Personal data systems must be brought into line with the legislation by 1 January 2010.

19.11.2009

Legal Update No. 87.

Goltsblat BLP reminds you that 1 January 2010 is the effective date for certain provisions of Federal Law of 27 July 2006 No. 152-FZ “On Personal Data” (the Federal Law) imposing additional requirements on personal data systems.

From this effective date onwards, the majority of personal data systems will have to undergo the newly-introduced procedure for assessing their compliance with the regulatory documents governing this area. The new provisions supplement the requirements established previously by the Federal Law for obtaining the individual’s consent to processing of his/her personal data and for operators to notify Roskomnadzor of initiated personal data processing.

In this connection, all operators processing personal data will now be required to classify their personal data systems.

Operators are government and municipal authorities, legal entities and individuals who determine the purpose and procedure for processing personal data and organise or carry out the said processing.

Personal data consists of any information relating to a certain person, specifically: name, address, property status, income and other information.

Personal data systems are understood as aggregated personal data, as well as the technologies and technical means for processing them (gathering, systematising, storing, using, distributing, etc.).

For the purposes of classifying personal data systems, personal data are divided into four categories:

  • category 1 - personal data concerning an individual’s race, nationality, political views, religious and philosophical convictions, state of health and personal life;
  • category 2 - personal data making it possible to identify the individual and obtain additional information about him/her (apart from personal data relating to category 1);
  • category 3 - personal data making it possible to identify the individual;
  • category 4 - impersonal and (or) publicly available data.

For the purposes of a differentiated approach to ensuring the security of personal data depending on the nature and volume of the personal data processed, the relevant systems are allotted classes 1, 2, 3 or 4.

Accordingly, the assessment of compliance by data systems with the personal data security requirements depends on the class:

  • Classes 1 and 2 (existence of a large volume of data and/or data relating to individuals’ personal lives) - mandatory certification;
  • Class 3 - declaration of compliance;
  • Class 4 (only impersonal and/or publicly accessible data) - not subject to mandatory compliance assessment.

Depending on the data system class, the operator has to carry out a variety of measures to protect the personal data.

In addition to assessment of compliance by personal data systems, regulatory acts also envisage certification of the information security products used in the data systems. For instance, encryption facilities are subject to certification by the Federal Security Service of Russia.

After 1 January 2010, personal data operators will also be required to hold licences for the licensed types of confidential information protection activities they perform. In particular, if the operator uses encryption facilities, a licence from the Federal Security Service of Russia to maintain encryption facilities will be needed.

Failure to observe these requirements may be classified as an offence under a whole series of articles of the Administrative Offences Code of the Russian Federation. These include: violation of the procedure for processing personal data; violation of the licence requirements and conditions; and performance of a licensed activity in the absence of a licence.

Please also note that it is not yet clear exactly how certain rules of the Federal Law are to be enforced in practice. There is, moreover, a possibility that the effective date of certain of its provisions might be deferred, since a relevant bill is currently under consideration by the State Duma of the Russian Federation.

For additional information, please contact:

Elena Trusova, Partner,
Intellectual Property,
Goltsblat BLP,
by e-mail: info@gblplaw.com 
