Changes in personal data processing in information and telecommunications networks in 2015


Legal update No 493

Goltsblat BLP LLP advises again of the developments in personal data processing and storage established by the Russian legislation.

Under Federal Law No. 242-FZ of 21 July 2014, when collecting personal data, personal data operators (including information system operators) must provide for recording, systematising, accumulating, storing, elaborating (updating and modifying) and retrieving Russian citizens' personal data using databases located in the Russian Federation. Since the majority of businesses fall within this category, the requirement may be expected to impact on most companies in any way liaising with individuals for business purposes (for example, retailers, product manufacturers and suppliers conducting promotional campaigns involving collection of buyers' personal data), including companies that provide services to individuals via the Internet (delivery and booking services, etc.).

Amendments to the Law "On Personal Data" introduced by Federal Law No. 526-FZ of 31 December 2014 establish that the requirement on storing personal data on servers located in Russia will come into effect on 1 September 2015.

How to prepare for the developments in 2015

The forthcoming developments in the legal framework for personal data processing make it advisable to streamline corporate practices, namely to:

  • Examine the company’s methods for obtaining personal data;
  • Analyse the personal data use and storage structure;
  • Set up a system for obtaining consent to processing and cross-border transfer of personal data;
  • Establish liaisons with Russian data centres for the purposes of storing and/or routing personal data;
  • Notify the Federal Supervisory Service for Telecommunications, Information Technology and Communications (“Roskomnadzor”) on the location of the servers in the Russian Federation;
  • Develop a mechanism for automatically anonymising personal data when transfer of such data is required for commercial purposes and individuals do not have to be specifically identified.

Liability under the effective legislation

Roskomnadzor is authorised to exercise control over implementation of the new personal data legislation requirements. Operators must inform Roskomnadzor, in a personal data processing notice, of where such databases are located.

To restrict access to Internet-based information processed in breach of the personal data legislation, an automated information system "Register of Data Subject Rights Abusers" will be created.

Information system operators processing personal data in violation of the requirements on using Russia-based databases might have access to their websites blocked by an effective court decision on a case on violation of the personal data legislation based on an individual's complaint.

Administrative fines for violating the procedure for collecting, storing, using or distributing personal data so far remain unchanged in Article 13.11 of the Code of Administrative Offences of the Russian Federation and legal entities may be fined RUB 5,000 – 10,000 for each identified violation. Roskomnadzor may also issue an instruction to eliminate such violations, including by way of blocking or destroying unreliable or illegally obtained personal data.

Contact details


If you would like to receive our legal alerts and updates highlighting current legal issues relevant to your areas of interest and providing expert commentary by our lawyers, please click on "Sign Up" and fill out the form.