Russia - Data Breach Guide
1.1 In the event of a data breach affecting residents of your country, is there any legal obligation or requirement to notify either a) affected individuals; or b) a regulator such as a data protection authority (DPA)?
No, currently there is no formal legal obligation to notify a regulator or communicate the fact of a breach to data subjects concerned. However, the personal data operator is required to detect a data breach and recover personal data affected by the breach.
In the meantime, there have been certain initiatives to introduce mandatory notification of the DPA in the event of a data breach, in particular because Russia has signed the Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data.
Still, as of today, it is unclear when and in what form such legislation will be enacted.
1.2 Under what conditions must such notification(s) be given, including a) what types of data must be breached to trigger notification; and b) whether the entity must be a data controller or data processor in your country for such obligations to apply?
Not applicable.
1.3 For such notification(s), is there any required or suggested a) content of the notice; b) time period in which notice must be given; or c) method of giving notice, such as regular mail, email, web-posting or publication?
Not applicable.
1.4 What are the penalties, fines or risks in failing to notify, either by the DPA or in litigation?
There is no specific penalty for violations related to the breach notification. However, the breach could be one of the factors to determine the amount of fine for another breach, e.g. if failure to localise personal data in Russia led to a data breach, this could be used as a justification for the court to choose higher fines for the breach of the localisation rules.
1.5 Even if there is no current legal obligation to do so, or if there is no "data controller" or "data processor" located in your country, is notification to individuals recommended in the event of a data breach affecting residents in your country (such as in credit card data breaches)?
Depending on the nature of the breach and the nature of the data concerned, it might be advisable to notify the individuals as the data controller is required to restore the personal data that was modified or deleted as a result of a data breach.
In addition, proper and timely notification of affected individuals may help to prevent greater damage caused by a data breach, which in turn could mitigate risks of civil claims by data subjects.
Voluntary notification should always be considered from commercial and reputational standpoints as well.
1.6 What are the applicable (data protection) laws or guidelines within your country?
The key legal act in the area is the Federal Law No. 152-FZ dated 27 July 2006 "On Personal Data".
1.7 Contact information for the local Data Protection Authority:
Name: The Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor)
Address: 7, bldg 2, Kitaigorodskiy proezd, Moscow, 109074, Russia
Telephone: +7 (495) 983-33-93
Fax: +7 (495) 983-33-93
Email:
Website:
For more information, contact:
Name: Maxim Boulba
Firm: CMS Russia
Address: Gogolevsky Blvd. 11, 119019 Moscow, Russia
Telephone: +7 49 5786 4000
Fax: +7 49 5786 4001
Email:
Website: