26 Oct 2016

The Right Way to Protect Personal Data

Law No. 152-FZ On Personal Data, which was adopted 10 years ago, was primarily intended to protect citizens’ rights and freedoms, such as the right to privacy and family. Olga Korotkova, Deputy Head of the Department of the Federal Supervision Agency for Information Technologies and Communications for the Central Federal District, has explained the key provisions of the law on the website of the Prefecture of the Eastern Administrative District of Moscow.

In her interview, the official has described the current aims of the agency authorized to protect the rights of personal data owners.

We have asked Mikhail Emelyannikov, the lead expert on Information Security and the Managing Partner at Emelyannikov, Popova and Partnery Consulting Agency, to comment on the recently issued article.

You can see the key issues from the interview with Olga Aleksandrovna below.

What is “personal data”?

In international practice, this notion was defined in the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No. 108) dated January 28, 1981. The notion of “personal data” in the Russian Federation closely corresponds to that definition and means any data that is directly or indirectly related to an individual, the personal data owner.

Who are personal data operators?

Any state or municipal authorities, as well as individuals and legal entities who organize and conduct personal data processing and who determine the actions required for data processing, along with the composition of the data.

How does one legally become a personal data operator?

Prior to commencing data processing, the operator must inform the competent department on the protection of rights of personal data owners about their intention to conduct personal data processing according to Part 3, Article 22 of the Federal Law On Personal Data. The respective notice can be submitted either in paper format or electronically. The cases described in Part 2, Article 22 of Law No. 152-FZ represent exceptions.

Once the notice is submitted, the information about the operator is entered into the Registry of Personal Data Operators. The information contained in that Registry is available to the general public. Anyone can look through it on the Personal Data Portal of the Federal Supervision Agency for Information Technologies and Communications (Roskomnadzor) at http://pd.rkn.gov.ru. People often contact the Department of Roskomnadzor because they fail to find the organization to which they provide personal data in the Registry. And that causes concern about the safety of such personal data.

Like I said before, the law outlines a number of exceptions that allow the operator to process personal data without notifying Roskomnadzor.

Is it difficult to become a personal data operator?

According to Olga Korotkova, not so much. This implies no financial expenses. Moreover, a notice of personal data processing can be submitted electronically and Roskomnadzor has drafted recommendations on how to fill in the notice form. This information is available on the Personal Data Portal or on the website of any regional Roskomnadzor Department. Besides, the Department employees offer assistance in filling out the notice and provide explanations for any points of friction.

Are there operators who chose not to make themselves known, and if yes, why?

Olga Aleksandrovna reminds us that processing data without proper notification, when none of the grounds listed in Part 2, Article 22 of the Federal Law On Personal Data apply, is a breach. The activities of some organizations really do fall under these exceptions. But there are also some organizations that mistakenly do not consider themselves personal data operators. Ms. Aleksandrovna provides an example from her own experience. An organization indicated in its information letter that it uses the e-mail addresses and full names of its website users as protection against spam. This does not represent a legal basis for personal data processing without notification, which is why the Department requested a proper notice.

Some organizations also fail to submit notices in the belief that this will save them from Roskomnadzor inspections. However, this is not true, because the inspection schedule also includes organizations whose operations provide no grounds for personal data processing without notification. Moreover, the Department periodically reminds organizations about the legal requirements and requests that they provide the notice on personal data processing.

What trends are observed in the filling of the Registry of Personal Data Operators?

Some organizations are terminating their activities, others are just starting. So the question of whether the Registry would be complete remains open. According to Ms. Aleksandrovna, taking responsibility for the personal data safety has become an important component in developing the image of a reliable organization. The regional Roskomnadzor Departments, in their turn, carry out awareness-raising and preventative activities in order to bring down the number of breaches in the field of personal data.

Detailed information on the procedure of inputting data into the Registry of Personal Data Operators is available on the Personal Data Portal of Roskomnadzor.

Putin instructed to accelerate work to strengthen the protection of personal data

Russian President Vladimir Putin instructed the government to accelerate work aimed at amending legislation in order to strengthen the protection of personal data of Russians and to promote the development of Russian organizations.

"The government … to speed up the preparation and introduction of amendments to the federal law 'On Personal Data' aimed at strengthening the protection of personal data of citizens, as well as at promoting the development of Russian organizations developing software and hardware and software systems," the instruction says.

The Russian State Duma Approves Increased Fines for Violation of Data Processing Requirements

The Russian State Duma has adopted in the third reading the draft law that proposes to stiffen penalties for violation of rules applicable to personal data processing in Russia, as established by Federal Law No. 152-FZ “On Personal Data”. The fine for first-time violators could reach up to RUB 6. Repeated violations of the data localization law can incur increasing fines with a maximum penalty of RUB 18 million for legal entities.

The main legal requirement is that information about Russian users must be stored in the territory of the Russian Federation. On December 2, 2019, President Vladimir Putin signed Federal Law No. 405-FZ, On the Introduction of Amendments to the Administrative Offenses Code of the Russian Federation. As of December 13, 2019, the Code has introduced a new constituent element of an administrative offense: breach of localization requirements.

Failure by an operator to comply with the requirement leads to increased fines:

for officials – up to RUB 200,000 (approximately US$3,350)

for legal entities – up to RUB 6,000,000 (approximately US$100,000)

For repeated violation:

for officials – up to RUB 800,000 (approximately US$13,350)

for legal entities – up to RUB 18,000,000 (approximately US$300,000)


Load testing is the process of putting demand on a system and measuring its response. Load testing generally refers to the practice of modeling the expected usage of a software program by simulating multiple users accessing the program concurrently. This test method allows you to determine whether the tested solution, application or device meets the stated requirements.

CT Consulting specialists, in cooperation with the partner-expert Performance Lab team, made all necessary changes with the subsequent transfer of tests. Load testing was successful: CT Consulting has managed not only to optimize the solution, but also to obtain a technological base for making similar changes in the future. The project passed from start to finish without a single delay. We can say that the task was completed 100%.

DFG152 has been certified by FSTEC Russia

DFG152 is now licensed by FSTEC (Russia's Federal Service for Technology and Export Control)

MASTERDATA Company is proud to announce successful completion of the certification process for the DFG152 software and the obtaining of an FSTEC Certificate. Certificate No. 3766 was issued on June 30, 2017, based on the results of successfully passed certification tests conducted by the testing laboratory Echelon NPO CJSC. The certificate states that the DFG152 solution, developed by the MASTERDATA Company in accordance with the specifications RU.81363339.501410.001 TU, meets the requirements of the document entitled «Protection against unauthorized access to information. Part 1. Software protection information. Classification by the level of control of absence of undeclared options» by the security level of 4 when implementing the operating instructions. Successful certification by FSTEC is an indicator of the reliability of the DFG152 software and gives the opportunity to actively work with confidential information and personal data.

LinkedIn May Be Blocked in Russia

Moscow's Tagansky district court granted Roskomnadzor's petition, but this decision has not yet entered into force. LinkedIn has appealed to the Moscow City Court, whose hearing will be held on 10 November. Roskomnadzor intends to limit access to the largest business social network, LinkedIn, as reported by "Kommersant". The agency believes that LinkedIn is breaking the law "On Personal Data" as it did not move its servers to Russia, and also collects and transmits information about citizens who are not users of the network, without their consent. It is reported that the violations of the law were identified during an inspection, which began due to publications in the media about repeated leaks of user information from this social network. According to Roskomnadzor, the agency has twice sent LinkedIn requests for information on the network’s compliance with the personal data law. Roskomnadzor has not received any essential answer. LinkedIn is the largest business networking and job search site. In 2015 the site exceeded 400 million registered users. Of those, 5 million were from Russia.

Source of the article: http://kommersant.ru/doc/3126052