Accountor together with Vineyard organized a business breakfast on the theme: “NEW PERSONAL DATA LEGISLATION HAS COME INTO FORCE IN RUSSIA: WHAT ARE THE PRACTICAL IMPLICATIONS FOR FOREIGN COMPANIES?” in Helsinki on 15th of October.
Personal Data Protection Law in Russia - Accountor
1. NEW FEDERAL DATA PROTECTION LAW AND ITS PRACTICAL IMPLICATIONS FOR FOREIGN COMPANIES IN RUSSIA
BUSINESS BREAKFAST IN HELSINKI, OCTOBER 15TH, 2015
PAVEL ANTONOV, ACCOUNTOR
15.10.2015
2. GROUNDS FOR LEGAL REGULATION OF
PERSONAL DATA HANDLING RELATIONS
• Respect for personal rights and fundamental freedoms;
• Necessity for strengthening personal rights and guarantees of
fundamental freedoms, namely the right to privacy, with a view to
increasing the cross-border flow of automatically processed
personal data;
• Adherence to the concept of freedom of information regardless
of boundaries;
• Necessity for combining the fundamental values of personal
privacy with free international information exchange.
3. INTERNATIONAL LEGISLATION
• Convention for the protection of individuals with regard to
automatic processing of personal data (Strasbourg, January
28th 1981) (as amended on June 15th 1999)
This Convention was ratified by the Federal Law №160-ФЗ of
December 19th 2005. It came into force in the Russian Federation on
September 1st 2013.
• Additional Protocol to the Convention for the Protection of
Individuals with regard to Automatic Processing of Personal
Data regarding supervisory authorities and transborder data
flows
Signed by the RF on March 13th 2006. Has not been ratified. It is
planned to consider the possibility of regulatory bodies being
consolidated according to the Protocol in the very near future.
4. INTERNATIONAL LEGISLATION
• Directive 95/46/EC of the European Parliament and of the Council of 24th
October 1995 on the Protection of Individuals with Regard to the Processing
of Personal Data and on the Free Movement of Such Data (as revised in the
Regulation 1882/2003 of the European Parliament and of the Council of 29th
September 2003)
• Directive 2002/22/EC of the European Parliament and of the Council of 7th
March 2002 on the Universal Services and Users Rights Concerning the
Electronic Communication Networks and Services (Universal Services
Directive)
• Directive 2002/58/EC of the European Parliament and of the Council of
12th July 2002 Concerning the Processing of Personal Data and the
Protection of Privacy in the Electronic Communications Sector (Protection of
Privacy in the Electronic Communications Directive)
5. RUSSIAN LEGISLATION
• Constitution of the Russian Federation (approved by the
nation-wide voting on 12th December 1993)
• Federal Law №160-ФЗ of 19th December 2005 “On the
Ratification of the EC Convention for the Protection of
Individuals with regard to Automatic Processing of Personal
Data”
• Federal Law №149-ФЗ of 27th July 2006 “On Information,
Information Technologies and Data Protection” (with the latest
amendments of 21st July 2011)
• Federal Law №152-ФЗ of 27th July 2006 “On Personal Data”
(with the latest amendments of 5th April 2013)
6. RUSSIAN LEGISLATION
• Labour Code of the Russian Federation of 30th December 2001
№197-ФЗ (with the latest amendments of 21st June 2012)
• Federal Law №63-ФЗ of 6th April 2011 “On the Electronic
Signature”
• Federal Law №67-ФЗ of 12th June 2002 “On the
Electoral Rights and the Right to Participate in Referendums
(Basic Guarantees for Citizens of the Russian Federation)”
• Federal Law №99-ФЗ of 7th May 2013 “On the Amendments to
a Number of Legislative Acts with regard to the Adoption of the
Federal Laws “On the Ratification of the EC Convention for the
Protection of Individuals with regard to Automatic Processing of
Personal Data” and “On Personal Data””
7. EDICTS OF THE PRESIDENT OF THE RUSSIAN
FEDERATION
• Edict of the President of the Russian Federation №351 of 17th March
2008 “On Measures to Provide the Information Security of the Russian
Federation when Using International Data and Telecommunications
Networks”
• Edict of the President of the Russian Federation №609 of 30th May
2005 “On the Approval of the Russian Federation Civil Officers Personal
Data and Personal File Maintenance Regulation”
• Edict of the President of the Russian Federation №188 of 6th March
1997 “On the Approval of the Confidential Data List”
8. THE RF GOVERNMENT REGULATIONS
• The RF Government Regulation №1119 of 1st November 2012 “On the Approval of the
Requirements for the Assurance of Personal Data Security at their Processing within the
Information Systems of Personal Data”
• The RF Government Regulation №584 of 13th June 2012 “On the Approval of the Payment
System Data Protection Regulation”
• The RF Government Regulation №211 of 21st March 2012 “On the Approval of the List of
Measures to Ensure Compliance with the Federal Law “On Personal Data””
• The RF Government Regulation №125 of 4th March 2010 “On the List of Personal Data
Held on Electronic Media Devices that Contain Information on RF Citizens’ Primary Identity
Documents Giving the RF Citizens the Right to Leave and Enter The Russian Federation”
9. THE RF GOVERNMENT REGULATIONS
• The RF Government Regulation №687 of 15th September 2008 “On the Approval of
the Non-automated Personal Data Processing Peculiarities Regulation”
• The RF Government Regulation №512 of 6th July 2008 “On the Approval of
Requirements for Biometric Personal Data, Tangible Media, and Storage Technologies
Outside of the Personal Data Information Systems”
• The RF Government Regulation №756 of 12th December 2005 “On Submitting a
Proposal to the President of the Russian Federation to Sign the Additional Protocol to
the Convention for the Protection of Individuals with regard to Automatic Processing of
Personal Data on supervisory bodies and cross-border data transfer”
• The RF Government Regulation №1233 of 3rd November 1994 “On the Approval of
the Regulation of Procedures for the Handling of Sensitive Information which is of
Restricted Distribution in the Federal Agencies of the Executive Authority”
10. REGULATORY LEGAL ACTS OF THE FEDERAL AGENCIES OF THE RUSSIAN FEDERATION
• Ministry of Communications and Mass Media of the RF Order №312 of 14th November 2011 “On the
Approval of the Administrative Procedure for the Federal Service for the Supervision of Communications,
Information Technology, and Mass Media to Fulfill the Federal Duty for the Supervision of the Compliance
of Personal Data Processing with the Applicable Legal Requirements of the Russian Federation”
• Ministry of Communications and Mass Media of the RF Order №346 of 21st December 2011 “On the
Approval of the Administrative Procedure for the Federal Service for the Supervision of Communications,
Information Technology, and Mass Media to Provide the Federal Service “Maintenance of a Personal
Data Processors Register””
• The Federal Security Service of the RF and the Federal Service for Technology and Export Control of the
RF Order №416/489 of 31 August 2010 “On the Approval of Security Requirements for the Data
Contained in Public Information Systems”
• The Federal Security Service of the RF Order №378 of 10 July 2014 “On the Approval of the List and
Content of Technical and Organizational Measures to Ensure Personal Data Security at its Processing
within the Information Systems of Personal Data”
11. THE FEDERAL SERVICE FOR THE SUPERVISION OF COMMUNICATIONS, INFORMATION TECHNOLOGIES AND MASS MEDIA’S (ROSCOMNADZOR) ORDERS
• Roscomnadzor Order №246 of 13th April 2011 “On the Approval of Regulation of
Data Processing in the Federal Service for the Supervision of Communications,
Information Technology, and Mass Media Headquarters”
• Roscomnadzor Order №621 of 20 June 2012 “On the Approval of Regulation of
the Authorized Body for the Protection of the Subjects of the Personal Data Rights
Advisory Board”
• Regulation for the Authorized Body for the Protection of the Subjects of the
Personal Data Rights Advisory Board
• Roscomnadzor Order №996 of 5th September 2013 “On the Approval of the
Measures and Requirements for Personal Data Depersonalization”
12. RESPONSIBILITY – ADMINISTRATIVE OFFENCES CODE
Clause 5.27, Part 1 – Violations of labour laws and other regulatory legal acts containing norms of labour laws
Violation: violations of labour laws and other regulatory legal acts containing norms of labour laws (personal data regulations)
Penalty: fine for public officers 1,000 – 5,000 RUB; for legal entities 30,000 – 50,000 RUB

Clause 5.27, Part 4 – Violations of labour laws and other regulatory legal acts containing norms of labour laws
Violation: the same violations committed by a person who has already been subjected to administrative punishment for a similar offence (personal data regulations)
Penalty: fine for public officers 10,000 – 20,000 RUB, or disqualification for 1-3 years; for legal entities 50,000 – 70,000 RUB
13. RESPONSIBILITY – ADMINISTRATIVE OFFENCES CODE
Clause 5.39 – Denial of information
Violation: wrongful refusal to provide a person with information about his/her personal data processing
Penalty: fine for public officers 1,000 – 3,000 RUB

Clause 13.11 – Violation of personal data collection, storage, use or dissemination procedures
Violation: violation of personal data collection, storage, use or dissemination procedures established by law
Penalty: fine for public officers 500 – 1,000 RUB; for legal entities 5,000 – 10,000 RUB
14. RESPONSIBILITY – ADMINISTRATIVE OFFENCES CODE
Clause 13.11.1 – Dissemination of information about job vacancies that contains discriminatory restrictions (on personal data)
Violation: dissemination of information about job vacancies that contains discriminatory restrictions (on personal data)
Penalty: fine for public officers 3,000 – 5,000 RUB; for legal entities 10,000 – 15,000 RUB

Clause 13.12, Part 1 – Violation of data protection rules
Violation: violation of rules set out in the licence for data protection activities
Penalty: fine for public officers 1,500 – 2,500 RUB; for legal entities 15,000 – 20,000 RUB
15. RESPONSIBILITY – ADMINISTRATIVE OFFENCES CODE
Clause 13.12, Part 2 – Violation of data protection rules
Violation: using uncertified information systems, databanks and databases, as well as uncertified information security products, when they are subject to compulsory certification
Penalty: fine for public officers 2,500 – 3,000 RUB; for legal entities 20,000 – 25,000 RUB, with or without confiscation of the information security products

Clause 13.14 – Disclosure of information of restricted distribution
Violation: disclosure of information (personal data) that has restricted distribution under federal law, committed by a person having access to such information in connection with his/her professional duty
Penalty: fine for private individuals 500 – 1,000 RUB; for public officers 4,000 – 5,000 RUB
16. RESPONSIBILITY – ADMINISTRATIVE OFFENCES CODE
Clause 19.15 – Failing to comply on time with the regulatory body’s lawful order
Violation: failing to comply with the lawful order of Roscomnadzor
Penalty: fine for public officers 1,000 – 2,000 RUB; for legal entities 10,000 – 20,000 RUB

Clause 19.7 – Failure to present data (information)
Violation: failure to present data to Roscomnadzor, or failure to do so on time
Penalty: fine for public officers 300 – 500 RUB; for legal entities 3,000 – 5,000 RUB
17. RESPONSIBILITY – CRIMINAL CODE
Clause 137, Part 1 – Violation of privacy
Violation: illegal collection or dissemination of an individual’s private information that constitutes his/her personal or family secrets without his/her consent, or disclosure of such information in a public statement, a publicly displayed work, or in the mass media
Penalty: fine of up to 200,000 RUB, or compulsory community service of 120 to 180 hours, or correctional labour for up to 1 year, or compulsory labour for up to 2 years, or arrest for up to 4 months

Clause 137, Part 2 – Violation of privacy
Violation: the same violation committed by a person using his/her official position
Penalty: fine of up to 300,000 RUB, or compulsory labour for up to 4 years, or arrest for up to 6 months, or imprisonment for up to 4 years
18. RESPONSIBILITY – CRIMINAL CODE
Clause 140 – Denial of information to an individual
Violation: wrongful refusal by a public officer to provide personal data collected in accordance with the established procedure
Penalty: fine of up to 200,000 RUB or salary for 18 months, or deprivation of the right to practise certain activities for up to 5 years

Clause 272 – Wrongful access to computerized information
Violation: wrongful access to computerized information protected by law (personal data)
Penalty: fine of up to 200,000 RUB, or imprisonment for up to 2 years (Part 1); the aggravated forms in the following parts carry stricter penalties
19. RESPONSIBILITY – LABOUR CODE
Clause 81 – Termination of the labour contract by the employer
Violation: disclosure of another employee’s personal data
Penalty: termination of the labour contract by the employer

Clause 238 – Employee’s liability for damage caused to the employer
Violation and penalty: the employee is liable for reimbursing the actual direct damage caused to the employer
20. PERSONAL DATA:
DEFINITIONS AND CATEGORIES
Personal data – any information
relating to a directly or indirectly
identified, or identifiable, natural
person (a personal data subject)
Personal data: full name, place of
birth, year of birth, month of birth,
family status, property status,
professional status, address, social
status, educational level, revenues
21. PERSONAL DATA:
DEFINITIONS AND CATEGORIES
Special categories of personal
data: race, political views,
philosophical convictions, intimate
life, nationality, religious beliefs,
state of health
Biometric personal data: data that
reflects biological and physiological
make-up of an individual and that
allows them to prove their identity
22. INFORMATION SYSTEMS
1. IS that processes PD of the processor’s employees
2. IS that processes PD of individuals who are NOT the processor’s employees
2.1. IS that processes special categories of PD
2.2. IS that processes biometric PD
2.3. IS that processes publicly available PD
4 LEVELS OF PD PROTECTION DEPENDING ON PD CATEGORY, HAZARD TYPE AND NUMBER OF PD OWNERS
(categorization is carried out as part of the recommended DD)
23. DON’T NEED TO NOTIFY ROSCOMNADZOR
• PD of company employees in accordance with the Labour Code
• PD received by the processor as a result of executing a contract with the personal data subject (PD is not to be disseminated or passed to third parties)
• PD that consists only of the full name of an individual
• PD needed only for a one-time entry permission
• Non-automatically processed PD
24. AMENDMENTS OF 1ST SEPTEMBER 2015, FEDERAL LAW №242-FZ
Amendments to Federal Law №149-FZ of 27th July 2006 «On Information, Information Technologies and Data Protection»
Clause 15.5. Procedures for restricting access to information being processed in violation of the Russian Federation’s data protection laws
25. AMENDMENTS OF 1ST SEPTEMBER 2015, FEDERAL LAW №242-FZ
In order to restrict access to online information that is being processed in violation of the personal data protection laws, Roscomnadzor establishes the automated information system “Register of violators of personal data subjects’ rights”.
IMPORTANT: an entity can be put on the Register only by a court decision.
26. AMENDMENTS OF 1ST SEPTEMBER 2015, FEDERAL LAW №242-FZ
The Register of violators includes:
1) domain names and/or URLs of website pages that contain PD violating the law;
2) IP addresses that allow identification of websites that contain PD being processed in violation of the law;
3) a reference to the court decision that has become enforceable;
4) notification of elimination of the violation;
5) the date of notifying the communications service provider about the data resource in order to restrict access to this resource.
27. AMENDMENTS OF 1ST SEPTEMBER 2015, FEDERAL LAW №242-FZ
APPLYING THE PENALTY – RESTRICTING ACCESS TO DATA RESOURCES
Within 3 business days of receiving the court decision, Roscomnadzor notifies the service provider, in both Russian and English, about the violation.
Within 1 business day the provider notifies the resource owner.
Within 1 business day the owner must take appropriate measures.
If such measures aren’t taken, ACCESS TO THE RESOURCE CAN BE RESTRICTED.
AFTER ELIMINATING THE VIOLATION the resource owner notifies ROSCOMNADZOR about it, and ROSCOMNADZOR (or its representative) has 3 days to exclude the violator from the Register.
28. AMENDMENTS OF 1ST SEPTEMBER 2015, FEDERAL LAW №242-FZ
Amendments to the Federal Law №149-FZ of 27th July 2006 «On Information, Information Technologies and Data Protection»
Clause 16. Holders of data and information system processors are liable for ensuring that databases used for collecting, recording, systematizing, accumulating, storing, rectifying (updating, changing), and extracting the personal data of citizens of the Russian Federation are placed within the territory of the Russian Federation.
29. AMENDMENTS OF 1ST SEPTEMBER 2015, FEDERAL LAW №242-FZ
Amendments to the Federal Law №152-FZ of 27th July 2006 “On Personal Data”
Clause 18. While collecting personal data, including collecting it through the Internet telecommunications system, the processor is liable for ensuring that all recording, systematizing, accumulating, storing, rectifying (updating, changing), and extracting of personal data of citizens of the Russian Federation is carried out with the use of databases that are placed within the territory of the Russian Federation.
30. AMENDMENTS OF 1ST SEPTEMBER 2015, FEDERAL LAW №242-FZ
Amendments to the Federal Law №152-FZ of 27th July 2006 “On Personal Data”
Clause 22. Notifications sent to Roscomnadzor must contain the following new information: the location of the database containing the personal data of citizens of the RF.
31. AMENDMENTS OF 1ST SEPTEMBER 2015, FEDERAL LAW №242-FZ
Amendments to the Federal Law №152-FZ of 27th July 2006 “On Personal Data”
Clause 23. Roscomnadzor receives a new power: the right to restrict access to data that is being processed in violation of the RF data protection laws, by following the relevant legally established procedures.
32. RISKS OF TAKING NO NOTICE OF THE CHANGES
1. ROSCOMNADZOR SCHEDULED INSPECTIONS
2. UNSCHEDULED INSPECTIONS (customers, suppliers, competitors)
3. INSPECTIONS FOLLOWING EMPLOYEES’ COMPLAINTS – THE HIGHEST RISK LEVEL (NUMBER OF COMPLAINTS RECEIVED BY ROSCOMNADZOR IN 2013 – 6153)

Roscomnadzor inspection statistics:
Year   Total number of inspections   Total number of PD inspections   Inspections in St. Petersburg   Inspections in Moscow
2015   2650                          1223                             30                              116
2014   2873                          1308                             30                              130
35. FAQ: DEFINITION OF PERSONAL DATA COLLECTION
COMMENTS FROM THE MINISTRY OF TELECOM AND MASS COMMUNICATIONS
Personal data collection is the targeted process of obtaining personal data by the operator directly from a personal data subject or via third parties engaged specifically for this purpose.
Only those personal data are subject to localization which were obtained by the operator as a result of its goal-oriented activity in organizing personal data collection, and not through the accidental (unrequested) receipt of personal data, e.g. in incoming e-mails or other mail that happens to include personal data.
36. FAQ: TRANSBORDER PD TRANSMISSION
COMMENTS FROM THE MINISTRY OF TELECOM AND MASS COMMUNICATIONS
PD of an RF citizen originally entered into a database in the RF and updated there (“primary database”) can be further transmitted to databases located outside the RF (“secondary databases”) administered by other entities, subject to the provisions on transborder data transmission.
Provision of remote access to databases located in the RF from the territory of another state is not prohibited by Federal Law №242.
37. FAQ: AIRLINES AND TICKET RESERVATION COMPANIES
COMMENTS FROM THE MINISTRY OF TELECOM AND MASS COMMUNICATIONS
The provisions of Part 5, Article 18 of the Federal Law “On Personal Data” do not cover Russian and foreign air carriers’ operations connected with the gathering and processing of personal data of citizens of the Russian Federation which is used for making reservations, or issuing and granting tickets, baggage tickets and other documents, because they fall within the exception contained in Clause 2, Part 1, Article 6 of the Federal Law “On Personal Data”.
39. FAQ: IMPACT ON HR DOCUMENTATION
COMMENTS FROM THE MINISTRY OF TELECOM AND MASS COMMUNICATIONS
Transborder transmission of this type of personal data is possible.
If personal data processing falls under the exceptions provided by Clauses 2, 3, 4, 8 of Part 1 of Article 6 of the Federal Law “On Personal Data”, the provisions of Part 5 of Article 18 of 152-FZ are not applied.
Qualification is done by the operator. Correctness is verified by the authorized federal body during control activities.
40. WHAT ACTIONS ARE TO BE TAKEN?
TAKING INTO ACCOUNT AMENDMENTS
MADE TO FEDERAL LAWS 152-FZ AND 149-
FZ IT MAY BE CONCLUDED THAT THE RISKS
ARE QUITE HIGH.
WE RECOMMEND YOU DEVELOP AND
IMPLEMENT A PROPER ACTION PLAN AIMED
TO ENSURE FULL COMPLIANCE WITH THE
PERSONAL DATA PROTECTION LAWS.
41. WHAT ACTIONS ARE TO BE TAKEN?
LEGAL ACTIONS:
1. Send notification to Roscomnadzor, making sure to provide it with information on the location of databases containing PD
2. Check the current state of documentation on compliance with Federal Laws 152-FZ and 242-FZ and correct defects, including:
• assigning an authorized person,
• preparing consent forms (for different parties – partners, employees, applicants, etc.),
• preparing amendments to various types of existing contracts,
• internal audit of company activities
42. WHAT ACTIONS ARE TO BE TAKEN?
TECHNICAL ACTIONS:
TO LOCALIZE PROCESSING OF PERSONAL DATA OF CITIZENS OF THE RUSSIAN FEDERATION:
• TO TRANSFER IT SYSTEMS, OR
• TO USE READY TECHNICAL SOLUTIONS