September 10, 2021

Overview of the Russian Law on Personal Data

Overview of the Russian Law on Personal Data

Federal Law of 27 July 2006 No. 152-FZ on Personal Data is the principal law governing data protection in Russia - it is based on the international instruments on privacy and data protection in certain aspects, and it contains ideas similar to those of the GDPR.

In a nutshell

The Law on Personal Data was amended in December 2020, which came into effect on 1 March 2021 and significantly changed the legal landscape with regard to the use of publicly available personal data, while also clarifying the conditions of consent to the further processing of such data. Foreign companies operating in Russia are confronted with a variety of data privacy acts and laws that govern processing of the personal citizens’ data. Failure to comply with these acts may result in fines as well as other administrative cutoffs. This especially impacts banks and financial sector, medical foundations, travel industry, and all kinds of e-commerce businesses.

The Roskomnadzor

The main regulatory authority for data protection in Russia is the Federal Service for Communications, Information technology and Mass Communications Supervision - The Roskomnadzor, who are responsible for:

  • The monitoring of data processing activities of data controllers through systematic measures.
  • The verification of information submitted by data controllers to the Roskomnadzor.
  • Overseeing data controllers to specify, block, cease the processing of, and destroy inaccurately or illegally received personal data.
  • Restricting access to information processed in violation of the Law on Personal Data.
  • Executing the suspension and cessation of the processing of personal data that is in violation of the Law on Personal Data.
  • Filing claims to court on the behalf of data subjects, as well as representing them in court.
  • Bringing persons to administrative liability for infringement of the Law on Personal Data.
  • Dealing with the claims of citizens and legal entities concerning the processing of personal data.
  • The maintenance of the registry of data controllers.
  • Active measures to improve the protection of personal data subjects' rights.
  • The technical supervision of the implementation of technologies and tools in the FSB and FSTEC to improve information protection.