Personal Data Subject Rights in Russia: A Comprehensive Guide to Legal Protection under Law No. 152-FZ

 

September 30, 2023

BRACE Law Firm ©

 

Every day, a massive volume of personal data is transferred to state authorities, employers, banks, sellers, social networks, and other operators, which significantly increases the risks of its unlawful use. In the modern world, it is extremely important to ensure the protection of the rights and freedoms of individuals during the processing of their personal data.

This article examines in detail the rights granted by Russian legislation to personal data subjects, as well as how to appeal the actions (or omissions) of a personal data operator in the event of a violation of rights.

Terminology of Personal Data Legislation

The basic regulatory act governing relations regarding the processing of personal data in the Russian Federation is Federal Law No. 152-FZ dated July 27, 2006, On Personal Data (the "Law on Personal Data", the "Law", or the "Federal Law No. 152-FZ").

The Law does not contain a definition for the term "personal data subject". According to Article 3 of Federal Law No. 152-FZ, personal data is any information relating to a directly or indirectly identified or identifiable individual (personal data subject). Thus, based on this concept, a personal data subject (the "PD Subject") is understood to be an individual to whom the personal data belongs and by which they can be directly or indirectly identified.

In turn, state or municipal authorities, legal entities, or individuals who organize or perform the processing of personal data are referred to as personal data operators (the "Operator" or the "PD Operator").

Rights of Personal Data Subjects

Chapter 3 of the Law on Personal Data is dedicated to the fundamental rights of personal data subjects. We list them here:

  • The right to access their personal data.
  • The right to demand the rectification, blocking, or destruction of personal data.
  • The right not to receive advertising and political campaigning without prior consent.
  • The right to object to decisions made based on automated data processing.
  • The right to the protection of their rights and legitimate interests.

Each of these is considered in more detail below.

The Right of the PD Subject to Access Information

One of the key rights of the PD Subject is the right to access information regarding the processing of their personal data. Many other rights derive from this basic right.

In accordance with Article 14, Part 1 of Federal Law No. 152-FZ, a PD Subject has the right to receive the following information concerning the processing of their data:

  • The fact of personal data processing by the PD Operator;
  • The name and location of the Operator, and information about persons (excluding the Operator’s employees) who have access to the personal data or to whom it may be disclosed;
  • The legal grounds and purposes for the processing of personal data;
  • The methods used by the PD Operator for processing personal data (automated processing, non-automated processing, or mixed processing);
  • The list of processed personal data and the source of its acquisition;
  • The timeframes for processing personal data, including its storage periods;
  • The procedure for the personal data subject to exercise their rights;
  • Information regarding any completed or proposed cross-border data transfer (transfer of data to the territory of another state);
  • The name or full name and address of the person performing the processing of personal data on behalf of the PD Operator;
  • Information on the measures taken by the Operator to comply with the rules for the processing and protection of personal data.

This list is not exhaustive.

These rights may be exercised (1) upon a personal visit by the PD Subject or their representative, or (2) by sending the Operator a PD Request. A request to the PD Operator may be sent in the form of a paper document or an electronic document signed with an enhanced qualified electronic signature (UK(E)P), and must contain:

  • Passport details of the PD Subject / their representative (document number, date of issue, and information about the issuing authority);
  • Information confirming the participation of the PD Subject in relations with the PD Operator (contract number, date of the contract, or other information confirming the fact of personal data processing by the PD Operator);
  • The signature of the personal data subject or their representative.

The information is provided by the Operator in an accessible form and must not contain the personal data of other persons. The response to the request is provided in the same form as the request, unless otherwise specified upon its submission.

The deadline for providing this information is 10 business days from the date of the request by the subject / their representative or the receipt of the inquiry (Article 20, Part 1 of Federal Law No. 152-FZ). This period may be extended by 5 business days with the mandatory sending of a reasoned notification regarding the reasons for such an extension.

A follow-up request can be sent no earlier than 30 days after the initial inquiry. An exception exists if this is expressly provided for by federal law or a contract, or if the information was not previously provided by the Operator in full. A follow-up request must contain a justification for its submission.

The right to access personal data may be restricted by federal laws. Thus, according to Article 14, Part 8 of Federal Law No. 152-FZ, the provision of the requested information may be denied if the processing of personal data is carried out:

  • For the purposes of national defense, state security, and law enforcement;
  • If the PD Subject is detained on suspicion of committing a crime, or if they have been charged in a criminal case or a preventive measure has been applied (except for rights provided by criminal procedure legislation);
  • If the processing is carried out in accordance with legislation on anti-money laundering and combating the financing of terrorism;
  • If it violates the rights and legitimate interests of third parties;
  • In cases provided for by the legislation of the Russian Federation on transport security.

Upon refusal to provide information, the PD Operator is obliged to provide a reasoned response in writing within 10 business days, indicating the provision of the federal law that serves as the basis for such a refusal.

Failure by the PD Operator to fulfill the obligation to provide the PD Subject with information concerning the processing of their personal data results in administrative liability under Article 13.11, Part 4 of the CAO RF. The fine for citizens ranges from 2,000 to 4,000 rubles; for officials, from 8,000 to 12,000 rubles; for individual entrepreneurs, from 20,000 to 30,000 rubles; and for legal entities, from 40,000 to 80,000 rubles.

As practice shows, in most cases, regulatory authorities do not see signs of an offense in the actions of the specified persons; however, the risk of liability for an unlawful refusal exists.

The Right to Demand Rectification, Blocking, and Destruction of Personal Data

Quite often, the owner of personal data does not want their data to continue to be processed or finds errors in it. Under Article 14, Part 1 of Federal Law No. 152-FZ, they are granted the right to demand from the PD Operator the rectification, blocking, or destruction of their personal data.

Rectification (updating, changing) of PD is carried out in cases where the personal data are incomplete, outdated, or inaccurate. The PD Operator is obliged to make the relevant changes within 7 business days from the day the PD Subject / their representative submits supporting information. Furthermore, the PD Operator is obliged to notify the subject of the changes made and the measures taken, and to take reasonable measures to notify third parties to whom the personal data of this subject were transferred (Article 20, Part 3 of Federal Law No. 152-FZ).

Blocking of personal data is understood as the temporary cessation of personal data processing, while destruction refers to actions as a result of which it becomes impossible to restore the content of personal data and/or as a result of which the material carriers of personal data are destroyed.

Blocking, as a temporary measure, is usually carried out for the period of verifying information received from the PD Subject regarding the unlawfulness of processing or the inaccuracy of data. Demands for the destruction of personal data may be presented in cases where they were obtained unlawfully or are not necessary for the stated purpose of processing. Just as with the rectification of personal data, within 7 business days from the day the PD Subject / their representative submits supporting information, the PD Operator is obliged to destroy the personal data and notify the PD Subject.

For failure to fulfill a lawful demand of a personal data subject regarding the rectification of personal data, their blocking, or destruction, parties are held administratively liable under Article 13.11, Part 5 of the CAO RF. The fine for citizens ranges from 2,000 to 4,000 rubles; for officials, from 8,000 to 20,000 rubles; for individual entrepreneurs, from 20,000 to 40,000 rubles; and for legal entities, from 50,000 to 90,000 rubles.

For example, in one case, a business entity failed to fulfill requirements to delete the personal data of its employees from internet pages. This entity was found guilty of committing an administrative offense provided for by Article 13.11, Part 5 of the CAO RF and was subjected to administrative punishment in the form of a fine in the amount of 25,000 rubles.[1]

The risks of awarding the victim compensation for moral harm are also not excluded. We provide an example from judicial practice.

S. applied to the court with a claim to compel a commercial bank to exclude his personal data from information databases and for compensation for moral harm in the amount of 25,000 rubles. In support of the claims, he indicated that this bank made calls to his personal telephone number and his daughter's telephone number for the purpose of collecting overdue debt. The plaintiff tried to inform the bank's employees that he was not acquainted with the debtor, but the calls continued. In the court session, it was established that S. and his minor daughter did not transfer their data to the bank and have no obligations toward the Bank; that is, the bank processed their personal data without legal grounds. Moreover, having repeatedly received information about the absence of credit obligations, it failed to fulfill requirements to destroy the personal data. The court recovered compensation for moral harm in favor of S. in the amount of 6,000 rubles.[2]

The Right of the PD Subject Not to Receive Advertising and Political Campaigning Without Prior Consent

Many companies use personal data to send promotional messages. According to Article 15 of Federal Law No. 152-FZ, any processing of personal data carried out for the promotion of goods, works, or services on the market by making direct contacts with a potential consumer or for the purpose of political campaigning is permitted only with the prior consent of the personal data subject.

The Law on Personal Data does not impose any special requirements for such consent. The main thing is that it must be specific, objective, informed, conscious, and unambiguous (Article 9, Part 1 of Federal Law No. 152-FZ). It can be obtained when issuing discount cards, questionnaires, or in the personal account of an online store by checking the box in the corresponding column. The obligation to confirm the receipt of such consent is placed on the PD Operator. The Law also obliges the PD Operator to immediately cease the processing of personal data upon the demand of the personal data subject.

For violation of the right under consideration, there is a risk of administrative liability under Article 13.11, Part 1 of the CAO RF ("Processing of personal data in cases not provided for by law"). The fine for citizens ranges from 2,000 to 6,000 rubles; for officials, from 10,000 to 20,000 rubles; and for legal entities, from 60,000 to 100,000 rubles.

Thus, in one case, a general director was held administratively liable under Article 13.11, Part 1 of the CAO RF; a warning was issued. As a violation, the court indicated that the general director allowed the use of a citizen's personal data (full name and mobile telephone number) by making a call to the specified number for the purpose of promoting the business entity's investment products, thereby violating Article 15 of the Law on Personal Data.[3]

Courts and antimonopoly authorities often regard actions for the mailing of information to specific persons aimed at the promotion of goods, works, or services as a violation not only of the Law on Personal Data, but also of Federal Law No. 38-FZ dated March 13, 2006, On Advertising (the "Law on Advertising"). We explain in more detail.

In accordance with Article 3 of the specified Law, advertising is understood as information distributed in any way, in any form, and using any means, addressed to an indefinite circle of persons and aimed at attracting attention to the object of advertising, forming or maintaining interest in it, and its promotion on the market. Furthermore, according to FAS Russia clarifications,[4] information aimed at promoting an object of advertising is recognized as advertising even if it is sent to a specific address list.

As an example of such an interpretation, we provide Case No. A57-6346/2021, which reached the Supreme Court of the Russian Federation.[5] In this case, the bank, without the borrower's prior consent, sent an SMS message containing advertising for credit products to his personal mobile telephone number with the following content: "Sergey Alexandrovich; cash loan from 7.5% up to 3 million rubles." The courts established that, contrary to the requirements of the Law on Advertising, the bank mailed advertising for financial services in which the information required by the Law on Advertising was absent. The courts also indicated that consent for the mailing was obtained when registering a new banking product. However, the application form developed by the bank implied the simultaneous giving of consent for the processing of personal data for the provision of the requested banking services and for the receipt of promotional information from the bank, thereby not leaving the citizen any free choice. These actions were recognized as violating both the provisions of the Law on Advertising and the Law on Personal Data. Note that no less severe fines are provided for violations of the Law on Advertising.

The Right to Object to Decisions Made Based on Automated Data Processing

Article 16 of the Law on Personal Data regulates the rights of PD Subjects when making decisions based exclusively on the automated processing of their data. We clarify that automated processing of personal data is understood as processing with the help of computing technology.

As a general rule, it is prohibited to make decisions that produce legal consequences or otherwise affect the rights and legitimate interests of the PD Subject solely based on data obtained as a result of automated processing. For example, it is prohibited to evaluate the business qualities of an applicant and refuse employment solely on the basis of online testing; it is prohibited to fire an employee for absenteeism solely on the basis of video surveillance data, and so on.

A decision based exclusively on the automated processing of data may be made:

  • If there is consent in writing from the PD Subject (written consent must be formatted in accordance with the requirements of Article 9, Part 4 of Federal Law No. 152-FZ);
  • In cases provided for by federal laws (for example, the CAO RF permits administrative liability for violations in the field of road traffic detected as a result of photo and video recording).

Additionally, the Law on Personal Data obliges the PD Operator to explain to the PD Subject the procedure for making such a decision and the possible legal consequences. To fulfill this obligation, we recommend including corresponding provisions in the standard forms that the client fills out.

The PD Subject has the right to state an objection to the operator against such a decision. The period for its consideration is 30 days from the day of receipt. The person who submitted the objection is notified of the results of the consideration. Ignoring these obligations may result in unfavorable consequences for the PD Operator in the form of a lawsuit.

Let us consider an example from judicial practice. M. applied with a claim against the Bank for the recognition of the opening of bank accounts as unlawful, for the imposition of the obligation to destroy information about the opening of accounts in his name, and for the recovery of compensation for moral harm in the amount of 1,000,000 rubles. In the court session, the parties did not dispute that the Bank opened bank accounts in the name of M. At the time the dispute was considered, the accounts were closed. The court indicated that, in accordance with Article 16 of Federal Law No. 152-FZ, it is prohibited to make decisions producing legal consequences in relation to the personal data subject based exclusively on the automated processing of personal data. M. did not give consent for the opening of the accounts. The court recognized the bank's actions as unlawful and recovered compensation for moral harm in favor of M. in the amount of 20,000 rubles.[6]

Appealing the Actions or Omissions of a Personal Data Operator

In the event of a violation by the PD Operator of the procedure for personal data processing, the PD Subject has the right to appeal the actions (omissions) of the operator to the authorized body for the protection of personal data subjects' rights (Roskomnadzor) or in a judicial procedure (Article 17 of the Law on Personal Data). The PD Subject chooses the method of protection independently based on specific circumstances. We consider each of them in more detail.

1. Appealing the actions (omissions) of the PD Operator to an administrative body. The procedure for filing a complaint is regulated by Federal Law No. 59-FZ dated May 2, 2006, On the Procedure for Considering Appeals from Citizens of the Russian Federation. The complaint is filed with the territorial body of Roskomnadzor at the place of residence of the PD Subject. A complaint can be filed by sending it by post or upon a personal visit to the regulatory body, as well as in electronic form through the official website of Roskomnadzor.

The following must be indicated in the complaint:

  • The name of the body or official to whom the complaint is submitted;
  • The applicant's full name, postal address, or email address (in the case of an electronic appeal) to which the response must be sent (anonymous appeals are not considered).
  • The substance of the complaint (it is desirable to accurately indicate the name of the operator and describe the substance of the violations in detail; documents (or their copies) confirming the arguments of the complaint can also be attached to the complaint if necessary).
  • The applicant's signature and the date.

The period for consideration of the complaint is 30 days from the date of its registration, but in exceptional cases, the period may be extended for another 30 days with mandatory notification to the person who submitted the complaint.

In the event of disagreement with the decision of the regulatory body, the applicant has the right to apply to the court with demands for the challenge of this decision, actions (omissions) of the body of state power. In this case, it will be necessary to prove that the contested decisions, actions, or omissions violated or contested the rights, freedoms, and legitimate interests of the PD Subject, created obstacles to the exercise of a right, or unlawfully imposed any obligations (Article 218 of the CAS RF).

Let us illustrate with an example from judicial practice. In one case, L. applied to the court with an administrative statement of claim for the recognition of the omissions of the regional prosecutor's office and the territorial Roskomnadzor administration as unlawful. In support of his claims, he indicated that an energy sales company unlawfully requested and used a copy of a residential registration card containing the personal data of L. and other persons registered in the apartment, none of whom gave consent for the processing of personal data. L. applied to state bodies with a statement to hold the officials of the energy sales company administratively liable for the violation of personal data legislation. The prosecutor's office forwarded the statement to Roskomnadzor. The Roskomnadzor Administration informed L. of the absence of grounds for taking response measures, which served as the reason for applying with the claim.

In the court session, the Roskomnadzor representative explained that the regulatory body was not provided with information about whose rights were violated or what negative consequences occurred as a result of unlawful processing. The court came to the conclusion that Roskomnadzor, as the body granted the right to initiate cases of administrative offenses for the violation of personal data processing rules, in violation of legislative requirements, did not make a procedural decision to initiate or to refuse to initiate a case, thereby depriving the applicant of the right to appeal it. In relation to the prosecutor's office, it did not establish violations of the plaintiff's rights, since the initiation of this category of cases does not belong to the exclusive competence of the prosecutor.[7]

2. Challenging the actions (omissions) of the PD Operator in a judicial procedure.

The consideration of a dispute in court is carried out in accordance with the Civil Procedure Code of the Russian Federation by presenting a claim. The claim is filed in the district (city) court at the location of the defendant — the PD Operator. It can also be filed at the location of the plaintiff (Article 29, Part 6.1 of the GPC RF). Compliance with a pre-trial procedure is not required.

The personal data subject may present demands:

1. For the Operator's performance of duties or cessation of actions violating the rights of the PD Subject. For example, to oblige the PD Operator to provide information about processed personal data, to cease processing, to destroy personal data, and so on. Note that PD Subjects often apply with demands that clearly contradict the meaning of the Law on Personal Data. For example, they demand the destruction of personal data in cases where the PD Operator is granted the right to process them by virtue of the Law on Personal Data.

2. For compensation for losses. In accordance with Article 15 of the Civil Code, losses are understood as expenses that the person whose right is violated has made or will have to make to restore the violated right, loss or damage to their property (actual damage), as well as unearned income that this person would have received under normal conditions of civil circulation if their right had not been violated (lost profits). Note that the recovery of losses is extremely problematic in these legal relations in view of the peculiarities of proof.

3. For compensation for moral harm. Moral harm refers to physical or mental suffering of a citizen caused by the actions of the PD Operator that violate the citizen's personal non-property rights or encroach on intangible benefits belonging to them (Article 151 of the Civil Code). The amount of compensation for moral harm is determined by the court depending on the nature of the physical and mental suffering caused to the victim, as well as on the degree of guilt of the tortfeasor. When determining the amount of compensation for harm, requirements for reasonableness and justice must be taken into account. As practice shows, the amounts of the recovered monetary compensation are extremely small and usually range from 500 to 25,000 rubles.

We provide an example from judicial practice. S. applied to the court with a claim against a microfinance company for the recovery of compensation for moral harm in the amount of 20,000 rubles. In support of the claims, she indicated that when checking her credit history, S. learned about a credit contract concluded in her name for the amount of 9,000 rubles and the presence of a debt under it, in connection with which she applied to the microfinance organization with a demand to waive the debt and cease the processing of her personal data. The microfinance organization informed S. that the contract in her name was recognized as not concluded, and information was sent to the credit history bureau regarding the absence of a concluded contract. However, as a result of the actions of the microfinance organization, the plaintiff experienced mental suffering, which served as the reason for applying to the court. The court indicated that the PD Operator is obliged to immediately cease the processing of personal data upon the demand of the personal data subject. Information that the plaintiff's demands to cease the processing of her data were satisfied by the defendant did not find confirmation in the court. Taking into account the circumstances of the case and the behavior of each party, the court recognized the right to compensation for moral harm in the amount of 4,000 rubles.[8]

In summary, it can be stated that the rights of personal data subjects in Russia are currently not respected at the proper level. Calls from unknown telephone numbers with an offer of various goods and services or demands for the payment of debt are still common practice, and achieving the cessation of the use of one's personal data is still difficult. The position of judicial bodies, which often approach the consideration of requirements formally or reduce the amounts of recoveries to nominal ones, also does not contribute to the protection of the rights of the personal data subject.

It is also worth paying attention to the insufficient legal literacy and legal culture of the personal data subjects themselves. It appears that to solve such problems, it is necessary to take a set of measures aimed at increasing the legal literacy of citizens, changing law enforcement practice, and toughening fines for the violation of rights.

_______________________________

References

  1. Resolution of the Second Cassation Court of General Jurisdiction dated November 30, 2021, No. 16-9529/2021.
  2. Decision of the Leninsky District Court of the city of Kostroma dated April 15, 2019, for Case No. 2-222/2019(2-2821/2018).
  3. Resolution of the Moscow City Court dated August 3, 2017, No. 4a-2675/2017.
  4. Clarifications of FAS Russia dated June 14, 2012, On the Procedure for Applying Article 18 of the Federal Law On Advertising.
  5. Ruling of the Supreme Court of the Russian Federation dated March 23, 2022, No. 306-ES22-2085 for Case No. A57-6346/2021.
  6. Decision of the Zheleznodorozhny District Court of the city of Yekaterinburg dated July 5, 2019, for Case No. 2-2751/2019.
  7. Cassation Ruling of the Second Cassation Court of General Jurisdiction dated May 24, 2023, No. 88a-13050/2023.
  8. Default Judgment of the Oktyabrsky District Court of the city of Arkhangelsk dated June 21, 2023, for Case No. 2-2030/2023.