If you are an owner of website where registration, placing orders, and accepting applications are provided, you also should know how to collect and process personal data without breaching the Russian Federal Law "On Personal Data". This will help to avoid liability for violations in the field of personal data protection in Russia.
Foreign companies operating in the Russian market are confronted with a variety of regulatory acts governing the processing of personal data, as well as many government bodies that oversee this area. Failure to comply with the regulations may result in fines, administrative suspension of activity or dismissal.
Let us take a closer look at Federal Law No.152 On Personal Data, what it stands for and how you can make your business in Russia compliant.
What is personal data?
According to Russia data privacy law, it refers to any information related to a directly or indirectly identified or identifiable individual (‘data subject’). Personal data means all information about an individual, including:-
• Full name
• Birthdate,
• Address of place of residence
• Phone number;
• E-mail address;
• Date and place of birth;
• Passport data;
• Information about military duty;
• Photo;
• Links to accounts on social networks;
• Information about education, profession, work experience;
• Information about marital status.
Who are the personal data operators?
The operator of personal data is any individual or entity working with personal data. If users can register on your website, leave a request for a call, place an order, purchase any product, subscribe to a newsletter, etc., then you fall under the regulation of the Personal Data Law. Regardless of who administers website, its owner is responsible for violating the legislation on personal data.Russia Privacy Law - Impact on Your Business
The law can affect your business if it is based in Russia, or is based outside of Russia but your customers are Russian citizens.If you fail to comply, your business stands at the risk of being imposed the steep penalty amounting up to 300 000 USD.
How to comply with personal data legislation?
In order to strictly comply with legal requirements, we recommend:- Post an agreement on the processing of personal data on your website, after reading which the website user can express his consent to the processing of personal data.
- Request only the necessary data. For example, you will hardly need passport data to apply for a simple email newsletter subscription. This information may be the basis for bringing website owner to administrative responsibility.
- Provide individuals with information regarding what data about him is stored in your databases, why you process received data, and to whom you transfer it.
- Delete all user information after receiving a request.
- Store personal data in a place, which excludes third-party access.
- Develop a regulation on the processing of personal data. Employees must sign the document.
- Register as a personal data operator in Roskomnadzor.
- A list of the requested information;
- The specific purposes of collecting this information;
- The procedure for processing personal data with an exhaustive list of actions that can be carried out with personal data;
- Name and address of the organization engaged in the processing of personal data;
- The period during which the consent to the processing of personal data is valid, the method of withdrawal of consent.
What should the regulation on the processing of personal data contain?
When placing a provision on the processing of personal data on the website, do not forget to indicate in it:
Does the requirement to use a server in Russia apply to foreign companies?
Even in case a company operates online, with no physical presence in Russia, its activities are targeted at Russia and must meet the requirement of the law.According to the law when collecting personal data, the operator is obliged to ensure the recording, systematization, accumulation, storage, updating (updating, changing), the extraction of personal data of citizens of the Russian Federation using databases located on the territory of the Russian Federation.
Thus, it is possible to collect, process and store a database of personal data about Russian citizens only on servers located in Russia. If your website is located on a foreign hosting, and at the same time you collect and process data about citizens of the Russian Federation, then your domain may be included in the Register of violators of data subjects’ rights. Roskomnadzor maintains the registry.
Is it possible to transfer personal data to the provider?
Under the Russian law, companies are required to ensure the security of personal data of Russian employees and customers. However, it is not forbidden to trust the storage and processing of such data to a third party - cloud provider.In 152-FZ there is no prohibition on data storage in the cloud. The only condition is that the data center of a cloud provider should be located in Russia. According to the clarifications of the Ministry of Communications, data can also be transferred abroad, for example, for processing. However, the first time they need to be recorded on a server that is physically located on the territory of the Russian Federation.
Remember, a cloud provider is not personal data operator! This means that in case of data leaks, your company will held responsible, not the provider. You should ensure reliable personal data protected infrustructure (such as Cloud FZ-152) is provided, as well as the company itself correctly manages data, and correctly arranges access to the information within organization.
A provider cannot decide to whom and on what conditions to open company data, so the owner of the data and infrastructure should carefully approach the access settings.
When choosing a cloud, opt for providers that are certified to store and protect personal data of Russian citizens Under the Russian Personal Data Protection Legislation (152-FZ). They must have the license of the FSTEC (Federal Service for Technical and Export Control) and the FSB. These documents ensure that provider complies with the requirements of Order No. 21 of the FSTEC that defines the technical requirements for security.