the Russian Federation” dated July 26, 2017 No. 187-FZ, which governs the security of so-called critical information infrastructure and the obligations of critical information infrastructure subjects;
    • Labour Code of the Russian Federation dated December 30, 2001 No. 197-FZ, which regulates the processing of employees’ data.

    Important administrative regulations have also been issued by the Russian authorities, namely:

    • “Requirements to Security of Personal Data Processed in Information Systems of Personal Data” approved by the Decree of the Government of the Russian Federation dated November 1, 2012 No. 1119;
    • “Scope and Composition of Organizational and Technical Measures to Ensure Security of Personal Data Processed in Information Systems of Personal Data” approved by the Order of the Federal Service for Technical and Export Control dated February 18, 2013 No. 21;
    • “Scope and Composition of Organizational and Technical Measures to Ensure Security of Personal Data Processed in Information Systems of Personal Data with Use of Cryptographic Protection of Information Required to Comply with Personal Data Security Requirements Stated by the Government of the Russian Federation with respect to each Security Level” approved by the Order of the Federal Security Service dated July 10, 2014 No. 378;
    • “Regulations on Peculiarities of Personal Data Processing Carried Out without Automated Means” approved by the Decree of the Government of the Russian Federation dated September 15, 2008 No. 687.

    The main regulators in the area of data protection are as follows:

    • Russian Data Protection Authority – Federal Service for Supervision of Communications, Information Technology, and Mass Media (“Roskomnadzor”) is a supervisory authority in the area of personal data protection. It carries out its functions through its central office and regional offices responsible for supervision over data controllers in their respective regions of Russia.
    • Russian Federal Service for Technical and Export Control (“FSTEC”) is an authority responsible for supervision over protection of confidential information with use of technical tools.
    • Russian Federal Security Service (“FSB”) is an authority responsible for supervision over protection of confidential information with use of encryption tools.

  2. Are there any registration or licensing requirements for entities covered by these laws and, if so, what are the requirements? Are there any exemptions?

    Registration with Roskomnadzor. There is a basic requirement to file a notification with Roskomnadzor on processing of personal data (“PII”) and thereby register as a data controller. There are, however, some exceptions to this rule, namely where PII:

    1. is processed in order to fulfil obligations imposed on the data controller in accordance with employment laws;
    2. is processed to fulfil the contract with the data subject, provided that the PII is used by the data controller solely for performance of that contract and not provided to the third parties;
    3. is made publicly available by a data subject;
    4. relates to members of a public association or religious organization and is processed by such association or organization for performance of the legitimate tasks set out in their constituent documents, provided that the PII is not distributed or disclosed to third parties without the data subjects’ written consent;
    5. includes data subjects’ names, patronymics and surnames only;
    6. is necessary for granting to data subject one-time authorization to access the data controller’s territory, or for similar purposes;
    7. is included in the state information systems and state PII information systems created to protect the state and public order;
    8. is processed without use of automated means;
    9. is processed in accordance with Russian laws on transportation security in order to ensure sustainable and secure functioning of the transport system, preserve private, social and public interests, and protect the public order.

    Roskomnadzor construes these exceptions very narrowly and, practically speaking, the majority of companies processing data should register as data controllers.

    The notification is filed by the company once and covers all PII processing activities (i.e., those relating to all data subjects, such as employees, clients, representatives of business partners etc.). If there are any changes in PII processing activities, the data controller must notify Roskomnadzor of those changes within 10 business days. Registration does not require payment of state duties or other fees. There is an approved template of the registration form that should be completed.

    Formally speaking, the data controller should notify Roskomnadzor prior to starting PII processing activities. However, from a practical perspective, registration with Roskomnadzor is not a precondition of such processing.

    Licensing requirements. Processing of PII does not require the company to obtain any prior authorization such as a license.

    However, there are certain services in the area of data protection which may be provided only by companies authorized to do so under the respective licenses. Such services in particular include technical protection of confidential information (including PII) and protection of information with use of encryption tools. The licensing bodies are FSTEC and FSB respectively.

    The licensing requirements apply only where such services are rendered to third parties. They do not apply to security measures implemented by a company for its own business needs.

  3. How do these laws define personally identifiable information (PII) versus sensitive PII? What other key definitions are set forth in the laws in your jurisdiction?

    The Personal Data Law defines PII as any information relating to a directly or indirectly identified or identifiable individual (data subject). This definition is construed very broadly by the courts and Roskomnadzor: information will likely be considered PII if it allows even indirect identification of a data subject. However, whether particular information constitutes PII often requires case-by-case analysis.

    Other important definitions under Personal Data Law are as follows:

    Data controller means a legal entity arranging (alone or jointly with others) and/or carrying out processing of PII, as well as defining the purposes of processing, the operations performed on the PII (types of processing), the scope and the categories of the PII.

    Data Processor means a person carrying out processing of PII upon assignment of the data controller.

    Processing of PII means any action (operation) or set of actions (operations) performed with the use of automated means or without such, including collection, recording, systematization, accumulation, storage, specifications (updating, modification), retrieval, use, transfer (dissemination, provision, access), depersonalization, blockage, deletion, destruction of PII.

    Automated processing of PII means processing of PII using means of computer technology.

    Distribution of PII means any actions aimed at disclosure of PII to an unlimited number of people (audience).

    Provision of PII means actions aimed at disclosure of PII to a specified (limited) number of people (audience).

    Blocking of PII means the temporary suspension of data processing.

    Destruction of PII means actions which make it impossible to recover PII from information systems and/or the destruction of media holding PII.

    Anonymization of PII means actions which make it impossible to identify the data subject from PII without additional information.

    Information system of PII means a set of PII contained in databases together with the information technologies and technical means ensuring its processing.

    Cross-border (international) transfer of PII means the transfer of PII abroad to foreign state authorities, foreign citizens or foreign legal entities.

    For details regarding processing of sensitive PII, please refer to Q.6.

  4. Are there any restrictions on, or principles related to, the general processing of PII – for example, must a covered entity establish a legal basis for processing PII in your jurisdiction or must PII only be kept for a certain period? Please outline any such restrictions or “fair information practice principles” in detail?

    The key principles relating to processing of PII are set out by the Personal Data Law:

    • Processing of PII shall be lawful. In particular, it implies ensuring legal grounds for data processing by the data controller.
    • Purpose limitation principle implying that processing of PII shall be limited to achievement of specific lawful purpose and PII shall not be processed for other incompatible purpose.
    • It is prohibited to merge databases containing PII processed for different, incompatible purposes.
    • Data minimization principle implying that scope and content of PII shall be limited to what is necessary to achieve the specific data processing purpose. PII being collected and processed shall not be excessive in the context of the data processing purpose.
    • PII shall be kept accurate, complete and up-to-date. Data controller shall rectify or delete data, which is inaccurate or incomplete.
    • Once the purposes of processing are achieved, PII shall not be stored in a form allowing identification of the data subject, unless otherwise provided by legislation or by an agreement to which the data subject is a party, beneficiary or guarantor. Once the purposes of processing are achieved, PII shall be destroyed or anonymized, unless otherwise provided by legislation.

  5. Are there any circumstances where consent is required or typically used in connection with the general processing of PII and, if so, are there are rules relating to the form, content and administration of such consent?

    Under the Personal Data Law, PII can only be processed on an appropriate legal ground. In practice, the data subject’s consent is the most widespread legal ground.

    Consent shall be fully informed, precise (informative) and freely given. It shall be opt-in consent; the concept of opt-out consent is not recognized in Russia. The data subject may revoke consent at any time, in which case the data controller is obliged to terminate processing unless there are other legal grounds for continuing it.

    In certain cases, Russian laws require the data subject’s written consent, e.g., in case of data transfer to ‘inadequate’ jurisdictions; inclusion of PII in publicly available sources of information (e.g. address books, corporate networks on the intranet, etc.); processing of sensitive or biometric PII; transfer of employees’ PII to third parties (including affiliates of the employing entity); and collection of employees’ PII from third parties (i.e. not requesting data directly from the employees).

    Written consent must be executed in hard copy with the data subject’s wet signature and contain certain details prescribed by legislation, namely:

    • data subject’s name, address and passport details;
    • name, address and passport details of the data subject’s representative, and details of the document confirming the representative’s authorization (where consent is given by such a representative);
    • name and address of the data controller;
    • purpose of PII processing;
    • categories of PII to be processed;
    • name and address of the data processors;
    • operations on PII (collection, recording, systematization etc.) and a general description of data processing methods (automated, manual, mixed);
    • term of consent and procedure for its withdrawal.

    Such consent may instead be signed with a digital signature. However, the signature must be a so-called reinforced qualified signature (a signature based on an encryption solution and issued by a state-accredited certification center), which makes this option impractical for the majority of companies.

    Under current enforcement practice, each consent should cover only one purpose of data processing. A single consent template covering several purposes will not be compliant.

  6. What special requirements, if any, are required for processing sensitive PII? Are there any categories of PII that are prohibited from collection?

    Sensitive PII is PII relating to racial or ethnic origin, political views, religious or philosophical beliefs, health or sex life.

    Generally, such PII can be processed, but only on a limited set of grounds, such as: the data subject’s written consent (the form and content of which are subject to certain statutory requirements); the data subject having made the data publicly available; processing being necessary to protect the life, health or other vital interests of the data subject or third parties where obtaining consent is impossible; and some other cases provided for by Russian laws, which rarely apply in practice.

    Information on data subject’s criminal records may be processed by public authorities within their powers and by other persons in cases explicitly prescribed by federal laws. In particular, processing of information on criminal records is required in the course of applying for certain jobs (e.g. teaching activities).

    Please note that an employer shall not process an employee’s PII on his/her membership in public associations or labour union activities unless otherwise provided by law.

    Russian law also distinguishes biometric PII. This is data relating to physiological and biological characteristics of an individual which allow the individual to be identified and which is actually used by the data controller for the purpose of identification. Such data may only be processed with the written consent of the data subject (subject to some statutory requirements to its form and content) or pursuant to Russian law and applicable international treaties.

  7. How do the laws in your jurisdiction address children’s PII?

    Russian data protection laws do not set out any specific rules with regard to processing of children’s PII.

    Under Russian law, children (i.e. those under the age of 18) exercise their rights and protect their interests through their parents (or other legal representatives). Thus, strictly speaking, where children’s PII is processed and this requires consent, such consent should be requested from the parents (or other legal representatives).

    However, in certain cases children from the age of 14 may act with a degree of independence, e.g. enter into small-scale transactions on their own. Thus, where children’s PII is processed in the context of such transactions, consent of the parent or legal representative is not needed. In practice, however, there is no unified approach to the notion of a small-scale transaction or to the age threshold requiring parental consent to data processing.

    Currently Russian Parliament is considering a draft bill on processing of children’s PII. Under this draft bill, processing of such data will be significantly restricted and will only be allowed based on parental consent (with exceptions only for children who started employment activity).

  8. Are owners or processors of PII required to maintain any internal records of their data processing activities or to establish internal processes or written documentation? If so, please describe how businesses typically meet these requirements.

    Formally speaking, Russian law does not use the terms PII owner and processor. Instead, there are the notions of a data controller (i.e. the entity determining the purposes and terms of processing) and a person carrying out processing of PII upon assignment and on behalf of the data controller. In essence, the latter corresponds to a data processor under EU regulations.

    Under Russian law, there is no direct obligation on controllers and processors to maintain consolidated records of processing activities of the kind prescribed by European law.

    At the same time, Russian law requires controllers to implement a number of internal policies and maintain certain records in order to ensure the accountability of data processing activities. Such policies and records include:

    • PII Processing Policy: first layer of the Privacy Policy containing consolidated information on the data subjects whose PII is processed by the controller, the categories of their personal data, the purposes and legal grounds for PII processing, the terms of processing, the general security measures implemented by the controller, transfers of PII to third parties etc.;
    • List/Records of PII Information Systems: the document accumulating and systematizing the information about the controller’s automated and non-automated PII systems;
    • PII List/Records: the document accumulating and systematizing the information on the categories of data subjects and their PII processed by the controller along with purposes, legal grounds, and terms of PII processing.
    • List/Records of Individuals Authorized to Access the PII to Perform Their Job Duties: the document specifying the categories of data subjects and their PII along with job titles of controller’s employees authorized to access such data to perform their job duties.

  9. Are consultations with regulators recommended or required in your jurisdiction and in what circumstances?

    Russian data protection laws provide for no mandatory or recommended consultations with the regulators on compliance matters. Roskomnadzor regularly arranges “open days” at which its representatives express their views on topical privacy issues and their interpretation of the laws, and answer questions from the public. These views are not binding, however, since Roskomnadzor is the authority with administrative powers in the field of data protection and is not competent to issue normative acts in this field.

  10. Do the laws in your jurisdiction require or recommend conducting risk assessments regarding data processing activities and, if so, in what circumstances? How are these risk assessments typically carried out?

    Russian data protection laws require data controllers to assess their PII security systems at least once every three years. The data controller may perform such an assessment itself or engage a contractor holding a license for the technical protection of confidential information issued by FSTEC (see Q. 2 above). Such an assessment implies that the data controller:

    1. identifies and categorizes the types of security threats and the sources of such threats (so-called security threat modeling);
    2. identifies the security properties (integrity, availability, confidentiality) affected by each security threat;
    3. determines the appropriate level of data protection and chooses the legal, organizational and technical security measures required to neutralize the identified threats.

    Russian law is quite prescriptive in this regard and contains guidance and methodologies on how these procedures should be carried out.

  11. Do the laws in your jurisdiction require appointment of a data protection officer, or other person to be in charge of privacy or data protection at the organization? What are the data protection officer’s legal responsibilities?

    It is mandatory to appoint a data protection officer (“DPO”) under Personal Data Law. The DPO shall undertake the following duties:

    • Conduct internal control over the compliance of the data controller and its employees with the applicable legislation.
    • Ensure the awareness of the data controller’s employees of the requirements of the applicable legislation and the requirements of the data controller’s policies.
    • Arrange the receipt and consideration of requests submitted by data subjects.

    The DPO shall be accountable to the executive body of a data controller.

    Apart from the above-mentioned key functions, Russian law does not provide for any further guidance on specific tasks and powers of the DPO. These issues are subject to the internal (corporate) rules of the data controller.

  12. Do the laws in your jurisdiction require providing notice to individuals of the business’ processing activities? If so, please describe these notice requirements (e.g. posting an online privacy notice).

    Under Russian law all aspects of processing should be reflected in the internal data processing policies.

    Under Russian legislation and the recommendations of Roskomnadzor, the internal policy on data processing shall contain the following sections:

    • data controller’s identity (name, address);
    • terms and definitions used in the document;
    • explanation of the policy’s goals;
    • purposes of data processing;
    • lawful basis/legal grounds for data processing, categories of data subjects whose PII is processed and categories of PII being processed;
    • operations on PII and general description of PII processing methods;
    • information on transfer of PII to the third parties, including cross-border transfer of PII;
    • information on data processors engaged to process PII on behalf of the data controller;
    • information on measures taken to ensure security and confidentiality of PII;
    • terms of PII processing, including retention terms and conditions regarding termination of processing;
    • data subjects’ rights and how they can exercise their rights.

    The policy must be drafted in Russian (or be bilingual). If the data controller has a website or app, it must make the policy available to the website’s or app’s users.

    Practically speaking, there should be a general data protection policy covering all the issues above and a number of more detailed policies setting out in detail how a particular aspect of data processing is carried out (e.g., a separate policy on data retention and the procedure for data destruction; a policy setting out how different departments should respond to data subjects’ queries about their rights, etc.).

    Policies should be duly implemented in the company, which means that i) the policy is approved by an order of the company’s General Director (or other duly authorized officer), ii) the policy is in line with Russian law and iii) all employees put their wet signatures on a special acknowledgment form confirming that they are aware of the policy’s provisions (the so-called “familiarization procedure”).

  13. Do the laws in your jurisdiction apply directly to service providers that process PII, or do they typically only apply through flow-down contractual requirements from the owners?

    The laws apply first of all to data controllers, who are responsible for the activities of the data processors they engage. Most obligations under Russian PII laws are addressed to data controllers, not processors. Some provisions (e.g., the general rules on data security) apply directly to both controllers and processors.

    Where a service provider is an independent data controller, all obligations are imposed on that provider by virtue of law and it bears all regulatory risks. However, in most cases service providers engaged in data processing position themselves as data processors.

    The scope of obligations of data processors and data controllers is largely the same. Data processors are also obliged to apply the requirements of Russian data legislation, maintain the confidentiality of PII and implement the security measures provided for by legislation. However, the precise scope of the processor’s security measures shall be specified in the controller’s assignment/instructions. So, although the general security obligation applies to the data processor (service provider) directly by virtue of law, the way it is complied with shall be agreed with the data controller.

    The important regulatory difference between the two roles is that data processors are not obliged to obtain consents from data subjects or verify whether other legal grounds enable them to process the data, since this is an obligation of data controllers. Data processors are accountable only to data controllers and not to data subjects. Therefore, data controllers bear full responsibility towards data subjects for violations committed by data processors.

    There have been some draft bills proposing to impose more obligations directly on processors. However, they have not been enacted.

  14. Do the laws in your jurisdiction require minimum contract terms with service providers or are there any other restrictions relating to the appointment of service providers (e.g. due diligence or privacy and security assessments)?

    Processing of data by service providers requires the conclusion of a data processing/transfer agreement. The agreement shall contain a number of mandatory terms, namely:

    • list of operations on PII carried out by the service provider;
    • security and confidentiality obligation of the service provider;
    • purposes of the data transfer;
    • list of security measures to be taken by the service provider (in accordance with Russian data protection laws).

  15. Is the transfer of PII outside the jurisdiction restricted? If so, please describe these restrictions and how businesses typically comply with them (for example, does cross-border transfer of PII require notification to or authorization from a regulator?)

    Russian law does not prohibit cross-border (international) transfer of PII. The key requirements for international data transfers are i) conclusion of a data processing agreement and ii) ensuring a legal ground for the transfer.

    The legal grounds for an international transfer depend on the country where the data recipient is located. In this regard, there are jurisdictions providing an adequate level of data protection and those that do not.

    “Adequate” jurisdictions are:

    • States - parties to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (CETS No. 108) – e.g., European Union members; and
    • Countries considered adequate by Roskomnadzor (e.g. Australia, Israel, Canada, New Zealand, Republic of Korea, Kazakhstan, Singapore, Chile, Japan etc.).

    Where PII is transferred to “adequate” jurisdictions, the general list of legal grounds applies. If the jurisdiction is not adequate, the legal grounds enabling transfer are quite limited (e.g. the data subject’s written consent (which must meet a number of requirements as to its form and content), or performance of a contract to which the data subject is a party).

  16. What security obligations are imposed on PII owners and on service providers, if any, in your jurisdiction?

    Both data controller and data processor are required to ensure security and confidentiality of PII being processed. The important difference is that the scope of measures implemented by the processor depends on the data controller’s assignment/instructions.

    Russian data protection laws set out a four-layered approach to data protection.

    As the first layer, the Personal Data Law sets out a very broad list of security measures that may be applied by the data controller. Such general measures include, for example, appointment of a data protection officer, data recovery, implementation of internal policies, use of information security tools, keeping records of PII media etc.

    In addition to the general measures prescribed by law, the Russian Government has defined a number of specific measures the data controller shall implement (second layer). The extent of these measures depends on the types of security threats to the PII. Companies shall perform security threat modeling of the database or system that processes/stores PII in order to identify and categorize the threats most likely to affect that database or system.

    Based on the security threat modelling, the information system shall be placed into one of three categories of security threats. The category of security threat will determine the level of data protection and particular set of security measures that must be implemented to safeguard the PII.

    There is also detailed statutory guidance on how the various organizational and technical security measures prescribed by the Russian Government shall be implemented (third layer). This guidance is provided by FSTEC (see Q.1).

    In its respective order, FSTEC specifies general groups of security measures (e.g., identification and authentication of persons and objects having access to PII; restricting the software environment; ensuring the safety of machine-readable media used for storage and processing of PII; logging of events related to information protection; antivirus protection, etc.). Each of these general groups includes a list of more specific measures which are mandatory for a particular level of PII protection. This list is called the “basic list of security measures”.

    The fourth layer is the implementation of the specific solutions corresponding to the basic security measures required of the company.

    Practically speaking, all of the guidance mentioned is quite general and gives companies discretion in security threat modeling. So, in the course of auditing its data protection system, a company can considerably influence the resulting level of data protection and the data security measures that apply to it.

  17. Does your jurisdiction impose requirements of data protection by design or default?

    Formally speaking, Russian laws do not explicitly introduce the concepts of data protection by design and data protection by default in the way they are set out, for example, by EU law. However, the general data protection principles and requirements (data minimization, purpose limitation, security etc.) imply that a company shall always consider data protection aspects when designing and implementing a solution or system, and ensure the privacy of the individuals concerned from the outset. So, practically speaking, the privacy by design and by default principles are implied in Russian data protection laws, although not mentioned directly.

  18. Do the laws in your jurisdiction address security breaches and, if so, how does the law define “security breach”?

    There is no general statutory definition of security breach under Russian law.

    However, all data controllers have a general obligation to keep PII secure (so, disclosure of data to third parties is permitted only on specific grounds). The key PII security properties are integrity, confidentiality and availability. If any of these properties is compromised, the PII can no longer be considered secure and the incident should be treated as a security breach.

    As regards industry-specific definitions, Russian laws set out various definitions describing security breaches. For example, the laws governing information security in the Russian national payment system define a security incident as any event that has caused or may cause an unauthorized funds transfer or a failure to provide funds transfer services.

    There is also a definition of computer incidents in the Russian laws on the security of critical information infrastructure (“CII”), which govern information security in such critical industries as healthcare, science, transport, communications, energy, banking and finance, the fuel and energy sector, nuclear energy, defence, the rocket and space industry, metallurgy and the chemical industry. The CII laws define a computer incident as any breach or termination of the functioning of a CII facility or of a communication network used to interconnect CII facilities, and/or a breach of the security of information processed by such a facility, including as a result of a computer attack.

  19. Under what circumstances must a business report security breaches to regulators, to individuals, or to other persons or entities? If breach notification is not required by law, is it recommended by the regulator and what is the typical custom or practice in your jurisdiction?

    There is no general obligation to notify data subjects, regulators or any other parties of data breaches of the kind specified, for example, in EU law.

    Filing such notifications on a voluntary basis is not widespread among companies doing business in Russia. However, there are some other types of notifications.

    Notification upon request. Under Russian laws, data subjects have certain rights (see Q.20). If, while considering a data subject’s request, the data controller finds that PII is being processed unlawfully (i.e. without an appropriate legal ground such as consent, contractual necessity, etc.), it shall:

    1. either establish an appropriate legal ground for the processing (e.g., request consent) and thereby rectify the violation;
    2. or, if that is not possible, destroy the unlawfully processed PII.

    Once this is done, the data controller shall notify the data subject accordingly. A notification must also be filed with the regulator if the request came from the regulator. This is the so-called “notification upon request”.

    Modernized Convention 108 and expected amendments. On October 10, 2018, Russia signed the Protocol modernizing the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (1981), hereinafter “Convention 108”. Under the modernized Convention 108, the data controller shall without delay notify at least the regulator of data breaches that may seriously interfere with individuals’ rights and fundamental freedoms. The Convention does not elaborate further on data breach notification.

    It was reported that the regulator has started to elaborate a draft bill to amend the Personal Data Law to incorporate provisions of the modernized Convention 108.

    Industry-specific notification requirements. Russian laws also set out certain industry-specific data breach notifications. For example, obligations to notify of data breaches are imposed on participants in the Russian national payment system (financial institutions) and on owners of CII facilities (see Q.18) that have been assigned a category of importance under the statutory classification procedure.

  20. Do the laws in your jurisdiction provide individual rights, such as the right to access and the right to deletion? If so, please provide a general description on what are the rights, how are they communicated, what exceptions exist and any other relevant details.

    Russian laws set out the following data subjects’ rights:

    • To withdraw consent at any time. In this case, the data controller must terminate the consent-based processing of PII within 30 calendar days.
    • To access PII. The data subject is entitled to request from the data controller confirmation that it processes his/her PII and a range of details about the processing (e.g., categories of data processed, purposes of processing, operations performed on the data, methods of processing, information on international transfers, etc.). On request, the data subject must be provided with a copy of the PII (e.g., copies of documents containing PII, extracts from the automated information system in which the data is processed).
    • To require rectification, blocking and destruction of PII where the data is incomplete, inaccurate, outdated, processed unlawfully or no longer needed for the specific purpose of processing.
    • To lodge a complaint with Roskomnadzor or a court, among other rights.

    Both the company and the data subject must observe certain requirements when these rights are exercised and complied with (e.g., deadlines, the required format of the request and response, exemptions from the obligation to comply with a request, etc.).

  21. Are individual rights exercisable through the judicial system or enforced by a regulator or both? When exercisable through the judicial system, does the law in your jurisdiction provide for a private right of action and, if so, in what circumstances? Are individuals entitled to monetary damages or compensation if they are affected by breaches of the law? Is actual damage required or is injury of feelings sufficient?

    As noted above, individuals are entitled to file a complaint with Roskomnadzor, the Prosecutor’s Office or the Labour Inspectorate (if the processing takes place in the context of employment), as well as to bring a claim before a competent court challenging the actions (or omissions) of the data controller.

    In such a claim they can seek compensation for material and moral damage caused by the unlawful processing of their PII.

    Moral damages compensate physical or mental suffering and are assessed on a case-by-case basis. Material damages include direct losses and lost profits; their amount must be proven with evidence.

  22. How are the laws governing privacy and data protection enforced? What is the range of fines and penalties for violation of these laws? Can PII owners appeal to the courts against orders of the regulators?

    Most violations of data protection laws give rise to administrative liability. Criminal sanctions are extremely rare in practice, although they cannot be excluded in the case of serious violations, such as the intentional dissemination of PII.

    The Russian Code of Administrative Offences dated December 30, 2001 No. 195-FZ sets out administrative fines of up to 75,000 rubles (approx. USD 1,150) per violation (the exact amount depends on the type of violation) and up to 500,000 rubles (approx. USD 7,500) for violations relating to direct marketing and promotional contacts with individuals/data subjects.

    In certain cases, where there are several violations of the same type (e.g., where the data controller processes the PII of several individuals without a lawful basis), the fine may be imposed repeatedly, once per violation.

    Roskomnadzor is entitled to require a data controller to rectify a violation of the Personal Data Law. Failure to do so may lead to an inspection by Roskomnadzor and, consequently, an administrative fine.

    Likewise, where the processing of PII on a website or in an app violates data protection laws, access to that website/app may be restricted from Russia by court decision. A widely known example is LinkedIn, which was blocked in 2016 for failure to comply with the localization requirement (see Q.23) and remains unavailable to Russian users.

    The Russian Criminal Code provides for the criminal liability of individuals and company officers for the unlawful dissemination of information protected by law, for the unlawful collection and dissemination of information about an individual’s private life constituting a personal or family secret without that individual’s consent, and for violation of the privacy of correspondence and telephone conversations. Criminal liability may take various forms, up to imprisonment. This type of liability rarely applies in practice.

    Orders of regulators may be challenged by PII owners in courts.

    Each year Roskomnadzor publishes the results of its inspections (in aggregated form, without reference to particular cases). The most frequent violations over recent years are: failure to register as a data controller in the state register maintained by Roskomnadzor; absence of data subjects’ consents or non-compliance of consent forms with statutory requirements; improper data storage; and failure to destroy data in time.

  23. Does the law include any derogations, exclusions or limitations other than those already described? Please describe the relevant provisions.

    Russian law provides for a so-called localization requirement. It means that certain operations on the PII of Russian citizens (namely recording, systematization, accumulation, storage, adaptation/alteration and retrieval) must be carried out in database(s) located in Russia once such data has been collected.

    In other words, once PII is collected, it shall be placed in the database located in Russia (‘primary’ database) so that all mentioned operations on data should be carried out locally. Afterwards, the data can be transferred abroad for further processing (to so-called ‘secondary’ database).

    Note that the local database must be kept accurate and up to date: operations that update or rectify PII must be made first in the local database(s), and only then propagated to any secondary database abroad.
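    The ordering this requirement imposes is easy to get wrong in a system with one database in Russia and a replica abroad. The following Python sketch is an added example (not code from the original Q&A) of a write path in which collection, alteration and retrieval of a Russian citizen's PII always go through a 'primary' database flagged as located in Russia, a copy is replicated afterwards to a 'secondary' database abroad, and an audit routine flags any record that was created or changed directly in the secondary. Database names, the country labels and the record layout are assumptions made for the example.

```python
"""Added example (not part of the original Q&A): a write path that keeps
PII of Russian citizens in a 'primary' database located in Russia and only
then replicates a copy to a 'secondary' database abroad, so that recording,
updating and retrieval always happen locally first.  Database names, country
labels and record layout are assumptions made for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


class LocalizationError(Exception):
    """Raised when an operation would bypass the Russian primary database."""


@dataclass
class Record:
    data: Dict[str, str]
    version: int  # monotonically increasing, assigned only by the primary store


@dataclass
class Database:
    name: str
    country: str  # ISO 3166-1 alpha-2 label, assumed for the example
    records: Dict[str, Record] = field(default_factory=dict)


class LocalizedPIIStore:
    """The primary must be in Russia; secondaries may be located anywhere."""

    def __init__(self, primary: Database, *secondaries: Database) -> None:
        if primary.country != "RU":
            raise LocalizationError(
                f"primary database {primary.name!r} is in {primary.country}, must be RU")
        self.primary = primary
        self.secondaries = list(secondaries)

    # -- recording / accumulation: the first write lands in the primary ---------
    def collect(self, subject_id: str, data: Dict[str, str]) -> int:
        if subject_id in self.primary.records:
            raise KeyError(f"{subject_id} already collected; use update()")
        rec = Record(dict(data), version=1)
        self.primary.records[subject_id] = rec
        self._replicate(subject_id)
        return rec.version

    # -- adaptation / alteration: rectify locally first, then push the copy -----
    def update(self, subject_id: str, changes: Dict[str, str]) -> int:
        rec = self.primary.records[subject_id]  # KeyError if never localized
        rec.data.update(changes)
        rec.version += 1
        self._replicate(subject_id)
        return rec.version

    # -- retrieval is answered from the local database --------------------------
    def retrieve(self, subject_id: str) -> Optional[Dict[str, str]]:
        rec = self.primary.records.get(subject_id)
        return dict(rec.data) if rec else None

    def _replicate(self, subject_id: str) -> None:
        src = self.primary.records[subject_id]
        for db in self.secondaries:
            db.records[subject_id] = Record(dict(src.data), src.version)

    # -- audit: no secondary may hold data the primary lacks or a newer version --
    def audit(self) -> List[str]:
        findings: List[str] = []
        for db in self.secondaries:
            for sid, rec in db.records.items():
                local = self.primary.records.get(sid)
                if local is None:
                    findings.append(f"{db.name}: {sid} exists abroad but not in the primary")
                elif rec.version > local.version or rec.data != local.data:
                    findings.append(f"{db.name}: {sid} was modified outside the primary")
        return findings


if __name__ == "__main__":
    ru = Database("crm-msk", "RU")
    eu = Database("crm-fra", "DE")
    store = LocalizedPIIStore(ru, eu)
    # Constructed sample subject, not real data
    store.collect("u-1", {"name": "Ivan Petrov", "email": "ivan@example.org"})
    store.update("u-1", {"email": "i.petrov@example.org"})
    print(store.retrieve("u-1"), store.audit())
    # A change made directly to the foreign copy is exactly what the audit catches
    eu.records["u-1"].data["email"] = "changed-abroad@example.org"
    print(store.audit())
```

    The audit compares versions and content rather than just row counts, because a record that was rectified abroad and never written back to the Russian database is the failure mode the requirement is aimed at, not merely a missing row.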

  24. Please describe any restrictions on monitoring or profiling in your jurisdiction including the use of tracking technologies such as cookies – how are these terms defined and what restrictions are imposed, if any?

    Russian data protection laws do not directly address profiling and monitoring, including the use of tracking technologies such as cookies.

    Roskomnadzor and the courts take a rather conservative approach, treating such activities as PII processing subject to the general rules. The only available legal ground in that case is the individual’s explicit opt-in consent (e.g., a tick-box, banner or pop-up window on the website’s home page requesting the individual’s consent).

    The use of purely technical cookies (i.e. cookies strictly necessary for the functioning of the website, as opposed to cookies enabling targeted advertising, marketing analytics, etc.) is a grey area in terms of compliance, and there is no unified approach as regards the legal grounds for their use. Many companies take a risk-based approach, considering that consent is not required and that other legal grounds (such as the legitimate interest of the data controller) can be relied on.

    Apart from having a legal ground for profiling and monitoring, the data controller must describe them as processing activities in its Privacy/Confidentiality Policy. For example, a separate Cookies Policy can be drafted and posted on the website, or dedicated sections can be incorporated into the general Privacy Policy. Such a Policy must be available in Russian (or in a bilingual format).

  25. Please describe any laws addressing email communication or direct marketing?

    Direct marketing communications are governed by both advertising and data protection laws, which set out similar rules in this regard. Direct marketing communications with the data subject are only allowed if the data subject has provided his/her prior opt-in consent (no exceptions in this regard).

    Practically speaking, such consent may be obtained by means of a tick-box or a “Subscribe” button, provided that the tick-box or button is not bundled with other consents (e.g., acceptance of the Terms of Use or a general consent to the processing of PII as described in the Privacy Policy) and the tick-box is not pre-ticked. Otherwise, the Russian regulators may conclude that the consent was not freely given by the data subject.

    Each marketing communication must contain a link allowing the recipient to unsubscribe from further marketing communications or, alternatively, information on how the recipient can unsubscribe.

    Once the data subject unsubscribes (i.e. withdraws his/her consent) from marketing communications, the data controller must immediately stop the direct marketing communications and the processing of PII for that purpose; the laws do not provide for any grace period in this regard.
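    The consent mechanics described for cookies (Q.24) and for direct marketing (Q.25), together with the 30-calendar-day termination period for withdrawn consent mentioned in Q.20, translate into a small set of checks that a website back end can enforce. The following Python sketch is an added example (not code from the original Q&A) of an opt-in consent registry that: accepts consent only from a control the user actually ticked, that was not pre-ticked and was not bundled with other consents; gates non-essential cookies on the analytics consent while letting strictly necessary cookies through; refuses to build a marketing message without an unsubscribe link; and, on withdrawal, stops marketing immediately while allowing other consent-based processing to run until the 30-day deadline. The purpose names, the form-field layout and the cookie names are assumptions made for the example.

```python
"""Added example (not the original Q&A's code): an opt-in consent registry
that (1) accepts consent only from an unbundled, user-ticked control,
(2) gates non-essential cookies on that consent, (3) requires an unsubscribe
link in every marketing message and (4) on withdrawal stops marketing
immediately while ending other consent-based processing within the 30
calendar days mentioned in Q.20.  Purpose names, the form-field layout and
the cookie names are assumptions made for the example."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional

MARKETING = "marketing"
ANALYTICS_COOKIES = "analytics_cookies"
# Cookies the site cannot work without; the Q&A calls their legal basis a grey area
STRICTLY_NECESSARY = {"session_id", "csrf_token"}
# Consent-based processing must stop within 30 calendar days of withdrawal (Q.20);
# for marketing the laws allow no grace period at all (Q.25).
TERMINATION_GRACE = {MARKETING: timedelta(0)}
DEFAULT_TERMINATION_GRACE = timedelta(days=30)


class InvalidConsent(ValueError):
    """The submitted control cannot be treated as freely given opt-in consent."""


@dataclass
class ConsentRecord:
    purpose: str
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

    def active(self, now: datetime) -> bool:
        if self.withdrawn_at is None:
            return True
        # After withdrawal, processing may continue only until the termination deadline
        grace = TERMINATION_GRACE.get(self.purpose, DEFAULT_TERMINATION_GRACE)
        return now < self.withdrawn_at + grace


class ConsentRegistry:
    def __init__(self) -> None:
        self._consents: Dict[str, Dict[str, ConsentRecord]] = {}

    def record_from_form(self, subject: str, purpose: str, form: dict,
                         now: datetime) -> ConsentRecord:
        """`form` is a constructed description of the submitted control:
        {'checked': bool, 'default_checked': bool, 'bundled_with': [other consents]}"""
        if form.get("default_checked"):
            raise InvalidConsent("pre-ticked box: consent was not actively given")
        if form.get("bundled_with"):
            raise InvalidConsent(f"bundled with {form['bundled_with']}: not freely given")
        if not form.get("checked"):
            raise InvalidConsent("control not ticked: no consent")
        rec = ConsentRecord(purpose, now)
        self._consents.setdefault(subject, {})[purpose] = rec
        return rec

    def withdraw(self, subject: str, purpose: str, now: datetime) -> None:
        rec = self._consents.get(subject, {}).get(purpose)
        if rec and rec.withdrawn_at is None:
            rec.withdrawn_at = now

    def may_process(self, subject: str, purpose: str, now: datetime) -> bool:
        rec = self._consents.get(subject, {}).get(purpose)
        return bool(rec and rec.active(now))

    def allowed_cookies(self, subject: str, cookies: Iterable[str],
                        now: datetime) -> List[str]:
        """Strictly necessary cookies pass; everything else needs analytics consent."""
        ok = self.may_process(subject, ANALYTICS_COOKIES, now)
        return [c for c in cookies if c in STRICTLY_NECESSARY or ok]


def marketing_message(body: str, unsubscribe_url: str) -> str:
    """Every marketing message must carry a way to unsubscribe (Q.25)."""
    if not unsubscribe_url:
        raise ValueError("marketing message without an unsubscribe link")
    return f"{body}\n\nTo unsubscribe: {unsubscribe_url}"


if __name__ == "__main__":
    reg = ConsentRegistry()
    t0 = datetime(2019, 1, 1, 12, 0)
    ticked = {"checked": True, "default_checked": False, "bundled_with": []}  # constructed
    reg.record_from_form("s1", MARKETING, ticked, t0)
    reg.record_from_form("s1", ANALYTICS_COOKIES, ticked, t0)
    print(reg.allowed_cookies("s1", ["session_id", "_ga", "csrf_token"], t0))
    reg.withdraw("s1", MARKETING, t0)
    reg.withdraw("s1", ANALYTICS_COOKIES, t0)
    print(reg.may_process("s1", MARKETING, t0),                        # stops at once
          reg.may_process("s1", ANALYTICS_COOKIES, t0 + timedelta(days=29)),
          reg.may_process("s1", ANALYTICS_COOKIES, t0 + timedelta(days=30)))
```

    The per-purpose grace table is the point of the example: a single "consent withdrawn" flag is not enough, because the deadline for stopping processing depends on what the consent was for, and for marketing it is zero.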