In a continuation of the existing practice of regularly updating our clients about changes in Russian legislation and law enforcement practice, in this legal alert we inform you that the period initially set by the Federal Law "On Personal Data" [1] (hereinafter the "Law") for bringing personal data information systems into compliance with the requirements of the Law has been moved from 1 January 2010 to 1 January 2011. Also, changes have been made to the Law concerning the requirements for personal data information systems.
As of today, all companies process data for accounting and bookkeeping and also store information on contractors and contracts being implemented. Such processing signifies the presence of an information system for processing personal data, and means that all companies must take into account the requirements of this Law.
General Requirements for Personal Data Information Systems
Under the Law, all operators of personal data must bring their information systems into conformity with the Law's requirements, in particular, taking organizational and technical measures to protect personal data when they are being processed.
Processing of personal data within the framework of this Law shall be understood to mean actions (operations) involving personal data, including the gathering, systemization, accumulation, storage, revision (updating, amending), use, distribution (including broadcasting), depersonalization, blocking, and destruction of personal data.
A personal data information system shall be understood to mean an information system that includes the combination of personal data held in databases, as well as information technologies and technical resources allowing one to process such personal data using automated equipment.
The processing and organization of technical protection of personal data for purposes of the Law are regulated by a range of RF Government resolutions and normative documents of the regulatory authorities. The regulatory authorities in this area at the moment are the Federal Service for Technical and Export Control of the RF and the Federal Security Service of the RF.
The procedure for ensuring the security of personal data when processing them in personal data information systems is regulated by the Provisions approved by resolution No. 781 of the Government of the Russian Federation dated 17 November 2007. Individual requirements for methods and means of protecting information in personal data information systems are set out by the Provisions approved by Order No. 58 of the Federal Service for Technical and Export Control. The Provisions envisage methods and means for protection of information from unsanctioned access, and from leakage through technical channels irrespective of the class of the information system.
In accordance with the requirements of legislation, each personal data operator is required to classify the personal data information system being used with the purpose of establishing the methods and means of protecting information necessary to ensure the safety of personal data. In accordance with current regulations, classification of a personal data information system is done according to several criteria:
- category of personal data being processed;
- volume of personal data being processed (i.e., the number of subjects of personal data the personal data of which is being processed in the information system);
- safety characteristics of personal data (standard and special) given by the operator;
- presence of connections to common use networks;
- structure of information system (autonomous, local, distributed);
- processing regime and delimitation of users' access rights, etc.
When classifying an information system according to the above criteria, it is first necessary for an operator to determine whether a system is standard or special.
A standard information system is one which requires guaranteeing only the confidentiality of personal data.
A special information system is one which, besides confidentiality of personal data, requires guaranteeing at least one of the other characteristics of personal data safety (for example, integrity, security from destruction, alteration, etc.). The following must be assigned to the class of special information systems in all cases:
- information systems in which personal data are processed that deal with the health conditions of the subjects of the personal data;
- information systems that envisage the making, based exclusively on automated processing of personal data, of decisions engendering legal consequences for the subject of the personal data or in some other way affecting its rights and legal interests.
Depending on the category and scope of the personal data, as well as the security characteristics of the personal data set by the operator, a standard information system is assigned to one of four classes. The class of a special information system is determined on the basis of a model of threats to the security of personal data in accordance with the methodical documents developed by the regulatory authorities.
It must be noted that technical protection activity for confidential information (protection from unsanctioned access, including via technical channels, as well as from special attacks on information with the goal of destroying it, distorting it, or blocking access to it) is a licensed type of activity. As a result, if an operator processes personal data in special information systems or in standard information systems of the first or second classes, and also in certain cases in standard information systems of the third class, then the operator is required to obtain a license to perform technical protection activity for confidential information, the licensing of which is assigned to the competence of the Federal Service for Technical and Export Control of the RF.
In order to protect personal data information systems, operators may use only certified software and equipment. Operators can develop such software and equipment on their own, or acquire it from organizations holding the relevant licenses and certificates. If the software and equipment for technical protection of personal data in the information system is developed by the operator himself, then the operator is also required to obtain a license to perform activities in the development and/or production of means for protecting confidential information; the licensing of such activities is assigned to the competence of the Federal Service for Technical and Export Control of the RF, while licensing of the development of cryptographic methods is assigned to the competence of the Federal Security Service of the RF.
Change in the Terms and General Requirements for Personal Data Information Systems
On 27 December 2009, Federal Law No. 363-FZ "On making amendments to Articles 19 and 25 of the Federal Law 'On Personal Data'" introduced two substantial amendments to the Law. First, the deadline by which all operators of personal data must bring their personal data information systems into full compliance with the Law's requirements has been moved from 1 January 2010 to 1 January 2011.
Second, the duty of operators of personal data to use cryptographic methods of protecting information when processing personal data has been excluded from the Law. This particular change will allow operators of personal data to simplify the procedure for processing personal data, as well as to avoid substantial expenses related to acquiring cryptographic equipment and software and installing cryptographic information protection in personal data information systems.
Conclusion
At present, liability for failure to observe the requirements of legislation on personal data includes both measures of an administrative and civil-legal nature and, in certain cases, criminal punishment.
Taking this into account, we recommend that you appraise the status of your existing personal data information systems and work out measures to fulfill the requirements of legislation in regard to bringing such systems into compliance with the Law's requirements.
Additional Information
Should our clients have any questions in connection with the above, they can obtain clarifications from the lawyers of the Moscow representative office of Baker & McKenzie via Valery Fedoreev, attorney, Edward Bekeschenko, partner, or Igor Makarov, partner, by phone at +7 (495) 787 27 00.
This LEGAL ALERT is to inform Baker & McKenzie clients and other interested persons of any amendments to legislation that might in some way affect their activities or be of particular interest to them. The opinions and comments in this LEGAL ALERT do not constitute a legal opinion and cannot substitute for obtaining legal advice or opinions in specific practical situations.
--------------------------------------------------------------------------------
[1] Federal Law No. 152-FZ "On Personal Data," dated 27 July 2006