Russian Federal Law No. 152-FZ – All You Need To Know

Published August 5, 2023 / Updated December 28, 2024
Contributors

Anas Baig

Product Marketing Manager at Securiti

Maria Khan

Data Privacy Legal Manager at Securiti

FIP, CIPT, CIPM, CIPP/E

The Russian State Duma passed Russian Federal Law No. 152-FZ in July 2006. It was one of the few data protection laws in place before the General Data Protection Regulation (GDPR) came into effect.

Since the law was passed, several amendments have been introduced to keep it equipped for current technological and data privacy challenges. One of these amendments introduced the data localization requirement, which requires that personal data belonging to Russian citizens be stored and retained in databases located within Russia. Data may still be transferred across borders, provided the cross-border transfer conditions are met.

As per the recent amendment 266-FZ, which came into effect on 1 September 2022, processing of personal data under a contract between the data subject and the operator is permitted only if the contract contains no conditions restricting the rights and freedoms of data subjects.

Here are all the important things an organization needs to know to achieve compliance with the law:

1. Who Needs to Comply with the Law

Here’s what kind of data is covered as well as the geographical jurisdiction of this law:

a. Material Scope

This law applies to federal state government bodies, state government bodies of constituent entities of the Russian Federation, other state bodies, legal entities, or any other organizations that collect and process data for commercial purposes.

However, this law shall not apply in the following cases:

  • Personal data collected by individuals for personal and family purposes;
  • Files kept by the State Archives of the Russian Federation;
  • Collection of personal data classified as a state secret;
  • Activities of courts in the Russian Federation per Federal Law No. 152-FZ.

b. Territorial Scope

The law applies to any legal entity, including any foreign entity with a legal presence in Russia that collects personal data in Russia. The law also applies to entities not established in the Russian Federation if they purposefully direct their activities towards the Russian Federation and benefit from those activities.

As per the recent amendment law 266-FZ, the law also applies to the processing of personal data of citizens of the Russian Federation carried out by foreign legal entities or foreign individuals based on an agreement to which citizens of the Russian Federation are parties or based on the consent of Russian citizens.

2. Obligations for Organizations

Per Federal Law No. 152-FZ, all data processors and data controllers have certain obligations towards the data subjects whose data they collect. Some of these obligations and responsibilities include the following:

Lawful Basis Requirements

An operator may proceed with data processing only on one of the following lawful bases:

  • Data processing is conducted with the consent of the data subject;
  • Data processing is required to attain the purposes stipulated by an international agreement of the Russian Federation or by law;
  • Data processing is conducted in connection with the involvement of the individual in constitutional, civil, administrative, or criminal court proceedings, or in proceedings before arbitration courts;
  • Data processing is required for the execution of powers of federal bodies;
  • Data processing is required for the execution of a judicial act;
  • Data processing is required for the performance of a contract under which the data subject is a beneficiary or guarantor;
  • Data processing is required for the professional activities of a journalist and/or the legal activities of the media or for the purpose of scientific, literary, or other creative activity, provided that it does not infringe upon the rights and liberties of the data subject;
  • Data processing is required for statistical and research purposes;
  • Data processing is required for the protection of vital interests of the data subject if it is not possible to obtain their consent;
  • Processing of personal data that the data subject has made publicly accessible at their own request;
  • Processing of personal data that is subject to publication or compulsory disclosure under federal laws.

Consent Requirements

Consent is one of the primary legal bases for data processing. Any consent gained from the data subject must be:

  • Freely given (free will of the data subject)
  • Specific (specific and separate consent for specific and separate data processing purposes, e.g., consent for the publicly disseminated data must be obtained separately)
  • Informed (personal data processing notice is required before the processing)
  • Conscientious
  • Substantive (introduced by the recent Amendment Law 266-FZ)
  • Unambiguous (introduced by the recent Amendment Law 266-FZ)

Data subjects have the right to withdraw their consent at any time. In such an event, the data controller/processor must cease processing the personal data, or arrange for processing to be terminated. If storing the personal data is no longer required for the purposes of processing, the data controller must destroy the data, or ensure its destruction, within ten working days of receiving the withdrawal request.

Written consent is required for the following data processing activities:

  • Cross-border data transfers from Russia to countries that do not have an adequacy decision;
  • Processing of sensitive personal data;
  • Processing of biometric personal data;
  • Processing of personal data for automated decision-making;
  • Processing or transferring of employees’ data to third parties.

Additional amendments were made to Federal Law 152-FZ in March 2021, which introduced new consent requirements for “publicly disseminated data”. This is particularly impactful on the activities of organizations that distribute or disseminate data subjects’ data to an unlimited number of individuals, such as posting such data on a publicly available website.

As such, these organizations are subject to the following consent obligations when it comes to such “publicly disseminated data”:

  • Such consent must be sought separately;
  • Data controllers/processors must allow the data subject to select the categories of personal data which they permit for dissemination;
  • Silence/inaction from the data subject is not the equivalent of consent to the processing of personal data;
  • The data subject can request restrictions on the transfer of their personal data. These restrictions do not apply to third parties obtaining access to the personal data, or to data processing carried out in state, public, or other public interests;
  • The data subject can rescind their consent at any time, following which any and all transfer of their personal data must stop.

Lastly, a data controller/processor must gain a user’s express consent before sending them direct marketing communications of any kind. If the user rescinds their consent from receiving such communications, the data controller/processor must cease their data processing at once.

Since an individual under the age of 18 cannot legally consent to any form of data processing, consent must be acquired from the legal guardian or parental authority.

Security Requirements

The law states that an operator must take the necessary legal, organizational, and technical measures to ensure the security of personal data.

As per amendment law 266-FZ, data controllers are also required to ensure that data processors take necessary measures to protect personal data and ensure confidentiality.

Data Breach Notification Requirements

From September 1, 2022, data operators must notify Roskomnadzor of security breaches concerning personal data if the incident results in the illegal or accidental transfer of personal data. Transfer of personal data means the provision or distribution of, or access to, the data.

  • Regarding illegal or accidental data transfers, the notification must be made within 24 hours from the incident's detection time. The notification must at least include information on the alleged causes that led to the violation of data subjects’ rights, the alleged harm, and mitigation measures.
  • Within 72 hours, the notification must be made on the results of the internal investigation of the identified incident and any information about the persons whose actions caused the incident.

Data Protection Officer Requirement

Organizations must employ a data protection officer (DPO) in case of the following:

  • The data processing is carried out by a public body;
  • The nature of data processing carried out by a data processor/controller requires the monitoring of data subjects on a large scale;
  • The data processor/controller collects large quantities of special categories of data;
  • The organization employs a certain number of employees within the Russian Federation.

While the law sets no further criteria for who may be appointed as DPO, it is highly recommended that an organization's DPO be someone who understands Federal Law No. 152-FZ thoroughly, so that all of its provisions and those of its amendments are applied adequately within the organization.

Data Protection Impact Assessment

There is no explicit requirement for a data protection impact assessment under the law. However, the law mandates all operators to take the appropriate measures to assess the effectiveness of the measures taken to protect the collected personal data.

Cross Border Data Transfer Requirements

Transfers of data outside Russia are allowed to countries that are parties to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (the Strasbourg Convention), and to other countries that, according to Roskomnadzor, provide adequate data protection guarantees.

The regulatory body Roskomnadzor is responsible for approving a list of countries that provide adequate data protection despite not being parties to the Strasbourg Convention. These countries include Australia, Gabonese Republic, Israel, Qatar, Canada, Malaysia, Mongolia, Bangladesh, New Zealand, Angola, Belarus, Benin, Zambia, Kazakhstan, Costa Rica, Korea, Mali, Niger, Peru, Singapore, Tajikistan, Uzbekistan, Chad, Vietnam, Togolese Republic, Brazil, Nigeria, South Africa, and Japan.

Data transfers to countries that are neither parties to the Strasbourg Convention nor approved by the regulatory authority as providing adequate protection can take place only on one of the following grounds:

  • The data subject’s consent in writing has been obtained
  • The data transfer is provided for by international treaties of the Russian Federation
  • The data transfer is provided in federal laws for purposes of protecting constitutional systems, the country’s defense and state security, or for the safe operation of the transport complex
  • The data transfer is for the execution of a contract to which the data subject is a party
  • The data transfer is for the protection of vital interests of the data subject or other persons, and it is impossible to obtain their consent

However, any cross-border transfers may be prohibited or limited to protect the foundations of the constitutional system of the Russian Federation, public morality and health, rights, and legitimate interests of citizens or to ensure national defense and state security.

Before transferring personal data, an operator must carry out an assessment to ensure the destination country has reliable data protection mechanisms in place. As per the recent amendment 266-FZ, which came into effect on September 1, 2022, the data operator must also notify the regulatory authority of its intention to carry out the cross-border data transfer.

Also, data controllers that collect personal data of Russian citizens are required to ensure that recording, systematization, accumulation, storage, clarification, and extraction of personal data is done using databases located in Russia. This data localization requirement applies to foreign entities that carry out targeted activities in the territory of the Russian Federation and collect personal data of Russian citizens.

3. Data Subject Rights

Like all other major data protection laws globally, Federal Law No. 152-FZ grants all users, or personal data subjects, certain rights and control over their data. These rights can be exercised under specific circumstances and are subject to exemptions. They include the following:

a. Right of Access to Personal Data

All data subjects have the right to access all personal data collected by the organization.

Additionally, the data subject can request access to the following information:

  • Confirmation of the data processing by the operator;
  • Legal grounds and the purpose behind the data processing by the operator;
  • Methods used in data processing by the operator;
  • Contact information of the operator;
  • Source of the data collected;
  • The period of the data processing, including the period for which they are kept;
  • The procedure behind the exercise of the data subject rights;
  • Information on any cross-border data transfers, whether the data subject's data has been a part of any cross-border transfers;
  • Contact information of the person carrying out the data processing on behalf of the operator.

Data access requests must be responded to within ten working days as per recent amendments to the law.

b. Right to Rectification & Erasure of Personal Data

All data subjects have the right to request an operator to rectify, block or destroy their personal data if the data collected has since become outdated, incomplete, or obsolete. The data subject can also exercise the right to the erasure of data if data is no longer needed for its purpose.

c. Right of Data Subjects in Relation to Decision-Taking Solely on the Basis of Automated Processing of Their Personal Data

A data subject may request an operator to cease using automated decision-making based on their collected data if they feel their rights or interests are being infringed.

d. Right of Data Subjects Where Their Personal Data Are Processed for the Purpose of the Market Promotion of Goods

An operator may collect a data subject's personal data for direct marketing purposes only if it has obtained the data subject's prior consent. Direct marketing here includes promoting goods, works, and services on the market.

A data subject may request an operator to cease sending them any such communications or material. The operator must immediately stop their direct marketing activities to the data subject once such a request is made. If the storage of data is no longer required for the purposes the data was collected for, organizations must destroy the data or ensure its destruction within a period not exceeding thirty days from the date of receipt of the withdrawal request by the data subject.

However, as per amendment 266-FZ, which came into effect on September 1, 2022, the data operator is obliged to stop the processing of personal data within 10 working days from the date the operator receives the request.

e. Rights in Relation to Publicly Disseminated Data

Data subject’s consent is required to distribute or allow the personal data to be disseminated to an unlimited number of persons. Such consent must be obtained separately from other kinds of consent.

4. Regulatory Authority

The Federal Service for Supervision of Communications, Information Technology, and Mass Media (Roskomnadzor) is the main supervisory body enforcing the country's data privacy law. It is the authorized federal executive body exercising control and supervision functions in compliance with the Federal Law on Personal Data provisions.

5. Penalties for Non-compliance

In March 2021, changes were introduced to penalties related to non-compliance with Federal Law No. 152-FZ by data processors or data controllers.

The law provides for compensation for moral harm and the imposition of administrative fines for violation of data localization requirements, violation of data protection legislation, or failing to obtain consent as per the requirements.

The fines range from the following minimum to maximum amounts:

  • The fine for citizens is in the amount of two thousand to six thousand rubles
  • The fine for officials is from ten thousand to twenty thousand rubles
  • The fine for legal entities is from sixty thousand to one hundred thousand rubles

Repeated commission of an administrative offense is subject to the following administrative fines:

  • The fine for citizens is in the amount of four thousand to twelve thousand rubles
  • The fine for officials is from twenty thousand to fifty thousand rubles
  • The fine for individual entrepreneurs is from fifty thousand to one hundred thousand rubles
  • The fine for legal entities is from one hundred thousand to three hundred thousand rubles.

6. How an Organization Can Operationalize the Law

Simply knowing their responsibilities and obligations is often not enough for organizations. Achieving compliance with the law is often easier said than done, owing to how many complications can arise. Thankfully, many of these problems can be alleviated if an organization has a strong base to work on. Hence, here are some ways an organization can operationalize the law:

  • Have a privacy policy that is easily understandable and communicates all the organization's obligations and data subjects' rights effectively;
  • Hire a competent DPO who understands the law and can advise on keeping the organization's data collection practices compliant with it;
  • Ensure all the company's employees and staff are acutely aware of their responsibilities under the law;
  • Conduct regular data protection impact assessments as well as data mapping exercises to ensure maximum efficiency in your compliance efforts;
  • Notify the relevant authorities and affected data subjects of any data breaches promptly.

7. How Securiti Can Help

Users are now more educated and vigilant about websites or organizations collecting any form of data on them online. Additionally, almost every major country now has a data protection law of some kind in effect or is drafting one. This has meant that organizations have had to amend and evolve their data collection practices to ensure they meet their legal obligations without losing their users' confidence.

However, owing to the sheer amount of data involved, most organizations may find this herculean task reasonably intimidating. The margin for error is extremely low, and violations of any kind are punished heavily.

This is where Securiti can help.

Securiti is a market leader in providing enterprises with data governance and compliance solutions. These include robotic DSR fulfillment, data mapping, and breach management, among others.

Request a demo today to see what else Securiti has to offer and how it can help your Federal Law No. 152-FZ compliance efforts.


Frequently Asked Questions (FAQs)

The Russian Federal Law No. 152-FZ is a data protection regulation in Russia. It applies to federal state government bodies, state government bodies of constituent entities of the Russian Federation, other state bodies, legal entities, or any other organizations that collect and process data for commercial purposes.

Russian Federal Law No. 425-FZ covers all medicines, requiring strict product tracking, secure coding, and government reporting.

Russia has not adopted a specific "new" privacy law. It has the existing Personal Data Law (No. 152-FZ) and continues to develop its data protection regulations through amendments.

The data localization law in Russia requires certain types of personal data about Russian citizens to be stored on servers located within Russia. This law aims to ensure the protection of Russian citizens' personal data.

No, Russia is not part of the European Union (EU), and the General Data Protection Regulation (GDPR) applies to EU member states and European Economic Area (EEA) countries. Russia has its own data protection laws.

Yes, Russia has privacy laws, primarily the Personal Data Law (No. 152-FZ), which regulates the processing of personal data within Russia.
