Types of data considered personal in Russia
Personal data is any information directly or indirectly related to an individual identified or identifiable based on such information (personal data subject).
National laws regulating collection and use of personal data
Data protection (privacy) laws in Russia include:
- Strasbourg Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data 2005 (Strasbourg Convention);
- Federal Law No. 152-FZ on Personal Data 2006 (Personal Data Protection Act);
- Federal Law No. 38-FZ on Advertisement 2006.
The Personal Data Protection Act constitutes the backbone of Russian privacy laws. The main supervising authority is the Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor).
Russian data localization requirements
The data localization (data residency) principle requires that all data related to Russian citizens be stored inside the Russian Federation. According to article 18 of the Russian Personal Data Protection Act, the data residency principle applies to a foreign legal entity only if it collects data directly within the boundaries of the Russian Federation. If personal data was received from another legal entity, the data localization principle is not applicable. Obtaining a person's consent to store his/her personal data outside the Russian Federation does not exclude the data localization principle. The data localization requirement applies only to the personal data of Russian citizens. If it is not possible to determine citizenship, then all data collected within the boundaries of the Russian Federation shall be localized.
Application of data localization and Russian data protection (privacy) laws to foreign legal entities
Data localization and other requirements of the Russian data protection (privacy) laws may apply to a foreign legal entity that has no office in Russia if its activity is connected with Russia. The connection of a legal entity’s activity with Russia may be identified by the following:
- Using Russian domain names (.ru, .рф, .su, .москва, .moscow, etc.);
- The website has been localized into Russian (automatic translation excluded) and one of the following is also true:
a) payment in RUB;
b) goods can be delivered to Russia, services or content can be used in Russia;
c) advertisement in the Russian language;
d) other evidence that the website owner plans to sell on the Russian market.
The maximum fine for a breach of data protection (privacy) laws in Russia is up to 75,000 RUB (around 1100 EUR) and may be accompanied by website blocking.