Russia: Implemented Law No. 152-FZ on Personal Data including data protection regulation

On 23 January 2007, Law No. 152-FZ on Personal Data, including data protection regulation, entered into force. The Law establishes rules for the processing of personal data and measures to ensure the protection of the rights to privacy and personal and family information. Personal data is defined as any information relating to an individual that allows its identification, including last name, first name, patronymic, year, month, date and place of birth, address, marital, social, property status, education, profession, and income. Data operator is defined as entities that organise or carry out the processing of personal data. The processing of personal data includes collecting, systematising, storing, using, transferring, depersonalising, deleting and blocking. Furthermore, the Law outlines principles of personal data processing, conditions for the processing of personal data, obligations to the confidentiality of personal data and conditions for consent to the processing of personal data to be valid. The Law specifies that data operators must obtain explicit consent from individuals to process special categories of data and biometric data. Regarding cybersecurity, the Law requires entities collecting personal data to implement measures to ensure the security of personal data during their processing. In particular, the Law states that entities are required to implement organisational and technical measures, such as encryption, to ensure the protection of personal data. The authorised body for ensuring the protection of the rights of data subjects and compliance with the Law's provisions is the Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor). Finally, the Law specifies that prior to the processing of personal data, the entities are required to notify Roskomnadzor regarding their intention to process data and outlines exemptions to the requirement.