Many activities require the processing of information about individuals and legal entities: security (background checks), due diligence on people, database creation, promotion of goods and services (marketing), and others. The federal law “On Personal Data,” passed last year (hereinafter the “Personal Data Law”), introduced some amendments that concern these procedures. With this law in mind, we can summarize what Russia’s personal data legislation looks like, and what it means for those persons and organizations (hereinafter “operators”) deciding to engage in personal data processing.
Operators entering the Russian market are confronted by a maze of regulations that deal with processing of personal data, overseen by a variety of state organizations. Failure to comply with these regulations can result in fines, suspensions, or demotions. In such a situation, the advice of legal consultants with long experience of the Russian labor market is practically a necessity.
Individuals vs. legal entities
There are two distinctions that must be made when considering this issue. The first is that individuals and legal entities are treated according to different sets of rules. The second is the distinction between what can be obtained without someone’s consent, and information requiring consent in order to be obtained.
The processing of data concerning individuals is governed by the more complicated set of rules. First, there are instances where an individual’s consent is not required. In such cases, operators merely have to prove that they have grounds to engage in such processing. However, certain other cases require written consent.
Acquiring consent requires that the operator have a purpose for processing data. In addition to consent, it is also mandatory to acquire a license for the protection of personal data. The requirements, however, do not end with the issuance of these documents by the relevant state bodies. Operators often have to prove that they possess the appropriate equipment, premises, and personnel for processing data. Furthermore, when they have finished with the data, they must destroy or depersonalize it.
Another important aspect is that operators must fulfill a number of obligations when engaged in processing. These obligations include duties to provide certain information to the person whose data is being processed, and to implement a range of mandatory organizational and technical measures designed to protect the data.
For legal entities, the situation is correspondingly simpler. When selecting contractors or performing due diligence, for instance, all kinds of open sources are available to operators: state registers, official databases, the mass media, and so on. Some types of information on legal entities remain restricted. These can include anything that constitutes a trade secret or state secret, as well as certain forms of financial information.
Generally speaking, considerable amounts of information about legal entities can be obtained from open sources. However, if access to certain types of information is restricted, attempts to obtain it may result in criminal prosecution.
What are the chief dangers for an operator?
It must be borne in mind that improper processing of personal information can lead to prosecution. Russia has several regulatory bodies that exercise oversight in this area, and operators can be taken to court for failure to comply with the Personal Data Law.
Lack of compliance can be constituted by a number of offenses: breach of the data protection rules; illegal activities in the field of data protection; and failure to submit, or late submission of, notice of personal data processing. Punishment depends on the type of violation. One can be charged with fines ranging from 5,000 up to 50,000 rubles, or be subject to suspension or demotion.
For these reasons, operators in the Russian market that are unfamiliar with Russian laws on data processing are taking a risk when they engage in such processing. The web of regulations and requirements is complicated, and can be easily violated without constant observance of the rules. In this situation, the assistance of a legal adviser with long experience dealing with Russian laws and regulations is strongly recommended.
We at Hellevig, Klein & Usov stand by to give further advice on questions of personal data protection, background (security) checks on individuals in connection with employment and entering into contracts, due diligences and database creation.
We may offer our Data Protection and Background Check white paper that deals in detail with these issues as well as individual advice with any of the issues.