Russian personal data protection legislation is formulated in a way that, in many instances, allows broad interpretation of rules and restrictions. For this reason, personal data operators sometimes need to wait until courts explain certain ambiguous provisions of the law or the Federal Service for Supervision of Communications, Information Technology, and Mass Media (Roskomnadzor) issues general or individual clarifications on how provisions of the personal data protection laws are to be applied.
In response to one of our recent enquiries related to the implementation of the Russian Federal Law on Personal Data, Roskomnadzor has provided comments that we consider to be of interest to our clients.
A mandatory written consent to personal data processing can only specify one purpose and one operator for personal data processing
According to Roskomnadzor, the provisions of the Russian Federal Law on Personal Data that establish the requirements for a written consent to personal data processing use the terms “a purpose” and “an operator” of personal data in the singular, and they are not subject to broader interpretation. Therefore, in cases where, under the law, it is necessary to obtain a consent for personal data processing in written form (for example, for the transfer of employees’ personal data to third parties or for the transfer of personal data to the territory of foreign states which do not provide adequate protection of personal data subjects’ rights), only one purpose and one operator can be indicated in such consent. This means that, in order to process personal data for several purposes or to transfer data to several third parties, the operator must obtain separate consents. Similarly, the European General Data Protection Regulation (GDPR) provides that consent should cover all processing activities carried out for the same purpose and that, when the processing has multiple purposes, consent should be given separately for each purpose. Roskomnadzor noted that where the law does not require consent to be in writing (for example, when personal data processing is delegated to another party, the written consent of the personal data subject is not required), such consent can specify several personal data processing purposes and operators, as well as identify several third parties to which personal data is to be transferred.
Branches and representative offices of a legal entity do not need to obtain a separate consent from a personal data subject for the processing of their personal data
Roskomnadzor indicated that if a company has legal grounds for processing the personal data of a personal data subject (for example, an agreement or a subject’s consent to personal data processing), it will not be required to obtain additional consents from the individual for the transfer and further processing of his/her personal data by a branch or a representative office of such legal entity. However, this will not be the case when the personal data of employees of a branch or a representative office needs to be transferred to the head office located in a country which, according to Russian state authorities, does not provide adequate protection of personal data subjects’ rights (e.g., the USA). In this situation, the employer needs to obtain the written consent of the employees in a form established by law.
The operator determines the content of the document setting out its policy regarding personal data processing at its own discretion
Under the Russian Federal Law on Personal Data, operators are obliged to publish, or otherwise provide unrestricted access to, the document setting out their policy regarding personal data processing. Recommendations for drafting such a document were developed by Roskomnadzor and published on its official website; however, operators still have many questions with regard to such policy, since there are no clear rules as to the content of this document. Roskomnadzor confirmed that the above-mentioned Recommendations are not mandatory, and that it is operators that determine the structure and content of such policy. This means that an operator determines the content and the form of such document and, for instance, can develop and implement several separate policies regarding personal data processing applicable to different groups of users (for example, if an operator has several websites for the sale of goods or services, it has the right to publish, on each of its websites, a policy on personal data processing related only to that website’s visitors).