Data protection (privacy) laws in Russia
Russia has a framework of laws designed to protect the personal data of its citizens. The primary law governing data protection is Federal Law No. 152-FZ "On Personal Data" (the “Personal Data Law”), enacted in 2006. This law establishes the legal basis for the processing of personal data and aims to ensure the protection of the rights and freedoms of individuals when their personal data is processed.
Key Principles of the Personal Data Law:
- Legality: Processing must be based on lawful grounds, such as the data subject's consent or a specific legal obligation.
- Fairness: Processing must be conducted fairly and transparently.
- Purpose Limitation: Personal data must be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
- Data Minimization: The data processed must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
- Accuracy: Personal data must be accurate and, where necessary, kept up to date. Inaccurate data must be erased or rectified without delay.
- Storage Limitation: Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
- Integrity and Confidentiality: Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.
Key Obligations for Data Controllers (Operators):
Under the Personal Data Law, data controllers (referred to as "operators") are required to:
- Obtain valid consent from data subjects before processing their personal data, unless another legal basis exists. Consent must be freely given, specific, informed, and unambiguous.
- Notify Roskomnadzor (Federal Service for Supervision of Communications, Information Technology and Mass Media), the Russian data protection authority, of their processing activities before commencing data processing. There are some exceptions to this notification requirement.
- Implement appropriate technical and organizational measures to ensure the security of personal data. This includes measures to prevent unauthorized access, disclosure, alteration, or destruction of data.
- Provide data subjects with access to their personal data upon request, allowing them to correct inaccuracies and object to the processing of their data.
- Localize the storage of personal data of Russian citizens within Russia. This requires data controllers to use databases located within Russia to process and store the personal data of Russian citizens, with certain exceptions.
- Appoint a data protection officer (DPO) in certain circumstances, particularly if the operator processes special categories of personal data or conducts large-scale processing.
Special Categories of Personal Data:
The Personal Data Law defines "special categories of personal data" as data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, health, intimate life, and criminal record. The processing of special categories of personal data is subject to stricter requirements and generally requires explicit consent from the data subject.
Cross-Border Data Transfers:
The Personal Data Law regulates the cross-border transfer of personal data. Transfers to countries that do not provide an adequate level of data protection are restricted. Roskomnadzor publishes a list of countries that are considered to provide an adequate level of data protection.
Enforcement and Penalties:
Roskomnadzor is responsible for enforcing the Personal Data Law. Violations of the law can result in administrative penalties, including fines. In some cases, criminal liability may also apply.
Recent Developments:
Amendments to the Personal Data Law are frequently introduced to address emerging issues and align with international standards. Staying abreast of these developments is crucial for organizations operating in Russia.