The transfer of data outside Russia to member countries of the European Human Council Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Strasbourg Convention) and to other countries offering adequate data protection guarantees in accordance with Roskomnadzor is permitted. 5.4 Other – personal data that does not belong to any of the above categories (public, biometric, special). 5.3 Special – personal data relating to the race, ethnic origin, political opinions, religious beliefs, state of health, sex life of the persons concerned. Organisations must employ a Data Protection Officer (DPO) in the following cases: Personal data: Any information relating directly or indirectly to an identified or identifiable person (data subject). In 2014, the Commissioner also published a handbook on international transfers of personal data, which provides guidelines on international transfers of personal data. Small processors: controllers or processors who process personal data electronically or manually by fewer than six processors, either directly or through processors. Controllers have many obligations towards data subjects. In particular, data controllers must: The Federal Law on Personal Data applies to any legal entity, including any foreign person with a legal presence in Russia, that collects personal data in Russia. It also applies to entities not established in the Russian Federation if they target and benefit from their activities in the Russian Federation. The transmission of sensitive data for scientific research only takes place if there is an important public interest. Personal data will only be used by persons who are required to maintain confidentiality. Where data processing is carried out in such a way as to allow the identification of the data subject, the data should be immediately encrypted so that the data subjects are no longer identifiable.

Encrypted personal data will only be used by persons who are required to respect confidentiality. 3.10 Personal data must be accurate and kept up to date if necessary. The operator is obliged to ensure the accessibility of personal data for inspection by data subjects at their request. In the event that such persons discover that such information is out of date or inadequate, the Operator is obliged to cease processing such information until the necessary changes are made. There are also some restrictions on how employee data is processed. Some categories of employee data cannot be processed at all, even with the employee's consent. This includes data on criminal convictions, as well as information on employees' trade union membership, unless such processing is necessary to comply with certain procedures established by Russian legislation, such as with regard to the dismissal process or employment in certain positions that require criminal review. Personal data the dissemination of which is authorised and publicly available with the consent of the data subject by consent to the processing of personal data.

Maria represents international clients in matters of data protection regulation in Russia, advises on operators' obligations regarding data processing, including cross-border data transfers, as well as on the structuring of data flow between members of international groups. Maria supports Russian and foreign clients with her expertise in areas such as pharmaceuticals and healthcare, consumer goods, banking and financial institutions, retail, telecommunications, media and technology. Irina Anyukhina is the Coordinating Partner for Data Protection, Intellectual Property and TMT at ALRUD Law Firm. Irina has extensive knowledge of IP rights protection in various sectors, including licensing and assignment of IP rights and enforcement of trademarks, patents and other IP-related matters. She specializes in the data protection, IT, telecommunications and entertainment sectors. Since the adoption of the law, several amendments have been introduced to ensure that the law is well equipped to meet today's technological and data protection challenges. One of the changes concerns the data localization requirement, which requires the storage of Russian citizens' data in databases in Russia. This will continue to allow cross-border data transfers if the conditions for cross-border transfers are met. Controllers must ensure that they have legitimate grounds to process personal data. To this end, companies should check whether any of the grounds provided for in the Personal Data Act apply to the envisaged data processing. If this is not the case, the duly formalised consent of the data subjects serves as a legitimate ground for the processing of the data or, where applicable, the data may be processed on the basis of an agreement concluded with a data subject or where the data subject is a beneficiary or guarantor, or to conclude a contract with a data subject.
5.1 Public – personal data obtained only from publicly available sources of personal data that are processed in accordance with Article 8 of the Russian Federal Law on Personal Data (No. 152-FZ).

Data controllers are required to conduct an audit to verify compliance with Russian data protection requirements at least every three years. Controllers shall implement sufficient organisational, legal and technical measures to ensure the security and confidentiality of the personal data processed. The Personal Data Act contains a basic list of measures to ensure the security of personal data. In addition to these measures, companies must take additional security measures in accordance with the provisions of Decree No.