In Russia, public personal data is not so public anymore

In March 2021 the rules for processing personal data changed significantly. The definition of ‘personal data that was made publicly available by the data subject’ in the Law On Personal Data has been changed to ‘personal data allowed for dissemination by the data subject’. This new phrasing gives individuals more control over their data and widens the data operator’s scope of responsibilities.

A new reality

Previously, public availability of personal data constituted an independent ground for its processing and did not require any additional confirmation of legitimacy of an operator’s actions. Now, data operators must obtain special written consent from the data subject.

The form can either be drafted independently in accordance with the Russian data protection regulator Roskomnadzor requirements or with the help of an online generator on Roskomnadzor’s website. Currently, the generator is only available in Russian.

Specialised consent must be obtained separately. The good news is that it is possible to indicate several purposes for processing data on the new form, so data operators no longer have to obtain several documents to cover their needs.

In the consent form, the data subject can specify prohibitions on transferring and processing personal data, or stipulate conditions for processing personal data by unlimited groups. Within three days of receiving consent, the operator must publish information on any specified limitations or prohibitions. Given the narrow timeframe to carry this out, the process may require some technical fine tuning in the future.

In addition, the specialised consent must have a validity date and can be withdrawn by request at any time.

From now on, a data operator bears the responsibility of ensuring the legitimacy of its processing of public personal data. In other words, if one wishes to use the data that was lawfully made public by another data operator, it is now their responsibility to check whether there are any processing restrictions or prohibitions associated with it.

Risks of non-compliance

The sanctions related to administrative liability for the dissemination of information with restricted access – personal data included – have recently been raised. Warnings were excluded from the sanction measures and the maximum fine for data processing without a required written consent has been increased to Rb500,000 rubles (approximately $6,700) for legal entities. The limitations period for filing a complaint for the violation of personal data regulations has also been increased from three months to one year.


Data operators should review the processes that they use for handling personal data to determine the circle of data recipients when transferring data to third parties. If personal data is made available to the wider public, or the data operator is using publicly available personal data in its activity, then the processes should be revised swiftly to comply with the new requirements.

This is an Insight article, written by a selected partner as part of IAM's co-published content. Read more on Insight

Unlock unlimited access to all IAM content