Russia’s privacy laws first appeared on the radar of multinational companies after Russia introduced the so-called ‘personal data localization’ requirements and subsequently blocked user access to a large social network for failure to comply.
Recently, the Russian data protection authority, Roskomnadzor, has been giving foreign companies with a local Russian presence another issue to worry about. Roskomnadzor has been sending companies requests for information about their processing of personal data; this information must take the form of a special notice, which the company must file within 30 days of receiving the request. However, even if a company does not receive such a request, it should still consider complying with the notification requirement.
Below is a brief Q&A based on the questions our clients ask us most often about this subject.
Q: Is it necessary to respond to an inquiry and file the notice on personal data processing?
Yes. The overwhelming majority of companies have to notify Roskomnadzor about their personal data processing activities. There are several exceptions, but these rarely apply in practice.
Even if you believe that you are totally within the boundaries of the exceptions and do not have to file a notice, in its written demands the authority usually requires companies to provide virtually the same information based on a different mandatory requirement of the law.
Fines for failure to respond may seem seductively low – less than USD 100. The real risk, however, is that Roskomnadzor may treat non-response as a red flag and schedule the company for an audit in the next calendar year, as frequently happens in practice.
Q: What information is to be disclosed?
The notification form is rather comprehensive. In the notification, companies have to describe each data processing activity by indicating the category of the data subject and personal data involved, the legal grounds for processing, and the purpose and time period of the processing.
Companies must also list security measures, countries where the data is transferred to, and the locations of their servers, and they must indicate the name of their data protection officer.
Gathering this data may be quite a challenge. Describing all data processing activities typically requires making an inventory of all outgoing and incoming data at the local level. While a general description may exist on a global level, the details need to be significantly adapted in order to comply with Russian law.
Q: Do I need to describe the data processing in detail?
The law requires descriptions of general processing frameworks rather than specific cases of data processing. In particular, it is not necessary to reference specific contracts, list specific data recipients, or provide the contents of communications.
An important detail is that the notification has to be fully consistent with other privacy-related documents in the company. It is quite common that during audits, Roskomnadzor compares privacy policies and consent forms with the notice filed by the company. Any inconsistency means that the company either failed to provide a correct and up-to-date notice or lacks the necessary policies, consents, etc. related to the processing of personal data.
Q: Are the notifications publicly available?
Yes. The registry of notifications is publicly searchable by company name and registration details. Furthermore, the database has been indexed by Google and other search engines and may unexpectedly turn up in search results. The public version does not, however, disclose the security measures listed in the notification.
Q: How do companies usually approach such inquiries?
Most companies struggle to comply with the obligation to register as operators of personal data with Roskomnadzor. For example, in 2017-2018 Roskomnadzor found notice-related breaches of the law in approximately 900 planned audits out of 1,368 in total, that is, in 65% of the cases.
Given the limited time to respond in the event of an official inquiry, you have to act fast. The first thing to do is to nominate a local officer responsible for collecting information. This could be the data protection officer (DPO), if you already have one (and if not, make sure to appoint a DPO as soon as feasible since all companies are required to have one!).
He or she will usually be the focal point for the whole effort, working in close contact with all other departments and with local counsel experienced in filing such requests. Departments that require the closest attention are typically HR, followed by IT, marketing and sales. In our experience, HR-related data processing is especially complicated because of the restrictive rules applicable to the processing of employee data under Russian law. The issue does not get any easier given how much employee data is gathered and that such data is often shared globally.
As outside counsel, one of our jobs is to ask the right questions of the people in charge of the relevant business processes. In fact, proper team play between all parties involved may be more crucial than simple knowledge of the law. It is often the case that the responsible persons simply forget or do not think of certain processes as subject to disclosure. Experience with similar cases and industry knowledge help prevent such mishaps and reduce the time and effort necessary to complete the notification.
Once an inventory of data processing activities has been completed, the company must:
1. identify the areas where corrective action needs to be taken, and
2. decide which issues should be resolved pre- and post-notification.
Q: Can I prepare the notification based on globally prepared personal data documents?
While they may certainly help, such documents need to be adapted. The easy part is to use the wording of the local law to describe the security measures to be adopted. What is complicated, however, are the grounds for processing.
In comparison to Europe, consent is the key ground for data processing in Russia. The legitimate interest ground that is often used in European documents has a very limited scope under Russian law and is virtually limited to overdue debt collection. Relying on performance of a contract with the personal data subject will require you to show that the contract would be impossible to perform without the collection of personal data.
Q: What about the question of where I keep data on Russian citizens?
Since 2015, companies are obliged to use a server in Russia to record, store, retrieve and update the personal data of Russian citizens. Since this rule applies to, among others, local employees, each local presence has to have a Russia-based server.
The question in the notification form asking for the location of the database containing the personal data of Russian citizens is essentially a request to confirm that the company complies with these requirements by indicating the physical address of the Russian IT facilities where the server is located.
Q: Do I have to wait for any approval by Roskomnadzor to commence processing?
Roskomnadzor usually processes notices within 30 days, after which it registers a company as an operator of personal data and adds its details to a publicly searchable register on its website.
Q: Am I obliged to update the notification?
Yes. This requirement is often overlooked, but companies have to update their notifications to the regulator within 10 days if the data processing activities actually taking place deviate from the description in previously submitted notifications.
Q: Do you expect any changes in this procedure? Can we wait until this requirement is abolished?
We do not currently expect any major changes to or abolishment of the notification procedure.
However, Roskomnadzor periodically updates its recommended forms and official guidance on the notification procedure. Its law enforcement practice also evolves over time.