Accountor: “Amendments to the Data Protection Law and their Potential Impact on Business”
1. AMENDMENTS TO THE FEDERAL LAW
“ON PERSONAL DATA”:
IMPLICATIONS FOR BUSINESSES
PAVEL ANTONOV, ACCOUNTOR
8.7.2015
2. GROUNDS FOR LEGAL REGULATION OF PERSONAL DATA HANDLING RELATIONS
• Respect for personal rights and fundamental freedoms;
• Necessity for strengthening personal rights and guarantees of fundamental freedoms, namely the right to privacy, with a view to increasing the transboundary flow of automatically processed personal data;
• Adherence to the concept of freedom of information regardless of boundaries;
• Necessity for combining the fundamental values of personal privacy with free international information exchange.
3. INTERNATIONAL LEGISLATION
• The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Strasbourg, January 28th 1981) (as amended on June 15th 1999)
This Convention was ratified by the Federal Law №160-ФЗ of December 19th 2005. It came into force in the Russian Federation on September 1st 2013.
• The Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data on supervisory bodies and transboundary data transfer
Signed by the RF on March 13th 2006. Has not been ratified. It is planned to consider in the very near future consolidating the supervisory bodies in accordance with the Protocol.
4. INTERNATIONAL LEGISLATION
• Directive 95/46/EC of the European Parliament and of the Council of 24th October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (as revised in the Regulation 1882/2003 of the European Parliament and of the Council of 29th September 2003)
• Directive 2002/22/EC of the European Parliament and of the Council of 7th March 2002 on the Universal Services and Users Rights Concerning the Electronic Communication Networks and Services (Universal Services Directive)
• Directive 2002/58/EC of the European Parliament and of the Council of 12th July 2002 Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector (Protection of Privacy in the Electronic Communications Directive)
5. RUSSIAN LEGISLATION
• Constitution of the Russian Federation (approved by the nation-wide voting on 12th December 1993)
• Federal Law №160-ФЗ of 19th December 2005 “On the Ratification of the EC Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data”
• Federal Law №149-ФЗ of 27th July 2006 “On Information, Information Technologies and Data Protection” (with the latest amendments of 21st July 2011)
• Federal Law №152-ФЗ of 27th July 2006 “On Personal Data” (with the latest amendments of 5th April 2013)
6. RUSSIAN LEGISLATION
• Labour Code of the Russian Federation of 30th December 2001 №197-ФЗ (with the latest amendments of 21st June 2012)
• Federal Law №63-ФЗ of 6th April 2011 “On the Electronic Signature”
• Federal Law №67-ФЗ of 12th June 2002 “On the Electoral Rights and the Right to Participate in Referendums (Basic Guarantees for Citizens of the Russian Federation)”
• Federal Law №99-ФЗ of 7th May 2013 “On the Amendments to a Number of Legislative Acts with regard to the Adoption of the Federal Laws “On the Ratification of the EC Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data” and “On Personal Data””
7. EDICTS OF THE PRESIDENT OF THE RUSSIAN FEDERATION
• Edict of the President of the Russian Federation №351 of 17th March 2008 “On Measures to Provide the Information Security of the Russian Federation when Using International Data and Telecommunications Networks”
• Edict of the President of the Russian Federation №609 of 30th May 2005 “On the Approval of the Russian Federation Civil Officers Personal Data and Personal File Maintenance Regulation”
• Edict of the President of the Russian Federation №188 of 6th March 1997 “On the Approval of the Confidential Data List”
8. THE RF GOVERNMENT REGULATIONS
• The RF Government Regulation №1119 of 1st November 2012 “On the Approval of the Requirements for the Assurance of Personal Data Security at their Processing within the Information Systems of Personal Data”
• The RF Government Regulation №584 of 13th June 2012 “On the Approval of the Payment System Data Protection Regulation”
• The RF Government Regulation №211 of 21st March 2012 “On the Approval of the List of Measures to Ensure Compliance with the Federal Law “On Personal Data””
• The RF Government Regulation №125 of 4th March 2010 “On the List of Personal Data Held on Electronic Media Devices that Contain Information on RF Citizens’ Primary Identity Documents Giving the RF Citizens the Right to Leave and Enter The Russian Federation”
9. THE RF GOVERNMENT REGULATIONS
• The RF Government Regulation №687 of 15th September 2008 “On the Approval of the Non-automated Personal Data Processing Peculiarities Regulation”
• The RF Government Regulation №512 of 6th July 2008 “On the Approval of Requirements for Biometric Personal Data, Tangible Media, and Storage Technologies Outside of the Personal Data Information Systems”
• The RF Government Regulation №756 of 12th December 2005 “On Submitting a Proposal to the President of the Russian Federation to Sign the Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data on supervisory bodies and transboundary data transfer”
• The RF Government Regulation №1233 of 3rd November 1994 “On the Approval of the Regulation of Procedures for the Handling of Sensitive Information which is of Restricted Distribution in the Federal Agencies of the Executive Authority”
10. REGULATORY LEGAL ACTS OF THE FEDERAL AGENCIES OF THE RUSSIAN FEDERATION
• Ministry of Communications and Mass Media of the RF Order №312 of 14th November 2011 “On the Approval of the Administrative Procedure for the Federal Service for the Supervision of Communications, Information Technology, and Mass Media to Fulfill the Federal Duty for the Supervision of the Compliance of Personal Data Processing with the Applicable Legal Requirements of the Russian Federation”
• Ministry of Communications and Mass Media of the RF Order №346 of 21st December 2011 “On the Approval of the Administrative Procedure for the Federal Service for the Supervision of Communications, Information Technology, and Mass Media to Provide the Federal Service “Maintenance of a Personal Data Processors Register””
• The Federal Security Service of the RF and the Federal Service for Technology and Export Control of the RF Order №416/489 of 31 August 2010 “On the Approval of Security Requirements for the Data Contained in Public Information Systems”
• The Federal Security Service of the RF Order №378 of 10 July 2014 “On the Approval of the List and Content of Technical and Organizational Measures to Ensure Personal Data Security at its Processing within the Information Systems of Personal Data”
11. THE FEDERAL SERVICE FOR THE SUPERVISION OF COMMUNICATIONS, INFORMATION TECHNOLOGIES AND MASS MEDIA’S (ROSCOMNADZOR) ORDERS
• Roscomnadzor Order №246 of 13th April 2011 “On the Approval of Regulation of Data Processing in the Federal Service for the Supervision of Communications, Information Technology, and Mass Media Headquarters”
• Roscomnadzor Order №621 of 20 June 2012 “On the Approval of Regulation of the Authorized Body for the Protection of the Subjects of the Personal Data Rights Advisory Board”
• Regulation for the Authorized Body for the Protection of the Subjects of the Personal Data Rights Advisory Board
• Roscomnadzor Order №996 of 5th September 2013 “On the Approval of the Measures and Requirements for Personal Data Depersonalization”
12. RESPONSIBILITY: ADMINISTRATIVE OFFENCES CODE

| Clause | Violation | Penalty |
|---|---|---|
| Clause 5.27, Part 1. Violations of labour laws and other regulatory legal acts containing norms of labour laws | Violations of labour laws and other regulatory legal acts containing norms of labour laws (personal data regulations) | FINE: for public officers 1,000 – 5,000 RUB; for legal entities 30,000 – 50,000 RUB |
| Clause 5.27, Part 4. Violations of labour laws and other regulatory legal acts containing norms of labour laws | The same violations committed by a person who has already been subjected to administrative punishment for a similar offence (personal data regulations) | FINE: for public officers 10,000 – 20,000 RUB, or disqualification for 1-3 years; for legal entities 50,000 – 70,000 RUB |
13. RESPONSIBILITY: ADMINISTRATIVE OFFENCES CODE

| Clause | Violation | Penalty |
|---|---|---|
| Clause 5.39. Denial of information | Wrongful refusal to provide a person with information about his/her personal data processing | FINE: for public officers 1,000 – 3,000 RUB |
| Clause 13.11. Violation of personal data collection, storage, use or dissemination procedures | Violation of personal data collection, storage, use or dissemination procedures established by law | FINE: for public officers 500 – 1,000 RUB; for legal entities 5,000 – 10,000 RUB |
14. RESPONSIBILITY: ADMINISTRATIVE OFFENCES CODE

| Clause | Violation | Penalty |
|---|---|---|
| Clause 13.11.1. Dissemination of information about job vacancies that contains discriminatory restrictions (on personal data) | Dissemination of information about job vacancies that contains discriminatory restrictions (on personal data) | FINE: for public officers 3,000 – 5,000 RUB; for legal entities 10,000 – 15,000 RUB |
| Clause 13.12, 1. Violation of data protection rules | Violation of rules set out in the license for data protection activities | FINE: for public officers 1,500 – 2,500 RUB; for legal entities 15,000 – 20,000 RUB |
15. RESPONSIBILITY: ADMINISTRATIVE OFFENCES CODE

| Clause | Violation | Penalty |
|---|---|---|
| Clause 13.12, 2. Violation of data protection rules | Using uncertified information systems, databanks and databases, as well as uncertified information security products, when they are subject to compulsory certification | FINE: for public officers 2,500 – 3,000 RUB; for legal entities 20,000 – 25,000 RUB, with or without confiscation of the information security products |
| Clause 13.14. Disclosure of information of restricted distribution | Disclosure of information (personal data) that has restricted distribution under federal law, committed by a person having access to such information in connection with his/her professional duty | FINE: for private individuals 500 – 1,000 RUB; for public officers 4,000 – 5,000 RUB |
16. RESPONSIBILITY: ADMINISTRATIVE OFFENCES CODE

| Clause | Violation | Penalty |
|---|---|---|
| Clause 19.15. Failing to comply on time with the regulatory body’s lawful order | Failing to comply with the lawful order of Roscomnadzor | FINE: for public officers 1,000 – 2,000 RUB; for legal entities 10,000 – 20,000 RUB |
| Clause 19.7. Failure to present data (information) | Failure to present data to Roscomnadzor or failure to do it on time | FINE: for public officers 300 – 500 RUB; for legal entities 3,000 – 5,000 RUB |
17. RESPONSIBILITY: CRIMINAL CODE

| Clause | Violation | Penalty |
|---|---|---|
| Clause 137, 1. Violation of privacy | Illegal collection or dissemination of an individual’s private information that constitutes his/her personal or family secrets without his/her consent, or disclosure of such information in a public statement, a publicly displayed work, or in the mass media | FINE: up to 200,000 RUB, or compulsory community service of 120 to 180 hours, or correctional labour of up to 1 year, or compulsory labour for up to 2 years, or arrest for up to 4 months |
| Clause 137, 2. Violation of privacy | The same violation committed by a person using his/her official position | FINE: up to 300,000 RUB, or compulsory labour for up to 4 years, or arrest for up to 6 months, or imprisonment for up to 4 years |
18. RESPONSIBILITY: CRIMINAL CODE

| Clause | Violation | Penalty |
|---|---|---|
| Clause 140. Denial of information to an individual | Wrongful refusal by a public officer to provide personal data collected in accordance with established procedure | FINE: up to 200,000 RUB, or salary for 18 months, or deprivation of the right to practice certain activities for up to 5 years |
| Clause 272. Wrongful access to computerized information | Wrongful access to computerized information protected by law (personal data) | FINE: up to 200,000 RUB, or imprisonment for up to 2 years (part 1) + aggravations with more strict penalties |
19. RESPONSIBILITY: LABOUR CODE

| Clause | Violation | Penalty |
|---|---|---|
| Clause 81. Termination of labour contract by the employer | Disclosure of another employee’s personal data | Termination of labour contract by the employer |
| Clause 238. Employee’s liability for damages caused to the employer | The employee is liable for reimbursing the actual direct damage caused to the employer | The employee is liable for reimbursing the actual direct damage caused to the employer |
20. PERSONAL DATA: DEFINITIONS AND CATEGORIES
Personal data – any information relating to a directly or indirectly identified, or identifiable, natural person (a personal data subject).
Examples of personal data: full name, place of birth, year of birth, month of birth, family status, property status, professional status, address, social status, educational level, revenues.
21. PERSONAL DATA: DEFINITIONS AND CATEGORIES
Special categories of personal data: race, political views, philosophical convictions, intimate life, nationality, religious beliefs, state of health.
Biometric personal data: data that reflects biological and physiological make-up of an individual and that allows them to prove their identity.
22. INFORMATION SYSTEMS
1. IS that processes PD of the processor’s employees;
2. IS that processes PD of individuals who are NOT the processor’s employees:
  2.1. IS that processes special categories of PD
  2.2. IS that processes biometric PD
  2.3. IS that processes publicly available PD
23. DON’T NEED TO NOTIFY ROSCOMNADZOR
• PD of company employees in accordance with the Labour Code
• PD received by the processor as a result of executing a contract with the personal data subject (PD is not to be disseminated or passed to third parties)
• PD that consists only of the full name of an individual
• PD needed only for a one-time entry permission
• Non-automatically processed PD
24. AMENDMENTS OF 1ST SEPTEMBER 2015, FEDERAL LAW №242-ФЗ
Amendments to Federal Law №149-ФЗ of 27th July 2006 «On Information, Information Technologies and Data Protection»
Clause 15.5. Procedures for restricting access to information being processed in violation of the Russian Federation’s data protection laws
25. AMENDMENTS OF 1ST SEPTEMBER 2015, FEDERAL LAW №242-ФЗ
In order to restrict access to online information that is being processed in violation of the personal data protection laws, Roscomnadzor establishes the automated information system “Register of violators of personal data subjects’ rights”.
IMPORTANT: An entity can be put on the Register only by a court decision.
26. AMENDMENTS OF 1ST SEPTEMBER 2015, FEDERAL LAW №242-ФЗ
The Register of violators includes:
1) domain names and/or URLs of website pages that contain PD violating the law;
2) IP addresses that allow identification of websites that contain PD being processed in violation of the law;
3) reference to the court decision that has become enforceable;
4) notification of eliminating the violation;
5) date of notifying the communications service provider about the data resource in order to restrict access to this resource.
27. AMENDMENTS OF 1ST SEPTEMBER 2015, FEDERAL LAW №242-ФЗ
APPLYING THE PENALTY – RESTRICTING ACCESS TO DATA RESOURCES
Within 3 business days of receiving the court decision, Roscomnadzor will notify the service provider in both Russian and English about the violation.
Within 1 business day the provider notifies the resource owner.
Within 1 business day the owner must take appropriate measures.
If such measures aren’t taken, ACCESS TO THE RESOURCE CAN BE RESTRICTED.
AFTER ELIMINATING THE VIOLATION the resource owner notifies ROSCOMNADZOR about it, and ROSCOMNADZOR (or its representative) has 3 days to exclude the violator from the Register.
28. AMENDMENTS OF 1ST SEPTEMBER 2015, FEDERAL LAW №242-ФЗ
Amendments to the Federal Law №149-ФЗ of 27th July 2006 «On Information, Information Technologies and Data Protection»
Clause 16. Holders of data and information system processors are liable for ensuring that databases used for collecting, recording, systematizing, accumulating, storing, rectifying (updating, changing), and extracting the personal data of citizens of the Russian Federation are placed within the territory of the Russian Federation.
29. AMENDMENTS OF 1ST SEPTEMBER 2015, FEDERAL LAW №242-ФЗ
Amendments to the Federal Law №152-ФЗ of 27th July 2006 “On Personal Data”
Clause 18. While collecting personal data, including collecting it through the Internet telecommunications system, the processor is liable for ensuring that all recording, systematizing, accumulating, storing, rectifying (updating, changing), and extracting of personal data of citizens of the Russian Federation is carried out with the use of databases that are placed within the territory of the Russian Federation.
30. AMENDMENTS OF 1ST SEPTEMBER 2015, FEDERAL LAW №242-ФЗ
Amendments to the Federal Law №152-ФЗ of 27th July 2006 “On Personal Data”
Clause 22. Notifications sent to Roscomnadzor must contain the following new information: location of the database containing the personal data of citizens of the Russian Federation.
31. AMENDMENTS OF 1ST SEPTEMBER 2015, FEDERAL LAW №242-ФЗ
Amendments to the Federal Law №152-ФЗ of 27th July 2006 “On Personal Data”
Clause 23. Roscomnadzor receives the new power: the right to restrict access to data that is being processed in violation of the RF data protection laws, through following relevant legally established procedures.
32. WHAT ACTIONS ARE TO BE TAKEN BEFORE 1ST SEPTEMBER 2015 COMES?
LEGAL ACTIONS:
1. Send notification to Roscomnadzor, making sure to provide it with information on the location of databases containing PD
2. Check the current state of documentation on compliance with Federal Laws 152-ФЗ and 242-ФЗ and rectify defects, including:
• assigning an authorized person,
• preparing consent forms (for different parties – partners, employees, applicants, etc.),
• preparing amendments to various types of existing contracts,
• internal audit of company activities
33. WHAT ACTIONS ARE TO BE TAKEN BEFORE 1ST SEPTEMBER 2015 COMES?
TECHNICAL ACTIONS:
DEVELOPMENT AND IMPLEMENTATION OF ALL INSTRUCTIONS AND TECHNICAL SOLUTIONS NECESSARY TO LOCALIZE PROCESSING OF PERSONAL DATA OF CITIZENS OF THE RUSSIAN FEDERATION
34. RISKS OF TAKING NO NOTICE OF THE CHANGES
1. ROSCOMNADZOR SCHEDULED INSPECTIONS
2. UNSCHEDULED INSPECTIONS (customers, suppliers, competitors)
3. INSPECTIONS FOLLOWING EMPLOYEES’ COMPLAINTS – THE HIGHEST RISK LEVEL (NUMBER OF COMPLAINTS RECEIVED BY ROSCOMNADZOR IN 2013 – 6153)
| Year | Total number of inspections | Total number of PD inspections | Number of inspections in St. Petersburg |
|---|---|---|---|
| 2015 | 2650 | 1223 | 30 |
| 2014 | 2873 | 1308 | 30 |
35. WHAT ACTIONS ARE TO BE TAKEN BEFORE 1ST SEPTEMBER 2015 COMES?
TAKING INTO ACCOUNT AMENDMENTS MADE TO FEDERAL LAWS 152-ФЗ AND 149-ФЗ IT MAY BE CONCLUDED THAT THE RISKS ARE QUITE HIGH. THAT IS WHY WE RECOMMEND YOU DEVELOP AND IMPLEMENT A PROPER ACTION PLAN AIMED TO ENSURE FULL COMPLIANCE WITH THE PERSONAL