The Russian Ministry of Communications has recently published on their web-site a commentary to the Federal Law No 242-FZ dated 21 July 2014 ("Law) introducing data localisation requirements (“Guidance”) - http://minsvyaz.ru/ru/personaldata/.
The Guidance was prepared on the basis of information received from the business community, academicians and public authorities including Roskomnadzor (the Russian DPA) and the upper chamber of the Russian Parliament. The Guidance provides clarification in relation to the application, effect and certain provisions of the Law and does not have the mandatory status of the secondary legislation which was widely anticipated to be published.
The aim of the Guidance was to avoid ambiguities of application of the Law, for instance, the following:
- Application of the law to web-sites of foreign companies. The Guidance clarifies that the Law will apply to the Internet resources (web-sites, Internet web pages) through which the foreign company's activities are targeting the territory of Russia by way of:
- using a Russian top-level domain such as .ru, .su, .moscow, etc; and/or
- having a Russian language web-site which:
- offers payment in Roubles; or
- provides that the agreement which is entered into on such web-site may be discharged in Russia (by delivering goods, providing services or using a digital content in Russia); or
- advertising in Russian language which refers to the respective web-site; or
- other circumstances which clearly indicate the intention of the web-site owner to include the Russian market into its business strategy.
- Collection of data. The obligation to localise data processing under the Law arises where personal data of the Russian citizens is collected which means actively obtaining data directly from the data subjects or through the third parties which are retained to do so. Personal data which is accidentally provided, for example, via e-mail or post or contact information of the employees or representatives of a company which is received by another company in the course of their legitimate activities does not qualify as collection of data.
- Cross-border transfer of data. The Ministry clarifies that subject to compliance with the general rules on trans-border transfer of data, personal data of the Russian citizens which is initially entered into and modified in a primary data base in Russia may be transferred to a secondary data base abroad which is administered by the other companies or individuals.
The Guidance further provides answers to frequently asked questions, for example, about processing of employee data, processing of personal data by Russian and foreign airlines for booking and etc. In one of such answers the Ministry clarifies that the form of the DPA's notification will be amended to include the location of the database (-es) in Russia. Such amended notification is not available yet. The data operators who have previously notified the DPA of data processing will have ten working days from 1 September 2015 when the Law comes into effect to notify the DPA of the location of the data bases.