1. Processing of Personal Data.
What’s new?
by Anton Kabakov
Hellevig, Klein & Usov
November 21, 2014
2. From 1.1.2015 all Russian citizens’ personal data should be stored only in Russia!
3. Amendments to the law:
Russian citizens’ personal data must be recorded, compiled, stored, refined (updated, modified) and extracted using databases located in Russia, with certain exceptions.
4. 1. What is considered to be “personal data” and what is not?
2. Is it currently allowed to transfer personal data abroad?
3. What are the changes to the law and what do they really state?
4. When are these changes expected to come into force?
5. • The Russian definition of "personal data" is broad and borrowed from European Union law.

Russia (Art. 3(1)(1) of the Federal Law On Personal Data dated July 27, 2006):
Any information relating to a directly or indirectly identified or identifiable natural person.

European Union (Art. 2 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data):
Any information relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.
6. Which data are sufficient to identify a person?

Vadim Ampelonsky (official representative of the state controlling body, Roskomnadzor): "The minimum set of personal data necessary for the identification of the person is a combination of the first and last name and photograph of the subject."
(http://lenizdat.ru/articles/1124854/)

Biometric personal data: physiological and biological features of a person on the basis of which one can identify him (Part 1, Art. 11 of the Law On Personal Data).

Can a person be identified by the IP address of his computer, his e-mail account, or his Skype account?
7. [Illustration: Mr. Homer J. Simpson, Safety Inspector at the Springfield Nuclear Power Plant; the overlaid name captions of the original slide are not recoverable]
8. Information considered to be personal data identifying a person:
• Passport data
• Fingerprinting information
• Name together with photograph
• Name together with the date of birth, and information about the parents and their dates of birth

Information not sufficient to identify a person and not considered personal data:
• Solely the name or registered address of the person
• Blood group, etc.
• Nationality
9. Kinds of personal data.
• Public
• Biometric
• Special ("sensitive"), i.e., data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, health, private life
• Depersonalized? Is it still personal data if the natural person is no longer identifiable?

NEW REGULATION WILL APPLY TO ALL KINDS OF PERSONAL DATA
10.
Law On Personal Data:
Cross-border transfer of personal data to foreign states that are parties to
the Convention for the Protection of Individuals with regard to Automatic
Processing of Personal Data, as well as other foreign countries ensuring
adequate protection of the rights of subjects of personal data is carried out
in accordance with this federal law, and may be prohibited or limited in
order to protect the constitutional system of the Russian Federation,
morality, health, rights and lawful interests of citizens, national defense
and state security.
Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data:
A party shall not prohibit or subject to special authorization cross-border
flows of personal data going to the territory of another party, for the sole
purpose of protecting privacy.
11. Is it currently allowed to transfer personal data abroad?
Sure, if personal data is transferred to foreign countries that are:
a) Parties to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (which Russia is a party to), OR
b) Ensuring adequate protection of the rights of the subjects of the personal data, OR
c) Any other country, with the written consent of the individual.
Exceptions: race, political opinion, religious convictions or other beliefs, health or private life, criminal record.

See also: Ministry of Labor guidelines; amendments to the Administrative Offenses and Criminal Codes.
12. Russian citizens’ personal data will need to be recorded, compiled, stored, refined (updated, modified) and extracted using databases located in Russia.

Companies will be required to notify the state agency of the location of the database with personal data.

State authorities will be entitled to block a site violating the law On Personal Data.
13. When are these changes expected to come into force?
Who falls under its scope? Territorial or extraterritorial principle of operation of the new law?
Are all categories of personal data of Russian citizens (public, biometric, special) prohibited from being stored using a database located abroad?
Will it be possible to store personal data abroad while duplicating it in Russian databases (mirrors)?
If personal data is stored on a mobile device (phone, laptop), how does one comply with the requirement to keep it in Russia?
14. Personal data may be recorded and stored abroad in cases where processing of personal data is necessary, inter alia, for:
achieving the goals of an international treaty of the Russian Federation or of the law, or for fulfillment of the operator’s obligations/functions set out by law.

Does this mean that mandatory HR information may be stored abroad as previously?
15. If data is transferred cross-border, apparently it will be stored abroad.
As long as cross-border transfer of personal data is allowed, there could be no prohibition on storing data abroad.
It is possible to have solely mirror databases in Russia.
16. Questions and responses

Question: How do the restrictions correlate with the Convention of the Council of Europe?
Response (opinion of Roskomnadzor):
- Personal data may be transmitted abroad. After use it must be deleted;
- Personal data may not be stored abroad.

Question: Can personal data be stored in Russia and abroad?
Response (opinion of the presidential administration): No. It must be stored only in Russia.

Question: Can one store depersonalized personal data abroad?
Response: Technically, yes.
17. A public authority may require the hosting provider to block the site on the basis of a court decision.
Fine on the offending company of up to RUB 10,000.
18. Blocking procedure:
1. Court rules that the site violates the Law on Personal Data.
2. The individual files a claim together with the court decision to the state agency.
3. The state agency sends notice to the hosting provider.
4. The hosting provider sends notice to the owner of the resource.
5. The owner of the resource must remove the violation.
6. The hosting provider limits access.

19. Restoring access:
1. The owner of the resource removes the violation, or the court cancels its earlier decision.
2. The owner of the resource or the hosting provider contacts the state agency.
3. The state agency opens access.
20. American and European models of cross-border transfer of personal data
The Russian model for cross-border transfer of personal data leans toward that of the EU.

USA:
• There are no restrictions on cross-border transfer of personal data.
• Is not a country that provides the appropriate level of protection of personal data from the EU perspective.
• Safe Harbor regulations.

European Union:
• Cross-border transfer of personal data is allowed only to countries that ensure an adequate level of protection of these data.
• Requirements for the cross-border transfer of personal data can be applied to their subsequent (onward) transfer (Art. 40 of the Proposal for a General Data Protection Regulation).
• Planned transition from a territorial to an extraterritorial model (item 19 of the Preamble of the Proposal for a General Data Protection Regulation).
21. Recommendations:
• Notify state authorities of personal data processing. If the company plans to process personal data, we recommend that it notify the state authority prior to the entry into force of the law. In that case, it does not need to specify the location of the databases with personal data.
• Duplicate personal data in Russia, keeping original data abroad?
• Transfer depersonalized data abroad?
• Audit HR documents to identify those which may be stored abroad.
• Duplicate personal data stored on mobile devices on servers located in Russia?
22. • Measures must be necessary and sufficient to protect personal data against unauthorized access, destruction, copying, distribution or other misuse.
• The operator independently determines the composition and the list of measures that are necessary and sufficient to fulfill the requirements of the Law.

Legal and organizational measures:
• Consent to process personal data;
• Local policy documents in relation to the processing of personal data;
• Evaluation of the harm that may be caused to citizens in the case of processing of their personal data in violation of the law;
• Ensuring unrestricted access to the operator’s policy documents in respect of the processing of personal data which meet the requirements for the protection of personal data.

Technical measures:
• Accounting for machine storage devices of personal data;
• Application of approved procedures for assessment of means of information protection;
• Recovery of personal data modified or destroyed by unauthorized access to it.
23. 15.1.2012
Offices in 3 countries: Russia, Ukraine, Finland
150 professionals at your service
Partnerships: AEB, AmCham, AHK, SVKK, SPIBA