Structuring Personal Data Protection

Nadezhda Panova
Associate
Salans

The development of an information community in Russia is inevitably leading to an increased interest by companies in the problem of data protection, including personal data protection. Since the amendments to the federal law on personal data entered force in July of this year ("the Law"), interest in this problem has only grown further. Considered here, from a practical standpoint, are the most important issues that companies (operators) should bear in mind to ensure personal data protection.

Four relation levels can be identified where operators may participate in personal data processing:

  • with an authorized agency;
  • with the subject of personal data himself/herself;
  • with third parties;
  • with employees.

The aim of these relations is personal data protection. Let us consider each of these relation types in detail.

Relations with an authorized agency (Roskomnadzor)

According to Article 22 of the Law, before beginning to process personal data, an operator must notify Roskomnadzor of its intention to do so. This article also provides cases where the operator may be released from such an obligation (including when personal data processing is carried out as part of employment relations or in connection with the execution of an agreement). The procedure for submitting and storing personal data, as well as the notice form, can be found on Roskomnadzor's official site at: www.pd.rsoc.ru/operators-registry. Roskomnadzor then enters the corresponding information in the register of personal data operators within 30 days from the date of receiving a notification. This information is publicly accessible.

Relations with the subject of personal data

Based on the Law's tenor, as a rule, personal data processing may only be carried out provided that the subject is aware and/or consents. In certain cases, for instance when processing special categories of personal data and biometric personal data, the subject's written consent is required. Alongside this, Article 6 of the Law provides cases where personal data processing may occur without the subject's consent.

If data is received from a source other than the subject of personal data, the operator must notify the subject of this before beginning to process personal data, having provided him/her with information necessary under Article 18 of the Law. This article also contains a list of conditions that release the operator from such obligation. In particular, among these exceptions is the case where the subject has already been notified of his/her personal data processing by the operator who has received the data, as well as when personal data has been obtained by the operator under a federal law or in connection with an agreement's execution.

The Law further consolidates the operator's obligation to publish or otherwise ensure unrestricted access to its policy document concerning personal data processing. Operators who collect personal data on internet networks must publish this document on their web site.

Third-party relations

According to Article 6 of the Law, with the subject's consent, an operator has the right to assign another party to process personal data based on an agreement concluded with this party. The party processing personal data on the operator's behalf is not obliged to obtain consent from the subject.

The operator's instructions (the agreement) must include a list of the intended activities with the personal data and the aim for processing, as well as state the requirements for protection of processed personal data. Besides this, the party must undertake an obligation to observe confidentiality and ensure the safety of personal data during its use.

Liability in such relations has been outlined. The operator that assigns processing of a subject's personal data to a third party is directly liable to the subject, and the third party is liable to the operator.

Relations with employees

An operator's relations with its employees may be defined as administrative. These relations essentially comprise the operator taking organizational, legal and technical measures, a list for which is determined in Articles 18.1 and 19 of the Law. The legislator emphasizes that the operator shall independently set the structure and list of such measures.

At the present time, achieving some of these measures (e.g. applying certified methods for information protection) is impossible without corresponding laws and regulations being adopted. However, many of the measures listed could already be observed in full by operators. In particular, this includes the appointment of someone responsible for organizing personal data processing, as well as publication of company bylaws on personal data processing issues.