Russian Federal Law on Personal Data

Principles for processing personal data

Article 5 of the Law on Personal Data provides for the following principles:

  • The processing of personal data must be carried out on a lawful and fair basis.
  • The processing of personal data must be limited to the achievement of specific, predetermined and legitimate purposes; processing personal data in a way that is incompatible with the purposes of its collection is prohibited.
  • It is prohibited to combine databases containing personal data whose processing is carried out for purposes that are incompatible with each other.
  • Only personal data that meet the purposes of their processing are subject to processing.
  • The content and scope of the processed personal data must correspond to the stated purposes of processing, and the processed personal data must not be excessive in relation to those purposes.
  • When processing personal data, the accuracy of the personal data, their sufficiency and, where necessary, their relevance to the purposes of processing must be ensured. The controller must take the necessary measures, or ensure that they are taken, to remove or correct incomplete or inaccurate data.
  • Personal data must be stored in a form that allows the data subject to be identified for no longer than the purposes of processing require, unless the storage period is established by federal law or by an agreement to which the data subject is a party, beneficiary or guarantor. Processed personal data must be destroyed or depersonalised once the purposes of processing have been achieved, or once the need to achieve those purposes has lapsed, unless otherwise provided by federal law.

The Trust Challenge

Key Obligations & Consequences

Applicability:

As of 1 September 2022, the Personal Data Law applies in cases where foreign legal entities and/or natural persons process Russian nationals' personal data on the basis of either agreements concluded with data subjects or their consent. This rule may be understood such that non-Russian data controllers will be obliged to comply with all provisions of the Personal Data Law, including the requirement to process data "with the use of databases located in the territory of the Russian Federation" (the so-called "data localisation requirement").

Obligations to data subjects:

Data controllers have numerous obligations to data subjects. In particular, data controllers shall:

  • Provide certain information regarding the processing of the data subject's personal data upon their request.
  • Provide access to personal data.
  • Eliminate violations in the processing of personal data upon the request of a data subject.
  • Keep personal data confidential and ensure that data processors preserve the confidentiality of the data.
  • Specify what data is held, or cease processing and destroy the personal data of a data subject upon their request, if such personal data is inaccurate or processed unlawfully.

Obligations relating to security and technical measures:

Data controllers shall take sufficient organizational, legal and technical measures for the security and confidentiality of processed personal data. The Law on Personal Data provides a basic list of measures to ensure personal data security. In addition to these measures, companies must implement further security measures in accordance with the procedures set out in Decree No. 1119.

Decree No. 1119 stipulates four levels of security for personal data processed in information systems. Each level determines the particular security measures which must be undertaken. Implementing these measures requires the support of the company's IT department and/or external IT organizations, or of experts competent in Russian information security regulations.

Data controllers are required to conduct an audit of compliance with Russian data protection requirements at least once every three years.

Data controllers may fulfill all information security requirements themselves, or they may outsource this function to a specialized organization possessing the required licenses.

The Trust Challenge

Key Challenges in brief:

Data Breach Notification

As for data breach notifications, from 1 September 2022 the Law on Personal Data obliges data controllers to notify Roskomnadzor when a data breach is discovered.

The procedure for notifying Roskomnadzor about the incident has two steps:

Within 24 hours: a notification on:

  • Causes of the data breach.
  • Alleged harm.
  • Security measures undertaken.
  • Details of the authorized official of the data controller who will interact with the authority in relation to the data breach.

Within 72 hours: a notification on:

  • Internal investigation results.
  • Persons who caused the data breach.

A data controller should now also ensure interaction with GosSOPKA. The interaction procedure is to be adopted by the Federal Security Service. Such interaction implies that a data controller will transmit to GosSOPKA information about computer incidents that led to the unlawful transfer (provision, distribution, access) of personal data.

Nevertheless, data controllers are not required to notify data subjects of data breaches that have occurred.

Cross-border transfers

The amendments to Article 12 of the Personal Data Law provide that a data controller must notify Roskomnadzor prior to conducting cross-border transfers. The notice must describe, among other things:

  • The destination country.
  • The lawful basis of the transfer.
  • The purpose of the transfer.
  • Data categories.

Roskomnadzor has the power to prohibit the notified cross-border transfer within 10 business days of receipt of the notice.

Data processing agreements

Article 6(3) of the Personal Data Law currently requires the following mandatory clauses to be included in data processing agreements:

  • Processing purposes and actions.
  • Data confidentiality and security undertakings.
  • IT security requirements.

The amendments supplement the list of mandatory clauses with the following:

  • The full list of processed data categories.
  • Auditing and data breach reporting procedures.
  • The processor's obligations to fulfill the data localisation requirement and to perform various compliance measures.

Fulfillment of Data Subject Rights

Key data subject rights encoded within the Russian Federal Law on Personal Data are as follows:

  • Right to be informed: The data controller shall make the policies containing information about data processing available to the data subjects concerned.
  • Right to access: A data controller shall provide any record containing the personal data of the data subject. If such a record contains personal data of other data subjects, that information must be excluded from the tangible medium provided to the data subject. A data controller may refuse a data subject access to their personal data if such access infringes upon the legal interests of the data controller and/or third parties.
  • Right to rectification: The data subject has the right to require the rectification of personal data where the personal data is incomplete, inaccurate, outdated, processed unlawfully, or no longer needed to achieve the specific purpose of data processing.
  • Right to erasure: In addition to the right to rectification, the data subject has the right to require the blocking and destruction of personal data where the personal data is incomplete, inaccurate, outdated, processed unlawfully, or no longer needed to achieve the specific purpose of data processing.
  • Right not to be subject to automated decision-making: Under Article 16 of the Law on Personal Data, solely automated decision-making is not permitted if the decision produces legal consequences for the data subject or significantly affects the data subject's rights and legal interests.

Win-Win Situation

Solutions

Data discovery, inventory and mapping:

Our AI-based, patented solution, TurtleShield PI (Privacy Intelligence), discovers all personal and sensitive data in structured and unstructured data systems across on-premises and multi-cloud environments. TurtleShield DI (Data Inventory) enables organizations to inventory and map their entire "data footprint", enabling them to protect what matters most.

Third party Privacy Intelligence (monitors third party sharing):

Often there are silos between entities, or between business and IT teams, and it is challenging to get a full picture of the data leaving and entering the organization, especially when data is shared with third parties, vendors, business partners and others. TurtleShield PI (Privacy Intelligence) creates a data map based on your data sharing so that you can act on it.

Data Minimization:

TurtleShield DM (Data Minimization) helps businesses minimize excess data and adhere to the data minimization principle. This is a data hygiene control, approached from a risk reduction and compliance perspective. We scan large data sets for excess data, including personal data, using machine learning. Removing unwanted data eliminates operational inefficiencies and saves both the cost of holding it and the legal cost of retaining it with respect to regulatory compliance.

Right to be Forgotten (RTBF) with Assured Deletion:

TurtleShield RTBF (Right to Be Forgotten) provides businesses with the capability to comply with mandatory deletion of personal data, by deleting the data on request and validating that the deletion took place.

Enable Data subject rights with cost savings and compliance in totality:

Search capability across large datasets to fulfill data subject requests completely and rapidly. The assumption that data exists only in databases and nowhere else is often not reality, as customer data exists in many sources. Using machine learning and AI, we crawl across data sources and predict where PII can exist.
