Storing Personal Data on a Foreign Server: A Threat to Business?

1/6/26

In modern business, personal data processing is an integral part of operations: customer contacts are collected via website forms, employee records are maintained in HR systems, and order and payment processing also takes place on websites. In this environment, the decision of where to store a customer database is not merely an IT question, but a critical element of legal compliance and risk management.

Effective July 1, 2025, amendments have been introduced to Federal Law No. 152-FZ of July 27, 2006, "On Personal Data" (hereinafter referred to as "Federal Law No. 152"). Specifically, when collecting personal data, it is prohibited to use databases located outside Russia (Article 18, Paragraph 5 of Federal Law No. 152).

Legality of Personal Data Collection on Servers Located Outside the Russian Federation

"Collection of personal data" refers to a purposeful process of obtaining personal data by an operator directly from the personal data subject or through specially engaged third parties (for example, filling out a personal data collection form for user registration in a personal account on the operator's website).

The collection of personal data includes the following actions (Article 18, Paragraph 5 of Federal Law No. 152):

  • Recording;
  • Systematization;
  • Accumulation;
  • Storage;
  • Updating;
  • Extraction.

The primary collection of such data must be carried out exclusively using databases registered in Russia (for example, Google Analytics services are prohibited, as their operational mechanism involves immediate data transfer, including to the USA).

Thus, Russian legislation provides for the principle of personal data localization: personal data must first be entered into databases located within the Russian Federation.

Legality of Cross-Border Personal Data Transfer

The transfer of personal data to the territory of a foreign state, to a foreign state authority, to a foreign individual, or to a foreign legal entity is permitted (this is known as "cross-border personal data transfer").

For this, the operator must comply with established requirements, specifically: notify Roskomnadzor of the planned cross-border transfer, and obtain certain information from the foreign entities to whom the cross-border data transfer is planned (Article 12 of Federal Law No. 152).

Therefore, the transfer of personal data outside Russia, provided it was initially stored on a Russian server during collection, is permitted subject to compliance with the requirements specified in Article 12 of Federal Law No. 152.

Liability for Violating Personal Data Localization Requirements

Roskomnadzor regularly identifies companies that store data of Russian citizens abroad. Administrative offense cases are initiated against such organizations, fines are imposed, and websites may be added to the register of violators and blocked. Furthermore, additional demands from Roskomnadzor may be issued.

Russian legislation provides for administrative liability for an operator who, when collecting personal data, fails to fulfill the obligation to ensure that the recording, systematization, accumulation, storage, updating (renewal, modification), or extraction of such data is carried out using databases located on the territory of the Russian Federation (Part 8, Article 13.11 of the Code of Administrative Offenses of the Russian Federation):

  • For individuals: an administrative fine of 30,000 to 50,000 rubles;
  • For officials: an administrative fine of 100,000 to 200,000 rubles;
  • For legal entities: an administrative fine of 1,000,000 to 6,000,000 rubles.

C Cases Team Recommendations

  • Identify what personal data is collected through the website;
  • Analyze the personal data processing procedure and determine where personal data databases are physically stored (which server receives the initial entry, where the database is located, which system performs systematization and storage);
  • Localize databases in Russian data centers when processing data of Russian citizens;
  • Include in contracts with contractors or processors the obligation to localize personal data and penalties for its violation;
  • Check whether cross-border data transfer is occurring; if so, verify whether the relevant notification has been submitted to Roskomnadzor;
  • Analyze and, if necessary, revise the personal data processing policy, data subject consents, contracts with processors, internal regulations, and Roskomnadzor notifications.

Conclusion

The collection of personal data from Russian users via a website, including a mobile application, must initially take place in a database physically located in Russia. Only after this can such data be subsequently transferred abroad, provided that all relevant legal requirements are met.

If, as a personal data operator or processor, you need to determine where and how to legally collect customer personal data, identify which data requires localization in the Russian Federation, regulate cross-border transfer procedures, and minimize legal risks for your business, the C Cases team is ready to conduct a comprehensive legal audit of your local regulatory acts, contracts with contractors and processors, and to create a detailed "map" of personal data collection and storage routes, complete with recommendations for addressing any identified violations.

Sources

  • Federal Law No. 152-FZ of July 27, 2006 "On Personal Data".
  • Code of the Russian Federation on Administrative Offenses No. 195-FZ of December 30, 2001.