- November 16, 2017
One of the latest publications by the Russian regulator Roskomnadzor clarified some issues of processing personal data by online stores – https://rkn.gov.ru/news/rsoc/news51712.htm (Russian).
According to the Federal Law “On Personal Data” (or the Data Protection Law), personal data of Russian citizens must be collected and processed only with their consent, unless otherwise established by law. Thus, online stores must obtain such consent in any legal relationship with their visitors which requires the use of their personal data, except for the cases when such legal relationship is considered a public offer or any other form of contractual relations.
Does this affect other websites?
Although Roskomnadzor released the above-mentioned clarifications with respect to online stores, most websites (including corporate blogs, landing pages, etc.) must comply with the Data Protection Law. If the visitor data you receive via your website (e.g., a filled-out contact form, account registration, newsletter subscription, etc.) is personal data of Russian citizens, there is no contract between your organization and the personal data subjects, and you intend to process, store and use this data, then Russian law considers you a personal data operator. Most personal data operators must notify Roskomnadzor of their activities (we will elaborate on this later).
What does the term “personal data” mean in Russia?
According to the law, personal data is defined as any information directly or indirectly related to an identified or identifiable individual (personal data subject).
Not a very comprehensive and clear definition, if you ask us.
The response from the Ministry of Communications doesn’t help much either:
“A more accurate definition of personal data, including the creation of a defined list of personal data, does not appear feasible. The law does not imply any clarifications of this term by additional regulations.”
In 2015, Head of Roskomnadzor, Alexander Zharov, gave an interview to Lenta.ru and defined personal data as “a set of information that allows establishing your identity. Alternatively, if you have already been identified, the required data refers exactly to you without any errors. For example, a photo, full name, phone number and e-mail address allow identification of a person rather accurately. However, a photo and name “Olya” can’t be considered personal data; the same goes for a lone e-mail address or phone number. It is the set of data that is important.”
Nevertheless, there is no approved list of what – or in what combination – must be considered personal data. Russian lawyers endlessly argue about this matter, relying on particular precedents or logical conclusions as their argumentation. Based on their conclusions, we suggest referring to this list of personal data:
- Full Name
- Date and place of birth
- Passport details
- Marital status, social status, and property status
- Website visitor behavior data
- Cookie files
- Geolocation data
- Link to social media profile
What are personal data operators required to do?
If your company is a personal data operator, you must draft and publish on your website the document defining the policy regarding the processing of personal data (which we will discuss further on).
You should also keep in mind the rules of personal data localization. To make a long story short, personal data of Russian citizens must be stored on servers located within the territory of Russia.
Note that an “A” record in DNS doesn’t always indicate the real server location. For example, there might be a situation when this “A” record indicates a Russian gateway server connected to a German hosting server via VPN. If you want to be 100% sure of your website server location, we advise sending a request to your hosting provider.
Beyond that, make sure your company is listed in the register of personal data operators. You can check it here. If you haven’t yet had your company added to the register, you must submit a notification via the Roskomnadzor website, make a copy of this notification, add the executive’s signature and corporate seal, and send it to your local Roskomnadzor office.
Website owners that process personal data don’t have to notify Roskomnadzor in cases when:
- personal data of visitors is processed only under labor law;
- a contract has been concluded with the data subject, and provided that such data is not being distributed or transferred to third parties;
- personal data has been made publicly accessible by the data subject;
- you have been assigned to process personal data on behalf of a third party (the operator that is responsible for personal data processing) on the basis of a contract;
- you obtain only the full name of the data subject (without any additional information).
What must be included in the Data Processing Policy?
Roskomnadzor and the members of the Youth Chamber of its Advisory Board have prepared some recommendations on the drafting of such a policy. They suggest including the following items in the document:
- General Provisions. The purpose, main definitions, rights and responsibilities of the operator and subjects of personal data.
- Purpose of personal data collection. The processing of personal data must be limited to the achievement of specific, predefined and legitimate purposes.
- Legal basis for the processing of personal data (legislation in accordance with which the operator carries out the processing of personal data).
- Volume and categories of processed personal data, categories of personal data subjects. The content and volume of processed personal data must be in line with the stated processing purposes. It is recommended to list all the processed personal data for each category of data subjects and for each specific purpose. In addition, if applicable, the policy should describe all the possible cases of processing special categories of personal data and biometric personal data.
- Procedures and conditions of personal data processing. In this section, it is recommended to specify the list of actions performed by the operator with respect to the personal data, as well as the processing methods used by the operator, processing time, and conditions for termination of the processing. If you outsource personal data processing to a third party, it’s best to make sure you define the conditions of personal data transfer for such cases. It is also recommended to include the information on privacy protection measures.
- Updating, correction, removal and destruction of personal data, responding to requests for access to personal data by data subjects.
The complete list of recommendations can be found here.
How website visitors can grant you permission to process their personal data
To obtain visitors’ consent to process their personal data, you can make it mandatory for them to tick a dedicated checkbox (e.g. with the text “I agree to the Data Processing Policy”) when submitting a website contact form or subscribing to a newsletter.
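A checkbox in the browser is easy to bypass, so the consent check should be repeated on the server before any personal data is stored, and the result kept as evidence of when and to which policy version the visitor agreed. The following is an added example, not code from the original article; the form field names, the policy version label and the policy text are constructed assumptions.

```python
"""Server-side verification of a consent checkbox, producing an auditable consent record."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional
import hashlib

# Constructed sample: the currently published policy and its version label (assumed names).
POLICY_VERSION = "2017-11"
POLICY_TEXT = "Personal Data Processing Policy (constructed sample text)."


@dataclass(frozen=True)
class ConsentRecord:
    email: str            # identifier of the data subject who consented
    policy_version: str   # version label the visitor saw
    policy_sha256: str    # digest of the policy text as published at consent time
    consented_at: str     # ISO-8601 UTC timestamp


def policy_digest(text: str) -> str:
    """Fingerprint the policy text so the record proves which wording was accepted."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def check_consent(form: dict) -> Optional[str]:
    """Return a rejection reason, or None when the submission carries valid consent."""
    # The browser-side checkbox is not proof: a client can post the form without it.
    if form.get("consent") != "on":
        return "consent checkbox not checked"
    # The form carries the policy version the visitor saw; a stale cached form that
    # references an older policy is rejected rather than treated as consent.
    if form.get("policy_version") != POLICY_VERSION:
        return "consent given to an outdated policy version"
    if not (form.get("email") or "").strip():
        return "no data subject identifier supplied"
    return None


def accept_submission(form: dict, now: Optional[datetime] = None) -> ConsentRecord:
    """Validate the form and build the consent record; raise if the data must not be stored."""
    reason = check_consent(form)
    if reason is not None:
        raise ValueError(reason)
    ts = (now or datetime.now(timezone.utc)).isoformat(timespec="seconds")
    return ConsentRecord(form["email"].strip(), POLICY_VERSION,
                         policy_digest(POLICY_TEXT), ts)
```

The record, not the form data, is what you would later show a regulator or a data subject asking whether and when consent was given.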
In the case of processing biometric data or special categories of personal data, or of storing the data within the borders of a country that doesn’t ensure adequate data protection (please refer to Roskomnadzor’s list), the procedure is more complicated: operators must obtain written consent from the personal data subject.
Here’s what your organization should do to avoid a fine of RUB 290,000
Violation of the Personal Data Law (Article 13.11 Paragraphs 1-6 of the Code of Administrative Offences of the Russian Federation) may result in the following fines for company officials and for legal entities:
- Processing of personal data in cases not provided for by law, or incompatible with the purposes of data collection:
— for company officials: from RUB 5,000 to 10,000
— for legal entities: from RUB 30,000 to 50,000
- Processing of personal data without written consent (when required):
— for company officials: from RUB 10,000 to 20,000
— for legal entities: from RUB 15,000 to 75,000
- Failure to publish and provide public access to the corporate Data Processing & Protection Policy:
— for company officials: from RUB 3,000 to 6,000
— for legal entities: from RUB 15,000 to 30,000
- Failure to provide data subjects with information on the processing of their personal data:
— for company officials: from RUB 4,000 to 6,000
— for legal entities: from RUB 20,000 to 40,000
- Failure to fulfil the obligation to detail, block, or delete personal data on the request from the data subject:
— for company officials: from RUB 4,000 to 10,000
— for legal entities: from RUB 25,000 to 45,000
- Failure to secure personal data processed without the use of automation, which led to unauthorized or accidental access to personal data:
— for company officials: from RUB 4,000 to 10,000
— for legal entities: from RUB 25,000 to 50,000
Let’s wrap it up. In order to avoid any fines and claims from state regulators we recommend:
- Check if your organization falls into the category of personal data operators;
- If it does, develop a corporate Personal Data Processing Policy based on the recommendations of Roskomnadzor, post it on your company website, and make it publicly available for visitors;
- Have your company listed in the Register of Personal Data Operators if you haven’t done it yet;
- Always request website visitors’ consent to processing of their personal data by asking them to accept the terms of the Personal Data Processing Policy (make sure you provide a valid link to the text of the document);
- Ensure the storage of personal data of Russian citizens within the country’s borders (on servers located in Russia);
- Make sure that your organization has developed internal documentation for personal data processing;
- Obtain permission from personal data subjects to process their data if your organization uses contractors’ services in any area of its activities.