Personal data protection in Russia: risks with collecting and processing personal data
Authors: Jon Hellevig and Artem Usov.
Jon Hellevig, Managing partner of Hellevig, Klein & Usov
LinkedIn: http://www.linkedin.com/in/jonhellevig
Facebook: http://www.facebook.com/jonhellevig
E-mail: jon.hellevig@hku.ru
Website: www.hkupartners.com
Artem Usov, Partner of Hellevig, Klein & Usov
LinkedIn: http://ru.linkedin.com/pub/artem-usov/28/34b/b82
E-mail: artem.usov@awaragroup.com
Website: www.hkupartners.com
Many activities require the processing of information about individuals and legal entities:
security (background checks), due diligence on people, database creation, promotion of goods
and services (marketing), and others. The federal law “On Personal Data,” passed last year
(hereinafter the “Personal Data Law”), introduced some amendments that concern these
procedures. With this law in mind, we can summarize what Russia’s personal data legislation
looks like, and what it means for those persons and organizations (hereinafter “operators”)
deciding to engage in personal data processing.
Operators entering the Russian market are confronted by a maze of regulations that deal with
processing of personal data, overseen by a variety of state organizations. Failure to comply with
these regulations can result in fines, suspensions, or demotions. In such a situation, the advice of
legal consultants with long experience of the Russian labor market is practically a necessity.
Individuals vs. legal entities
There are two distinctions that must be made when considering this issue. The first is that
individuals and legal entities are treated according to different sets of rules. The second is the
distinction between what can be obtained without someone’s consent, and information requiring
consent in order to be obtained.
The processing of data concerning individuals is governed by the more complicated set of rules.
First, there are instances where an individual’s consent is not required. In such cases, operators
merely have to prove that they have grounds to engage in such processing. However, certain
other cases require written consent.
Acquiring consent requires that the operator have a purpose for processing data. In addition to
consent, it is also mandatory to acquire a license for the protection of personal data. The
requirements, however, do not end with the issuance of these documents by the relevant state
bodies. Operators often have to prove that they possess the appropriate equipment, premises, and
personnel for processing data. Furthermore, when they have finished with the data, they must
destroy or depersonalize it.
Another important aspect is that operators must fulfill a number of obligations when engaged in
processing. These obligations include duties to provide certain information to the person whose
data is being processed, and to implement a range of mandatory organizational and technical
measures designed to protect the data.
For legal entities, the situation is correspondingly simpler. When selecting contractors or
performing due diligence, for instance, all kinds of open sources are available to operators: state
registers, official databases, the mass media, and so on. Some types of information on legal
entities remain restricted. These can include anything that constitutes a trade secret or state
secret, as well as certain forms of financial information.
Generally speaking, considerable amounts of information about legal entities can be obtained
from open sources. However, if access to certain types of information is restricted, attempts to
obtain it may result in criminal prosecution.
What are the chief dangers for an operator?
It must be borne in mind that improper processing of personal information can lead to
prosecution. Russia has several regulatory bodies that exercise oversight in this area, and
operators can be taken to court for failure to comply with the Personal Data Law.
Non-compliance can take the form of several offenses: breach of the data protection
rules; illegal activities in the field of data protection; and failure to submit, or late submission of,
notice of personal data processing. Punishment depends on the type of violation: an operator can
face fines ranging from 5,000 up to 50,000 rubles, or be subject to suspension or
demotion.
For these reasons, operators in the Russian market that are unfamiliar with Russian laws on data
processing are taking a risk when they engage in such processing. The web of regulations and
requirements is complicated, and can be easily violated without constant observance of the rules.
In this situation, the assistance of a legal adviser with long experience dealing with Russian laws
and regulations is strongly recommended.
FURTHER INQUIRIES:
We at Hellevig, Klein & Usov stand by to give further advice on questions of personal data
protection, background (security) checks on individuals in connection with employment and
entering into contracts, due diligence, and database creation.
We may offer our Data Protection and Background Check white paper, which deals in detail with
these issues, as well as individual advice on any of the issues.
If you want to discuss this article, please contact the authors:
Jon Hellevig, Managing partner of Hellevig, Klein & Usov
Facebook: http://www.facebook.com/jonhellevig
LinkedIn: http://www.linkedin.com/in/jonhellevig
E-mail: jon.hellevig@hku.ru
Artem Usov, Partner of Hellevig, Klein & Usov
LinkedIn: http://ru.linkedin.com/pub/artem-usov/28/34b/b82
E-mail: artem.usov@hku.ru
Copyright Hellevig, Klein & Usov LLC
MOSCOW, ST.PETERSBURG, TVER, YEKATERINBURG, KYIV, HELSINKI
www.hkupartners.com