On 31 July, the Russian data protection authority, Roskomnadzor, issued guidance for data operators on the drafting of privacy policies to comply with Russian data protection law. Russia’s 2006 privacy law – Federal Law No. 152-FZ of 27 July 2006 “On Personal Data” (Personal Data Law) – requires, among other things, that Russian data operators adopt a privacy policy that describes how they process personal data. This notice requirement is similar to the approach in Europe. Furthermore, data operators must publish such a policy online when personal data is collected online, or otherwise provide unrestricted access to the policy when personal data is collected offline. The guidance – although non-binding and recommendatory in nature – reflects the regulator’s compliance expectations and should therefore be taken into account by organizations acting as data operators in Russia.

Roskomnadzor generally considers it important for data operators to adopt a relatively detailed data processing policy so that data subjects are aware of all potential actions to be taken with their personal data, such as the purposes for processing and the recipients of their personal data. Roskomnadzor expects companies to proactively control their processing of personal data so that it matches the data processing notice.

The guidance states that the policy must contain, in general, such information as the:

  • main purpose of the policy and definitions used in the policy (e.g., personal data, processing, etc.);
  • main rights and obligations of the data operator and data subjects;
  • purposes for personal data processing;
  • legal grounds for personal data processing (i.e., laws, consents, agreements concluded with data subjects, etc.);
  • volume and categories of personal data processed (for each category of data subjects, Roskomnadzor recommends that a company list all the personal data it collects and processes, tied to specific purposes, and indicate all cases of processing special categories of personal data or biometric data);
  • procedures and conditions for personal data processing (i.e., actions to be undertaken with respect to personal data, information on the transfer of personal data, grounds for ceasing personal data processing, storage terms, and information on compliance with the law’s data localization requirement);
  • procedures for updating, correcting, deleting, or destroying personal data; and
  • procedures for responding to data subjects’ requests.

The guidance also states that, in case there is a need to share personal data with third parties (e.g., service providers or business partners), data operators should explain the measures they take to protect personal data. Specifically, a data operator’s policy should explain that the data operator enters into contracts with third party recipients to protect the personal data. The policy should also list the purposes for such sharing, the volume of personal data to be transferred, data use restrictions (including confidentiality obligations), and security measures (including specific organizational and technical measures). Finally, the policy should set forth the name and addresses of third party recipients of personal data.

Though these recommendations are generally in line with the principles stipulated in the Personal Data Law, and were generally understood by the market as best practices before the guidance was issued, some of the recommendations in the guidance will require more attention and effort from data operators (e.g., the recommendation to list all third parties receiving personal data along with details about the data transferred).

Since 1 July 2017, there has been a separate administrative liability for non-compliance with the obligations to publish the privacy policy and to provide unrestricted access to it. Violations of these provisions may result in a warning or a fine of up to RUB 30,000 (approx. USD 500) for legal entities. This administrative liability was adopted as part of a broader set of more differentiated and increased administrative fines for breaches of data protection obligations, which we covered in an earlier post.

Although the guidance is non-binding and recommendatory in nature, Roskomnadzor is likely to consider whether data operators are following it when conducting compliance investigations. Data operators should therefore give serious weight to these recommendations when developing privacy policies to comply with the Personal Data Law.