1. Personal Data Protection (Privacy) Legislation in Russia
In Russia, the privacy legislation can be summarized as follows:
1.1. Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, signed and ratified by the Russian Federation on December 19, 2005;
1.2 the Law of the Russian Federation “On Personal Data” as of 27.07.2006 No. 152-FZ, which regulates the processing of personal data by means of automation equipment. It is the operator who is required to comply with the Act;
1.3 The “Regulations on protection of personal data processed by means of personal data systems” enacted by the Russian Government Regulation which came into force on 17.11.2007 No. 781. The Regulations contain comprehensive security guidelines to be complied with when processing and storing personal data;
1.4 The Law of the Russian Federation “On Advertisement” dated 13.03.2006 No. 38-FZ. Said Law regulates marketing communications sent inter alia by means of electronic channels including e-mail & SMS & etc;
1.5 The Russian Code on Administrative Infractions as of 30.12.2001 No.195-FZ. Said Code regulates issues of responsibility for administrative infractions in connection with processing of personal data or delivering of advertisement.
2. Outline of the Notions Utilized in the Legislation in Force
2.1 Personal data is any information pertaining to identified or identifiable with the help of said information natural person (personal data subject), including his surname, given name, patronymic, date, month, year and place of birth, home address, family & social & property status, education, profession, income, other information;
2.2 Sensitive personal data means personal data relating to:
- race or ethnic background
- political opinions
- religious beliefs
- health condition
- sexual life
2.3 Processing is anything that may be done to or with personal data, inter alia gathering, putting into order, collecting, storing, updating, using, distributing (including transfer), depersonalizing, blocking or erasing such data;
2.4 Operators is the entity which manages and/or performs data processing, as well as determines the purposes and manner of data processing. In most cases both supervising company and the entity which operates the relevant direction or service are regarded as operators;
2.5 Personal data system is data system which includes personal data recorded in the data base as well as information technologies and technical means which are used for processing of said data.
3. Rights of Personal Data Subjects
The legislation gives certain rights to personal data subjects in respect of personal data gathered from them. These include:
3.1 An entitlement to access to information pertaining to operator and to the processed personal data;
3.2 A right to request cancellation of processing, blocking or modifying of the personal data which have been obtained in violation of the laws, are inadequate or obsolete; and
3.3 A right to call for immediate cancellation of processing for the purposes of direct marketing.
Operators to whom Russian legislation applies must send notification to the local body of Russian Federal Service on Supervision over Mass Media, Telecommunications and Safeguarding of the Cultural Heritage (afterward referred to as, the “Federal Service on Telecommunications”) for each district of Russia where he possesses personal data processing facilities. For Moscow it shall be Moscow Department of the abovementioned federal service. Such a notification is necessary for inclusion of the operator into specific Register and shall be performed by the operators who have been processing personal information prior to coming into force of the Federal law “On Personal Data” dated 27.07.2006 and continue to process it after its enactment prior to January 1, 2008. Those operators who haven’t been processing personal information with the help of their own or third party’s equipment situated in Russia before the enactment of the abovementioned law must dispatch the notification before they actually commence processing personal data. It is necessary that the abovementioned notification contains information provided for by the applicable legislation.
Scope of application of Russian data protection legislation: Russian laws apply when the operator uses his own or third-party data processing equipment located in Russia. And also in cases where the data has been already transmitted outside Russia, but there has been an infringement of personal data subject’s rights prior to or during such a transfer. If the data is transmitted outside Russia properly, it will be afterwards regulated by the legislation of country of destination and implications of the Russian law will not apply thereto.
In most cases, the Federal Service on Telecommunications only has authority in over data stored or processed in Russia. Nevertheless the legal implications of the Russian legislation on personal data protection shall apply in respect of the data already transferred outside Russia in case the rights of individuals, whose personal data has been gathered and processed using machinery situated in Russia, have been infringed prior to or during such transfer (e.g. An operator transferred data to a country where personal data doesn’t enjoy adequate protection without prior written consent of a data subject). In that case the Federal Service on Telecommunications may file lawsuits against operators to protect the rights of the personal data subjects and impose respective fines for breach of the data protection legislation.
This article was compiled basing on expertise of a Russian Moscow-based law firm - Confederation, Barristers-in-Law. It may prove to be useful to those who are thinking about starting business in Russia, Moscow.