On 1 March 2021, substantial amendments to the Russian Federal Law No 152-FZ dated 27 July 2006 On Personal Data came into effect (“Amendments”). The Amendments change the rules on processing of publicly disseminated personal data and affect businesses which are publishing or using personal data on the internet.
In particular, employers who publish employee personal data on a website need to examine the Amendments and implement new consent requirements. Data subjects now have wider powers to control and authorise the processing of their data in the public domain. Data subjects also have a right to request that data operators disseminating their data (and any company down the data processing chain) cease transferring such data.
The requirements for consent to PDD processing are generally in line with the GDPR with some deviations. The Russian DPA has also issued draft Requirements regarding the content of consent for the processing of PDD (“Draft DPA Requirements”) which are not yet in final form and which we summarise below:
| Consent to PDD processing requirements | Russia | GDPR |
| --- | --- | --- |
| specific and informed | YES | YES |
| unambiguous | YES - affirmative opt-in methods via (i) information system of the data operator, OR (ii) information system of the Russian DPA, OR (iii) in writing with wet or electronic signature. | YES - wider options to obtain consent than under the Draft DPA Requirements |
| not bundled with the other data processing consents | YES | YES |
| provide for the data operator’s identity and the purpose(s) of processing | YES | YES |
| set out the purpose of each of the processing operations for which consent is sought | NO | YES |
| provide for the data subject’s identity | YES | NO |
| enable the data subject to choose the personal data for dissemination | YES - detailed list is required | YES - type of data is sufficient |
| terms and prohibitions of PDD processing | YES - the data subject has the right to: (i) prohibit the dissemination to the general public and/or the provision to specific companies/individuals, (ii) prohibit processing (except for providing access) of PDD by the general public after such data publication, and/or (iii) set out the terms of the processing (except in relation to obtaining access) of personal data by the general public. The data operator shall provide the data subject with an option to introduce prohibitions on and terms of processing in relation to detailed sub-categories of personal data. | NO |
| term of consent | YES - precise term of the consent’s validity is required under the Draft DPA Requirements | NO |
| internet resources for PDD | YES - websites and/or webpages on which PDD is made publicly available to be listed under the Draft DPA Requirements | NO |
| indicating in consent the existence of the right to withdraw consent | NO | YES |
The data subject has a right to revoke consent to the processing of PDD at any time, which is in line with the consent revocation right available prior to the Amendments coming into effect.
A data subject's request to revoke consent should include the full name of the data subject, contact details and the list of personal data whose processing should cease. After receiving the data subject’s request, the data operator should cease the transfer of the PDD, including disseminating it, providing the data and any access to it.
The Amendments do not introduce new sanctions for non-compliance. This means that the general data protection offences will apply. Non-compliance with the new requirements on PDD processing may amount to administrative fines for personal data processing without a legitimate ground envisaged by the Russian privacy legislation. An explanatory note to the draft Amendments which was provided by the legislator also refers to the above data protection offence.