„Do they even have Data Protection rules in Russia” is a question that – in variations – we often encounter during our professional routine. The answer is always the same, as Russian law does protect Personal Data.
The changes made to the Federal Law No. 152-FZ on Personal Data 2006 (Personal Data Protection Act) (in the following: „DPA RU”) on September 1st, 2015 has just recently shifted the public’s attention to Russian Data Protection Law and has triggered a broad discussion, as already reported by us. Essentially, these changes mean that a Russian Citizen’s Personal Data must be stored on servers located in Russia.
The starting point of all contemplations concerning the processing of Personal Data is Russia’s decision of 2001 to initiate negotiations on acceding to the WTO. Aiming at an adequate level of Personal Data protection, Russia has passed a federal law concerning the ratification of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. This is also the reason for the Russian regulations’ similarities with European Data Protection law.
This leads to five aspects that must always be taken into consideration if Personal Data of Russian citizens are to be processed:
1. Data Protection Officer
The Controller (in Russian: „Operator”) must appoint a Data Protection Officer (“DPO”), Art. 18.1 § 1.1 DPA RU. In most cases, the Operator will appoint an internal DPO. The DPO is only subject to the management’s instructions and is responsible for internal checks and controls in the company.
The DPO is also responsible for informing staff on statutory and local Data Protection regulations. The DPO complies with this duty by training staff on Data Protection rules and regulations and by collecting the internal rules and guidelines on Personal Data processing in the organization and compiling written and signed acknowledgements of these regulations by each staff member.
Also, the DPO ensures a timely processing of complaints and inquiries concerning Data Protection.
2. Data Protection Concept, Procedural Registry (in Russian: Guidelines or Internal Strategies)
The Controller is obliged to determine the guidelines for processing Personal Data; such may include instructions, concepts, procedures, etc. Also, he is legally responsible for compliance with the company guidelines and procedures concerning Personal Data processing.
These Internal Strategies shall include provisions concerning internal revisions and audits on the processing of Personal Data as well as information about protective measures that have been initiated. This Data Protection concept can be published on the undertaking’s official website (please find examples here, here or here).
3. Notification Duties
The „Federal Service for Supervision of Communications, Information Technology and Mass Media“ (in short: „Roskomnadzor“) is the competent supervisory Data Protection authority and publishes a Registry of Operators that process Personal Data. Any undertaking must therefore notify the Roskomnadzor prior to beginning the processing of Personal Data.
In September 2015, notification duties were extended to include the physical location (postal address) of the Personal Data. The Roskomnadzor therefore holds prior notifications to be insufficient and must, in accordance with regulatory practice, be either renewed or amended. An activity report by the Roskomnadzor of 01.09.2016 shows that approximately 63,000 (17.5 %) of all Controllers have complied with the broadened notification duties.
4. Legal Basis for Processing and Consent
Personal Data may only be processed
- if it is based on a statutory provision, or
- based on a data subject’s consent,
(Art. 6 DPA RU).
The Russian Data Protection laws do not require consent to be declared in a specific form, however, it defines the mandatory minimum content. For this reason, the law stipulates information that must be included in such a declaration of consent. Data subjects may withdraw their consent at any time with future effect and / or object to the processing operations.
5. Controls
With respect to controlling Data Protection compliance, Russian Law names three (!) regulatory authorities to control and sanction compliance with the provisions described above:
- Roskomnadzor – monitors and protects the data subjects’ rights,
- FSB – the domestic Russian Secret Service monitors IT-Security in respect of encryption,
- FSTEC – monitors the maintaining of technical-organizational measures (e.g. virus protection, firewalls IDS/IPS, access controls, etc.).
The legal basis stipulating the authorities’ control rights is the Federal Law „On the protection of Rights of Legal Entities and Sole Proprietorships in the Exercise of State Control (Supervision) and Municipal Control” of 26.12.2008 N 294-FZ (as amended, 2016).
For example, this law stipulates that governmental authorities may not exceed a maximum of 50 hours per calendar year when controlling sole proprietors. An overview on planned controls can be found on the Russian General Prosecutor’s Website.
Please note: Since September 1st, 2015, the planned controls are not binding for the Roskomnadzor anymore. Activity Reports and Schedules for controls by the Roskomnadzor can now be found on a separate website. The activity report for the first quarter of 2016 notes that 405 violations were recorded in connection with 237 regular controls. The violations can be classified in three categories:
The report also shows that the Roskomnadzor has carried out 25 extraordinary controls. It is striking that 70 % of all violations are based on failure to comply with concrete requirements demanded by the regulatory authority prior to the controls. In other words, the respective companies had positive knowledge what to do and when, yet failed to comply.
Also, the Roskomnadzor has assessed 327 websites during the first 90 days of 2016. In most cases, the websites failed to include an adequately precise Data Protection concept.