Goltsblat BLP advises that Federal Law 261-FZ dated 25 July 2011 "On Amendments to the Federal Law on Personal Data" came into effect on 27 July 2011. It applies to legal relations arising from 1 July 2011.
The Law introduces the following key changes:
The main concepts relating to personal data and the principles for processing personal data have been specified.
Requirements have been established on operators with regard to delegation of personal data processing to third parties. To this effect, approval must be obtained from the data subject, the operator must enter into a relevant agreement with such a third party, requiring it to observe confidentiality of the personal data and ensure its protection during processing, as well as requirements on personal data protection. In this case, the person processing the personal data on the operator's instructions does not have to obtain approval from the data subject for processing their personal data. The liability before the data subject remains with the operator.
The data subject or his/her representative may give consent to processing the personal data in any form allowing receipt of the requisite consent to be proved.
The cross-border personal data transfer procedure has been determined in more detail. This procedure depends on whether foreign countries are party to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. In addition, the competent authority for protection of the rights of data subjects has to approve the list of countries not party to the above Convention that still ensure proper protection of rights of data subjects.
New requirements have been established with regard to data subjects’ requests to access their personal data. Apart from the information on the data subject's identity document, the request must include confirmation that the given person has relations with the operator (contract No., contract date, conventional symbols and/or other information) or other information confirming that the personal data have been processed by the operator, as well as the signatures of the data subjects or their representatives.
According to the Law, a person’s right to access his/her personal data may be restricted when: the personal data are processed pursuant to the legislation on anti-money laundering and combating terrorist financing measures; personal data are processed as envisaged by the legislation of the Russian Federation on transportation security.
The Law establishes measures for ensuring performance of the operator's obligations. The choice and list of such measures is left to the discretion of operators. In particular, they may include appointment of a person responsible for organising processing of personal data, publication of local regulations or other documents relating to processing of personal data, internal control over processing of personal data, etc.
The Law introduces a new concept: degrees of protection for personal data processed by information systems, these depending on the potential harm that might be caused to the data subject, the volume and contents of the processed data and the activities during which they are processed. The data protection degrees, as well as requirements on protection of personal data and tangible media containing biometrical personal data, are to be determined by the Government of the Russian Federation.
Legal entities are required to appoint a person responsible for organising processing of personal data, who must follow the instructions of the legal entity's executive body and report to it.
The person responsible for organising personal data processing is required to exercise internal control over compliance by the operator and its employees with the legislation on personal data, to acquaint employees with the legislation regulating these issues, and to arrange for receipt and processing of applications and requests from data subjects.
One provision entitles a person whose rights have been infringed during processing of personal data to claim compensation for moral damage, such compensation to be paid irrespective of compensation for damage to property and losses incurred thereby.
Apart from federal and regional authorities, the right to issue regulations on certain issues relating to processing of personal data has been granted to the Bank of Russia and local government authorities.
For all issues related to publications, news and press releases, please contact:
If you would like to receive our legal alerts and updates highlighting current legal issues relevant to your areas of interest and providing expert commentary by our lawyers, please click on "Sign Up" and fill out the form.