By Anastasia Petrova, Firm:  Alrud

Russia has not yet implemented legislation implementing GDPR provisions into national law, but the Russian Data Protection Authority has issued guidance for Russian companies on GDPR compliance.

Since many Russian companies have branch or representative offices or subsidiaries in the EU or in target European markets, ensuring compliance with the GDPR has been quite a hot topic in Russia during the past year. In particular, this concern was expressed by, among others, e-commerce companies, banks, carriers, telecoms operators and social networks.

At first, the Russian DPA was sceptical about the GDPR’s applicability to Russian entities and there is still no national legislation implementing GDPR requirements. However, eventually the Russian DPA issued brief practical guidance regarding territorial applicability of the GDPR, intended to instruct Russian companies on GDPR compliance.

Further, on 10 October 2018 Russia signed a protocol modernising the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data dd. 1981 (Convention 108). As a party to Convention 108, Russia will have to incorporate the amendments under the protocol and ensure their proper enforcement.

The protocol significantly increases the level of data protection and specifies principles and requirements already implemented in the GDPR. In this sense, incorporation of the protocol’s provisions into national legislation will be a step forward for the harmonisation of Russian data protection legislation with European. Potential novelties in Russian data protection legislation include an obligation to notify data breaches, the roles of data processor and data recipient, new types of sensitive data and a ‘privacy by design’ principle.

At the moment Russian companies have not faced GDPR enforcement. However, in August 2018, Belarusian citizen Christian Shinkevich filed a complaint against the well-known Russian social network Vkontakte to the Polish data protection authority. He suggested that Vkontakte’s data processing practices did not meet the privacy standards introduced by the GDPR. This case is still under consideration and currently it is hard to predict its possible outcome.