On 1 September 2015 the Federal law dated 21 July 2014 № 242-FZ came into force. The Law specifies that the personal data operator shall provide recording, arrangement, storage, modification of personal data of Russian citizens with use of data bases and servers located on the Russian territory.
In general the Roskomnadzor refers in the Answers to particular articles of the Federal law dated 27 July 2006 No. 152-FZ “On personal data” (hereinafter – the “Law”), however in some explanations the regulatory authority construes some certain provisions of the Law and provides specific practical examples. The most interesting of them are given below.
- Consent to processing of personal data may not be obtained by phone or text message.
- Issues of obtaining consent to processing personal data when effecting online purchases are clarified. In such case file of digital signature of the purchaser upon completion of online purchase web-form shall be deemed as due confirmation of obtaining consent to processing personal data. Should the online offering be a public offer, consent to processing of one’s personal data may be expressed in acceptance of such offer.
- The Answers clarify p. 3 art. 12 of the Law pursuant to which prior to performing cross-border transfer of personal data the operator shall confirm that foreign state receiving personal data may provide proper protection of rights of personal data subjects. Due to absence of such criteria for proper protection of rights of personal data subjects in Russian law, the Roskomnadzor recommends to rely on the legislation of the Russian Federation, the legislation of the state on territory of which personal data is transferred as well as on international legislative acts. Particularly, states that ratified Convention on protection of the rights of individuals in the automatic processing of personal data dated 28 January 1981 ETS No. 108 as well as states with nationwide statutory regulation in the sphere of personal data protection may claim the status of state providing proper protection of personal data.
- The procedure of documental recording of personal data destruction is specified. Subject to the Answers destruction of personal data shall be performed by the commission or operator’s authorized officer. The fact of destruction may be established by the relevant act on termination of processing personal data or by registration of the fact in special book, template forms of which are elaborated by the operator on its own account.
- Personal data received when processing credit application are subject to destruction no later than within 3 days of the date when credit organization made negative decision on these applications.
Summarizing the above it should be mentioned that the Answers are not regulatory legal act, but rather a construction by the regulatory authority of certain provisions of the Law, which are unclear in law enforcement. However, it is recommended to consider the Roskomnadzor’s position specified in the Answers when arranging collection, processing and storage of personal data on the Russian territory, as well as when performing cross-border transfer of personal data, provided that the regulator will apparently rely on such position in the course of audit of personal data operators.
1Federal law dated 21 July 2014 №242-ФЗ “On the amendments to certain legislative acts of the Russian Federation with regard to specification of the personal data processing order in information and telecommunication network”