n this browser, the site may not be displayed correctly. We recommend that You install a more modern browser.

Chrome Safari Firefox Opera IE  
GORODISSKY & PARTNERS 
PATENT AND TRADEMARK
ATTORNEYS IP LAWYERS since 1959
 
print version

Data protection in the Russian Federation: overview

6 August 2018

This Q&A guide gives a high-level overview of data protection rules and principles, including obligations on the data controller and the consent of data subjects; rights to access personal data or object to its collection; and security requirements. It also covers cookies and spam; data processing by third parties; and the international transfer of data. This article also details the national regulator; its enforcement powers; and sanctions and remedies.

To compare answers across multiple jurisdictions, visit the Data protection Country Q&A tool

This article is part of the global guide to data protection. For a full list of contents, please visit global.practicallaw.com/dataprotection-guide

Regulation

Legislation

1. What national laws regulate the collection and use of personal data?

General laws

The main provisions of data protection and privacy law can be found in the:

  • Strasbourg Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data 2005 (Strasbourg Convention).
  • Russian Constitution 1993 (Articles 23 and 24).
  • Federal Law No. 149-FZ on Information, Information Technologies and Data Protection 2006 (Data Protection Act).
  • Federal Law No. 152-FZ on Personal Data 2006 (Personal Data Protection Act).

The principal law in this area is the Personal Data Protection Act.

Sectoral laws

Data protection-specific provisions can also be found in various sectoral laws, for example, the:

  • Russian Labour Code (Chapter 14).
  • Russian Air Code (Article 85.1).
  • Federal Law No. 323 on the Fundamentals of Protection of the Health of Citizens in the Russian Federation.

There are also certain local administrative regulations and official requirements that regulate the collection, storage and use of personal data, issued by the:

  • Russian President.
  • Russian Government.
  • Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor).
  • Federal Service for Technical and Export Control (FSTEC).
  • Federal Security Service (FSS).

Scope of legislation

2. To whom do the laws apply?

Data protection laws apply to all data operators and third parties acting under the authorisation of data operators.

Russian data protection laws do not contain the concepts of "data controller" and "data processor". However, the Personal Data Protection Act does refer to the concepts of "data operator" and "person acting under the instructions" of the data operator.

A data operator can be a state or municipal body, legal or physical person that both:

  • Organises and/or carries out (alone or jointly with other persons) the processing of personal data.
  • Determines the purposes of personal data processing, the content of personal data, and the actions (operations) related to personal data.

The data processing can be delegated to a third party, subject to the data subject's consent, who will be acting under the authorisation of the data operator on the basis of the corresponding agreement, or by operation of a special state or municipal act.

3. What data is regulated?

Data protection laws regulate all personal data processed by data operators or third parties. Personal data is any information directly or indirectly related to an identified or identifiable individual (data subject).

Russian data protection legislation does not distinguish between direct personal data and indirect personal data. Therefore, personal data will be regarded as "direct" or "indirect" depending on the facts of each case.

4. What acts are regulated?

Data protection laws apply to all acts of data processing, including collection, recording, systematisation, accumulation, storage, alteration (update, modification), retrieval, use, transfer (dissemination, provision, access), anonymisation, blocking, deletion or destruction of data. Electronic (automated) and manual (non-automated) records of personal data, and mixed data processing, are subject to the data protection legislation.

5. What is the jurisdictional scope of the rules?

Data protection laws do not contain any express provisions regarding their jurisdictional or territorial effect. Therefore, it is generally presumed that the national data protection rules apply to:

  • Data processing that occurs in, or is targeted at Russia.
  • The collection, storage and use of personal data of Russian citizens (data subjects).

This is regardless of where the data operators are established and located.

In the context of cross-border data flow, the national data protection legislation can also be applied to a certain extent if a Russian individual is a party to a data transfer or user agreement, or consents to the processing of her/his personal data by a foreign data operator.

What are the main exemptions (if any)?

Data protection laws do not apply to the following actions:

  • Processing of personal data by individuals solely for personal and family needs (provided the rights of data subjects are not infringed).
  • Organisation of storage, collection, recordation and use of archived documents containing personal data in accordance with the national laws on archive funds and matters.
  • Processing of personal data that can be referred to as state secrecy data.
  • Submission by the competent authorities of data related to the activities of courts in Russia in accordance with the relevant court legislation.

Notification

7. Is notification or registration required before processing data?

A data operator that is processing personal data must notify Roskomnadzor before it starts to process personal data. The notification can be submitted by the data operator on paper or electronically.

The notification must contain the following information:

  • The name and address of the data operator.
  • The purposes of processing of the personal data.
  • The categories of personal data.
  • The categories of data subjects whose data is being processed.
  • The list of consented actions in relation to personal data, and a general description of the methods of data processing used by the data operator.
  • The description of IT systems and security measures (including encryption).
  • The name and contact details of the data protection officer.
  • The start date of processing of the personal data.
  • The duration of processing or the conditions for terminating the processing of personal data.
  • Information on cross-border data transfer.
  • The location of the database that will contain the personal data of Russian individuals (see Question 21).

Roskomnadzor will register the data operator within 30 days of the date of receipt of the corresponding notification (in the absence of any further questions or enquiries). The information listed above (except the description of the data operator's IT systems and corresponding security measures) becomes publicly available once included in the register. Roskomnadzor maintains a register of data operators based on the information that is contained in the notifications it receives. The register of data operators is public and can be found in Russian, see http://rkn.gov.ru/personal-data/register.

The notification/registration requirement applies to any data operator that is involved in the processing of different categories of personal data inside or outside the territory of Russia (or processing personal data of Russian citizens) and uses its internal IT system or database subject to the data protection legislation. However, a data operator may be exempted from this statutory requirement and able to process personal data without notification/registration in certain circumstances. For example, where the personal data:

  • Is only processed under labour law.
  • Has been received by the data operator in connection with a contract with a data subject (individual), provided that the personal data:
    • is not transferred to third parties without the individual's consent;
    • is only used to perform the contract or to enter into further contracts with the individual.
  • Relates to a certain type of processing by a public association or religious organisation acting under the applicable laws, provided that the personal data is not distributed or disclosed to third parties without the data subject's consent.
  • Has been made publicly available by the data subject.
  • Consists only of the surname, first name and patronymic of the data subject.
  • Is necessary for granting the data subject one-time access into the premises where the data operator is located.
  • Is included in IT systems that have acquired the status of state computer IT systems under the applicable laws, or in state IT systems created for the purposes of state security and public order.
  • Is processed without the use of automated systems under the applicable laws subject to compliance with the rights of the data subject.
  • Is processed in accordance with the laws and regulations relating to transport security.

Notification and registration do not require the payment of any official fee.

Main data protection rules and principles

Main obligations and processing requirements

8. What are the main obligations imposed on data controllers to ensure data is processed properly?

The main obligations imposed on data operators to ensure that personal data is processed properly are as follows:

  • Defining the categories of personal data, the purposes of data processing and the duration of processing.
  • Obtaining the data subject's consent (unless otherwise provided by law).
  • Appointing a data protection officer, adopting a data protection policy (and other required documents) and taking other appropriate security (especially legal, technical and organisational) measures to prevent unauthorised/unlawful data processing and breach of the data protection legislation.
  • Locating the data centre or data server in the territory of Russia, if data of Russian individuals is to be processed by the data operator (see Question 21).
  • Notifying Roskomnadzor for the purposes of registration (unless otherwise provided by law) (see Question 7).

9. Is the consent of data subjects required before processing personal data?

In most cases, the data subject's consent will be required before processing personal data. The data subject's consent must be specific, informed and wilful.

Unless otherwise provided by law, the data subject's consent can be obtained in any form, including online. Where the law requires the data subject's consent to be given in writing (for example, for biometric data processing), implied or inferred consent will not be regarded as valid.

E-signatures are allowed and can be used in accordance with the provisions of the applicable law on digital signatures, if the data subject's consent constitutes an electronic form of the consent document.

The data operator has the burden of proof that the data subject's consent has been received.

There is no prescribed or approved form of consent. However, the Personal Data Protection Act specifies the information that must appear in the written consent of the data subject:

  • First name, middle name, surname and address of the data subject, ID number (for example, passport number), date of issue of the ID and issuing authority.
  • First name, middle name, surname and address of the representative of the data subject, number of the ID (for example, passport), date of issue of the ID and the issued authority, details of the power of attorney or other applicable document (if the consent has been given by the data subject's representative).
  • First name, middle name, surname and address of the data operator.
  • Purpose of the data processing.
  • List of consented personal data.
  • First name, middle name, surname and address of any third party that is processing the personal data under the authorisation of the data operator.
  • List of consented actions in relation to personal data, and a general description of the methods of data processing used by the data operator.
  • Duration of data subject's consent, and method of its revocation.
  • Signature of the data subject.

A minor's personal data can be processed with the consent of a lawful representative.

10. If consent is not given, on what other grounds (if any) can processing be justified?

The processing of personal data without the data subject's consent can be justified in certain circumstances. For example, if data processing is required for:

  • Purposes defined by an international treaty or under Russian law.
  • Certain judicial purposes.
  • The performance of certain powers by the federal authorities that provide state and municipal services.
  • An agreement with the data subject or an agreement where the data subject is the beneficiary or guarantor.
  • The protection of life, health or other vital interests of the data subject.
  • The protection of the data operator's or third parties' rights and interests, or for public purposes, provided there are no breaches of the rights and freedoms of the data subject.
  • Professional journalistic, media, scientific, literary or other creative activities, provided there are no breaches of the rights and freedoms of the data subject.
  • Statistical or other scientific purposes (provided the relevant personal data has been made anonymous).
  • The processing of data that has been made publicly available by the data subject at his/her request.
  • Mandatory publication or disclosure in accordance with the applicable law.

Special rules

11. Do special rules apply for certain types of personal data, such as sensitive data?

Under the Personal Data Protection Act, sensitive data refers to any information that relates to nationality, racial or ethnic origin, political opinions, religious or philosophical beliefs and the state of a person's health or sex life. Sensitive data can only be processed if the:

  • Data subject has provided his/her written consent to the data processing.
  • Personal data has been made publicly available by the data subject.
  • Processing is required under an international treaty of Russia on re-admission (for example, the return of immigrants to the country).
  • Processing is performed for the all-Russian population census.
  • Processing is performed under the relevant laws on social support, employment or pensions.
  • Processing is required for the protection of the life, health or vital interests of the data subject or other individuals, provided that it is impossible to obtain the data subject's consent.
  • Processing is made by a person who is engaged in various medical activities for certain medical purposes, provided the processing is carried out by a professional subject to medical confidentiality.
  • Processing is performed by public societies or religious organisations in relation to the personal data of their members for the purposes defined by their articles of incorporation, provided the personal data is not transferred to third parties without the data subject's written consent.
  • Processing is required for the establishment or enforcement of rights of the data subject or third parties, or for the administration of justice.
  • Processing is made in accordance with Russian legislation on state defence, security, anti-terrorism, transport safety, anti-corruption, law enforcement, execution, criminal investigation and prosecution.
  • Processing is made by the prosecutors' offices in the context of special prosecution enforcement.
  • Processing is made under the insurance legislation.
  • Processing is made by state authorities, municipal agencies or organisations for the purposes of child adoption.
  • Processing is made in accordance with the applicable laws on citizenship.

The processing of sensitive personal data (where it is permitted by the law) will be terminated immediately if the reasons for the processing no longer exist.

Rights of individuals

12. What information should be provided to data subjects at the point of collection of the personal data?

At the point of collection of the personal data, the data subject must be provided with the following information:

  • The purpose of data collection/processing.
  • The volume of data collection/processing.
  • The term of data collection/processing.
  • Details of the data operator (or any third party acting under the data operator's authorisation).
  • Other information provided by law.

13. What other specific rights are granted to data subjects?

The data subject has the right to access the data being processed by the data operator and the right to receive information related to data processing, including:

  • Confirmation of the data processing by the data operator.
  • The legal grounds and purposes of data processing.
  • The methods and purposes of data processing used by the data operator.
  • The name and location of the data operator, and information on the persons (except for employees) who have access to the personal data or to whom personal data may be disclosed under the agreement with the data operator or under the law.
  • The duration of data processing, including the duration of storage of personal data.
  • Information on any completed or prospective cross-border data transfer.
  • Other information provided by the Personal Data Protection Act and other laws.

In addition, the data subject has the right to:

  • Data correction and blockage.
  • Object to data processing.
  • Object to direct marketing.
  • Object to decisions being made solely on the basis of automated data processing.
  • Complain about the actions or omissions of the data operator and claim compensation of losses, including moral damages.

14. Do data subjects have a right to request the deletion of their data?

Data subjects can request the deletion of their personal data if the data is:

  • Incomplete.
  • Out of date.
  • Inaccurate.
  • Unlawfully obtained.
  • Not necessary for the declared purposes of data processing.

Security requirements

15. What security requirements are imposed in relation to personal data?

The data operator must take necessary and sufficient protective measures to comply with data protection legislation, including the following:

  • Appointing a data protection officer.
  • Adopting a data protection policy and other documents, including local/corporate rules, intended for the prevention and detection of breaches of the data protection legislation.
  • Implementing the relevant legal, organisational and technical security measures.
  • Performing internal controls and/or audits to ensure data processing compliance with the data protection legislation and the data operator's policy, documents and/or local rules.
  • Evaluating the damages that may be caused to data subjects in the event of a breach of data protection legislation.
  • Disclosing the relevant provisions of the data protection legislation and data protection requirements that define its policy, documents and/or local rules to its employees.

In any event, the data operator must take the necessary legal, organisational and technical measures for the protection of personal data against any unauthorised/illegal or accidental access, destruction, modification, blocking, copying, provision, or distribution, as well as against any other unauthorised actions with regard to personal data. Additional security measures can be established by:

  • Locating security threats in the course of processing personal data in the relevant IT systems.
  • Providing the appropriate level of protection of processing of personal data in the relevant IT systems.
  • Applying different certified methods of protection of personal data (including encryption).
  • Evaluating the efficiency of security measures (before the implementation of any security measures).
  • Recording any computer media that contains personal data.
  • Revealing unauthorised access to personal data.
  • Retrieving personal data that has been modified or destroyed due to unauthorised access.
  • Adopting rules governing access to personal data being processed in the relevant IT systems, the registration and recording of all actions related to personal data in the relevant IT systems, control over security measures regarding personal data, and the level of protection of the relevant IT systems.

16. Is there a requirement to notify personal data security breaches to data subjects or the national regulator?

There is generally no legal requirement to report data breaches to data subjects or to Roskomnadzor.

When locating or detecting unauthorised processing of personal data, the data operator (or the relevant authorised person) must terminate the processing within three business days.

If it is not possible to convert unauthorised personal data processing into a lawful processing, the data operator must destroy the personal data within ten business days.

Following the termination of processing of personal data or destruction of personal data, the data operator must notify the data subject (or its representative).

If the request for termination or destruction was made by Roskomnadzor, the notification must be sent to Roskomnadzor.

Processing by third parties

17. What additional requirements (if any) apply where a third party processes the data on behalf of the data controller?

The data subject must consent to the transfer of personal data to third parties. Third parties are subject to the same legal requirements and obligations as data operators and must comply with the data processing rules defined by law. The data operator will be liable for all acts or omissions of third parties acting under its authorisation, while the respective third parties will be liable to the data operator for any data breach.

Electronic communications

18. Under what conditions can data controllers store cookies or equivalent devices on the data subject's terminal equipment?

The law does not define "cookies". There are also no official guidelines from Roskomnadzor (or other state agency) on the use, application or distribution of cookies.

Under the Data Protection Act, a person distributing information must provide the addressee with the explicit option of rejecting the information (when using a method that allows for the identification of the addressee), including when sending regular postal messages and electronic messages. Therefore, it is generally presumed that all types of cookies require the opt-in consent of the data subject (in the absence of more specific legislation on this point).

19. What requirements are imposed on the sending of unsolicited electronic commercial communications (spam)?

Unsolicited electronic commercial communications (spam) are not allowed in Russia. Such communications can only be sent with the addressee's prior consent and must be immediately stopped on his/her request. Failure to comply with these requirements can lead to different types of liability, including administrative liability.

International transfer of data

Transfer of data outside the jurisdiction

20. What rules regulate the transfer of data outside your jurisdiction?

Article 12 of the Personal Data Protection Act regulates cross-border data flows. In the event of an international transfer of personal data, all data operators must ensure (before the transfer is made) that the rights and interests of the respective data subject are fully protected in an adequate manner in the corresponding foreign country. All countries that are signatories to the Strasbourg Convention are considered to be jurisdictions that provide "adequate protection" of the rights and interests of data subjects. In addition, Roskomnadzor has adopted an official list of countries (including Australia, Argentina, Canada, Israel, Mexico and New Zealand) that secure an adequate protection level for the purposes of cross-border transfers of personal data.

International data transfer to any jurisdiction with the adequate protection level is not subject to any restriction, provided that the consent of the respective data subject has been received.

Cross-border transfers of personal data to countries that do not provide a level of adequate protection are only permitted if the:

  • Written consent of the respective data subject has been received.
  • Cross-border data transfer is allowed under an international treaty that Russia is a party to.
  • Cross-border data transfer is allowed under applicable laws as necessary for the purposes of:
    • protecting the Russian constitutional system;
    • protecting the national state defence and state security;
    • securing the maintenance of the Russian transportation system, and protecting the interests of individuals, society and the state in the transportation sector from illegal intrusion.
  • Cross-border data transfer is made for the performance of a contract to which the data subject is a party to.
  • Cross-border data transfer is required to protect the data subject's life, health or other vital interests and it is impossible to obtain his/her prior consent in writing.

Typically, companies that are acting as data operators will check for the adequate protection level of data protection before transferring any personal data abroad. In addition, companies will obtain written consent from the respective data subjects or execute international data transfer agreements with the respective data subjects. Following these steps, companies will proceed with cross-border data transfers in accordance with their internal corporate rules or policies (as applicable).

21. Is there a requirement to store (certain types of) personal data inside the jurisdiction?

On 21 July 2014, the President of the Russian Federation signed Federal Law No. 242-FZ on Amendments to Certain Legislative Acts of the Russian Federation for Clarification of Personal Data Processing in Information and Telecommunication Networks (New Data Protection Law), which became effective on 1 September 2015.

The New Data Protection Law amends the Personal Data Protection Act mainly through the introduction of:

  • Certain new obligations for data operators with regard to the collection, storage and processing of personal data of Russian citizens (individuals).
  • A new mechanism for Roskomnadzor to block websites and online resources that illegally process the personal data of Russian citizens (individuals).

Specifically, the New Data Protection Law introduces an obligation on all data operators to ensure the recording, systematisation, accumulation, storage, change and extraction of personal data of Russian citizens with the use of data centres located in the territory of the Russian Federation in the course of collection of relevant personal data of individuals, including via the internet. This means that any personal data of Russian citizens collected by data operators must be stored in servers, IT systems, databases or data centres located in Russia.

The New Data Protection Law does not expressly stipulate this, but the requirement is interpreted as prohibiting the storage of personal data of Russian citizens outside Russia (without locating the personal data of Russian citizens in Russia at first). Therefore, through a literal interpretation of the New Data Protection Law, local and foreign companies (data operators) must process or organise the processing of personal data of Russian citizens in Russia in the first place, subject to compliance with all other general requirements of the data protection legislation.

In general, the New Data Protection Law does not:

  • Prohibit access to servers, IT systems or data centres that are located within the Russian territory from abroad.
  • Impose any special restrictions on the subsequent transfers, including cross-border transfers, of personal data related to Russian citizens.
  • Prohibit the duplication of personal data of Russian citizens onto foreign databases or servers.
Data transfer agreements

22. Are data transfer agreements contemplated or in use? Have any standard forms or precedents been approved by national authorities?

Data transfer agreements are not specifically regulated by the law, but they are widely used in practice, especially when foreign parties are involved. Roskomnadzor has not adopted a standard form of data transfer agreement. Therefore, any data transfer agreement will be drafted in accordance with the specific circumstances and executed by the parties under the basic principle of freedom of contact.

23. Is a data transfer agreement sufficient to legitimise transfer, or must additional requirements (such as the need to obtain consent) be satisfied?

A data transfer agreement is generally sufficient to legitimise the international transfer of personal data, provided the data subject's consent is expressly stated in, or attached to, such agreement. In certain instances, data transfer agreements will be executed as trilateral contracts.

In addition, the data operator must notify Roskomnadzor about its right to cross-border data transfer at the time of sending the notification for the purposes of registration.

24. Does the relevant national regulator need to approve the data transfer agreement?

Roskomnadzor does not need to approve or register the data transfer agreement. The data transfer agreement must be executed by the respective data operator, third party and data subject in writing to be effective and enforceable.

Enforcement and sanctions

25. What are the enforcement powers of the national regulator?

Roskomnadzor has certain enforcement powers and is responsible for the following:

  • Sending out requests to individuals/legal entities and obtaining necessary information on data processing.
  • Carrying out inspections and checking the information contained in notifications on the processing of personal data submitted by data operators, or engaging with other state agencies for this specific purpose.
  • Rectifying, blocking or destroying false or illegally-obtained personal data.
  • Limiting access to data that is processed in breach of the data protection legislation (see Question 21).
  • Suspending or terminating the processing of personal data that has been initiated by a breach of data protection legislation.
  • Bringing civil actions before the competent courts for the protection of the rights of data subjects and representing the interests of data subjects before the trial.
  • Filing petitions with the FSTEC, FSS and other state agencies for the purposes of suspending or cancelling relevant licences.
  • Submitting materials to the Prosecutor's Office and other law enforcement agencies for the purposes of commencement of criminal cases for data breaches.
  • Issuing binding orders and bringing guilty parties to administrative liability.

26. What are the sanctions and remedies for non-compliance with data protection laws?

In Russia, non-compliance with data protection laws can be generally punishable with:

  • Civil sanctions (for example, moral damages).
  • Administrative sanctions (for example, administrative fines).
  • Criminal sanctions (for example, imprisonment).

Russian data protection laws have been enforced quite heavily in recent years, and data subjects have sent many complaints to Roskomnadzor. There has also been a growing number of appeals by data operators against the orders and decisions of Roskomnadzor imposing different sanctions on data operators and blocking their internet resources. As a result, national case law and court practice relating to sanctions for non-compliance with Russian data protection laws continues to develop constantly.

Amendments to relevant data protection laws and the Russian Code on Administrative Offences came into force on 1 July 2017, increasing administrative sanctions for data breaches substantially. Data protection breaches have been categorised into the following types of privacy violations, which are subject to the following administrative fines (unless the offence constitutes a crime):

  • Personal data processing in cases not provided by applicable laws and personal data processing incompatible with the processing purposes (a warning can be issued instead of a fine):
    • individuals: RUR1,000 to RUR3,000;
    • individual entrepreneurs: RUR5,000 to RUR10,000;
    • company officers and government officials: RUR5,000 to RUR10,000;
    • companies: RUR30,000 to RUR50,000.
  • Personal data processing carried out without the data subject's written consent in cases where such consent is necessary, or with a written consent that does not meet mandatory requirements:
    • individuals: RUR3,000 to RUR5,000;
    • individual entrepreneurs: RUR10,000 to RUR20,000;
    • company officers and government officials: RUR10,000 to RUR20,000;
    • companies: RUR15,000 to RUR75,000.
  • Failure to publish or provide access to a privacy policy or information on requirements for personal data protection (a warning can be issued instead of a fine):
    • individuals: RUR700 to RUR1,500;
    • individual entrepreneurs: RUR5,000 to RUR10,000;
    • company officers and government officials: RUR3,000 to RUR6,000;
    • companies: RUR15,000 to RUR30,000.
  • Failure to provide an individual information on his/her personal data processing (a warning can be issued instead of a fine):
    • individuals: RUR1,000 to RUR2,000;
    • individual entrepreneurs: RUR10,000 to RUR15,000;
    • company officers and government officials: RUR4,000 to RUR6,000;
    • companies: RUR20,000 to RUR40,000.
  • Failure to satisfy (within the prescribed term) a request on personal data clarification, blocking or destruction (in cases where personal data is incomplete, outdated, imprecise, illegitimately received, or unnecessary for the announced purpose of data processing) (a warning can be issued instead of a fine):
    • individuals: RUR1,000 to RUR2,000;
    • individual entrepreneurs: RUR10,000 to RUR20,000;
    • company officers and government officials: RUR4,000 to RUR10,000;
    • companies: RUR25,000 to RUR45,000.
  • Failure to comply with security requirements while storing tangible media containing personal data, and unauthorised access that results in illegitimate or accidental access to personal data or its destruction, modification, blocking, copying, submission or dissemination:
    • individuals: RUR700 to RUR2,000;
    • individual entrepreneurs: RUR10,000 to RUR20,000;
    • company officers and government officials: RUR4,000 to RUR10,000;
    • companies: RUR25,000 to RUR50,000.
  • Failure of a state or municipal authority to meet the obligation to anonymise personal data or to comply with the anonymisation methods or requirements (a warning can be issued instead of a fine): RUR3,000 to RUR6,000.

If Roskomnadzor investigates and identifies any data breach, it is empowered to:

  • Initiate an administrative offence case.
  • Prepare the administrative offence report against the infringer.
  • Bring the administrative case to court.
  • Regulator details

Regulator details

Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor)

http://eng.rkn.gov.ru

Main areas of responsibility. Supervision of legitimate data processing, accepting notifications, performing registration and maintaining the register of data operators, carrying out inspections and enforcement, adopting official regulations and guidelines. The website is available in English and Russian.

Online resources

Roskomnadzor

http://rkn.gov.ru

Description. Russian version of the official website of Roskomnadzor. The website contains official, up-to-date information on data protection regulation, enforcement and legislation in Russia. The website also provides access to the special data protection portal, the online register of data operators and the annual reports of activities of Roskomnadzor.

http://eng.rkn.gov.ru

Description. English version of the official website of Roskomnadzor. The website contains the official translation of certain pages of the Russian version of the official website of Roskomnadzor and some legal aspects and news related to data protection in Russia.

http://eng.pd.rkn.gov.ru

Description. Official English data protection portal maintained by Roskomnadzor. The portal contains the annual reports of activities of Roskomnadzor, certain information on international activities of Roskomnadzor (and its representatives), and a list of national and international data protection legislation.

Share:
Back