Executive Summary: Employers in Russia and companies doing business in Russia should be prepared to comply with recently enacted requirements governing storage and processing of the personal data of Russian citizens, which are designed to provide additional protection for this data.
Over the last few months, we have started to see a trend in Russia towards greater protection of personal data of its citizens and greater attention to data privacy.
One major step in providing added protection was the implementation of new localization requirements for Russian personal data.
Effective September 1, 2015, data controllers processing personal data of Russian nationals are now required to initially store and process the personal data in databases located in Russia.
Personal data of Russian nationals can still be transferred abroad, but only after first processing such data into the primary local Russian database(s) and subject to compliance with Russian cross-border transfer rules.
These new data localization requirements cover both Russian and foreign companies with a presence in Russia. These requirements will also apply to foreign companies that have no presence in Russia but target the Russian market, e.g. online retailers shipping goods to Russia.
Data controllers with a presence in Russia must also disclose the location of the database(s) in a notification form to be filed with the Russian Data Protection Authority.
These new localization requirements became effective just in time for the Russian Data Protection Authority's ('Roskomnadzor') announced plan for increased inspections in 2016 aimed at checking compliance with data privacy legislation, including the new localization requirements.
Altogether, Roskomnadzor intends to conduct over 1,000 inspections of companies in the e-commerce, banking, automotive, cosmetics and IT industries. A list of the companies that will be inspected is published, though the list only includes Russian entities.
The inspection involves a review of all the internal documents and policies required to be in place, as well as the IT documents that demonstrate compliance with the data protection laws, including the new data localization requirements.
Key Takeaways: Employers in Russia and any company doing business in Russia should be sure to review their policies and procedures for processing and storing individuals' personal information. The new localization requirements may require companies to overhaul those policies and procedures. With the increased inspections by the Data Protection Authority, it is recommended that companies review their policies and procedures for compliance not only with the localization requirements but also with Russia's data protection requirements as a whole, and do so sooner rather than later.
This article was co-authored with Irina Anyukhina, who is a partner at the ALRUD Law Firm in Moscow.