October 2012

Recent developments in personal data protection regulation

Since the beginning of 2012, a number of new regulations on personal data protection have been passed. In the light of the above and taking into account new legislation under preparation and the increasing number of checks being carried out (see below), it is highly recommended that companies adopt the following measures for the protection of personal data:

• submit a notification to the Federal Service for Supervision in the Sphere of Telecommunications, Information Technologies and Mass Communications (“Roscomnadzor”) by 1 January 2013;
• adopt internal regulations; and
• develop procedures for protecting personal data.

Companies in the healthcare, insurance and banking industries, as well as those selling mass consumption goods, are at the highest risk of sanctions for violations, since processing the personal data of customers and other data subjects represents an important part of their business.

The recent regulations implement certain provisions of the Law “On Personal Data” (the “Law”), as revised and effective since 27 July 2011.

Cross-border transfer of personal data

Roscomnadzor has prepared a draft list of the states which ensure the relevant protection for personal data. It is expected that the list will be approved and published in the near future. In accordance with the provisions of the Law, the cross-border transfer of personal data to such states may be performed on the basis of the consent of an individual presented in any form (it is not necessary to provide the consent in written form or to indicate the passport details of the individual).

Protecting personal data in specific sectors

Decree No. 940 of the Government of the Russian Federation (“Decree No. 940”) came into force on 2 October 2012. The document allows data controller associations and unions to develop industry standards on data processing within their specific industry sectors. Decree No. 940 also establishes a procedure for such industry standards to be approved by the Federal Security Service of the Russian Federation (the “FSB”) and the Federal Service for Technical and Export Control (the “FSTEC”).

The development of standards for processing and protecting personal data in particular industries is common international practice. Such industry standards exist, for example, in insurance and private banking, as well as in healthcare and tourism. Companies operating in one industry as a rule process personal data of a similar type, for similar purposes and in a similar way. They therefore experience the same issues with protecting the security of personal data, and an industry standard on the processing of personal data is a practical and convenient solution. Standards providing for additional measures of protection are currently being developed (including at the state level) for the banking industry. For example, by the Decree issued on 13 June 2012, the Russian Government approved a standard for protecting information (including personal data) processed by payment systems, money transfer operators, and bank payment agents.

Data protection outsourcing

Often companies that process personal data engage information protection specialists to comply with the technical requirements on personal data protection. In the spring of 2012, certain Decrees of the Russian Government came into force that establish licensing rules for such specialists providing services in the field of protecting confidential information. Consequently, prior to hiring a service company in this area, it is now necessary to verify that the provider has a license to provide such services.

The particular Decrees are described in more detail in the table below.

Details of the Decree: Russian Government’s Decree No. 79, dated 3 February 2012
Main provisions: Licensing applies to:
• monitoring of confidential information security;
• certification tests for compliance with information security requirements; and
• installing, assembling, testing and repairing information security products and tools.

Details of the Decree: Russian Government’s Decree No. 171, dated 3 March 2012
Main provisions: Licensing applies to:
• developing security tools to protect confidential information; and
• manufacturing products and tools to protect confidential information.

Details of the Decree: Russian Government’s Decree No. 313, dated 16 April 2012
Main provisions:
• what are considered encryption (cryptographic)
• the list of licensable works and services; and
• the licensing requirements for licence applicants.


Law enforcement in practice

Roscomnadzor compliance checks

On 9 March 2012, the Administrative Regulations that establish an audit procedure for Roscomnadzor regarding compliance with laws on personal data protection came into force. A clearly regulated procedure for such monitoring is to be welcomed, as the number of checks has increased substantially over the past year. The controlling authority has started to scrutinise the activities of those who process personal data, irrespective of whether they are registered as data controllers. We reiterate that, under the Law, personal data controllers are required to submit a notification to Roscomnadzor on or before 1 January 2013.

The number of spot checks carried out by the authorities against companies processing personal data has increased in response to complaints from individual data subjects. As a result, a number of banks have been held administratively liable following complaints by bank customers for infringement of the law. Specifically, the banks were held liable for refusing to provide customers with their credit files, as well as for transferring personal data to third parties (i.e. collection agencies) without the consent of the customer.

Recent court practice

There has been a growing number of appeals by data controllers against decisions imposing liability for non-compliance with personal data protection laws. In January of this year, the Basmanny Court of the City of Moscow held that a bank was administratively liable for transferring personal data relating to one of its debtors to a collection agency without the consent of the debtor. In May of this year, the Savyolovsky District Court of the City of Moscow upheld a fine against a bank for processing personal data without the consent of the data subject.

Tougher penalties

Draft amendments to the Administrative Offences Code of the Russian Federation (the “Draft Amendments”) recently appeared on Roscomnadzor’s website. The Draft Amendments outline, in particular, such types of infringement in personal data processing as the illegal processing of special categories of personal data and violating the conditions of cross-border transfer of personal data.

The Draft Amendments envisage a substantial increase in fines of up to RUB 700,000 for legal entities. In individual cases, fines could be as much as 1.5% to 2% of the revenue of a legal entity for the reporting period. At this time, the Draft Amendments are still awaiting review by the State Duma.

Main trends

Closing loopholes in the regulation of personal data protection and increasing penalties for violations are the main trends in the developing legislation in this sphere. At the same time, guidance on the practical implementation of the regulations on personal data protection remains poorly developed and poses a compliance issue for companies.

If you have any questions on the matters referred to in this Alert, please do not hesitate to contact CMS experts LEONID ZUBAREV or ANASTASIYA LEMYSH or your regular contact at CMS.




This information is provided for general information purposes only and does not constitute legal or professional advice. If you would like specific advice, please call your usual contact or the named contact responsible for the issue addressed above.
Copyright © 2012 CMS International B.V. All rights reserved.

CMS, Russia
119019 Moscow
Gogolevsky boulevard, 11
Tel: +7 495 786 4000
Fax: +7 495 786 4001