Data Protection Authority Registration and Data Protection Officer Requirements for Data Controllers: Russian Federation
8 September 2023
A Q&A discussing obligations for private-sector data controllers in the Russian Federation to notify, register with, or obtain authorization from the data protection authority under the Russian Federation's comprehensive data protection law before processing personal data. It also discusses any requirements for data controllers to appoint a data protection officer (DPO) and any applicable notification or registration obligations relating to DPO appointments. This Q&A does not cover notification, registration, or authorization requirements for data processors or arising under sectoral laws.
For an overview of the data protection law in the Russian Federation, see Country Q&A, Data Protection in the Russian Federation: Overview.
Data Protection Authority
1. What is the name and contact information of the country's data protection authority or supervisory authority responsible for data protection?
The Federal Service for Supervision of Communications, Information Technology, and Mass Media (Roskomnadzor).
DPA Contact Information
Notification or Registration
2. Does the country's comprehensive data protection law require private-sector data controllers to notify or register with the data protection authority before processing personal data?
Yes. Under the Federal Law No. 152-FZ on Personal Data (July 27, 2006) (Personal Data Law), a data operator, which is similar to a data controller, must notify the Federal Service for Supervision of Communications, Information Technology, and Mass Media (Roskomnadzor) before it starts to process personal data (Article 22(1), Personal Data Law), subject to limited exceptions.
The data operator can submit the notification on paper or electronically using the Roskomnadzor website, and it must contain the following information (Article 22(3) and (4), Personal Data Law):
- The company name of the data operator.
- The purposes of personal data processing. For each purpose, the data operator must specify data categories, types of data subjects, lawful basis, and data processing actions and methods.
- A description of privacy compliance and security measures performed by the data operator.
- Information on the protection of IT systems according to the requirements established by the Russian Government.
- The contact information of the DPO.
- The start date of the personal data processing.
- The duration of processing or the conditions for terminating the personal data processing.
- Information on the:
  - existence of cross-border data transfers;
  - location of any database containing the personal data of Russian Federation citizens.
Roskomnadzor registers the data operator within 30 days of receiving the notification, assuming the regulator does not have additional questions or inquiries.
Roskomnadzor maintains a register of data operators based on the information contained in the notifications it receives. Except for the security measures performed by data operators, the information in the notification becomes publicly available once included in the register (Article 22(4), Personal Data Law).
A data operator may be exempt from the statutory notification requirements and able to process personal data without notification in several rare cases. For example, where the personal data is (Article 22(2), Personal Data Law):
- Included in IT systems that have acquired state computer IT system status under the applicable laws or in state IT systems created for the purposes of state security and public order.
- Processed without the use of automated systems.
- Processed under the laws and regulations relating to transport security.
The data operator does not pay any official fee for notification and registration.
3. Does the country's comprehensive data protection law require private-sector data controllers to seek authorization from the data protection authority before processing personal data?
Under the Personal Data Law, data operators do not need to obtain authorization from the data protection authority before processing personal data.
Data Protection Officers
4. Does the country's comprehensive data protection law require private-sector data controllers to appoint a data protection officer?
Under the Personal Data Law, data operators must take measures that are necessary and sufficient to ensure proper personal data processing, including appointing a data protection officer (DPO) (Article 18.1(1), Personal Data Law).
Among other things, the DPO must (Article 22.1, Personal Data Law):
- Exercise internal controls over the operator's and its employees' compliance with the Personal Data Law and data security requirements.
- Inform employees of the requirements of the Personal Data Law, the data operator's internal policies, and data security requirements.
- Organize the receipt and processing of data subjects’ requests and control the responses to those requests.
5. If the comprehensive data protection law requires private-sector data controllers to appoint a data protection officer (DPO), do data controllers have any obligations to notify or communicate the DPO's contact details to the data protection authority or register with the data protection authority?
Under the Personal Data Law, data operators must notify the data protection officer's contact details to Roskomnadzor (including the name, postal address, phone number, and email address).