Russian data protection landscape
Personal data protection is a sensitive area that demands close consideration from companies entering the Russian market. This is especially true for banks and the wider financial sector, medical institutions, the travel industry, and all kinds of e-commerce businesses.
Although the Russian market holds major potential for foreign companies, global businesses often see Russian data localization laws as a major obstacle to scaling into the region.
Foreign companies operating in the country are confronted with a variety of data privacy acts and laws that govern the processing of citizens’ personal data. Failure to comply with these acts may result in fines as well as other administrative sanctions.
This page offers a brief guide to compliance with Russian data privacy laws and will be useful both for foreign companies already operating in Russia and for those considering doing so.
Data localization laws in Russia
What national laws regulate the collection, usage, and disclosure of personal data?
The main laws regulating personal data protection and privacy in Russia include:
- Constitution of the Russian Federation (Articles 23 and 24).
- Federal Law No. 149-FZ of July 27, 2006 on Information, Information Technologies, and the Protection of Information (Information Law).
- Federal Law No. 152-FZ of July 27, 2006 on Personal Data (Personal Data Law).
- Federal Law No. 242-FZ of July 21, 2014 (Data Localization Law).
The principal law in this area, and the primary focus of this article, is the Personal Data Law (152-FZ).
How to comply with personal data legislation in the Russian Federation
152-FZ can affect your business whether it is based in Russia or based outside Russia with Russian citizens among its customers. Let’s review some frequently asked questions about 152-FZ.
In which cases does the requirement to use a server in Russia apply to foreign companies?
According to the law, when collecting personal data the operator must ensure that the recording, systematization, accumulation, storage, updating, and extraction of the personal data of Russian citizens are carried out using databases located in the territory of the Russian Federation.
Therefore, even a company that operates only online, with no physical presence in Russia, must follow the requirements of the law if its activities are targeted at Russian citizens.
If your website is hosted abroad but you collect and process data about Russian citizens, your domain may be added to the Register of Violators of the Rights of Personal Data Subjects, which is maintained by Roskomnadzor; inclusion in the register can lead to access to the site being blocked in Russia.
As a result, you should collect, process, and store databases of personal data about Russian citizens on servers located in Russia.
Is it possible to transfer personal data to a company’s data residency & protection partner?
Under 152-FZ, companies may entrust the storage and processing of regulated personal data to a third party, provided that the provider’s data center is located in Russia. The operator remains responsible for the data and needs a processing agreement with that third party.
Personal data can also be transferred abroad, for example for processing, but a copy must first be recorded in a database on a server physically located in the territory of Russia.
As your data protection partner in Russia, InCountry complies with Federal Law No. 152-FZ. We hold ourselves to the highest standards in the industry. That’s why we’re constantly improving our solutions by staying ahead of the latest trends, building security into every layer of our offerings, and adapting to the latest compliance standards.
You should ensure that the infrastructure holding personal data is reliably protected, that your company manages the data correctly, and that access to the information within the organization is properly controlled.
When choosing a cloud provider, opt for one that is certified to store and protect the personal data of Russian citizens under Russian personal data protection legislation (152-FZ), such as InCountry. Please check our certificates and licenses.
What are the essential steps a foreign company needs to take to manage data risks and sustain regulatory compliance?
To manage data risks and maintain ongoing privacy compliance while doing business in Russia, it is essential to follow these steps:
- define the overall business processes, data flows, and relevant categories of personal data;
- appoint a local data protection officer (DPO) who is responsible for the compliance processes;
- adopt local data protection policies and the other required privacy documents;
- implement appropriate security measures company-wide;
- put the underlying agreements in place with all third parties and data processors;
- localize the corresponding database or IT system in the territory of Russia, which is mandatory if personal data of Russian individuals is collected online.
Finally, we highly recommend carrying out regular data protection audits to confirm ongoing compliance with national data protection requirements. This will help you stay compliant when laws are amended or updated.
Every stage of the data protection project must be defined in detail from the beginning, since it becomes the foundation for maintaining and developing the data protection programme later.
It is vital to remember that personal data processing must be clearly defined for each company within its own business processes.
Any change in those processes, for example to security protocols, access control systems, or IT staffing, must be reflected in updates to the related policies, IT architecture, and risk models.
Fines for non-compliance with Russian data privacy laws
The Russian Federation has introduced strict penalties for failure to comply with data protection requirements. The fine for a first violation ranges from $33,000 to $100,000; repeat violations cost $100,000 to $300,000.
Since 2019, Roskomnadzor (the Russian Federal Service for Supervision of Communications, Information Technology and Mass Media) has carried out regular inspections to make sure companies follow the rules.
The inspection rules are as follows:
- Personal data operators receive three days’ notice of a scheduled inspection and 24 hours’ notice of an unscheduled one.
- A scheduled inspection may last no longer than 20 days, and an unscheduled inspection no longer than 10 days.
- Legal entities and individual entrepreneurs are not inspected during the first three years after registration. This gives newly founded companies time to set up compliance processes and prepare for inspections.
- Inspection frequency depends on the types of data processed and the processing procedures. For most companies, inspections take place only once every three years.
- Companies that process special categories of data (e.g. biometrics) and operators transferring data abroad can expect to be inspected every two years.
Personal data localization and data protection in Russia – why InCountry is your ideal partner
Learn why InCountry is your ideal partner for managing data protection and compliance in Russia.
- 152-FZ compliant.
- HIPAA compliant.
- PCI DSS certified.
- Your data is managed to the highest security and privacy standards. We use industry-standard encryption to protect the security and privacy of your data in every phase of our operations.
- InCountry’s infrastructure securely manages your regulated data in the Russian Federation, with 24×7 customer support.
- Partnering with InCountry is the fastest way to comply with data residency regulations and unlock new territories such as the Russian Federation.
- Our solutions can be implemented quickly and cost-effectively, depending on the amount of customization and control you need.
For any additional questions, please contact us at firstname.lastname@example.org