1. What national laws regulate the collection and use of personal data?
The main provisions of data protection and privacy law can be found in the:
- Strasbourg Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data 2005 (Strasbourg Convention).
- Russian Constitution 1993 (Articles 23 and 24).
- Federal Law No. 149-FZ on Information, Information Technologies and Data Protection 2006 (Data Protection Act).
- Federal Law No. 152-FZ on Personal Data 2006 (Personal Data Protection Act).
The principal law in this area is the Personal Data Protection Act.
Data protection specific provisions can also be found in various sectoral laws, for example, the:
- Russian Labour Code (Chapter 14).
- Russian Air Code (Article 85.1).
- Federal Law No. 323 on the Fundamentals of Protection of the Health of Citizens in the Russian Federation.
There are also certain local administrative regulations and official requirements that regulate the collection, storage and use of personal data, issued by the:
- Russian President.
- Russian Government.
- Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor).
- Federal Service for Technical and Export Control (FSTEC).
- Federal Security Service (FSS).
Scope of legislation
2. To whom do the laws apply?
Data protection laws apply to all data operators and third parties acting under the authorisation of data operators. Russian data protection laws do not contain the concepts of "data controller" and "data processor". However, the Personal Data Protection Act does refer to the concept of "data operator". A data operator can be a state or municipal body, legal or physical person that both:
- Organises and/or carries out (alone or jointly with other persons) the processing of personal data.
- Determines the purposes of personal data processing, the content of personal data, and the actions (operations) related to personal data.
The data processing can be shifted to a third party, subject to the data subject's consent, who will be acting under the authorisation of the data operator on the basis of the corresponding agreement, or by operation of the special state or municipal act.
3. What data is regulated?
Data protection laws regulate all personal data that is processed by data operators or third parties. Personal data is any information (directly or indirectly) related to an identified or identifiable individual (data subject).
Russian data protection legislation does not distinguish between direct personal data and indirect personal data. Therefore the personal data will be regarded as "direct" or "indirect" depending on the facts of each situation.
4. What acts are regulated?
Data protection laws apply to all acts of data processing, including collection, recording, systematisation, accumulation, storage, alteration (update, modification), retrieval, use, transfer (dissemination, provision, access), depersonalisation, blocking, deletion or destruction of data. Electronic (automated) and manual (non-automated) records of personal data will be subject to the data protection legislation.
5. What is the jurisdictional scope of the rules?
Data protection laws do not contain any express provisions regarding their jurisdictional or territorial effect. Therefore, it is generally presumed that the national data protection rules apply to:
- Data processing that occurs in, or targeted at Russia.
- Collection, storage as well as the use of personal data of Russian citizens (data subjects).
This is regardless of where the data operators are established and located. In the context of cross-border data flow, the national data protection legislation can also be applied to a certain extent, provided the Russian individual is a party to the corresponding data transfer agreement.
6. What are the main exemptions (if any)?
The following exemptions apply to the scope of regulation of data protection laws:
- Processing of personal data by individuals solely for personal and family needs (provided the rights of data subjects are not infringed).
- Organisation of storage, collection, recordation and use of archived documents containing personal data in accordance with the national laws on archive funds and matters.
- Processing of personal data that can be referred to as state secrecy data.
- Submission by the competent authorities of data related to the activities of courts in Russia in accordance with the relevant court legislation.
7. Is notification or registration required before processing data?
A data operator that is processing personal data must notify Roskomnadzor before it begins to process personal data. The notification can be submitted by the data operator on paper or electronically.
The notification must contain the following information:
- The name and address of the data operator.
- The purposes of processing of the personal data.
- The categories of personal data.
- The categories of data subjects whose data is being processed.
- List of consented actions in relation to personal data, and a general description of the methods of data processing used by the data operator.
- The description of IT systems and security measures (including encryption).
- The name and contact details of the data protection officer.
- The start date of processing personal data.
- The duration of processing or the conditions for terminating the processing of personal data.
- Cross-border data transfer information.
- The location of the database that will contain the personal data of Russian individuals (as of 1 September 2015) (see Question 21).
Roskomnadzor will register the data operator within 30 days of the date of receipt of the corresponding notification (in the absence of any further questions or inquiries). The information listed above (except the description of the data operator's IT systems and corresponding security measures) becomes publicly available once included in the register. Roskomnadzor maintains a register of data operators based on the information that is contained in the notifications it receives. The register of data operators is public and can be found in Russian, see http://rkn.gov.ru/personal-data/register/.
The notification/registration requirement will be applicable to every data operator that is involved in the processing of different categories of personal data in the territory of Russia (or processing personal data of Russian citizens) and uses its internal IT system or database subject to the data protection legislation. However, the data operator will be discharged of this statutory requirement and will be able to process personal data without notification/registration in certain circumstances.
For example, where the personal data:
- Is only processed under the labour law.
- Has been received by the data
operator in connection with a contract with a respective data
subject (individual), provided that the personal data:
- is not transferred to third parties without the individual's consent;
- is only used to perform the contract or to enter into further contracts with the individual.
- Relates to a certain type of processing by a public association or religious organisation acting under the applicable laws, provided that the personal data is not distributed or disclosed to third parties without the data subject's consent.
- Has been made publicly available by the data subject.
- Consists only of the surname, first name and patronymic of the data subject.
- Is necessary for granting the data subject one-time access into the premises where the data operator is located.
- Is included in IT systems that have acquired the status of state computer IT systems under the applicable laws, or in state IT systems created for the purposes of state security and public order.
- Is processed without the use of automated systems under the applicable laws subject to compliance with the rights of the data subject.
- Is processed in accordance with the laws and regulations relating to transport security.
Notification and registration does not require the payment of any official fee.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.