🇷🇺 Russia
Information
Extracts :
Extract :
There is no mention of this.
2021
Reference :
Russia Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
"The Law on Personal Data does not outline requirements on nationality or place of residence in relation to the processing of personal data of data subjects."
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - RUS
Extracts :
Extract :
"The laws outlined above apply to any entities, including state and municipal authorities, legal entities, and individuals that process personal data through the use of automated means, including via an information/telecommunication network, or without automated means if the nature of the manual processing is similar to the automated processing, i.e. allows one to search personal data in a card catalogue or archive with the use of an algorithm."
2021
Reference :
Russia Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
"As amended, the Personal Data Law has extraterritorial effect and applies to any processing of personal data by foreign persons (including corporate entities): (i) pursuant to a contract with a Russian citizen; (ii) pursuant to other agreements between foreign persons and Russian citizens; or (iii) if a Russian citizen consented to having their personal data processed by a foreign person.
Previously, the Personal Data Law had no express extraterritorial effect and, per prior regulatory guidance, was limited to processing of personal data that took place in Russia or in connection with Internet services aimed at individuals located in Russia. The Amendments therefore significantly expand the Personal Data Law's scope. Companies processing personal data of Russia-based individuals may want to assess (or reassess) whether they are subject to the Personal Data Law."
2022
Reference :
Russian Data Protection Updates: Key Points for International Businesses
Updated Russian data protection regulations
Link to reference Extracts :
Extract :
"Data controller: The Law on Personal Data refers to a 'data operator,' which is an entity who, separately
or jointly with other entities, arranges and/or carries out personal data processing, as well as determines the purposes of personal data processing, scope of personal data to be processed, and actions
(operations) performed on personal data.
Data processor: There is no definition of 'data processor' in the Law on Personal Data. However, the
Law on Personal Data imposes obligations on a 'person carrying out the processing of personal data on
the instructions of an operator.'"
2021
Reference :
Russia Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extract :
"Data controller: A 'responsible party' is a public or private body that determines the purpose and
means for processing personal information of a data subject.
Data processor: An 'operator' is a party that processes personal information on behalf of a responsible
party, without coming under the direct authority of the responsible party."
2021
Reference :
South Africa Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
Data entered based on reference.
2021
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2022
Reference :
Russia Data protection overview | DataGuidance
Updated DataGuidance reports
Extracts :
Extract :
Data entered based on reference.
2021
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
"Since March 2021, Russia has increased the fines for different types of violations of the Russian personal data laws. Now Roskomnadzor has the power to impose fines of up to RUB 500,000 (approx. USD 6,900). There are different sanctions for different violations and a personal data audit may potentially result in a number of different fines for different types of violations. However, while there could be several fines, they are not likely to be multiplied by the amount of the affected data subjects.
Earlier, since December 2019, Russia substantially increased the fines for non-compliance with the localization requirements. Such fines may be imposed both on legal entities and their responsible executives. If legal entities commit such violations for the first time, the fines will be within the range of approx. USD 31,000 - 93,000. Fines for repeat violations for legal entities will be within the range of approx. USD 93,000 - 280,000. Importantly, fines for repeat violations may potentially be imposed several times.
A company's directors and officers (i.e., DPO) responsible for a violation may also be subject to administrative fines. Additionally, if administrative fines for violation of personal data requirements are imposed on a corporate executive who is an expatriate employee, he/she may be denied visa and entry into Russia for the next 3 years."
2021
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
"The maximum administrative fine for violations of the Law on Personal Data is RUB 18 million (approx. €193,920) under Article 13.11(9) of the Code of Administrative Offenses. This fine is established for a repeated violation of Article 18(5) of the Law on Personal Data."
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - RUS
Extracts :
Extract :
"In a few cases, breach of the Russian privacy laws can constitute a criminal offense, such as
if information containing an individual's private or family secret is illegally collected or is disseminated in mass media or in public speeches;
in case of illegitimate electronic access to personal data resulting in its copying, modification, blocking or removal; or
in case of illegitimate exploitation of personal data for the purposes of legal entities establishment.
Companies cannot be held criminally liable in Russia, but a company's responsible directors or officers may potentially be held criminally liable for the company's offense.
Potential sanctions for the above criminal offenses vary from minimal criminal fines to criminal imprisonment of up to seven years with or without criminal disqualification for up to five years."
2021
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2023
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2021
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
"Under the Law on Personal Data, the data subject has the right to lodge a complaint with the supervisory authority."
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - RUS
Extracts :
Extract :
Data entered based on reference.
2021
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
No direct stipulations by the Russian regulations. Operators may decide to conduct this assessment by themselves.
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - RUS
Extracts :
Extract :
"The Law on Personal Data does not outline pseudonymisation (depersonalisation) as a data security measure."
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - RUS
Extracts :
Extract :
"The Law on Personal Data does not contain similar notification
requirements. If the operator receives data subject's
inquiry about a possible data breach, the operator must
investigate the matter. When the data breach is found and
eliminated, the operator must report to the data subject."
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - RUS
Extracts :
Extract :
"The Law on Personal Data does not contain similar notification
requirements. If the operator received Roskomnadzor's
inquiry about a possible data breach, the operator must
investigate the matter and report to Roskomnadzor."
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - RUS
Extracts :
Extract :
There is no comment by DataGuidance.
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - RUS
Extracts :
Extract :
Data entered based on reference.
2021
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
"The Law on Personal Data does not include the right to object. However, data subjects can demand the
cessation of illegal processing.
Withdrawal of opt-in consent can also be regarded as equivalent to the right to opt-out."
2021
Reference :
Russia Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
"Russian law does not include the right to data portability."
2022
Reference :
Russia Data protection overview | DataGuidance
Updated DataGuidance reports
Extracts :
Extract :
"8.7. Right not to be subject to automated decision-making
Under Article 16 of the Law on Personal Data, solely automated decision-making is not permitted if the
decision produces legal consequences for data subject or significantly affects data subject's rights and
legal interests."
2021
Reference :
Russia Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
"8.1. Right to be informed
The right to be informed means that the data controller shall make the policies containing information
about data processing available to the data subjects concerned."
2021
Reference :
Russia Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
Data entered based on reference.
2021
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
"Upon the request of a data subject, a data controller shall provide any record containing the personal
data of the data subject. If such record contains personal data of other data subjects, this information
must be excluded from the tangible medium provided to the data subject. A data controller may refuse
a data subject access to his/her personal data if such access infringes upon the legal interests of a data
controller and/or third parties."
2021
Reference :
Russia Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
"8.3. Right to rectification
The data subject has the right to require the rectification of personal data where the personal data is incomplete,
inaccurate, outdated, processed unlawfully, or no longer needed to achieve the specific purpose
of data processing."
2021
Reference :
Russia Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
"8.4. Right to erasure
In addition to the right of rectification, the data subject has the right to require the blocking and destruction
of personal data where the personal data is incomplete, inaccurate, outdated, processed unlawfully,
or no longer needed to achieve the specific purpose of data processing."
2021
Reference :
Russia Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
Data entered based on reference.
2021
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
"The cross-border transfer of personal data into the territories of foreign
states that do not provide adequate protection of the rights of data subjects
may be conducted in the following cases:
1) If the data subject has given their consent to the cross-border transfer of
their personal data;
2) In the cases stipulated by international agreements of the Russian
Federation;
3) In the cases stipulated by federal laws as necessary to protect the
foundations of the constitutional order of the Russian Federation, to ensure
national defense and state security, to ensure the stable and safe operation of
the transport system, and to protect personal interests, society, and the state
in the transport sector against acts of unlawful interference;
4) For the purpose of the execution of an agreement to which the data
subject is a party;
5) For the purpose of protecting the life, health or other vital interests of the
data subject or other entities if it is not possible to obtain the written consent
of the data subject."
2019
Reference :
RUSSIAN FEDERATION FEDERAL LAW ON PERSONAL DATA
Information on Russia's data protection regulation | Unofficial text in ENG | DataGuidance
Link to reference Extracts :
Extract :
Data entered based on reference.
2021
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2022
Reference :
International Data transfer Agreements | DataGuidance
Comparison of international data transfer agreements
Extracts :
Extract :
Data entered based on reference.
2021
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
No direct stipulations by the Russian regulations. Operators may decide to conduct this assessment by themselves.
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - RUS
Extracts :
Extract :
The Russian law introduces the position of the DPO (as per the GDPR).
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - RUS
Extracts :
Extract :
"There are no specific requirements about the DPO's
professional qualities, education or expert knowledge"
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - RUS
Extracts :
Extract :
"The Law on Personal Data outlines the tasks of the DPO which include the responsibility to: inform the operator's employees of the provisions of Russian personal data laws, internal privacy policies, and data protection requirements; and organise the receipt and consideration of requests and inquiries of data subjects and their representatives and/or monitor the receipt and consideration of such requests and inquiries."
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - RUS
Extracts :
Extract :
"Under the Law on Personal Data, each legal entity must officially appoint the DPO independently of its affiliates. It is illegal to designate one person on behalf of the whole group of companies. However, several companies may use one and the same person as their DPO since the external service providers are not prohibited."
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - RUS
Extracts :
Extract :
Data entered based on reference.
2021
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
"Under the Law on Personal Data, the data subject has the right to be informed about data processing in particular: legal basis, purposes and methods of data processing, the identity of the operator, as well as cross-border data transfer."
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - RUS
Extracts :
Extract :
There is no comment by DataGuidance.
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - RUS
Extracts :
Extract :
"The right to be informed means that the data controller shall make the policies containing information about data processing available to the data subjects concerned.
The data processing policies shall contain a range of details regarding data processing activities, in particular, categories of processed data, purposes of processing, operations performed on data, methods of processing, information on international transfers, etc."
2021
Reference :
Russia Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extract :
Extracts :
Extract :
Data entered based on reference.
2021
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extract :
Extracts :
Extract :
"There is no obligation for data controllers and/or data processors to maintain data processing records. However, some companies maintain similar records as good practice and convenient tool in order to monitor and record data processing activities, data flows, and compliance with applicable legal requirements."
2022
Reference :
Russia Data protection overview | DataGuidance
Updated DataGuidance reports
Extracts :
Extract :
There is no direct regulation in Russia. In practice, many companies record their processing operations for demonstrating compliance and determine the content of the records by themselves.
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - RUS
Extracts :
Extract :
Data entered based on reference.
2021
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference

| Name | Short name | Classification | Jurisdiction | Year of creation |
|---|---|---|---|---|
| Federal Antimonopoly Service (FAS) | | Regulator | Under the government authority | 2004 |
| Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor) | Roskomnadzor | Regulator | Under the government authority | 2008 |
| Central Bank of Russia (CBR) | | Regulator | Under the government authority | 1990 |
| Federal Security Service (FSB) | | Regulator | Under the government authority | 1995 |
| Ministry of Digital Development, Communications and Mass Media | | Regulator | Ministry | 2008 |

| Legal text name | Original text name | Legislation type | Year signed | Regulation status | In effect since | Latest update initiated | Latest update areas | Latest update signed year |
|---|---|---|---|---|---|---|---|---|
| Federal Law of 27 July 2006 No. 152-FZ on Personal Data | Federal Law of 27 July 2006 No. 152-FZ on Personal Data | General privacy/data protection law | 2006 | Active | 2006 | 2022 | Several aspects | 2023 |