Russia: Personal Data protection

Milan, 23 November 2018 – All legal entities and/or individuals who independently or in cooperation with other entities organize and/or process personal data of Russian citizens in Russia (“Personal Data”) as well as determine the purposes and scope of personal data processing (“Operator”) shall comply with the requirements provided by Russian law and, in particular, Federal Law no. 152-FZ of July 27, 2006 “On personal data” (“Law on Personal Data”).

Pursuant to the Law on Personal Data, an Operator shall comply with several security and technical requirements, administrative and organizational requirements as well as Personal Data localization requirements.

In particular, regarding the above mentioned localization requirements, it worth to mention that any Operator shall establish a database where to record, systematize, accumulate, store, modify and extract Personal Data on the territory of the Russian Federation. The localization requirement does not exclude or hinder anyhow the further cross border transfer of Personal Data, which shall be firstly recorded and/or processed on the territory of the Russian Federation and, thereafter, they could be transferred, without any further or special consensus of the owner of the Personal Data, to facilities located in other countries ensuring that the rights and interests of the owners of such Russian Personal Data are fully protected, meaning with it the countries which are the signatories of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Strasbourg, January 28, 1981).

The control over Operators regarding the compliance with the Law on Personal Data is operated by the Federal Service for Supervision of Communications, Information Technology and Mass Media (“Roskomnadzor”), which is entitled, among the rest, on the basis of a Russian court decision, to block any access to the online resource (website/s) run by Operators in breach of the law requirements.

Despite some exceptions, all Operators are required to notify Roskomnadzor the beginning of the activity of processing of Personal Data.

The Operators acting in breach of Russian Personal Data legislation may be subject to the administrative, civil and criminal liability.

The contents of this publication is for informational purposes only. It is not intended to provide legal or other professional advice or opinions on specific facts or matters. Pavia e Ansaldo assumes no liability in connection with the use of this publication.