Legal Alert – The Requirement to Localize Personal Data in Russia Will Enter into Force on 1 September 2015
The heavily debated new rules on processing the personal data of Russian citizens will enter into force on 1 September 2015. All companies having operations in Russia should take into account at least the following issues:
- All Russian and foreign individuals and legal entities (e.g. Finnish companies having a Russian subsidiary) that collect the personal data of Russian citizens must process such data by using databases located on the territory of Russia.
- This requirement applies to the majority of methods used in processing personal data.
- The changes will affect B2B and B2C companies that have business in Russia, employ Russian citizens, or provide any services or sell goods to Russian citizens, whether in or outside Russia. The changes will also affect Russian companies that use IT services based on infrastructure located outside Russia, such as web hosting, online software, etc.
- Substantively, this requirement obligates the majority of international companies to place those parts of their information systems that contain Russians’ personal data in Russia. The new legislation does not, however, prohibit the placing of mirror copies of such databases located in Russia in a foreign country.
- Violation of the above-mentioned requirements may result in administrative fines or suspension of access to the website (or its part) on the territory of Russia.
It should also be noted that the Parliament of the Russian Federation is currently considering a bill on the increase of the amounts of administrative fines for the violation of the law on personal data.
Our Privacy & Data Protection team has developed efficient tools and analyses for Russian data protection compliance.