Data Protection Authority Registration and Data Protection Officer Requirements for Data Controllers: Russian Federation
21 June 2021
A Q&A discussing obligations for private-sector data controllers in the Russian Federation to notify, register with, or obtain authorization from the data protection authority under the Russian Federation's comprehensive data protection law before processing personal data. It also discusses any requirements for data controllers to appoint a data protection officer (DPO) and any applicable notification or registration obligations relating to DPO appointments. This Q&A does not cover notification, registration, or authorization requirements for data processors or arising under sectoral laws.
For an overview of the data protection law in the Russian Federation, see Country Q&A, Data Protection in the Russian Federation: Overview.
Data Protection Authority
1. What is the name and contact information of the country's data protection authority or supervisory authority responsible for data protection?
The Federal Service for Supervision of Communications, Information Technology, and Mass Media (Roskomnadzor).
DPA Contact Information
Notification or Registration
2. Does the country's comprehensive data protection law require private-sector data controllers to notify or register with the data protection authority before processing personal data?
Yes. Under the Federal Law No. 152-FZ on Personal Data (July 27, 2006) (Personal Data Law), a data operator, which is similar to a data controller, must notify the Federal Service for Supervision of Communications, Information Technology, and Mass Media (Roskomnadzor) before it starts to process personal data (Article 22(1), Personal Data Law), subject to limited exceptions.
The data operator can submit the notification on paper or electronically using the Roskomnadzor website and it must contain the following information (Article 22(3)(1) to (11), Personal Data Law, as amended by Federal Law No. 242-FZ on Amending Certain Legislative Acts Concerning Updating the Procedure for Personal Data Processing in Information-Telecommunication Networks (July 21, 2014)):
- The purposes of personal data processing.
- The categories of personal data.
- The categories of data subjects whose data is being processed.
- The legal grounds for the processing.
- A list of proposed actions involving the personal data and a general description of the processing methods the data operator is using.
- A description of relevant IT systems and security measures (including encryption).
- The start date of the personal data processing.
- The duration of processing or the conditions for terminating the personal data processing.
- Information on the existence of cross-border data transfers.
- Information on the location of any database containing the personal data of Russian Federation citizens.
Roskomnadzor registers the data operator within 30 days of receiving the notification, assuming the regulator does not have additional questions or inquiries.
Roskomnadzor maintains a register of data operators based on the information contained in the notifications it receives. Except for the description of the data operator's IT systems and corresponding security measures, the information in the notification becomes publicly available once it is included in the register (Article 22(4), Personal Data Law).
A data operator may be exempt from the statutory notification requirements and able to process personal data without notification in certain circumstances. For example, where the personal data (Article 22(2)(1) to (9), Personal Data Law, as amended by Federal Law No. 519-FZ on Amendments to Personal Data Law (December 30, 2020) (in Russian)):
- Is processed only under labor law.
- Has been received by the data operator in connection with a contract with a data subject, provided that the personal data is:
  - not transferred to third parties without the data subject's consent; or
  - used only to perform the contract or to enter into further contracts with the data subject.
- Relates to a certain type of processing by a public association or religious organization acting under the applicable laws, provided that the personal data is not distributed or disclosed to third parties without the data subject's consent.
- Is data that the data subject permitted to be distributed and the data operator complies with the rules governing processing and transferring that type of data.
- Consists only of the data subject's surname, first name, and patronymic.
- Is necessary for granting the data subject one-time access into the premises where the data operator is located.
- Is included in IT systems that have acquired state computer IT system status under the applicable laws or in state IT systems created for the purposes of state security and public order.
- Is processed without the use of automated systems under the applicable laws subject to compliance with the data subject's rights.
- Is processed under the laws and regulations relating to transport security.
The data operator does not pay any official fee for notification and registration.
3. Does the country's comprehensive data protection law require private-sector data controllers to seek authorization from the data protection authority before processing personal data?
No. Under the Federal Law No. 152-FZ on Personal Data (July 27, 2006), data operators do not need to obtain authorization from the data protection authority before processing personal data.
Data Protection Officers
4. Does the country's comprehensive data protection law require private-sector data controllers to appoint a data protection officer?
Yes. Under the Federal Law No. 152-FZ on Personal Data (July 27, 2006) (Personal Data Law), data operators must take measures that are necessary and sufficient to ensure proper personal data processing, including appointing a data protection officer (DPO) (Article 18.1(1), Personal Data Law).
The DPO must (Article 22.1, Personal Data Law):
- Exercise internal controls over the operator's and its employees' compliance with personal data protection requirements under Russian Federation law, including the Personal Data Law.
- Inform the operator's employees of their obligations concerning personal data processing under Russian Federation law, including the Personal Data Law.
- Organize the receipt and processing of data subject requests and control the responses to those requests.
5. If the comprehensive data protection law requires private-sector data controllers to appoint a data protection officer (DPO), do data controllers have any obligations to notify or communicate the DPO's contact details to the data protection authority or register with the data protection authority?
Under the Federal Law No. 152-FZ on Personal Data (July 27, 2006), data operators must notify or communicate the data protection officer's information to the data protection authority, including their name, address, phone number, and email.