2. Webinar schedule
I. Legal framework for personal data protection in Russia
II. Personal data protection in the medicine field
3. Legal acts regulating personal data protection
Constitution of the Russian Federation;
Federal Law No. 152-FZ “On personal data”;
Labour Code;
Code for administrative offences;
Federal Law No. 149-FZ “On information, information technologies
and protection of information”;
Resolutions of the Government;
Acts issued by specialised ministries and services.
4. Definition of the term ‘personal data’
Personal data are any information relating to a directly or indirectly
identified or identifiable individual ("data subject").
This definition is in line with the Strasbourg Convention of 1981
Any information relating to an individual: text, graphic, biometrical, photo, acoustic, digital …
Identifiable: may be identified with the use of accessible means
5. The principles of personal data processing (1)
1. Legality and fairness
“Processing personal data should be performed on a legal and fair basis.”
2. Purpose
“Personal data processing should be limited to achieving specific
purposes that should be specified preliminarily and be legal. It is
prohibited to process personal data in a way that is not consistent with
the purposes for which the personal data were collected.”
“The content and scope of processed personal data have to comply with
the purposes of processing personal data. Personal data that are
processed must not be excessive with regard to the declared purposes of
their processing.”
6. The principles for personal data processing (2)
3. Proportionality
“Only data that correspond to the purposes of their processing should be
processed.”
4. Data quality
“(…) it is necessary to ensure that personal data are accurate, sufficient,
and, if necessary, up-to-date in relation to the purposes of processing
personal data.”
5. Term of processing
“Personal data must not be stored longer than it is necessary for the
purposes of personal data processing.”
(NB. A timeframe to process personal data may be also provided by the law
or by an agreement with the data subject.)
7. Legal grounds for personal data processing
Processing personal data:
upon consent of the data subject;
without the consent of the data subject: only in cases directly provided by the law.
Form of consent:
qualified form of consent: for special categories of personal data, biometrical personal data, cross border transfer of personal data;
any form proving that the consent was duly obtained.
8. Processing personal data without the consent of
the data subject (1)
1. Requirements of the laws:
Achievement of purposes provided by:
international treaty signed by the Russian Federation;
the Russian law;
Execution by the operator of the obligations or functions provided by the
law;
2. Execution of justice, and execution of the act of the court;
9. Processing personal data without the consent of
the data subject (2)
3. Providing state or municipal services;
4. Contract relations:
execution of a contract:
the data subject is a party, a beneficiary
or a guarantor under the contract;
signing of a contract:
upon the initiative of the data subject;
If the data subject is a beneficiary
or guarantor under the contract;
5. Protection of life, health or other vital interests of the data
subject, if it is impossible to obtain his/her consent;
10. Processing personal data without the consent of
the data subject (3)
6. Legal interests and socially important purposes:
protecting the rights and legal interests of the operator and third parties;
achieving socially important purposes;
Condition: rights and freedoms of the data subject are not violated;
7. Particular types of activities:
journalist or other legal activity of mass media;
scientific work;
literature (activity of writer);
other creative activity;
Condition: rights and interests of the data subject are not violated;
11. Processing personal data without the consent of
the data subject (4)
8. Statistics or other research purposes
• Except for promoting goods and services and political agitation;
• Condition: mandatory depersonalisation of personal data;
9. If public access to personal data is
provided by the data subject at his/her
request;
10. Processing personal data that should be made public under
the law;
12. Obligations of a personal data operator
Inform the Personal Data Authority of its intent to process
personal data (must be done prior to processing of personal
data). Exceptions: cases provided by the law;
Do not disclose information to third persons without the
consent of the data subject;
Bear the burden of proof for obtaining the consent of a data
subject;
13. Protection of employees’ personal data
Purposes of processing employees’ personal data:
compliance with the provisions of the law;
recruitment;
promotion;
education;
personal safety;
control of work quality.
Obligations of the employer:
to ensure the confidentiality of personal data;
not to disclose personal data without the consent of the employee.
14. The specifics of processing personal data in the
medicine field
1. Patients’ and doctors’ personal databases established by new
Russian Federal Law on Healthcare, dated 23 November 2011;
2. Processing of medical professionals’ personal data by the
pharmaceutical companies;
3. “Medical secrecy”
15. Personal data protection within clinical trials
The personal data of clinical trials patients are a “specific” type of
personal data because of information on the state of health.
The main legal issues are:
Patient’s information list;
Transferring personal data to the Sponsor and its affiliates;
Cross-border transfer of personal data in the case of international
multi-centre clinical trials.
16. Thank you for your attention!
CMS, Russia
Gogolevsky Blvd. 11, 119019 Moscow
+7(495) 786 4000
Vsevolod Tyupa, Senior Associate
Vsevolod.Tyupa@cmslegal.ru
+7 (495) 786 4097
Anastasiya Lemysh, Associate, Avocat à la Cour
Anastasiya.Lemysh@cmslegal.ru
+7 (495) 786 3076
Personal data protection: consent, processing, cross-border transfer. 30 November 2011