Understanding Russian Federal Law on Personal Data Protection: A Comprehensive Guide

In Russia, the primary legislation governing personal data protection is the Federal Law on Personal Data (No. 152-FZ), adopted in 2006. This law establishes the framework for how personal data is handled by organizations and individuals within the country.

What is the Federal Law on Personal Data (No. 152-FZ)?

The Federal Law on Personal Data (No. 152-FZ), also known as the Russian Data Protection Law, is the primary legislation governing the collection, processing, storage, and transfer of personal data in Russia. It was initially enacted in 2006 and has undergone numerous amendments since then, the most recent being in February 2023.

Who does the law apply to?

The Federal Law on Personal Data applies broadly to any entity, both individuals and organizations, who handle personal data of Russian citizens, regardless of their location. This means the law extends to:

Individuals: If you collect, process, or store personal data of Russian citizens in your personal capacity, you are subject to the law. This might include, for example, sharing contact information of other residents on a community forum or running a small online business that handles customer data.
Organizations: This encompasses everything from small businesses and startups to large corporations. Any organization, regardless of its size or industry, that collects, processes, or stores personal data of Russian citizens needs to comply with the law. This includes data collected through websites, apps, customer interactions, employee records, and more.
Foreign organizations: Even if you are not based in Russia, the law applies to you if you handle personal data of Russian citizens. This means you need to ensure your data practices comply with the law, regardless of your own country's data protection regulations.

Therefore, the scope of the law reaches a wide range of individuals and organizations involved in any way with the handling of personal data belonging to Russian citizens.

What is personal data under the law?

The Federal Law on Personal Data defines personal data as any information that can be used to directly or indirectly identify a specific individual. This broad definition encompasses a wide range of data points, including:

Basic identifiers: Name, surname, patronymic (middle name), date of birth, place of birth, address, phone number, email address, passport number, social security number
Physical and biometric characteristics: Gender, race, ethnicity, nationality, hair color, eye color, height, weight, fingerprints, DNA
Professional and financial information: Job title, education level, employment history, salary, bank account information, investment records, property ownership
Online and digital data: IP address, device ID, cookie data, browsing history, search queries, social media activity, location data

It's important to note that even indirectly identifiable information is considered personal data under the law. This means that seemingly anonymous data could be combined with other information to identify an individual. For example, a combination of IP address, browsing history, and location data could be used to identify a specific person.

What are the special categories of personal data?

The Federal Law also recognizes and regulates special categories of personal data requiring stricter protection. The special categories listed in the law essentially serve the same purpose as sensitive data in other privacy frameworks.

Here are the special categories of personal data under the Russian law:

Biometric data: This includes fingerprints, DNA, iris scans, voice recordings, and other unique physical characteristics used for identification.
Racial or ethnic origin: This includes information about a person's race, ethnicity, or national origin.
Political opinions: This includes information about a person's political beliefs or affiliations.
Religious or philosophical beliefs: This includes information about a person's religious or philosophical beliefs.
Trade union membership: This includes information about a person's membership in a trade union.
Health data: This includes information about a person's physical or mental health, medical history, and genetic data.
Sex life: This includes information about a person's sexual orientation or sexual behavior.

Processing of these special categories is heavily restricted and requires:

Explicit consent from the individual, except in specific cases like legal requirements or protecting someone's life or health.
Additional organizational and technical measures to ensure the security and confidentiality of the data.
Notification to the regulatory body (Roskomnadzor) in certain situations.

Therefore, despite not being explicitly called "sensitive data," these special categories in the Russian law receive similar protections and restrictions as sensitive data in other jurisdictions.

Additionally:

The law also regulates personal data relating to a person's criminal record and alleged criminal offences. This data is subject to similar restrictions and protections as the special categories.
Government-issued identification numbers like social security numbers are considered personal data and require appropriate safeguards during processing.

Overall, the Russian data protection law, through its special categories and additional regulations, provides an extensive framework for safeguarding sensitive personal information. Organizations handling such data need to be aware of these requirements and implement appropriate measures to comply with the law.

In the Russian data protection law, consent plays a crucial role in legitimizing the processing of personal data. However, consent under the law has specific requirements and limitations that organizations must understand to handle data lawfully.

Voluntary and specific: Consent must be freely given, not obtained through coercion or undue influence. The individual must specifically understand what data is being collected and processed, for what purpose, and by whom.
Informed: The organization seeking consent must provide clear and comprehensive information about the data processing, including:
- The scope of personal data being collected.
- The purpose of processing the data.
- The intended recipients of the data.
- The individual's rights regarding their data, such as access, rectification, and erasure.
Explicit and documented: Consent must be obtained explicitly, typically through a written document or electronic confirmation. Documenting the consent helps ensure proof and traceability in case of future disputes.
Revocable: Individuals have the right to withdraw their consent at any time, and organizations must provide a simple and accessible method for doing so.

While consent is the primary legal basis for processing personal data in Russia, the law allows for a few exceptions where consent is not necessary:

Fulfilling a legal obligation: Organizations can process data without consent when required by law, such as fulfilling tax obligations or complying with court orders.
Protecting the vital interests of the individual or another person: This allows data processing necessary to protect someone's life or health in emergency situations.
Performing a contract or public function: Data processing can be justified when necessary to fulfill a contract with the individual or when carrying out a public function assigned to the organization by law.
Legitimate interests of the data operator or a third party: Under certain conditions, organizations can process data based on their legitimate interests, such as improving their services or preventing fraud. However, this must not unfairly prejudice the interests or rights of the individual.

Managing consent under the Russian data protection law (Federal Law No. 152-FZ) requires following specific procedures and implementing appropriate technical and organizational measures. Here are some key steps to consider:

Understand the Requirements:
- Clearly identify the personal data you collect and the purposes for which you process it.
- Determine whether consent is the necessary legal basis for processing each type of data and for each purpose.
- If consent is required, review the specific rules that apply for informed, voluntary, and documented consent.
Design a Consent Mechanism:
- Choose a clear and transparent way to present consent requests, such as a written form, online checkbox, or pop-up notification.
- Ensure the request contains all the required information about the data processing, including its purpose, data categories, rights of the individual, and contact details for questions.
- Use plain language and avoid technical jargon to make the information easily understandable.
Obtain Consent:
- Make sure individuals can freely choose to agree or disagree without pressure or undue influence.
- Offer separate consent options for different purposes or data categories, allowing granular control over how their data is used.
- Record the consent explicitly through a signature, checkbox tick, or electronic confirmation.
Manage Consent Records:
- Maintain a secure and centralized repository for all consent records.
- Develop a system for easily retrieving and verifying consent for specific datasets and processing activities.
- Include procedures for updating or withdrawing consent based on the individual's request.
Implement Technical Measures:
- Use secure technologies to collect and store consent data, such as encryption and access controls.
- Implement audit trails to track the consent process and prevent unauthorized modifications.
- Regularly review and update your systems and procedures to comply with the latest legal requirements and best practices.

What the data subject rights under the law?

Under the Russian data protection law, data subjects are granted several rights to control and protect their personal information. Here are the key data subject rights under Russian data protection law:

Right to Information and Access (Article 14): Data subjects have the right to know about the processing of their personal data. Data controllers are obliged to provide information about the processing purposes, the source of the data, the methods of processing, and details about third parties with whom the data may be shared.
Right to Consent (Article 9): Data subjects' consent is required for the processing of their personal data, except in cases stipulated by law. Consent must be voluntary, specific, and informed, and data subjects have the right to withdraw their consent at any time.
Right to Rectification (Article 16): Data subjects have the right to request the rectification of inaccurate or incomplete personal data held by data controllers. Data controllers must take measures to correct the data in a timely manner.
Right to Deletion (Right to be Forgotten) (Article 17): Data subjects have the right to request the deletion of their personal data when the processing is no longer necessary, or when the data subject withdraws their consent. Data controllers must comply with such requests unless there are legal grounds for the data's retention.
Right to Restriction of Processing (Article 18): Data subjects can request the restriction of processing in certain cases, such as disputing the accuracy of the data or objecting to processing. During the restriction period, data controllers are allowed to store the data but not process it further.
Right to Data Portability (Article 20.1): Data subjects have the right to receive their personal data in a structured, commonly used, and machine-readable format. They may also request the transfer of their data to another data controller.
Right to Object (Article 21): Data subjects can object to the processing of their personal data, including processing for direct marketing purposes. Data controllers must cease processing the data unless there are legitimate grounds that override the interests, rights, and freedoms of the data subject.
Automated Decision-Making and Profiling Rights (Article 22): Data subjects have the right not to be subject to decisions based solely on automated processing, including profiling, that significantly affect their rights and freedoms.
Right to Complain to the Data Protection Authority (Roskomnadzor) (Article 22.1): Data subjects can file complaints with the Russian data protection authority, Roskomnadzor, if they believe that their rights under the law have been violated.

These rights collectively aim to empower individuals and ensure the fair and lawful processing of their personal data in accordance with Russian data protection legislation. Organizations handling personal data in Russia are obligated to respect and uphold these rights to maintain compliance and protect the privacy of data subjects.

What are the legal bases for processing personal data under the law?

The Russian data protection law outlines several legal bases for processing personal data, empowering organizations to collect and handle data while respecting individual privacy rights. Understanding these bases is crucial for organizations operating in Russia or handling data of Russian citizens.

Consent: Most common, but must be informed and freely given.
Legal Obligations: Fulfilling legal requirements like taxes or court orders.
Vital Interests: Protecting someone's life or health in emergencies.
Contracts or Public Functions: Processing data necessary for contracts or assigned public duties.
Legitimate Interests: Defined interests that don't unfairly affect individual privacy.

Regardless of the chosen legal basis, organizations must always ensure responsible data handling, implement appropriate security measures, and respect individuals' data subject rights under the law.

What security measures are required to protect personal data?

The Russian Federal Law emphasizes the importance of data security and requires organizations to implement appropriate organizational and technical measures to protect personal data from unauthorized access, destruction, modification, blocking, copying, provision, distribution, or any other unlawful actions.

The specific security measures required will depend on the nature, scope, and sensitivity of the personal data being processed. Organizations should adopt a layered approach to security, implementing a combination of organizational and technical measures to ensure comprehensive protection. It's also crucial to regularly review and update security practices to keep pace with evolving threats and technological advancements.

Can personal data be transferred outside of Russia?

The transfer of personal data outside of Russia is subject to certain restrictions and requirements under the Federal Law on Personal Data. It's not a complete ban, but organizations need to ensure they comply with the specific regulations before transferring data across borders.

Generally, cross-border transfers are allowed. In principle, organizations can transfer personal data of Russian citizens outside of Russia, but they must meet certain conditions and requirements. However, there must be a legal basis for processing the data within Russia before it can be transferred. This means ensuring consent or another valid legal basis (e.g., fulfilling legal obligations) exists for handling the data domestically.

The country receiving the data must provide an adequate level of protection for personal data. This can be achieved through various mechanisms:

Adequacy decisions: The Russian data protection authority (Roskomnadzor) can issue adequacy decisions for specific countries, recognizing their data protection laws as offering equivalent protection to those in Russia.
Standard contractual clauses: Organizations can use pre-approved standard contractual clauses adopted by the Russian government or the European Commission to ensure adequate protection in the receiving country.
Binding corporate rules: For multinational companies, binding corporate rules approved by Roskomnadzor can be used to regulate data transfers within the group.

Additionally, in certain cases, organizations must notify the Russian DPA (Roskomnadzor) before transferring personal data outside of Russia. This typically applies to transfers involving sensitive data or large data volumes. Regardless of the chosen mechanism, organizations remain responsible for ensuring the security of personal data throughout the transfer process. This includes implementing appropriate technical and organizational measures to protect the data from unauthorized access, loss, or damage.

Is a Data Protection Officer (DPO) required?

Whether a Data Protection Officer (DPO) is mandatory under the Russian data protection law depends on the specific circumstances of the organization.

It is mandatory to appoint a DPO if your organization is a legal entity (e.g., company, non-profit, etc.). This applies regardless of the size or type of your organization or the amount of personal data you process.

It is optional for you to appoint a DPO if you operate as an individual entrepreneur. However, it is still recommended for organizations handling large amounts of sensitive personal data or engaging in high-risk processing activities.

Is a Data Protection Impact Assessment (DPIA) required?

While Russian data protection law does not specifically require a DPIA, it emphasizes the need for data controllers to implement appropriate security measures and safeguards to protect personal data. The law generally outlines the obligations of data controllers in terms of ensuring the security and confidentiality of personal data, obtaining consent, and adhering to the principles of necessity and proportionality.

How to handle data breach and data breach notifications?

Handling a data breach and managing data breach notifications are critical aspects of data protection and are often subject to legal requirements. In the context of Russian data protection law, here is a general guide on how to handle a data breach and the steps involved in data breach notifications:

Initial Response:
- Identify the breach: Determine the nature, scope, and potential impact of the breach, including the types of personal data affected and the number of individuals involved.
- Contain the breach: Take immediate steps to stop the unauthorized access or disclosure of data, such as isolating affected systems, changing passwords, and patching vulnerabilities.
- Assemble a response team: Gather key personnel, including IT security, legal, communications, and senior management, to coordinate the response.
Investigation:
- Investigate the cause: Conduct a thorough investigation to determine the root cause of the breach and identify any vulnerabilities that need to be addressed.
- Assess the impact: Evaluate the potential harm to individuals whose data was compromised, considering the sensitivity of the data and the likelihood of misuse.
- Preserve evidence: Secure and preserve any evidence related to the breach for potential legal or regulatory investigations.
Notification:
- Roskomnadzor: Notify the Russian data protection authority (Roskomnadzor) within 24 hours of discovering the breach, providing details about the nature of the breach, the categories of data affected, and the number of individuals involved.
- Affected individuals: Notify individuals whose personal data was compromised without undue delay, providing clear and concise information about the breach, its potential consequences, and measures they can take to protect themselves. The notification should be made in a way that is accessible to the individuals, such as through email, letter, or public announcement.
Remediation:
- Remediate vulnerabilities: Take steps to address the vulnerabilities that led to the breach and strengthen security measures to prevent future incidents.
- Monitor for further risks: Continue to monitor systems and networks for any signs of further unauthorized access or data compromise.
Documentation and Review:
- Document the breach: Thoroughly document all aspects of the breach, including the initial response, investigation, notification, and remediation actions.
- Review and update policies: Review and update data security policies and procedures to reflect lessons learned from the breach and ensure ongoing compliance with the law.

Enforcement and penalties under the Russian law

The Russian Data Protection Law contains a series of enforcement mechanisms and penalties to ensure compliance with its provisions. These actions serve to deter violations, punish non-compliance, and incentivize organizations to handle personal data responsibly.

Enforcement Mechanisms

Roskomnadzor investigations: The Federal Service for Supervision in the Sphere of Telecom, Information Technologies and Mass Communications (Roskomnadzor) is the primary regulatory body responsible for enforcing the law. It can conduct inspections, request information, and order corrective actions if it suspects non-compliance.
Administrative fines: For violations of the law, Roskomnadzor can impose significant administrative fines. The amount of the fine depends on the specific violation, the nature and scope of the data involved, and the organization's history of compliance. Fines can range from 10,000 rubles (approximately $130) to 18 million rubles (approximately USD 230,000) for legal entities and up to 300,000 rubles (approximately USD 4,000) for individual entrepreneurs.
Suspension of data processing: In severe cases, Roskomnadzor can order the suspension of data processing activities until the organization addresses the violation. This can have significant consequences for organizations that rely on data processing for their operations.
Blocking of websites: For online violations, Roskomnadzor has the authority to block websites and online content deemed to be in breach of the law. This can have a serious impact on the online visibility and commercial activities of organizations.
Criminal liability: In rare cases, individuals responsible for intentional and significant violations of the data protection law could face criminal charges, including fines or imprisonment.

Penalties for Specific Violations

Failure to appoint a Data Protection Officer (DPO) when mandatory: fine of up to 50,000 rubles (USD 650).
Failure to notify Roskomnadzor of a data breach within 24 hours: fine of up to 3 million rubles (USD 39,000).
Processing personal data without consent or a valid legal basis: fine of up to 300,000 rubles (USD 4,000) for individual entrepreneurs and up to 6 million rubles (USD 78,000) for legal entities.
Transferring personal data outside of Russia without authorization: fine of up to 1 million rubles (USD 13,000).

By taking these steps, organizations can avoid costly penalties and build trust with individuals regarding their personal data handling practices.

Recent developments under the Russian law

Here are the recent developments in the Russian data protection landscape as of October 26, 2023:

Draft Amendments to the Data Protection Law

In June 2023, the Russian government published draft amendments to the Data Protection Law for public discussion. These proposed changes include:

Expanding the scope of the law: Bringing new categories of personal data and data processing activities under its purview.
Strengthening data subject rights: Granting individuals additional rights, such as the right to object to profiling and automated decision-making, and the right to data portability across platforms.
Introducing new obligations for data controllers: Requiring data controllers to implement data minimization practices, conduct regular data privacy impact assessments, and appoint data protection officers in certain cases.
Heightening penalties for non-compliance: Significantly increasing the fines for data breaches and other violations.

The public consultation period for these draft amendments ended in September 2023. The government is currently reviewing the feedback received and is expected to finalize the amendments in the coming months.

Roskomnadzor's Increased Activity

The Russian data protection authority, Roskomnadzor, has become more active in enforcing the law and investigating potential violations. In recent months, it has:

Imposed fines on several companies: For non-compliance with data protection requirements, including failure to notify Roskomnadzor of data breaches and lack of proper data security measures.
Blocked websites and online content: For violations involving personal data processing and content deemed harmful.
Issued guidance and clarifications: On various aspects of the data protection law, such as the requirements for cross-border data transfers and the use of facial recognition technology.

This increased activity from Roskomnadzor highlights the importance of organizations complying with the data protection law to avoid penalties and reputational damage.

Emerging Legal Challenges

Several legal challenges are currently playing out in Russia regarding data protection, including:

The use of facial recognition technology: There is ongoing debate about the legality and ethical implications of using facial recognition in public spaces and for commercial purposes.
The localization of personal data: The requirement for certain types of personal data to be stored on servers located within Russia is facing challenges from businesses and international organizations.
The potential for conflict with other laws: There are concerns that the data protection law may conflict with other laws and regulations, such as those related to national security and law enforcement.

These legal challenges are likely to shape the future of data protection in Russia and will require careful monitoring by organizations operating in the country.

Complying with Secure Privacy

At Secure Privacy, we understand the critical importance of data protection and compliance with the Federal Law No. 152-FZ for businesses operating in Russia or handling data of Russian citizens. Our comprehensive privacy management platform empowers organizations to meet the stringent requirements of this law effectively.

By choosing Secure Privacy, you can:

Streamline compliance efforts: Simplify data localization, manage data subject requests, and automate reporting processes.
Mitigate risks: Minimize the potential for fines and penalties through proactive data security measures and breach notification support.
Demonstrate commitment: Show your dedication to data privacy and build trust with Russian customers and regulators.

Our platform is your trusted partner in navigating the complexities of the Russian data protection law. Schedule a call today to learn more about how Secure Privacy can elevate your organization's data protection practices.