Russian Data Protection Law: Retention Periods, Security Obligations, and More
The Russian Personal Data Law (PD Law) sets out specific rules governing the processing and retention of personal data in Russia. In a recent interview, experts revealed that the length of time certain documents containing personal data should be retained can vary significantly, ranging from one year to 75 years.
Processing Purposes
Under Article 5 of the PD Law, any data processing must be carried out for specific, explicit, and legitimate purposes. Data operators must ensure that inaccurate personal data is rectified or deleted, and that personal data is destroyed or depersonalized once the purpose of processing has been met. The law provides no exceptions from this finality principle.
Security Obligations
The PD Law imposes security obligations on data operators and on third-party service providers that process personal data on their instructions. The law does not prescribe specific security measures, but it requires data operators to take technical measures against unauthorized access to, and loss, blocking, or destruction of, the personal data they process.
- Data operators must establish an internal system of control over access to personal data.
- Any personal data information system must be certified by the Federal Service for Technical and Export Control (FSTEK).
Notification of Data Breach
The PD Law does not require data operators to notify authorities or individuals of data security breaches. However, if a request for rectification is made by an affected individual or by Roskomnadzor, the operator must notify the requesting individual or Roskomnadzor within three days.
Data Protection Officer
Under Article 22.1 of the PD Law, data operators are required to appoint a data protection officer (DPO). The DPO is responsible for:
- Implementing internal controls
- Making employees aware of personal data-related regulations
- Dealing with applications and requests from individuals
Record Keeping
Data operators must regularly conduct internal audits of personal data-processing activities to ensure compliance with the PD Law. There are no specific requirements for record keeping, but data operators may need to maintain records of access to personal data.
Registration and Notification
As a general rule, data operators must register with Roskomnadzor, which maintains a public register of registered data operators. The registration procedure consists of:
- A one-off notification from the data operator
- Notification to Roskomnadzor of any subsequent changes to the processing characteristics
Exemptions apply for simple, one-off collections of data and HR-related data.
Formalities
The notification form required for registration can be found on Roskomnadzor’s website, along with guidance on its completion. The notification must include:
- Name and address of the data operator
- Type of data being processed
- Purpose of processing
- Time frame of processing
- Description of IT systems and security measures used
Conclusion
Russia’s Personal Data Law sets out specific rules governing the processing and retention of personal data in Russia. The finality principle admits no exceptions: data operators must ensure that inaccurate personal data is rectified or deleted, and that personal data is destroyed or depersonalized once the purpose of processing has been met.