


Implementation of the GDPR in Russia


Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, commonly known as the General Data Protection Regulation (hereinafter referred to as the “Regulation” or “GDPR”), has applied since 25 May 2018.


The Regulation applies in the Russian Federation because of its extraterritorial scope (Article 3(2)). It directly affects Russian companies that process the personal data of individuals located in the EU as part of their business activities, above all companies offering goods or services to such individuals or monitoring their behaviour: online shops, mobile telecom operators, ticket booking services, travel agencies, transport and financial companies, and so on. The decisive factor is the data subject's presence in the EU, not citizenship: the Regulation protects citizens of non-EU countries who are physically present in the EU just as it protects EU citizens.


An infringement of the GDPR may be sanctioned with an administrative fine of up to EUR 20,000,000 or, in the case of an undertaking, up to 4 percent of its total worldwide annual turnover of the preceding financial year, whichever is higher. In addition, an EU supervisory authority may impose a temporary or definitive limitation on processing within the EU, up to and including a ban on processing.


To avoid these sanctions, businesses should comply with the GDPR requirements, in particular: establishing a lawful basis for each processing operation (for example, the data subject's consent), documenting their processing operations, and observing the data processing principles of lawfulness, fairness and transparency, purpose limitation (collecting personal data only for specified purposes), data minimisation, accuracy, storage limitation, and integrity and confidentiality.


Complications may arise from the discrepancies between the Regulation and Russian law. Federal Law No. 152-FZ “On Personal Data” (hereinafter referred to as “Law 152-FZ”) is, like the GDPR, based on the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data and on the EU Directive 95/46/EC on the protection of personal data. On the one hand, both instruments therefore have much in common, particularly as regards the principles of data processing. On the other hand, they differ in several respects. For example, the GDPR grants the data subject a right of access to their personal data and a right to data portability, i.e. to have the data transmitted from one controller to another, and it recognises only a clear affirmative act of the data subject as valid consent to processing on websites (pre-ticked boxes or mere inactivity do not suffice). The Regulation also relies on independent national supervisory authorities, coordinated by the European Data Protection Board, and requires that a personal data breach be notified to the competent supervisory authority within 72 hours of the controller becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.


Under Article 27 of the Regulation, a controller or processor established outside the EU that falls within the Regulation's scope must designate in writing a representative in the EU. Under Article 27(4), the representative is mandated to be addressed, in addition to or instead of the controller or processor, by supervisory authorities and data subjects on all issues relating to the processing, for the purpose of ensuring compliance with the Regulation. The Regulation places only general requirements on the scope of the representative's mandate. Accordingly, a situation cannot be excluded where a holding company established in the EU and acting as representative asks its Russian subsidiary to demonstrate its compliance with the EU requirements for personal data processing.


The following disputable situation may thus emerge: if the Russian subsidiary accepts the request to comply with the European requirements for personal data processing, it also undertakes to fulfil any request of the EU representative concerning the transfer of personal data. The question is whether the Russian company may follow these rules.


On the one hand, the EU Regulation should apply because the subsidiary processes the personal data of individuals in the EU. On the other hand, Law 152-FZ should apply because the subsidiary is located in the Russian Federation.


According to Article 18 Clause 5 of Law 152-FZ, “when collecting personal data, including via the Internet, the operator shall ensure that the personal data of Russian citizens are recorded, systematised, accumulated, stored, clarified (updated, amended) and retrieved using databases located in the Russian Federation” (the so-called data localisation requirement).


According to Article 12 Clause 1 of Law 152-FZ, any transfer of personal data to a foreign authority, or to a foreign natural or legal person, in the territory of a foreign state (cross-border data transfer) shall take place in accordance with that Federal Law and may be prohibited or restricted in order to protect the foundations of the constitutional order of the Russian Federation, public morals, health, or the rights and legitimate interests of citizens, or to ensure national defence and state security.

 

In addition, Article 22 Clause 1 of Law 152-FZ requires the operator to notify the authority responsible for protecting the rights of personal data subjects (Roskomnadzor) of its intention to process personal data before processing begins. Among other things, the notification must state whether a cross-border transfer of personal data will take place in the course of the processing.


Thus, Russian law does not forbid Russian subsidiaries from transferring the requested data to their parent companies in the EU acting as representatives. Nevertheless, the Russian subsidiary may not transfer the personal data of Russian nationals in breach of Russian law: before the transfer takes place, it must be checked against the localisation requirement of Article 18 Clause 5, the cross-border transfer rules of Article 12 and the notification duty of Article 22.


In this situation, the company is advised to review its internal personal data processing procedures. A solution may be found in the concept of cross-border data transfer provided for by the Russian legislator. The company may include in a dedicated agreement a clause stating that the data transfer will take place in accordance with the procedure established by Russian personal data law, with the data first recorded in databases located in Russia and only then transferred abroad, so as to comply with Article 18 Clause 5 of Law 152-FZ on the use of databases. Under this procedure, personal data may be transferred for specified purposes and for a specified period of time. A memorandum or a supplementary agreement regulating this matter is a viable alternative to a stand-alone cross-border transfer agreement.

 

Many Russian businesses have already done their homework to prepare for the new requirements.

Before the Regulation came into force, JSC Russian Railways updated its ticket sales software and amended the rules published on its website governing the distribution of electronic tickets. Sberbank is currently working on a unified system for personal data processing and protection that would comply with both Russian and European norms.


Our recommendations to companies that have not yet brought their systems into line with the requirements of the Regulation are:

  • Carry out a comprehensive analysis of the company's procedures and personal data processing tools; trace, audit and analyse the flows of personal data;
  • Update the Terms of Use and privacy notices;
  • Develop an internal data protection policy; determine the minimum set of records and reports that the controller and processor actually need to keep;
  • Appoint a data protection officer.

 

Contacts


Tatiana Vukolova

Lawyer

Associate Partner

+7 495 9335120
