Utilizziamo cookies e tecnologie similari per migliorare l’esperienza all’interno del sito e offrire all’utente un servizio di maggior valore. I cookie presenti su questo sito sono cookie tecnici per garantire il funzionamento del sito e cookie analitici, anche di terze parti, utilizzati da noi e dai nostri partner per misurare le performance del Sito e capire i contenuti che vi interessano. Per accettare i cookie clicca «accetta i cookie analitici». Per rifiutare i cookie clicca «rifiuta i cookie analitici». Per maggiori informazioni ti invitiamo a leggere la nostra Cookie Policy.



Processing of biometric data: novelties in Russian law

PrintMailRate-it
published on 25 November 2021 | reading time approx. 5 minutes

Personal biometric data are becoming more and more important for the state and for business, giving their owners access to various convenient services. For example, a growing number of people using bank services are identified by means of facial recognition, speaker authentication, fingerprints, etc. The rapidly growing importance of biometrics leads to certain changes in the legal regulation of personal data. Russia is no exception in this respect, having adopted in 2021 numerous legal acts regulating the biometric data processing. Some changes in Russian laws are described below.

Approved new procedure for processing of personal biometric data 

The Ministry of Digital Development, Communications and Mass Media of the Russian Federation has approved a new procedure for processing, including collection and storage, of the personal biometric data parameters in the Unified State Biometric System (UBS) (details regarding the UBS are provided in the next section) as well as in other information systems ensuring identification and/or authentication of individuals (Decree No. 930 issued by the Russian Ministry of Digital Development, Communications and Mass Media on 10.09.2021). The new procedure will take effect on 1 March 2022 and apply till 1 March 2028, replacing the current rules (Decree no. 321 issued by the Russian Ministry of Digital Development, Communications and Mass Media on 25.06.2018).

The new decree regulates processing of the data owner’s images and voice , which have been collected applying a text-dependent method, i.e. while reading a specific text. The data owner’s their written consent will still be needed for processing of their personal biometric data. According to the above decree, biometric personal data will be stored in the Unified Biometric System for at least 50 years. The biometric data (collected  in the UBS as well as in other information systems) may be used for identification and/or authentication purposes within no more than five years of the collection date.

Higher volumes of data in the Unified Biometric System 

The Unified Biometric System (UBS) is the Russian digital platform for remote biometric identification of Russian citizens, which was implemented at the request of the Russian Central Bank and the Russian Ministry of Digital Development, Communications and Mass Media in 2018. PAO Rostelecom is the developer and the operator of the system. Above all, this system is used by banks. However, its application scope is expanding and covers also public services, health care, e-commerce, etc. The UBS contains the data types specified in Russian Governmental Decree no. 772 of 30.06.2018, and in particular: one’s facial image and/or voice data, contact details (phone number, e-mail), account ID in the system, etc. Since 19 August 2021 more data has been included in the UBS: Now the system contains, in particular, information about one’s birth date and nationality/(-ies), information about the authorities and organizations submitting the data to the system, information regarding the method of biometric data collection, etc. (Russian Governmental Decree no. 1345 of 16.08.2021).

The state supports use of the system by the organizations connected thereto and reimburses them for a part of the fee charged by the UBS operator. According to Decree no. 662 issued by the Russian Ministry of Digital Development, Communications and Mass Media on 29.06.2021, such reimbursement may cover up to a half of the fee payable for system use, including VAT.

Approved situations of possible use of biometric data outside the UBS 

In October 2021 the Russian Government made a list of the situations in which legal entities and entrepreneurs operating as sole traders may accumulate and process biometric personal data in their information systems (i.e. outside the UBS). This list includes the following situations of personal data processing: 
  • personal data of taxi drivers and car sharing drivers;
  • personal data of persons entering the company’s territory (excluding organizations operating in certain fields, e.g. energy industry, chemical industry, etc.);
  • personal data of the participants in general meetings of civil companies (shareholders of legal entities, creditors in case of insolvency proceedings, etc.), excluding banks, insurance companies, companies operating in certain other fields, etc.
The above regulatory act (Russian Governmental Decree no. 1815 of 23.10.2021) will take effect on 1 March 2022 and apply till 1 March 2028.

Organizations owning information systems that ensure identification and/or authentication of individuals by means of their biometric data or provide such identification/authentication services will have to get accredited by the Russian Ministry of Digital Development, Communications and Mass Media beginning on 1 January 2022. Foreign legal entities can also get such accreditation. The  accreditation rules are provided in Russian Governmental Decree no. 1799 of 20.10.2021, which will apply for six years (i.e. until 1 January 2028).

List of identified safety concerns for biometric data

The Russian Ministry of Digital Development, Communications and Mass Media has approved a list of identified safety concerns arising during use of personal biometric data. The relevant decree of the Ministry came into force on 14 November 2021 (Decree no. 902 of 01.09.2021). The safety concerns listed in this regulatory act include in particular: violation of integrity of personal biometric data (through substitution, deletion thereof) and their compromising during automated processing by user’s equipment; safety concerns arising when collecting biometric data in offices, branches or internal subdivisions of companies, including unauthorized access to information by using code or network weaknesses, malware etc. The Decree also covers the safety concerns arising during the collection of biometric data which involves using mobile phones and tablets and during data transmission between devices as well as safety concerns which may arise during interaction between authorities, individual entrepreneurs, notaries and organizations (other than financial institutions) on the one part and information systems on the other part, etc.

This list may be applied in particular for checks of biometric data and transmission of information about matches thereof to the data owner in information systems of the organisations applying biometric identification or authentication.

Recommendations to companies

The above list of changes is not exhaustive: there have been a number of novelties with regard to state control over identification security and provision of governmental services involving use of biometric data. All companies (including foreign ones) processing personal biometric data of Russian citizens should take numerous changes in the Russian laws regulating this sphere into account to ensure that their activities comply with applicable rules and to avoid sanctions.

 DATA PROTECTION BITES

Our newsletter aims at collecting updates, news and insights on data protection matters worldwide, 
with a special focus on the GDPR. 

CONTACT

Contact Person Picture

Tatiana Vukolova

Lawyer

Associate Partner

+7 495 9335120

Invia richiesta

 RÖDL & PARTNER RUSSIA

​Discover more about our offices in Russia. Read more »
Deutschland Weltweit Search Menu