personal data protection law in russia - accountor


Post on 15-Apr-2017


Page 1: Personal Data Protection Law in Russia - Accountor

NEW FEDERAL DATA PROTECTION LAW AND ITS PRACTICAL IMPLICATIONS FOR FOREIGN COMPANIES IN RUSSIA

BUSINESS BREAKFAST IN HELSINKI, OCTOBER 15TH, 2015

PAVEL ANTONOV, ACCOUNTOR

15.10.2015

Page 2: Personal Data Protection Law in Russia - Accountor

GROUNDS FOR LEGAL REGULATION OF PERSONAL DATA HANDLING RELATIONS

• Respect for personal rights and fundamental freedoms;

• Necessity for strengthening personal rights and guarantees of fundamental freedoms, namely the right to privacy, with a view to increasing the cross-border flow of automatically processed personal data;

• Adherence to the concept of freedom of information regardless of boundaries;

• Necessity for combining the fundamental values of personal privacy with free international information exchange.

Page 3: Personal Data Protection Law in Russia - Accountor

INTERNATIONAL LEGISLATION

• Convention for the protection of individuals with regard to automatic processing of personal data (Strasbourg, January 28th 1981) (as amended on June 15th 1999)

This Convention was ratified by the Federal Law №160-ФЗ of December 19th 2005. It came into force in the Russian Federation on September 1st 2013.

• Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data regarding supervisory authorities and transborder data flows

Signed by the RF on March 13th 2006. Has not been ratified. It is planned to consider the possibility of regulatory bodies being consolidated according to the Protocol in the very near future.

Page 4: Personal Data Protection Law in Russia - Accountor

INTERNATIONAL LEGISLATION

• Directive 95/46/EC of the European Parliament and of the Council of 24th October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (as revised in the Regulation 1882/2003 of the European Parliament and of the Council of 29th September 2003)

• Directive 2002/22/EC of the European Parliament and of the Council of 7th March 2002 on the Universal Services and Users Rights Concerning the Electronic Communication Networks and Services (Universal Services Directive)

• Directive 2002/58/EC of the European Parliament and of the Council of 12th July 2002 Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector (Protection of Privacy in the Electronic Communications Directive)

Page 5: Personal Data Protection Law in Russia - Accountor

RUSSIAN LEGISLATION

• Constitution of the Russian Federation (approved by the nation-wide voting on 12th December 1993)

• Federal Law №160-ФЗ of 19th December 2005 “On the Ratification of the EC Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data”

• Federal Law №149-ФЗ of 27th July 2006 “On Information, Information Technologies and Data Protection” (with the latest amendments of 21st July 2011)

• Federal Law №152-ФЗ of 27th July 2006 “On Personal Data” (with the latest amendments of 5th April 2013)


Page 6: Personal Data Protection Law in Russia - Accountor

RUSSIAN LEGISLATION

• Labour Code of the Russian Federation of 30th December 2001 №197-ФЗ (with the latest amendments of 21st June 2012)

• Federal Law №63-ФЗ of 6th April 2011 “On the Electronic Signature”

• Federal Law №67-ФЗ of 12th June 2002 “On the Electoral Rights and the Right to Participate in Referendums (Basic Guarantees for Citizens of the Russian Federation)”

• Federal Law №99-ФЗ of 7th May 2013 “On the Amendments to a Number of Legislative Acts with regard to the Adoption of the Federal Laws “On the Ratification of the EC Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data” and “On Personal Data””


Page 7: Personal Data Protection Law in Russia - Accountor

EDICTS OF THE PRESIDENT OF THE RUSSIAN FEDERATION

• Edict of the President of the Russian Federation №351 of 17th March 2008 “On Measures to Provide the Information Security of the Russian Federation when Using International Data and Telecommunications Networks”

• Edict of the President of the Russian Federation №609 of 30th May 2005 “On the Approval of the Russian Federation Civil Officers Personal Data and Personal File Maintenance Regulation”

• Edict of the President of the Russian Federation №188 of 6th March 1997 “On the Approval of the Confidential Data List”

Page 8: Personal Data Protection Law in Russia - Accountor

THE RF GOVERNMENT REGULATIONS

• The RF Government Regulation №1119 of 1st November 2012 “On the Approval of the Requirements for the Assurance of Personal Data Security at their Processing within the Information Systems of Personal Data”

• The RF Government Regulation №584 of 13th June 2012 “On the Approval of the Payment System Data Protection Regulation”

• The RF Government Regulation №211 of 21st March 2012 “On the Approval of the List of Measures to Ensure Compliance with the Federal Law “On Personal Data””

• The RF Government Regulation №125 of 4th March 2010 “On the List of Personal Data Held on Electronic Media Devices that Contain Information on RF Citizens’ Primary Identity Documents Giving the RF Citizens the Right to Leave and Enter The Russian Federation”

Page 9: Personal Data Protection Law in Russia - Accountor

THE RF GOVERNMENT REGULATIONS

• The RF Government Regulation №687 of 15th September 2008 “On the Approval of the Non-automated Personal Data Processing Peculiarities Regulation”

• The RF Government Regulation №512 of 6th July 2008 “On the Approval of Requirements for Biometric Personal Data, Tangible Media, and Storage Technologies Outside of the Personal Data Information Systems”

• The RF Government Regulation №756 of 12th December 2005 “On Submitting a Proposal to the President of the Russian Federation to Sign the Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data on supervisory bodies and cross-border data transfer”

• The RF Government Regulation №1233 of 3rd November 1994 “On the Approval of the Regulation of Procedures for the Handling of Sensitive Information which is of Restricted Distribution in the Federal Agencies of the Executive Authority”

Page 10: Personal Data Protection Law in Russia - Accountor

REGULATORY LEGAL ACTS OF THE FEDERAL AGENCIES OF THE RUSSIAN FEDERATION

• Ministry of Communications and Mass Media of the RF Order №312 of 14th November 2011 “On the Approval of the Administrative Procedure for the Federal Service for the Supervision of Communications, Information Technology, and Mass Media to Fulfill the Federal Duty for the Supervision of the Compliance of Personal Data Processing with the Applicable Legal Requirements of the Russian Federation”

• Ministry of Communications and Mass Media of the RF Order №346 of 21st December 2011 “On the Approval of the Administrative Procedure for the Federal Service for the Supervision of Communications, Information Technology, and Mass Media to Provide the Federal Service “Maintenance of a Personal Data Processors Register””

• The Federal Security Service of the RF and the Federal Service for Technology and Export Control of the RF Order №416/489 of 31 August 2010 “On the Approval of Security Requirements for the Data Contained in Public Information Systems”

• The Federal Security Service of the RF Order №378 of 10 July 2014 “On the Approval of the List and Content of Technical and Organizational Measures to Ensure Personal Data Security at its Processing within the Information Systems of Personal Data”

Page 11: Personal Data Protection Law in Russia - Accountor

THE FEDERAL SERVICE FOR THE SUPERVISION OF COMMUNICATIONS, INFORMATION TECHNOLOGIES AND MASS MEDIA’S (ROSCOMNADZOR) ORDERS

• Roscomnadzor Order №246 of 13th April 2011 “On the Approval of Regulation of Data Processing in the Federal Service for the Supervision of Communications, Information Technology, and Mass Media Headquarters”

• Roscomnadzor Order №621 of 20 June 2012 “On the Approval of Regulation of the Authorized Body for the Protection of the Subjects of the Personal Data Rights Advisory Board”

• Regulation for the Authorized Body for the Protection of the Subjects of the Personal Data Rights Advisory Board

• Roscomnadzor Order №996 of 5th September 2013 “On the Approval of the Measures and Requirements for Personal Data Depersonalization”

Page 12: Personal Data Protection Law in Russia - Accountor

RESPONSIBILITY

Administrative Offences Code

| Clause | Violation | Penalty |
|---|---|---|
| Clause 5.27, Part 1. Violations of labour laws and other regulatory legal acts containing norms of labour laws | Violations of labour laws and other regulatory legal acts containing norms of labour laws (personal data regulations) | FINE: for public officers – 1,000 – 5,000 RUB; for legal entities – 30,000 – 50,000 RUB |
| Clause 5.27, Part 4. Violations of labour laws and other regulatory legal acts containing norms of labour laws | The same violations committed by a person who has already been subjected to administrative punishment for a similar offence (personal data regulations) | FINE: for public officers – 10,000 – 20,000 RUB, or disqualification for 1-3 years; for legal entities – 50,000 – 70,000 RUB |

Page 13: Personal Data Protection Law in Russia - Accountor

RESPONSIBILITY

Administrative Offences Code

| Clause | Violation | Penalty |
|---|---|---|
| Clause 5.39. Denial of information | Wrongful refusal to provide a person with information about his/her personal data processing | FINE: for public officers – 1,000 – 3,000 RUB |
| Clause 13.11. Violation of personal data collection, storage, use or dissemination procedures | Violation of personal data collection, storage, use or dissemination procedures established by law | FINE: for public officers – 500 – 1,000 RUB; for legal entities – 5,000 – 10,000 RUB |

Page 14: Personal Data Protection Law in Russia - Accountor

RESPONSIBILITY

Administrative Offences Code

| Clause | Violation | Penalty |
|---|---|---|
| Clause 13.11.1. Dissemination of information about job vacancies that contains discriminatory restrictions (on personal data) | Dissemination of information about job vacancies that contains discriminatory restrictions (on personal data) | FINE: for public officers – 3,000 – 5,000 RUB; for legal entities – 10,000 – 15,000 RUB |
| Clause 13.12, 1. Violation of data protection rules | Violation of rules, set out in the license for data protection activities | FINE: for public officers – 1,500 – 2,500 RUB; for legal entities – 15,000 – 20,000 RUB |

Page 15: Personal Data Protection Law in Russia - Accountor

RESPONSIBILITY

Administrative Offences Code

| Clause | Violation | Penalty |
|---|---|---|
| Clause 13.12, 2. Violation of data protection rules | Using uncertified information systems, databanks and databases, as well as uncertified information security products, when they are subject to compulsory certification | FINE: for public officers – 2,500 – 3,000 RUB; for legal entities – 20,000 – 25,000 RUB, with or without information security products confiscation |
| Clause 13.14. Disclosure of information of restricted distribution | Disclosure of information (personal data) that has restricted distribution under federal law, committed by a person having access to such information in connection with his/her professional duty | FINE: for private individuals – 500 – 1,000 RUB; for public officers – 4,000 – 5,000 RUB |

Page 16: Personal Data Protection Law in Russia - Accountor

RESPONSIBILITY

Administrative Offences Code

| Clause | Violation | Penalty |
|---|---|---|
| Clause 19.15. Failing to comply on time with the regulatory body’s lawful order | Failing to comply with the lawful order of Roscomnadzor | FINE: for public officers – 1,000 – 2,000 RUB; for legal entities – 10,000 – 20,000 RUB |
| Clause 19.7. Failure to present data (information) | Failure to present data to Roscomnadzor or failure to do it on time | FINE: for public officers – 300 – 500 RUB; for legal entities – 3,000 – 5,000 RUB |

Page 17: Personal Data Protection Law in Russia - Accountor

RESPONSIBILITY

CRIMINAL CODE

| Clause | Violation | Penalty |
|---|---|---|
| Clause 137, 1. Violation of privacy | Illegal collection or dissemination of an individual’s private information that constitutes his/her personal or family secrets without his/her consent, or disclosure of such information in a public statement, a publicly displayed work, or in the mass media | FINE: up to 200,000 RUB, or compulsory community service of 120 to 180 hours, or correctional labour of up to 1 year, or compulsory labour for up to 2 years, or arrest for up to 4 months |
| Clause 137, 2. Violation of privacy | The same violation committed by a person using his/her official position | FINE: up to 300,000 RUB, or compulsory labour for up to 4 years, or arrest for up to 6 months, or imprisonment for up to 4 years |

Page 18: Personal Data Protection Law in Russia - Accountor

RESPONSIBILITY

CRIMINAL CODE

| Clause | Violation | Penalty |
|---|---|---|
| Clause 140. Denial of information to an individual | Wrongful refusal by a public officer to provide personal data collected in accordance with established procedure | FINE: up to 200,000 RUB, or salary for 18 months, or deprivation of the right to practice certain activities for up to 5 years |
| Clause 272. Wrongful access to computerized information | Wrongful access to computerized information protected by law (personal data) | FINE: up to 200,000 RUB, or imprisonment for up to 2 years (part 1) + aggravations with more strict penalties |

Page 19: Personal Data Protection Law in Russia - Accountor

RESPONSIBILITY

LABOUR CODE

| Clause | Violation | Penalty |
|---|---|---|
| Clause 81. Termination of labour contract by the employer | Disclosure of another employee’s personal data | Termination of labour contract by the employer |
| Clause 238. Employee’s liability for damages caused for the employer | The employee is liable for reimbursing the actual direct damage caused to the employer | The employee is liable for reimbursing the actual direct damage caused to the employer |

Page 20: Personal Data Protection Law in Russia - Accountor

PERSONAL DATA: DEFINITIONS AND CATEGORIES

Personal data – any information relating to a directly or indirectly identified, or identifiable, natural person (a personal data subject)

Personal data: full name, place of birth, year of birth, month of birth, family status, property status, professional status, address, social status, educational level, revenues

Page 21: Personal Data Protection Law in Russia - Accountor

PERSONAL DATA: DEFINITIONS AND CATEGORIES

Special categories of personal data: race, political views, philosophical convictions, intimate life, nationality, religious beliefs, state of health

Biometric personal data: data that reflects biological and physiological make-up of an individual and that allows them to prove their identity

Page 22: Personal Data Protection Law in Russia - Accountor

INFORMATION SYSTEMS

1. IS that processes PD of the processor’s employees,

2. IS that processes PD of individuals who are NOT the processor’s employees

2.1. IS that processes special categories of PD

2.2. IS that processes biometric PD

2.3. IS that processes publicly available PD

4 LEVELS OF PD PROTECTION DEPENDING ON PD CATEGORY, HAZARD TYPE AND NUMBER OF PD OWNERS

(Categorization in process of the recommended DD)

Page 23: Personal Data Protection Law in Russia - Accountor

DON’T NEED TO NOTIFY ROSCOMNADZOR

PD of company employees in accordance with the Labour Code

PD received by the processor as a result of executing a contract with the personal data subject (PD is not to be disseminated or passed to third parties)

PD that consists only of the full name of an individual

PD needed only for a one-time entry permission

Non-automatically processed PD

Page 24: Personal Data Protection Law in Russia - Accountor

AMENDMENTS OF 1ST SEPTEMBER 2015, FEDERAL LAW №242-FZ

Amendments to Federal Law №149-FZ of 27th July 2006 «On Information, Information Technologies and Data Protection»

Clause 15.5. Procedures for restricting access to information being processed in violation of the Russian Federation’s data protection laws

Page 25: Personal Data Protection Law in Russia - Accountor

AMENDMENTS OF 1ST SEPTEMBER 2015, FEDERAL LAW №242-FZ

In order to restrict access to online information that is being processed in violation of the personal data protection laws, Roscomnadzor establishes the automated information system “Register of violators of personal data subjects’ rights”

IMPORTANT: An entity can be put on the Register only by a court decision

Page 26: Personal Data Protection Law in Russia - Accountor

AMENDMENTS OF 1ST SEPTEMBER 2015, FEDERAL LAW №242-FZ

The Register of violators includes:

1) domain names and/or URLs of website pages that contain PD violating the law;

2) IP-addresses that allow identification of websites that contain PD being processed in violation of the law;

3) reference to the court decision that has become enforceable;

4) notification of eliminating the violation;

5) date of notifying the communications service provider about the data resource in order to restrict access to this resource.

Page 27: Personal Data Protection Law in Russia - Accountor

AMENDMENTS OF 1ST SEPTEMBER 2015, FEDERAL LAW №242-FZ

APPLYING THE PENALTY – RESTRICTING ACCESS TO DATA RESOURCES

Within 3 business days of receiving the court decision, Roscomnadzor will notify the service provider in both Russian and English about the violation

Within 1 business day the provider notifies the resource owner

Within 1 business day the owner must take appropriate measures

If such measures aren’t taken

ACCESS TO THE RESOURCE CAN BE RESTRICTED

AFTER ELIMINATING THE VIOLATION the resource owner notifies ROSCOMNADZOR about it and ROSCOMNADZOR (or its representative) has 3 days to exclude the violator from the Register

Page 28: Personal Data Protection Law in Russia - Accountor

AMENDMENTS OF 1ST SEPTEMBER 2015, FEDERAL LAW №242-FZ

Amendments to the Federal Law №149-FZ of 27th July 2006 «On Information, Information Technologies and Data Protection»

Clause 16. Holders of data and information system processors are liable for ensuring that databases used for collecting, recording, systematizing, accumulating, storing, rectifying (updating, changing), and extracting the personal data of citizens of the Russian Federation are placed within the territory of the Russian Federation

Page 29: Personal Data Protection Law in Russia - Accountor

AMENDMENTS OF 1ST SEPTEMBER 2015, FEDERAL LAW №242-FZ

Amendments to the Federal Law №152-FZ of 27th July 2006 “On Personal Data”

Clause 18. While collecting personal data, including collecting it through the Internet telecommunications system, the processor is liable for ensuring that all recording, systematizing, accumulating, storing, rectifying (updating, changing), and extracting of personal data of citizens of the Russian Federation is carried out with the use of databases that are placed within the territory of the Russian Federation

Page 30: Personal Data Protection Law in Russia - Accountor

AMENDMENTS OF 1ST SEPTEMBER 2015, FEDERAL LAW №242-FZ

Amendments to the Federal Law №152-FZ of 27th July 2006 “On Personal Data”

Clause 22. Notifications sent to Roscomnadzor must contain the following new information: location of the database containing the personal data of citizens of the RF

Page 31: Personal Data Protection Law in Russia - Accountor

AMENDMENTS OF 1ST SEPTEMBER 2015, FEDERAL LAW №242-FZ

Amendments to the Federal Law №152-FZ of 27th July 2006 “On Personal Data”

Clause 23. Roscomnadzor receives the new power: the right to restrict access to data that is being processed in violation of the RF data protection laws, through following relevant legally established procedures

Page 32: Personal Data Protection Law in Russia - Accountor

RISKS OF TAKING NO NOTICE OF THE CHANGES

1. ROSCOMNADZOR SCHEDULED INSPECTIONS

2. UNSCHEDULED INSPECTIONS (customers, suppliers, competitors)

3. INSPECTIONS FOLLOWING EMPLOYEES COMPLAINTS – THE HIGHEST RISK LEVEL (NUMBER OF COMPLAINTS RECEIVED BY ROSCOMNADZOR IN 2013 – 6153)

| Year | Total number of inspections | Total number of PD inspections | Number of inspections in St. Petersburg | Number of inspections in Moscow |
|---|---|---|---|---|
| 2015 | 2650 | 1223 | 30 | 116 |
| 2014 | 2873 | 1308 | 30 | 130 |

Page 33: Personal Data Protection Law in Russia - Accountor

FAQ: OPERATION OF THE LAW WITH REGARD TO TERRITORY AND PERSONS

COMMENTS FROM MINISTRY OF TELECOM AND MASS COMMUNICATIONS

Obligations to localize single processes of personal data handling apply to foreign operators provided they carry out activity targeted at the territory of the Russian Federation and in the absence of exceptions expressly stipulated in Part 5 of Article 18 of the Federal Law “On Personal Data” (e.g., international agreement for which purposes the processing is carried out).

Page 34: Personal Data Protection Law in Russia - Accountor

FAQ: OPERATION OF NEW LAW IN TIME

COMMENTS FROM MINISTRY OF TELECOM AND MASS COMMUNICATIONS

Recording, classification, accumulation, storage, clarification (update, change), extraction of personal data of the Russian Federation citizens within the collection process, that will be performed beginning from 1 September 2015, shall be carried out considering the new requirements of the Federal Law №152-FZ, namely, by using databases located in the Russian Federation.

Page 35: Personal Data Protection Law in Russia - Accountor

FAQ: DEFINITION OF PERSONAL DATA COLLECTION

COMMENTS FROM MINISTRY OF TELECOM AND MASS COMMUNICATIONS

Targeted process of obtaining personal data by the operator directly from a personal data subject or via third parties involved specially for this process.

Only those personal data are subject to localization, which were obtained by the operator as a result of its goal-oriented activity as to organization of personal data collection, and not due to accidental (unrequested) arrival of personal data, e.g., due to incoming emails or other mails, which include personal data.

Page 36: Personal Data Protection Law in Russia - Accountor

FAQ: TRANSBORDER PD TRANSMISSION

COMMENTS FROM MINISTRY OF TELECOM AND MASS COMMUNICATIONS

PD of a RF citizen originally entered into a database in the RF and updated there (“primary database”) can be further transmitted to the databases located outside the RF (“secondary databases”), administrated by other entities, subject to the provisions on transborder data transmission.

Provision of a remote access to the databases located in the RF from the territory of another state is not prohibited by the Federal Law №242.

Page 37: Personal Data Protection Law in Russia - Accountor

FAQ: AIRLINES AND TICKET RESERVATION COMPANIES

COMMENTS FROM MINISTRY OF TELECOM AND MASS COMMUNICATIONS

The provisions of Part 5, Article 18 of the Federal Law “On Personal Data” do not cover Russian and foreign air carriers’ operations connected with the gathering and processing of personal data of citizens of the Russian Federation, which is used for making reservations, or issuing and granting tickets, baggage tickets and other documents, because they fall within the exception contained in Clause 2, Part 1, Article 6 of the Federal Law “On Personal Data”.

Page 38: Personal Data Protection Law in Russia - Accountor

FAQ: HOW TO RECOGNIZE THE RF CITIZENSHIP?

COMMENTS FROM MINISTRY OF TELECOM AND MASS COMMUNICATIONS

This issue is not regulated by law.

The Operator on its own shall resolve the issue based on the specifics of its activity.

It is possible to apply the provisions of Part 5 of Article 18 of the Federal Law “On Personal Data” to all personal data which were collected in the RF.

Page 39: Personal Data Protection Law in Russia - Accountor

FAQ: IMPACT ON HR DOCUMENTATION

COMMENTS FROM MINISTRY OF TELECOM AND MASS COMMUNICATIONS

Transborder transmission of this type of personal data is possible.

If personal data processing falls under the exceptions provided by Clauses 2, 3, 4, 8 of Part 1 of Article 6 of the Federal Law “On Personal Data”, the provisions of Part 5 of Article 18 of 152-FZ are not applied.

Qualification is done by the operator. Correctness is verified by the authorized federal body during control activities.

Page 40: Personal Data Protection Law in Russia - Accountor

WHAT ACTIONS ARE TO BE TAKEN?

TAKING INTO ACCOUNT AMENDMENTS MADE TO FEDERAL LAWS 152-FZ AND 149-FZ IT MAY BE CONCLUDED THAT THE RISKS ARE QUITE HIGH.

WE RECOMMEND YOU DEVELOP AND IMPLEMENT A PROPER ACTION PLAN AIMED TO ENSURE FULL COMPLIANCE WITH THE PERSONAL DATA PROTECTION LAWS.

Page 41: Personal Data Protection Law in Russia - Accountor

WHAT ACTIONS ARE TO BE TAKEN?

LEGAL ACTIONS:

1. Send notification to Roscomnadzor, making sure to provide it with information on the location of databases containing PD

2. Check the current state of documentation on compliance with Federal Laws 152-FZ and 242-FZ and correct defects, including:

• assigning an authorized person,

• preparing consent forms (for different parties – partners, employees, applicants, etc.),

• preparing amendments to various types of existing contracts,

• internal audit of company activities

Page 42: Personal Data Protection Law in Russia - Accountor

WHAT ACTIONS ARE TO BE TAKEN?

TECHNICAL ACTIONS:

TO LOCALIZE PROCESSING OF PERSONAL DATA OF CITIZENS OF THE RUSSIAN FEDERATION

TO TRANSFER IT SYSTEMS, OR

TO USE READY TECHNICAL SOLUTIONS

Page 43: Personal Data Protection Law in Russia - Accountor


PASSION FOR RESULTS