Review of the Russian law on Personal Data

Given the global digitalization and personal data protection, we would like to bring to your attention the main aspects of the Russian Law on Personal Data which any foreign business operating in Russia should take into consideration.

What do foreign entrepreneurs need to know?

“Localization” of data bases

• What does “localization” mean?

Localization requirement means that the company collecting personal data must record, systematize, accumulate, store, clarify and extract them using local databases in the territory of the Russian Federation.

NB! The requirement applies directly to those companies which collect data, but not those which receive it from the third parties.

• Responsibility

At the moment, administrative fines for violation of the localization requirement range from 2 to 6 million rubles and from 6 to 18 million rubles for a repeated violation.

Who has already suffered?

– In 2016, Roskomnadzor blocked the LinkedIn social network;

– In 2019, the court imposed a fine of 4 million rubles on Facebook and Twitter.

Requirements for written consent to personal data processing

The law specifies a list of cases when the consent of the subject of personal data to their processing must be in writing.

• Processing of special categories of personal data
• Transfer of data about employees of the Russian representative office / branch to the head office abroad
• Transfer of personal data to countries where there is no adequate legislation to ensure their protection

In this case, written consent can be obtained either in paper or in electronic form.

Personal data processing notice

The law establishes the obligation of companies to notify the authorized body for the protection of the rights of subjects of personal data (Roskomnadzor) about the start of processing of personal data

Who should notify?

• Representative offices of foreign companies in Russia
• Branches of foreign companies
• Companies registered in Russia

Personal data processing order

If a representative office or a branch of a foreign company engages other companies (for example, a consulting firm) in the processing of personal data, then the order for such processing shall be made in writing.

The Law on Personal Data contains a closed list of requirements for the form of such an order.

At the same time, when instructing the processing of personal data to third parties, it is still the operator who is responsible to the subject of personal data.

Special requirements for foreign companies in the field of personal data

• Use of a domain name associated with the Russian Federation or a subject of the Russian Federation (.ru, .рф, .moscow, etc.)
• Availability of the Russian-language version of the website

At the same time, a website with a Russian-language version must also meet a number of requirements. For example, the possibility of payments in rubles, the presence of advertising in Russian.

• Placement of the personal data processing policy on the information resource

Outcome

It should be borne in mind that the requirements for personal data may apply to foreign companies, even if they do not have a physical presence in the Russian Federation. At the same time, government agencies will assess the “involvement” of such a company in the processing of personal data on the Russian territory according to the criteria of the focus of its activities on the Russian market and Russian citizens.