Personal Data Processing in Russia: Categories, Conditions, and Legal Compliance

 

September 20, 2023

BRACE Law Firm ©

 

A massive volume of individuals' personal data is collected and transferred globally every day. In the Russian Federation, Federal Law No. 152-FZ dated July 27, 2006, On Personal Data (the "Personal Data Law", the "Law", the "Federal Law No. 152-FZ") regulates the principles and conditions for its processing.

In recent years, the issue of permissible boundaries and conditions for processing personal data (the "PD") has become extremely acute due to increased digitalization, which raises the risks of unauthorized access and unlawful use of personal data.

In this article, we analyze the concept of personal data, its various categories, and the conditions for its processing depending on its type.

What is Personal Data?

According to Article 3 of Federal Law No. 152-FZ, "personal data" is any information relating to a directly or indirectly identified or identifiable natural person (the "personal data subject"). Thus, personal data constitutes any information about a person that directly or indirectly allows for their identification.

This definition is extremely broad and classifies a wide range of information as personal data, starting from full name, passport details, and date and place of birth to dactyloscopic data, and photographic and video images of a person. At the same time, individual types of information may or may not simultaneously constitute personal data. One may agree with the opinion of researchers of this problem that the ability to identify a person is the most essential characteristic of personal data. [1]

Categories of Personal Data

The Personal Data Law distinguishes several types of personal data (referred to in the Law as personal data categories, which is the term we will use below):

  • general;
  • special;
  • biometric.

Prior to March 1, 2021, Federal Law No. 152-FZ distinguished another category: publicly available personal data. This term referred to personal data to which the personal data subject granted access to an unrestricted circle of persons. For example, data posted on social networks, job search websites, etc. Processing of such data was permitted without the subject's consent.

Legal regulation changed following the entry into force of Federal Law No. 519-FZ dated December 30, 2020, On Amending the Federal Law On Personal Data, [2] which abolished this term. Instead, the Law introduced the concept of "personal data authorized by the personal data subject for dissemination", which refers to PD for which the data owner has given separate consent for dissemination. This category may include general, special, or biometric personal data. This article will not consider this institution, as in our view, it does not constitute a separate category of personal data under current legal regulation.

Processing conditions vary depending on the category. Below, we consider each category and its processing conditions in detail, including examples from judicial practice.

What is Meant by the Conditions for Personal Data Processing?

In accordance with Article 3 of Federal Law No. 152-FZ, "personal data processing" is any action or set of actions performed with personal data, such as: collection, recording, systematization, accumulation, storage, clarification (updating, changing), extraction, use, transfer (dissemination, provision, access), depersonalization, blocking, deletion, destruction, and others.

The person who organizes and (or) performs the processing of personal data is called the "personal data operator" (the "PD operator" or the "operator"). These can be state and municipal authorities, legal entities, as well as individual entrepreneurs and self-employed citizens, provided they perform actions with the personal data of individuals.

"Conditions of processing" in the Personal Data Law effectively refers to the rules and grounds under which personal data processing is permitted. As a general condition for processing any type of personal data, Part 1 of Article 6 of Federal Law No. 152-FZ specifies compliance with the principles and rules provided for by the Personal Data Law. Article 5 of the Law lists these principles:

  • Processing must be carried out on a lawful and fair basis.
  • Processing must be limited to the achievement of specific, predetermined, and lawful purposes.
  • The operator may not merge databases containing personal data processed for purposes incompatible with each other.
  • Only personal data that meets the purposes of its processing is subject to processing.
  • The content and volume of processed personal data must not be excessive in relation to the stated purposes of its processing.
  • The operator must ensure the accuracy, sufficiency, and relevance of personal data during processing.
  • The operator must store personal data in a form that allows for the identification of the personal data subject, and for no longer than required by the purposes of processing.

In addition to the general conditions, specific grounds for processing are regulated for each category of personal data, which we examine below.

General Categories of Personal Data and Conditions for Their Processing

The Personal Data Law contains neither a definition nor an exhaustive list of general personal data. This category can include a significant amount of information about a person: full name, date and place of birth, passport details, registration and residential address, telephone number, information on family, social and property status, education, profession, position held, work experience, etc.

In practice, questions often arise regarding the classification of certain information as general personal data. For example, does information about an employee's salary constitute personal data? According to Roskomnadzor, as the authority empowered to protect the rights of personal data subjects, information regarding a person's salary constitutes information containing the subject's personal data.

The conditions for processing general personal data, set forth in Part 1 of Article 6 of Federal Law No. 152-FZ, can be divided into two groups:

1. Processing with the consent of the personal data subject.

As a general rule, personal data processing is permitted with the consent of the personal data subject. Article 9 of Federal Law No. 152-FZ provides the requirements for the content of the consent. The consent must be specific, objective, informed, conscious, and unambiguous. Consent to the processing of general personal data may be given in any form; however, given the operator's obligation established by the Personal Data Law to confirm its existence, we recommend documenting it in writing or another form that allows for confirmation of its receipt.

2. Processing without the consent of the personal data subject.

The list of grounds where personal data processing is permitted without obtaining the subject's consent is exhaustive. Such processing is allowed in the following cases:

  • If it is necessary to achieve and perform the functions, powers, and duties imposed on the operator by Russian legislation or an international treaty; for example, the processing of an employee's personal data required by the employer for hiring, or the transfer of an employee's data established by regulations to tax authorities or non-budgetary funds, does not require their consent.
  • In connection with a person's participation in constitutional, civil, administrative, or criminal proceedings, or proceedings in arbitration courts.
  • To execute a judicial act, an act of another body, or an official, subject to execution in accordance with the legislation of the Russian Federation on enforcement proceedings. For example, information containing personal data is provided upon the request of a court bailiff-executor for the performance of enforcement actions.
  • To exercise the powers of executive authorities, state non-budgetary funds, local self-government bodies, or organizations involved in providing state and municipal services.

The registration of a personal data subject on the State Services portal, the provision of a state or municipal service, or interagency interaction for its provision may require the processing of an individual's personal data. By virtue of this provision, the requirement by these bodies for consent to process personal data and the refusal to provide a service due to the failure to submit consent is unlawful, as confirmed by judicial practice. [3]

  • To conclude and (or) execute a contract to which the personal data subject is a party, beneficiary, or guarantor; the Law does not specify the type of contract, but in practice, regulatory authorities interpret this as any type of civil law contract (purchase and sale, construction, provision of services, insurance, etc.) where an individual is a party, beneficiary, or guarantor. Furthermore, the operator must carry out the processing to perform actions for its conclusion or execution (for example, for the delivery or payment of goods). The operator must obtain consent to carry out advertising mailings, marketing research, etc.
  • To protect the life, health, or other vital interests of the personal data subject if obtaining the subject's consent is impossible; as a rule, this refers to cases where urgent measures must be taken to protect the life, health, or other vital interests of the personal data subject, and obtaining consent is impossible due to their unconscious state, incapacity, or other similar reasons.
  • To exercise the rights and legitimate interests of the operator or third parties, or to achieve socially significant goals, provided that the rights and freedoms of the personal data subject are not violated; the wording of this provision allows for a fairly broad interpretation. However, in disputed cases, the operator will have to confirm what their legitimate interests were and by which regulatory document they are governed.

In current law enforcement practice, banks and other credit organizations, as well as lessors, apply this basis, as they are obliged by Federal Law No. 115-FZ dated August 7, 2001, On Countering the Legalization (Laundering) of Proceeds from Crime and the Financing of Terrorism to identify the client and establish information about them (full name, citizenship, date of birth, passport details, and several others).

  • To carry out the professional activities of a journalist or mass media outlet, or for scientific, literary, or other creative activities, provided that the rights and legitimate interests of the personal data subject are not violated.

Please note that in accordance with the Law of the Russian Federation No. 2124-1 dated December 27, 1991, On Mass Media, a mass media outlet is defined as a periodic printed publication, a network publication, a TV channel, a radio channel, a TV program, a radio program, or another form of periodic dissemination of information registered as such in the manner prescribed by said law. For instance, an internet site may be registered as a network publication, but in the absence of registration, it is not a mass media outlet.

A journalist is defined as a person professionally engaged in editing, creating, collecting, or preparing messages and materials for the editorial office of a registered mass media outlet, associated with it by labor or other contractual relations, or engaged in such activity by its authorization.

Thus, as a general rule, internet pages not registered as mass media, pages on social networks, bloggers, etc., do not fall under this provision.

Furthermore, when assessing the admissibility of applying this provision, courts analyze whether the rights of personal data subjects have been violated. For example, in one case considered by a court, the editor-in-chief of a newspaper was held administratively liable under Part 1 of Article 13.11 of the CAO RF with the imposition of an administrative penalty in the form of a warning. The basis for liability was the dissemination in an article of the surname and rank of an FSB officer in the absence of his consent. The courts, including the Supreme Court of the Russian Federation, stated that there was no necessity or public need for the disclosure of the personal data of a person not engaged in public activity. The court denied the appeal to overturn the liability. [4]

  • For statistical or other research purposes, provided that the personal data is mandatorily depersonalized, as well as for other purposes provided for by Federal Law No. 123-FZ dated April 24, 2020, On Conducting an Experiment to Establish Special Regulation to Create Necessary Conditions for the Development and Implementation of Artificial Intelligence Technologies in the Subject of the Russian Federation – the City of Federal Significance Moscow and Federal Law No. 258-FZ dated July 31, 2020, On Experimental Legal Regimes in the Sphere of Digital Innovations in the Russian Federation.

Depersonalization of personal data refers to actions resulting in it becoming impossible, without the use of additional information, to determine the attribution of personal data to a specific personal data subject. At the same time, by virtue of an express provision of the Law, the processing of data for the purpose of promoting goods, works, or services on the market through direct contact with a potential consumer, as well as for the purpose of political agitation, is not permitted under this ground.

  • Processing of personal data subject to publication or mandatory disclosure in accordance with federal law.

For example, Federal Law No. 273-FZ dated December 29, 2012, On Education in the Russian Federation obliges educational institutions to post information on their official website on the Internet regarding the personal composition of teaching staff, indicating their level of education, qualifications, and work experience. Obtaining the consent of teaching staff for these actions is not required.

Please note that the considered list of cases for processing general categories of personal data is not subject to broad interpretation.

Special Categories of Personal Data and Conditions for Their Processing

Special categories of personal data include information concerning racial or national origin, political views, religious or philosophical beliefs, health status, and intimate life (Part 1 of Article 10 of the Personal Data Law).

As a general rule, their processing is not permitted. Parts 2 and 2.1 of Article 10 of Federal Law No. 152-FZ list the cases where processing of this category of personal data is allowed. Let's consider them in more detail.

1. Processing on the basis of the written consent of the personal data subject.

As we can see, unlike general categories of personal data, obtaining written consent is mandatory. Consent in the form of an electronic document signed with an electronic signature is recognized as equivalent to consent on paper. Part 4 of Article 9 of Federal Law No. 152-FZ provides the requirements for the content of written consent.

Since March 1, 2021, personal data authorized by the personal data subject for dissemination has been processed on the basis of separate consent. In this case, the operator must comply with the prohibitions and conditions established by the personal data subject.

2. Processing without the consent of the personal data subject.

The operator may process special categories of personal data without the owner's consent:

  • in connection with the implementation of international treaties of the Russian Federation on readmission ("readmission" is a state's consent to the return of its citizens who are subject to deportation from another state);
  • in accordance with Federal Law No. 8-FZ dated January 25, 2002, On the All-Russian Population Census;
  • in accordance with the legislation on state social assistance, labor legislation, and the pension legislation of the Russian Federation;

For example, an employer has the right to process information about an employee's health status that is necessary in connection with the organization and conduct of mandatory medical examinations.

  • to protect the life, health, or other vital interests of the personal data subject or the life, health, or other vital interests of other persons, where obtaining the personal data subject's consent is impossible;

This ground is similar to the ground for processing general categories of personal data discussed above.

  • for medical and preventive purposes, for the purpose of establishing a medical diagnosis, or providing medical and medico-social services, provided that it is carried out by a person professionally engaged in medical activities and obliged to maintain medical secrecy.

In the Russian Federation, persons who have received a medical or other education and have passed specialist accreditation have the right to engage in medical activities.

  • processing by a public association or religious organization of the personal data of its members to achieve the goals provided for by their constituent documents;
  • to establish or exercise the rights of the personal data subject or third parties, or in connection with the administration of justice;
  • in accordance with the legislation of the Russian Federation on defense, security, countering terrorism, transport security, countering corruption, operational-search activities, enforcement proceedings, and criminal-executive legislation;
  • by prosecution authorities in connection with their exercise of prosecutorial supervision;
  • in accordance with the legislation on mandatory types of insurance and insurance legislation;
  • by authorized state or municipal authorities or organizations for the purpose of placing children left without parental care in families;
  • in accordance with the legislation of the Russian Federation on citizenship;
  • processing of depersonalized personal data concerning health status, as well as for purposes provided for by Federal Law No. 123-FZ dated April 24, 2020, On Conducting an Experiment to Establish Special Regulation to Create Necessary Conditions for the Development and Implementation of Artificial Intelligence Technologies in the Subject of the Russian Federation – the City of Federal Significance Moscow and Federal Law No. 258-FZ dated July 31, 2020, On Experimental Legal Regimes in the Sphere of Digital Innovations in the Russian Federation.

Thus, the Law imposes more stringent requirements on the processing of special personal data. However, some of the considered grounds for processing personal data overlap with or are similar to the grounds for processing general categories of personal data.

Biometric Personal Data and Conditions for Its Processing

Biometric personal data is information that characterizes the physiological and biological characteristics of a person, on the basis of which their identity can be established (Part 1 of Article 11 of the Personal Data Law).

Based on this definition, personal data will be biometric if they:

  • characterize the physiological and biological characteristics of a person, on the basis of which their identity can be established;
  • are used by the operator to establish the identity of the personal data subject.

The Personal Data Law does not define a specific list of biometric data. In practice, biometric personal data includes photographs and video images of a person, dactyloscopic data, information on the iris of the eye, DNA analysis results, and voice data.

When determining whether data are biometric, the operator should consider the following nuances highlighted by regulatory authorities.

Photographic images and other information used to ensure single and/or multiple entry to a protected territory are considered biometric personal data, as they are used to establish a person's identity. [5] Conversely, a photograph contained in an employee's personal file or a person's signature on a contract will not be considered biometric personal data, as they are not used for human identification.

Also, according to Roskomnadzor's explanations, [6] X-rays or fluorographic images found in a patient's case history (medical record) are not biometric personal data, as the operator (medical institution) does not use them to establish the patient's identity. Although these explanations have currently been revoked, one can fully agree with them based on the essence of the Law.

Courts generally do not recognize photographs and video images of a person in public places, work premises, and protected territories as biometric data, since they are used to protect public order, maintain labor discipline, or for public or social interests, and as a general rule do not require consent.

Regarding dactyloscopic data, in Roskomnadzor's opinion, [7] a person's fingerprints are always biometric personal data. However, their processing is allowed only by authorized state bodies and only in cases established by Federal Law No. 128-FZ dated July 25, 1998, On State Dactyloscopic Registration in the Russian Federation. The use of dactyloscopic information by other operators, including for providing single/multiple entry to a territory, bears signs of an administrative offense under Part 1 of Article 13.11 of the CAO RF, "Personal data processing in cases not provided for by the legislation of the Russian Federation in the field of personal data".

Article 11 of the Personal Data Law provides the conditions for processing biometric personal data, which are in many ways similar to the conditions for processing special categories of personal data.

1. As a general rule, processing of such data is permitted with the consent of the subject expressed in writing.

Providing such consent is not mandatory. The operator is not entitled to refuse service in the event of a refusal to provide biometric data or to give consent to the processing of personal data, if in accordance with the law, obtaining consent from the operator for processing personal data is not mandatory.

2. Processing is permitted without obtaining the subject's consent in the following cases:

  • in connection with the implementation of international treaties of the Russian Federation on readmission;
  • in connection with the administration of justice and the execution of judicial acts;
  • in connection with mandatory state dactyloscopic registration or mandatory state genomic registration;
  • in cases provided for by the legislation of the Russian Federation on defense, security, countering terrorism, transport security, countering corruption, operational-search activities, state service, the notary system, criminal-executive legislation, the procedure for exit from and entry into the Russian Federation, and the citizenship of the Russian Federation.

Despite the explanations of authorized bodies, a completely uniform law enforcement practice regarding the classification of data as biometric has not yet been established; therefore, the risks of judicial disputes and liability for violating their processing conditions are not excluded.

Liability for Violation of Personal Data Processing Conditions

Violation of personal data processing conditions may lead to administrative, civil, or disciplinary liability.

Most often, administrative liability for violation of processing conditions is imposed:

  • Under Part 1 of Article 13.11 of the CAO RF, "Personal data processing in cases not provided for by the legislation of the Russian Federation in the field of personal data, or personal data processing incompatible with the purposes of personal data collection". The maximum penalty for officials is a fine of up to 20,000 rubles; for legal entities, up to 100,000 rubles.
  • Under Part 2 of Article 13.11 of the CAO RF, "Personal data processing without the written consent of the personal data subject or in violation of the requirements for consent". The maximum penalty for officials is a fine of up to 40,000 rubles; for legal entities, up to 150,000 rubles.

Civil liability may take the form of compensation for moral harm and reimbursement of losses to the personal data subject. The court determines the amount of compensation for moral harm, taking into account the degree of the violator's guilt and the degree of suffering caused.

Disciplinary liability is imposed on employees responsible for processing personal data in case of non-performance or improper performance of their labor duties. The employer has the right to apply the following disciplinary sanctions: remark, reprimand, or dismissal on appropriate grounds.

In conclusion, we note that the absence of a list of personal data or clear criteria for its classification in the law can, in some cases, create legal uncertainty and entail additional risks of liability. We also draw attention to periodic changes in legal regulation, including the grounds for personal data processing, which require operators to constantly "keep their finger on the pulse".

___________________________

References

[1] Platonova N.I., Solovyova-Oposhnyanskaya A.Yu. Biometric Personal Data: Opportunities and Problems // "Jurist", 2019, No. 6.

[2] Federal Law No. 519-FZ dated December 30, 2020, On Amending the Federal Law On Personal Data.

[3] Cassation Ruling of the Judicial Collegium for Administrative Cases of the Supreme Court of the Russian Federation No. 5-KA19-56 dated January 22, 2020.

[4] Resolution of the Supreme Court of the Russian Federation No. 74-AD18-11 dated June 28, 2018.

[5] Letter of the Ministry of Digital Development, Communications and Mass Media of Russia No. OP-P24-070-19433 dated July 17, 2020.

[6] Roskomnadzor Explanations dated September 2, 2013, On Matters of Classification of Photo and Video Images, Dactyloscopic Data, and Other Information as Biometric Personal Data and the Peculiarities of Their Processing.

[7] Roskomnadzor Letter No. 08AP-6782 dated February 10, 2020, On Sending Information According to the Minutes of the Meeting.
