On 26 July 2011, President Medvedev signed a federal law on clarifying the rules for handling and transferring personal data, as well as the rules and responsibilities of the operators and subjects of personal data (the “Law”).
Specifically, the Law (i) clarifies and expands the provisions and conditions for handling personal data; (ii) stipulates the terms and conditions according to which personal data may be received from third parties; and (iii) requires additional information that must be included in a letter of consent in order to handle personal data and notification of the regulator of this handling.
The Law also (i) outlines the basic criteria for the protection of personal data; (ii) changes the scope of authority of the Government of the Russian Federation, the Federal Security Service and the Federal Service for Technical and Export Control to establish the requirements for protecting personal data; and (iii) gives the state bodies, the Bank of Russia as well as the associations and unions of operators the right to determine, under certain circumstances, threats to the protection of personal data.
The Law also requires operators to take a number of additional measures. Specifically, operators must (i) appoint a person responsible for handling personal data; (ii) publish or by other means allow unlimited access to documents that describe its policies in respect of handling personal data, as well as access to information on how it is fulfilling the requirements to protect personal data.
Operators that handled personal data up to 1 July 2011 have until 1 January 2013 to present additional information, as provided by the law, on these operations to the authorised bodies for the protection of the rights of the subjects of personal data.
The revised Law is applicable to any legal relationships that have started since 1 July 2011.
[Federal Law No. 261-FZ “On Amending the Federal Law ‘On Personal data’”, dated 25 July 2011]