Tougher Requirements for Personal Data Operators in Russia

From July 1 new requirements apply to all individuals and legal entities that process or organize the processing of personal data.

The new requirements apply to the vast majority of legal entities in Russia and are in many respects stricter than those in many European countries. The most important of them concern personal data information systems maintained by operators, staffing and notification obligations, and transborder transfer of personal data.

The amendments to the Federal Law "On Personal Data" (the "Personal Data Law") significantly change the whole text of the Personal Data Law, including its definitions, principles and terms for personal data processing, operators' obligations, etc.

However, the most important changes are the following:

  1. The Russian Government is to set certain levels of protection for personal data, so information systems that process personal data must meet the requirements applicable to the respective level of protection. The means of information protection (hardware and software) used by operators must be checked for conformity in a formal procedure.
  2. All personal data operators that are legal entities must appoint a person responsible for organization of personal data processing. Such person internally controls observance of Russian legislation with respect to personal data, and he is accountable to the executive body of the operator.
  3. Those operators that performed personal data processing prior to 1 July 2011 must provide the data protection authority with the following information no later than 1 January 2013:
    • legal basis for personal data processing;
    • information on persons responsible for organization of personal data processing;
    • information on the existence or absence of transborder transfer of personal data when processing them; and
    • information on security of personal data meeting the governmentally established requirements on personal data protection.
  4. It is now clarified that the countries with an adequate level of protection of personal data include at least the member states to the 1981 Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. Other countries can be recognized as countries with an adequate level of personal data protection by the data protection authority.

The amendments to the Personal Data Law were passed on 25 July, but they have retroactive effect and apply starting from 1 July 2011.

Actions to Consider

Since levels of protection of personal data have not yet been adopted by the Russian Government, we recommend monitoring the legislation in order to ensure compliance of the information systems processing personal data with the levels of protection. Adoption of such levels of protection may cause significant expense for personal data operators in upgrading their information systems.

Personal data operators must also appoint a person responsible for organization of personal data protection and provide the data protection authority with the abovementioned information prior to 1 January 2013.

Personal data operators must also perform the following actions on a regular basis:

  1. identify threats to the safety of personal data when processing them in personal data information systems;
  2. apply organizational and technical measures for maintenance of the safety of personal data when processing them in personal data information systems;
  3. apply means of information protection approved by the respective authorities;
  4. evaluate the effectiveness of the measures aimed at the safety of personal data before putting personal data information systems into operation;
  5. register personal data media;
  6. discover facts of unauthorized access to the personal data and take counter steps;
  7. recover personal data modified or destroyed as a result of unauthorized access;
  8. establish rules for access to the personal data being processed in personal data information systems and register all actions performed with personal data in such information systems; and
  9. control the measures aimed at maintaining the safety of personal data and the protection level of personal data information systems.

Conclusion

The enactment of these amendments to the Personal Data Law will significantly affect all personal data operators in Russia. They will face additional obligations to comply with new requirements, which are in many respects stricter than those in many European countries. In particular, the new requirements may require the upgrading of personal data information systems, and such an upgrade may cause additional expense.

For further information please contact Edward Bekeschenko or Dmitry Lysenko in the Moscow office of Baker & McKenzie.

Baker & McKenzie
