Collection and storage of data
Collection and management
In what circumstances can personal data be collected, stored and processed?
Any processing of personal data, including collection and storage, is subject to the data subject’s consent, with certain exceptions set out in the Personal Data Act.
Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?
The personal data legislation does not define a specific term during which an organisation may (or must) retain personal data records. However, the Personal Data Act prescribes that retention (ie, storage) of personal data must last no longer than is required for the purposes of processing the personal data, unless a specific term of storage or retention is set out by the law or by an agreement to which the data subject is a party, beneficiary or guarantor.
Do individuals have a right to access personal information about them that is held by an organisation?
Individuals have the right to request a broad range of information about their personal data from organisations. This right may be restricted if:
- the relevant personal data – including personal data obtained through special investigative techniques, counterintelligence and intelligence operations – is processed for the purposes of national defence, state security or law enforcement;
- the personal data is processed by agencies that have:
  - detained the personal data subject on suspicion of committing an offence;
  - brought criminal charges against the personal data subject; or
  - applied restraint measures to the personal data subject before a charge is brought;
- the personal data is processed in accordance with the legislation on anti-money laundering or combating the financing of terrorism;
- access to the subject’s personal data may infringe the rights and legitimate interests of third parties; or
- the personal data is processed in accordance with the transport security legislation.
Do individuals have a right to request deletion of their data?
Yes, individuals have the right to request the data operator to correct, block or delete their personal data where such data is incomplete, outdated, incorrect, unlawfully obtained or unnecessary for the stated purposes of processing.
Is consent required before processing personal data?
Consent is required before processing personal data, with the exception of situations explicitly stipulated in the Personal Data Act (see below).
If consent is not provided, are there other circumstances in which data processing is permitted?
No consent of the personal data subject is required in cases where the personal data processing is:
- necessary to:
  - achieve objectives stipulated by law or an international agreement to which Russia is party; and
  - exercise and discharge functions, powers and responsibilities imposed on the data operator by law;
- carried out in connection with a person’s engagement in constitutional, civil, administrative or criminal proceedings, or proceedings in arbitration (commercial) courts;
- necessary to execute a court ruling, or a ruling of another authority or official subject to execution in accordance with the enforcement legislation;
- required to execute the powers of state authorities;
- necessary for the performance and execution of an agreement to which the personal data subject is a beneficiary or guarantor;
- necessary to protect the life, health or other vital interests of the personal data subject, if it is impossible to obtain consent otherwise;
- necessary to exercise the rights and legitimate interests of the data operator or third parties, or to achieve important social objectives, provided that this does not infringe the rights and freedoms of the personal data subject;
- necessary for the conduct of the professional activities of journalists or other legitimate media activities, or of scientific, literary or other creative activities, provided that this does not infringe the rights and legitimate interests of the personal data subject;
- carried out for statistical or other research purposes, except for the purposes set out in the Personal Data Act, subject to mandatory anonymisation of the personal data;
- carried out with respect to personal data made publicly available by the personal data subject; or
- subject to publication or mandatory disclosure in accordance with federal law.
What information must be provided to individuals when personal data is collected?
There are no specific requirements on what information must be provided to individuals when their personal data is collected. However, the Personal Data Act requires that the processing of personal data be limited to achieving specific, pre-defined and lawful goals. Therefore, such goals should be communicated to the personal data subject when his or her personal data is collected. Moreover, the personal data subject may always request information related to the processing of his or her personal data, including:
- confirmation of the collection of the personal data;
- the legal basis and goals for processing the personal data, as well as the processing methods;
- the name and location of the data operator, and information on persons (except for the operator’s employees) that have access to the personal data;
- the scope and source of processed personal data relating to a corresponding data subject, as well as the term of such processing, including storage;
- information on completed or contemplated international transfers of the personal data; and
- the name and address of the person processing the personal data, where applicable.