
Archive


Advising on three GDPR projects


Nadmitov, Ivanov and Partners Law Firm LLC advised three online client platforms on compliance of their contracts with the GDPR.

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), known as the GDPR, entered into force on May 25, 2018.

The GDPR introduced supranational regulation in the field of personal data circulation of EU residents. In particular, users were granted the right of access to their personal data, the rights to rectification, addition, restriction of processing and erasure of their personal data. The EU introduced severe penalties for violation of the rules for the personal data processing, including fines up to 20 million euro or 4% of the offender’s total worldwide annual turnover of the preceding financial year.

Nadmitov, Ivanov and Partners Law Firm actively advises clients on the protection and processing of personal data.



The lawyers have supported the idea to open the access to all personal information to Roskomnadzor


23 May

Pavel Maruev, a senior lawyer at Nadmitov, Ivanov & Partners Law Firm, commented to the Pravo.ru portal on the Ministry of Telecom and Mass Communications’ draft document concerning the procedure for state control over the processing of personal information.


According to the new rules, Roskomnadzor will be provided with access to operators’ personal information systems. The agency will check whether the method of processing and the storage periods of these data correspond to the stated purposes. It will therefore be given access to the personal information processed by an operator.

Without the access to personal information it is impossible to exercise the appropriate control over compliance with the law on personal information, the senior lawyer of Nadmitov, Ivanov & Partners Law Firm Pavel Maruev agrees. Especially this relates to the protection of workers processing of whose personal information is carried out by an employer by law, he adds. “In particular it concerns control of observance of such requirements of the law as, for example, whether the worker gave the consent to processing of personal information, compliance of processing to the stated purposes, legitimacy of transfer of personal information to third parties”, – Maruev explains.

The important question in this case is the organization of the state agency’s access to personal information, the expert continues. Besides, it is necessary to set limits of such access accurately, for example: the access which isn’t entailing transfer for storage and the subsequent processing of these data. “The question of a consent of the subject of personal information has an important role here, – Maruev emphasizes. – If he has given consent to processing to the operator, including processing of a special category of personal information (religion, political views, the state of health, other personal information), then state agency’s access to such information without consent of the subject of these data cannot be always justified”.

For more detail see: https://pravo.ru/news/view/141033/

Nadmitov, Ivanov and Partners regularly advises clients on personal data regulation.


Overseas servers of the Russian companies will become “foreign”


4 May

Alexander Nadmitov, the managing partner of Nadmitov, Ivanov & Partners Law Firm, commented to Izvestia newspaper on the proposal of the Ministry of Telecom and Mass Communications to toughen the text of the law “On Personal Information”.

Overseas servers of the Russian companies will become “foreign”. The Ministry of Telecom and Mass Communications will toughen the definition of cross-border transmission of personal information

Today, transmission of these data to a foreign server of a Russian company doesn’t fall under the restrictions existing for cross-border operations. At the same time, “cross-border transmission of personal data” is defined in the law as follows: “transmission of personal data to the territory of the foreign state to authority of the foreign state, foreign natural person or foreign legal entity”. That is, if the information is obtained abroad by a Russian company or natural person, then under the present law the personal data are considered to remain in Russia. The new wording will be the following: “the cross-border transmission of personal data — transmission of personal data to the territory of a foreign state”.

— There is a gap in the legislation — Alexander Nadmitov, the managing partner of Nadmitov, Ivanov & Partners Law Firm, remarked. — If the Russian company transfers personal data to a Russian company, it doesn’t fall under definition of cross-border data transfer now. The amendments are aimed at limiting such gaps.

For more detail see: http://izvestia.ru/news/693557

“Nadmitov, Ivanov and Partners” Law Firm actively advises its clients on the issues of cross-border transfer of personal data.


Blocked unauthorized websites can become unblocked


Alexander Nadmitov, the managing partner of Nadmitov, Ivanov and Partners Law Firm, commented to Izvestia newspaper on the submission of the bill to the Gosduma on the blocking of “mirrors” of unauthorized websites.

The law on the blocking of “mirrors” of unauthorized websites will provide for prompt measures against counterfeit on the internet. But pirates can easily avoid the block with only one short letter. The authors of the bill clarify: the expectation is that pirates will not write official letters and defend their rights in court.

However, a blocked unauthorized website can shortly appear on the internet at another address. And right-holders will have to begin bankruptcy procedures once again.

As Alexander Nadmitov, the managing partner of Nadmitov, Ivanov and Partners Law Firm, reckons, it would be more reasonable to block “mirrors” in court – for example, in the Moscow City Court. But this does not ensure fair proceedings; courts often treat such cases formally, the expert notes.

The opinion of the Gosduma IT committee says that in the second reading the bill “requires harmonization with present mechanism of rendering and revocation of court order”.

More details: http://izvestia.ru/news/671535

Nadmitov, Ivanov and Partners Law Firm actively consults clients on personal data issues in the Internet.



Update on new Russian requirements for mandatory localization of personal data databases


Nadmitov, Ivanov and Partners Law Firm presents an Update on new Russian requirements for mandatory localization of personal data databases.

Update

Federal law 21.07.2014 №242-FZ “On the amendment of certain legislative acts of Russian Federation concerning the processing of personal data in computer networks”

1  Introduction

  • Russian federal law 21.07.2014 №242-FZ (hereinafter “Federal law №242-FZ”) came into force on 1 September 2015. It introduced an obligation upon an operator to record, systematize, store and clarify the personal data he/she retains. The obligation does not concern the cases specified in Article 6 (1.2, 1.3, 1.4, 1.8) of Federal law №242-FZ.

2  Key Terms

  • Database is one of the most important definitions in the context of data processing. One of its definitions is contained in the Russian Civil Code. Moreover, GOST (Russian State Standard) 20886-85 defines database as data, aggregated in a certain manner. According to the Decree of Saint-Petersburg 16.10.1999 №14-19, database qualifies as ordered personal data. Thus, Russian legislation provides for a sufficiently broad definition of database.
  • Personal data are defined by Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data 1981 (CETS 108) (hereinafter “CETS 108”) as well as by Russian federal law 27.07.2006 №152-FZ “On personal data” (hereinafter “Federal law on personal data”). According to Article 3 of the law, personal data are considered as any kind of data directly or indirectly related to a definable natural person. If data cannot define a natural person, they are not personal.
  • Operator is an entity possessing information, data processing technology and techniques.
  • Data processing is any kind of activity involving the data, inter alia retention, record, systematization, aggregation, storage, clarification (update, modification), extraction, usage, transmission (dissemination, access), encryption, lockout, deletion, destruction, whether or not automatic techniques are used.

3  Scope of Application

  • In Persons:
  • Federal law №242-FZ does not provide for any guidance on identifying the nationality of persons subject to data retention, therefore an operator has certain discretion with respect to this issue. Data retention is supposed to take place within the whole territory of Russian Federation, thereby affecting foreigners as well as stateless persons.
  • Moreover, Federal law №242-FZ applies to Russian companies, foreign companies with official representation in Russia and foreign companies without official representation in Russia. Meanwhile, Federal law №242-FZ does not apply extraterritorially and does not affect non-residents retaining the personal data of Russian nationals abroad.
  • In Time:
  • The application of Federal law №242-FZ in time requires close examination. Generally, a law does not apply retroactively, unless it specifically provides for such application. According to the Ministry of Telecommunication explanations, databases created before 1 September 2015 will not be required to be localized (so called archive databases). Nevertheless, the modification of such bases and their update should be exercised through Russian bases.

4 Law Enforcement

  • The amendments of Article 18 (5) of Federal law on personal data introduced an obligation of an operator to record, systematize, store, aggregate, clarify and extract personal data through the databases located on the Russian territory.
  • In other words, the abovementioned activities are required to be localized on the Russian territory. The localization can be either electronic or paper.

  • Article 18 (5) provides for the following exceptions:

1) If an operator requires data processing in order to perform his/her obligations. This would be determined and monitored on case-by-case basis by Federal Service for Supervision in the Sphere of Telecom, Information Technologies and Mass Communications (hereinafter “Roskomnadzor”);

2) If processing is required for administration of justice or law enforcement;

3) If a federal authority requires data processing in order to perform its executive powers;

4) If a journalist requires data processing to exercise his/her professional activity or any other form of lawful media activity as well as any scientific, literary and creative activity given that individual rights are not violated.

  • Currently, there are no rules defining responsibility for the breach of localization provisions.
  • Nevertheless, the following penalties can be introduced against violators of localization rules:

1) Article 13.11 of Russian Code on Administrative Offences provides for a fine if record, storage, usage and dissemination procedures are violated. The fine comes up to 10,000 RUR (app. 155 USD).

2) As an alternative penalty, domain addresses and global addresses of violators could be included in a special roster of protection of personal data violators.

5  Transboundary data transmission

  • According to Article 3 of Federal law on personal data, transboundary transmission of personal data is defined as transmission of data to foreign competent authorities, foreign natural person, foreign entity, residing in a foreign State.
  • There is no limitation on transmission of personal data to States adequately respecting human rights, except for the purposes of protecting constitutional regime, morality, health, human rights, national security.
  • States adequately respecting human rights are those parties to CETS 108 as well as those indicated in Roskomnadzor Order №274 “On Register of Foreign States that are Party to CETS 108 and that Adequately Respect Individuals’ Rights to Protection of Personal Data”.
  • A competent authority also forms a roster of foreign States that are not party to CETS 108.
  • Federal law on personal data obliges an operator to make sure that foreign States, recipients of personal data, adequately respect human rights.
  • Meanwhile, according to Article 12 (4) of Federal law on personal data, transboundary transmission of personal data is permissible:

1) If there is a written permission on behalf of a person whose data are transmitted;

2) If it is required by a relevant treaty of Russian Federation;

3) If it is required by a federal law for the purposes of protection of Russian constitutional regime;

4) If it is required by a contract concluded by a person whose data are transmitted;

5) If it is required for the purposes of protection of life, health and other vital interests of a person whose data are transmitted or other people in case of impossibility to obtain their written permission.

  • Moreover, transboundary data transmission has the following requirements:

1) It is required to notify Roskomnadzor of the transboundary data transmission;

2)  It is required to notify a person whose data are subject to transboundary data transmission;

3) It is required to specify the conditions of transboundary personal data transmission in an operator’s bylaws;

4) It is required to assure protection of data transmission cable.

  • Federal law №242-FZ specifies the requirement of localization.
  • It is prohibited to transmit personal data to the databases located out of Russian Federation. The explanations of Ministry of Telecommunications, however, noted that the amendments introduced by Federal law №242-FZ did not concern the current regime of transboundary data transmission. Thus, it is generally permitted to transmit personal data if the requirements of Article 12 of Federal law on personal data are satisfied.

6 Explanations of Roskomnadzor and Ministry of Telecommunications as regards implementation of new personal data legislation

  • Implementation of new rules provoked numerous questions; therefore, it requires a detailed analysis. The majority of answers concerning the implementation of localization rules were introduced by Roskomnadzor or Ministry of Telecommunications.
  • Recommendations and explanations of Ministry of Telecommunications:

1)  Definition of “nationality” of a person whose data are transmitted in the context of localization rules

  • The issue of nationality of a person whose data are transmitted is not regulated by current legislation. Therefore, an operator has certain discretion to determine nationality of individuals. If nationality cannot be determined by an operator, an operator is entitled to retain any data located on the Russian territory.

2) The application of new rules to air carriers

  • Air carrier contract is concluded by means of ticket and baggage check. Air carriers are, therefore, required to process the personal data in order to prepare the abovementioned documents.
  • Article 18 (5) of Federal law on personal data applies neither to Russian air carriers nor to foreign ones in the context of retention and processing of personal data while booking, preparing and issuing air tickets, baggage checks and other travel documents which fall under the exception clause in Article 6 (2.1) of Federal law on personal data.

3) Transboundary transmission of employees’ data

  • Transboundary transmission of employees’ data is permitted under current legislation.

4) Is it required to localize employees’ personal data which is transmitted in compliance with labour law?

  • If processing of personal data falls within the exception clause specified in Article 6 (2), (3), (4), (8) of Federal law on personal data, Article 18(5) of Federal law №242-FZ does not apply. Whether transmission falls within the exception clause or not shall be decided by federal competent authorities.

5) Can Russian nationals publish their personal data the way they find it convenient and make use of the services offered by global market of goods and services?

  • The amendments introduced by Federal law №242-FZ do not preclude Russian nationals from using foreign services, even if their data are processed outside the Russian territory.

6) Does Federal law №242-FZ apply extraterritorially?

  • Domestic legislation, such as Federal law №242-FZ, applies only to the State’s territory and does not affect those outside the territory.

7) Does Federal law №242-FZ apply retroactively?

  • Federal law №242-FZ does not apply retroactively. Neither does it apply to “archive” databases. If such databases are subject to any kind of activity described in Article 18 (5), localization rules shall be respected.

8)  Is it possible to process personal data if a person whose data are processed gives permission?

  • Generally, permission is not considered as a ground for data processing.

9) Do localization rules apply only to primary retention of data?

▪  Current legislation does not provide for a definition of “primary retention of data”. Localization rules apply to all kinds of data retention.

10) For how long is permission for personal data processing valid?

▪  Current legislation does not mention “terminated permission”. According to Article 5(7) of Federal law on personal data, personal data is subject to deletion or encryption when the goals of data retention are met or when it is no more necessary.

11) Is it possible under a gratuitous contract to transmit the data of Russian employees to foreign companies, which relate to the same group of companies as Russian employer?

▪  Transboundary data transmission is not prohibited if the requirements of Article 12 of Federal law on personal data are met. Transboundary transmission shall in advance define the goal of data processing and shall assure destruction of data emanated from Russian companies.

12)  For how long can the transmitted data be stored on foreign server?

▪  According to Article 21 (4) of Federal law on personal data, operator is obliged to delete the data within 30 days after the accomplishment of processing goals. If it is impossible to delete personal data within the specified time period operator is obliged to block the data and assure their deletion within 6 months.

13) Is it necessary to obtain preliminary permission from Roskomnadzor for transboundary transmission of personal data?

▪  Federal law on personal data does not provide for such requirements.

14) Is it necessary to notify competent authorities of personal data processing after 1 September 2015? Shall the location of database be announced?

▪  Current legislation does not provide for such obligation. Article 22 of Federal law on personal data obliges operators to notify competent authorities before personal data is retained. Article 22 (2) provides for the list of exceptions. If a company has already notified Roskomnadzor, then pursuant to Article 22(7) it is required to announce the location of databases within 10 working days.

Recommendations and explanation of Roskomnadzor

1) Does a vehicle identification number fall within the notion of personal data?

  • Vehicle identification number and any other technical information, including repair history, do not qualify as personal data since it cannot identify an individual. Thus, the abovementioned data relate to a vehicle, but not individual.

2) Are foreign operators which process the data of Russian nationals by means of websites required to process and store the retained data on the Russian territory?

  • It does not matter whether the foreign operator is located on the Russian territory or not. If the operator’s activity relates to the Russian data, Federal law №242-FZ applies. Thus, retention and processing of the data shall take place within the territory of Russian Federation.

3)  Are there any confidential requirements as regards the processing of publicly available data?

  • According to Article 6 (1.10) of Federal law on personal data, publicly available data are permitted to be processed without individual’s consent. Therefore, Article 7 of Federal law on personal data where confidential requirements are specified is not applicable.

4) Is there any term for recovery of a blocked website?

  • Terms and conditions of website recovery are defined by Executive Decree prepared by Russian Government and currently subject to approval by competent authorities.

5) Is there any transition period so that companies can comply with new standards?

  • Federal law №242-FZ entered into force on 1 September 2015. No transition periods are mentioned.

6) Is there any approved form for specifying location of databases?

  • Article 22 of Federal law on personal data obliges operators to notify competent authorities before the processing of personal data. Article 22(2) provides for a list of cases when notification is not required. Federal law №242-FZ introduces amendments to Article 22(3) of Federal law on personal data which specifies the notification requirements. If a company has already notified Roskomnadzor, then pursuant to Article 22(7) it is required to announce the location of databases within 10 working days.

7)  How shall a database be organized? How shall it be stored, as file or as website?

  • Federal law №242-FZ introduces amendments only with respect to location of database. It does not in any way affect technical requirements detailed, inter alia, in Article 19 of Federal law on personal data.

8)  Is it possible for Roskomnadzor to shift responsibility for the violations of data protection laws occurred before 1 September 2016?

  • Federal law №224-FZ does not provide for any transition periods; therefore, no shift of responsibility for the violations is possible. Nevertheless, competent authorities will impose obligations to comply with №242-FZ within a specified time period if the violations take place.

9) Are there other limitations on server’s activity in Russia?

  • The activity of servers, centers of data processing shall comply with the confidentiality and data protection standards. Recommendations concerning these issues are published on Federal Agency on Technical and Export Control (FSTEK) website as well as Federal Security Service website (FSB).

10) What type of personal data falls within the scope of Federal law №242-FZ application?

  • Federal law №242-FZ applies to any kind of data directly or indirectly related to defined or definable individual, but not to specific types of data (e.g. biometric data).

11) Which criteria are taken into account while identifying individuals’ nationality?

  • An operator has certain discretion with respect to this issue. Therefore, any criteria can be examined by an operator while identifying individual’s nationality.

12) Does Federal law №242-FZ apply to federal or municipal databases?

  • Federal law №242-FZ is silent as regards the application to federal or municipal databases. However, according to Article 1, Federal law on personal data applies to municipal and federal authorities. Since Federal law №242-FZ introduces amendments to Federal law on personal data it would be logical to conclude that it applies to federal and municipal databases in a way they are governed by Federal law on personal data.


Review of the Russian law on the right to be forgotten in the Internet


Nadmitov, Ivanov and Partners Law Firm presents to you the review of the Russian law on the right to be forgotten in the Internet.

Legislative Update

On 13 July 2015 the Russian President signed into law the so-called “law on the right to forget” [1], i.e. the law obliging search engine operators to delete, at the request of a natural person concerned, the links containing information on such person, which is distributed in violation of Russian law and outdated.

The changes introduced

The requirements related to deletion of links to information at the request of a natural person cover search engine operators distributing advertisements in the Internet aimed at attracting consumers’ attention in the Russian territory. At the request of a natural person the operator is obliged to delete the links to the following information:

  • Information on the applicant distributed in violation of Russian law;
  • Untrue, outdated information;
  • Information, which lost its significance for the applicant due to subsequent events or the applicant’s actions.

The following information is exempt from the above:

  • Information on the criminally punishable events with respect to which statute of limitation has not expired;
  • Information on commission of a crime by a natural person whose conviction has not been removed from official records.

The applicant’s request must contain his/her details, a description of the information, links to which the applicant requests to be deleted, the relevant link, the ground for deletion of the links and the applicant’s consent for personal data processing.

The procedure for dispatching of the request by the natural person

After the receipt of the natural person’s request the search engine operator within 10 days has a right to send to such natural person a one-time notice asking to clarify/correct the details in the request as well as to send to the operator his/her ID. Within 10 days from such notice the applicant must correct the defects and send corrected details, and, if required, the ID to the operator. After this the operator also within 10 days must stop providing links to the specified information or send to the applicant a justified refusal. If the applicant considers such refusal unjustified he/she has a right to file a lawsuit to a court requesting to stop providing the links to the said information.

The mode of sending of the request by the natural person is not specified in the law. However, it is stated that the operator’s reply must be sent to the applicant in the same form as his request.

Other changes

The said law also gave a definition to the important term related to the protection of information in Internet, i. e. “search engine”, which was defined as an information system making searches in Internet at the request of an Internet user for information of certain content and giving links for access to such information. The state and municipal information systems as well as other systems used for carrying out of the public powers are excluded from this definition.

[1] Federal Law No. 264-FZ dated 13 July 2015 “On the Introduction of Changes into the Federal Law “On information, information technologies and protection of information” and Articles 29 and 402 of the Civil Procedure Code of the Russian Federation”

