Home / Doing business in Russia 2020 / Personal data protection / Scope of the Data Protection Law
  1. Introduction
    1. Political and administrative structure
    2. Legal environment
  2. Common forms of business structures for foreign investors
    1. Main types of structure
    2. Registration, liquidation and reorganisation of business structures
    3. Shareholders’ and participants’ agreements
    4. Strategic industries
  3. Anti-monopoly issues
    1. General legal and regulatory framework
    2. Scope of application of the Competition Law
    3. Anti-competitive practices and restriction of competition
    4. Liability
  4. Tax system
    1. General approach
    2. Corporate taxation
    3. Incentives
    4. Special tax regimes
    5. Taxation of individuals
    6. Double taxation treaties
  5. Customs regulations
    1. General approach
    2. Mutual trade between the EEU members
    3. Trade between EEU and non-EEU countries
  6. Currency control
    1. Foreign currency transactions
    2. Consequences of breach/Penalties
  7. Lending in Russia
    1. Lending documents and governing law
    2. Jurisdiction
    3. International finance transactions and repatriation requirements
    4. Security interests
    5. Recognition of security trusts
    6. Syndicated loans
    7. Enforcement
    8. Suretyships and guarantees
    9. Bankruptcy considerations
    10. Other lending related issues
  8. Employment and migration
    1. Formalising the employment relationship
    2. Managing employment relationships
    3. Terminating an employment agreement
    4. Specifics of employing foreign nationals
  9. Personal data protection
    1. General approach
    2. Scope of the Data Protection Law
    3. Liability
    4. Right to be forgotten
  10. Intellectual property
    1. General approach
    2. Contractual aspects of intellectual property rights
    3. Rights over the results of intellectual activity
    4. Company names, trade names, trademarks and appellations of origin
    5. Intellectual property rights infringements
    6. IP Court
  11. Advertising issues
    1. General approach
    2. Scope of application of the Advertising Law
    3. Violations of the Advertising Law
    4. Liability
  12. Anti-corruption and compliance
    1. General approach
    2. Legal framework
    3. Compliance requirements for companies
    4. Concept of corruption in Russian law
    5. Possible targets of bribery
    6. Liability and penalties for corruption
    7. Example of sector-specific anti-corruption measures
  13. Real estate and construction
    1. Rights to real estate
    2. Real estate transactions
    3. Resolution of real estate disputes
    4. Planning and construction issues
  14. Corporate bankruptcy
    1. Insolvency criteria
    2. Stages of bankruptcy proceedings
  15. Import substitution and production localisation in Russia
    1. Measures affecting goods importation and current import substitution legislation
    2. Localisation incentives
    3. Sector-specific impact of import restrictions and localisation requirements
  16. Banking sector
    1. Legislative and regulatory framework
    2. Licensing and operations
    3. Deposit insurance
    4. The anti-money laundering law
    5. Bank secrecy
    6. FATCA and CRS
  17. Environment, energy efficiency and renewables
    1. Environment
    2. Energy efficiency
    3. Renewables
  18. Infrastructure and public private partnerships
    1. General approach
    2. Key PPP legislation
    3. Russian PPP environment
    4. Financing
    5. Legal issues
    6. Prospects for infrastructure projects
  19. Oil & gas
    1. Legislative framework
    2. Ownership and licensing
    3. Restrictions on foreign investors
    4. Licences
    5. PSAs

Scope of the Data Protection Law

Personal data 

The Data Protection Law defines, in particular, personal data and data processing, regulates the rights of data subjects and the obligations of data controllers, consent rules, data localisation and cross-border data transfer.

The Data Protection Law does not contain an exhaustive list of data that is deemed to be “personal data”. Thus, what constitutes personal data must be assessed on a case-by-case basis. Personal data is defined as any information referring directly or indirectly to an identified or identifiable individual (the “data subject”).

The Data Protection Law also sets forth special categories of personal data. These cover information referring to a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, personal health, sex life and criminal record. In addition, the processing of biometric data is regulated by the Data Protection Law.

Back to top ↑

Data processing operations

The Data Protection Law applies to all personal data processing operations performed within Russia. However, in recent years Roskomnadzor successfully blocked several websites that contained personal data of Russian citizens and have been hosted or managed from abroad. 

Personal data operations under the Data Protection Law include any processing, such as data collection, storage, recording, deletion, transfer. 

The Data Protection Law does not apply to personal data processing performed by individuals for their private needs.

Back to top ↑

Rights of the data subjects

Under the Data Protection Law, a data subject has the right to:

  • request details of the processing of his/her personal data by a data controller (what data is being processed and why, etc.);
  • revoke his/her consent to the data processing at any time;
  • request, in certain cases, the rectification, blocking or deletion of his/her personal data; and/or
  • be compensated for damages, including for moral harm.

Obtaining consent from the data subjects

Personal data may only be processed (i) based on the prior, voluntary, express and informed consent of the individual (data subject); or (ii) if the law expressly permits processing without the data subject’s consent. 

Consent can be given in any form: orally, in writing, electronically or by implication. The data controller must ensure that it can prove that consent was duly obtained. In certain cases, the law requires written consent as described below.

Qualified consent

Consent must be obtained in written form (“Qualified Consent”) when:

  • special categories of personal data and/or biometric personal data are processed; 
  • personal data is transferred to countries which do not ensure an adequate level of protection of personal data (“Unsafe Countries”);
  • decisions are taken automatically and such a decision could influence the rights and freedoms of a data subject; and
  • employees’ personal data is transferred to a third party, including companies of the same group. 

Qualified Consent must contain the following elements:

  • name, address and passport details of the data subject;
  • name and address of the personal data controller;
  • purpose of the personal data processing;
  • list of the personal data to be processed for which consent is given;
  • list of the operations to be performed with the personal data and a general description of the methods to be used for personal data processing;
  • term during which the personal data will be processed and how consent can be withdrawn; and
  • data subject’s signature.

Back to top ↑

Cross-border transfer of personal data

The Data Protection Law distinguishes two types of cross-border data transfer:

  • the transfer of data to countries with adequate protection of personal data (“Safe Countries”); and
  • the transfer of data to unsafe Countries.

Safe Countries comprise signatories to the Strasbourg Convention and countries that are included by Roskomnadzor in the Safe Countries List. Roskomnadzor occasionally amends this list, which now consists of 22 countries.

The cross-border transfer of personal data to Safe Countries may be performed in accordance with the requirements for internal data transfer. The cross-border transfer to Unsafe Countries requires Qualified Consent to be obtained from the data subject, except in cases expressly provided by the law.

Back to top ↑

Data controllers and data processors

The Data Protection Law defines the data controller as an entity (either a state agency, municipal authority or a legal entity) or individual who organises the processing of and/or processes personal data. It also determines the purposes and scope of processing, the content of personal data to be processed and actions performed with the data.

Main obligations for data controllers

The main obligations of the personal data controllers are to:

  • notify Roskomnadzor of their intention to process personal data, except when an exemption applies; 
  • ensure personal data security;
  • adopt a personal data processing policy which includes the list of data, the purposes of data processing, etc.; 
  • appoint a data protection officer responsible for the organisation of data processing within the company;
  • periodically perform internal audits and assessments of the effectiveness of measures applied to protect personal data; 
  • retain control over such measures and the level of protection of personal data (in particular in cases where data processing is outsourced); and
  • ensure that the recording, systemisation, accumulation, storage, clarification (updating, modification) and retrieval of Russian citizens’ personal data is conducted in databases located within Russia. 

Exceptions to the requirement to notify Roskomnadzor of the intention to process personal data

Notification is not required, in particular, to process (i) personal data of employees, when such data is processed by their employer for the purposes of employment relations; (ii) personal data received by the data controller to conclude and perform an agreement with the respective data subject; (iii) data made public by the data subject.

Technical requirements

According to the law, personal data must be protected against unauthorised access, alteration, transfer, disclosure by transfer or deletion as well as damage and accidental destruction. In order to ensure the security of personal data, the data controller must, in particular:

  • use technical devices certified by the competent Russian authorities and keep a record of the devices on which the personal data is stored;
  • determine the level of damage which may be caused in the event of unauthorised processing of personal data; and
  • establish rules relating to access to personal data. 

The Data Protection Law does not provide further details on the technical and organisational measures mentioned above, although some detailed requirements are provided in the relevant regulatory orders. 

Localisation requirements

Data controllers who collect personal data of Russian citizens must ensure that the recording, systemisation, accumulation, storage, clarification (updating, modification) and retrieval of Russian citizens’ personal data are conducted only in databases located within Russia. There are a limited number of exceptions to this requirement, which usually do not apply to business.

When notifying Roskomnadzor of the commencement of processing of personal data, data controllers are required to state the location of the database containing Russian citizens’ personal data.

Back to top ↑


Data controllers may outsource the processing of personal data. To do so they must enter into an agreement with a data processing service provider (a “Technical Processor”). The agreement must contain certain substantial conditions as set out by the Data Protection Law. Data controllers nevertheless remain responsible to data subjects for the fulfilment of their obligations. The Technical Processor must ensure the confidentiality and protection of the personal data.

Back to top ↑

Key contacts

Anton Bankovskiy
Anton Bankovskiy
Head of Intellectual Property
T +7 495 786 40 63