Anastasia Petrova

Of Counsel

Legal 500

Anastasia Petrova is very responsive, supportive and professional. Nothing is impossible for her.


Anastasia Petrova is a Counsel in the Labour and Employment, Corporate, Data Protection and Cybersecurity Practices of ALRUD Law Firm.

Anastasia provides comprehensive support on all labour law issues, including internal investigations, compliance by companies and their employees with internal policies and procedures, and the introduction of electronic document management in companies' HR processes. Anastasia has significant experience in supporting clients on labour issues during M&A transactions.

Anastasia advises on a wide range of complex issues in the field of confidentiality and data protection, cybersecurity, and legislation in the field of information technology, including the structuring of data flows with a cross-border element, the legal assessment of products and technologies that are based on data management, and the construction of data ecosystems, compliance with the Yarovaya Law, legislation on critical information infrastructure and industrial regulation.

Anastasia manages projects for conducting comprehensive audits of companies' processes, involving data management, and assists clients in eliminating the risks identified during the audits.

She has experience in ensuring compliance with the requirements of the EU General Data Protection Regulation by Russian companies and Russian subsidiaries of European companies.

Anastasia has significant practical experience in legal support to clients operating in Telecom, IT, banking and finance, medicine and pharmaceuticals industries.

Anastasia graduated from the Russian State University for the Humanities.

She joined the ALRUD team in 2010.

Anastasia is a member of the International Bar Association (IBA).

Recent projects include advising:

One of the largest Russian air carriers

during the audit of personal data processing, where she was involved in an audit performed by an international group of lawyers, and during the work to bring these processes into compliance with the requirements of the EU General Data Protection Regulation.

An international telecom operator

where she provided comprehensive legal support to the entrance into the Russian market to render telecommunication services in Russia, in particular, on licensing telecom activities, compliance with the legislation on the sovereign Russian Internet, and compliance with anti-corruption legislation.

An international manufacturer of cassettes, vinyl, LCD screens, insulation and other products

on a balanced approach to compliance with the requirements of the EU General Data Protection Regulation and the Russian legislation.

The largest German airline

on the requirements of the Russian legislation on data protection and national security, related to the implementation of its activities.

An international payments system

on a number of issues related to compliance with data protection legislation and cybersecurity for payment systems, as well as on the implementation of an internal hotline for reporting violations (whistleblowing), and provided legal support for its implementation.

A major U.S. software developer for telecom operators

on all employment law issues, arising from acquisitions in Russia, including pre-transaction HR audits, regulations, asset/company acquisition agreements, personnel structuring agreements, and bringing the policies of acquired companies into line with the laws and customer requirements after transactions.

A leading international developer and supplier of medical products

on compliance with Russian data protection legislation, including requirements for the localization of personal data of Russian citizens, when using SAP software. Also provided legal support for the legalization of cross-border flows of employee data, during the use of SAP.

A Swiss group specializing in the sale of electronic cooking devices

on applicable requirements of legislation on personal data protection, currency regulation, and consumer protection, in connection with the planned launch of an online platform with recipes, a mobile application and sales of electronic devices in Russia, Ukraine and Kazakhstan.

An American financial company

on the disclosure of personal data of Russian citizens to foreign regulators in the U.S. and the UK.

An international cosmetics company

during the inspection of Roskomnadzor, and in the course of eliminating the identified violations, in the field of the data protection legislation.

A number of clients, including the world leader in the production of cosmetics and perfumes

on the implementation of electronic document management and electronic communication, when interacting with employees. Supported the development of legal documentation, necessary for the introduction of electronic document management and electronic communication with employees.

A manufacturer of telecommunications equipment

on a wide range of complex labour law issues, including conducting an investigation into the creation, by an employee, of an information resource that harms the company's reputation, supporting the dismissal of this employee for a single gross breach of employment duties (the disclosure of personal data), and successfully supporting litigation with this employee in 3 (three) instances.

A number of clients, including an international payment system

on the evaluation of their products and services, based on data processing, including a scoring service, for compliance with data protection legislation. She also provided support in the preparation and negotiation of a data processing agreement, in connection with the provision of scoring services with the client's partner, to reduce potential risks of the violation of data protection legislation.

Concise and to the point with ALRUD: HR & DIGITAL (№12)
State Duma passes law on anonymization of personal data in second and third readings
The [law](https://sozd-duma-gov-ru.translate.goog/bill/992331-7?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=ru&_x_tr_pto=wappbh_histras 'law') provides for the creation of a state information system with anonymized personal data (“PD”). The PD operator (employer) will be obliged to anonymize processed data (e.g., of employees) and provide it to the state information system at the request of the Ministry of Digital Development, Communications and Mass Media, which will have to ensure the confidentiality of this data. The law is due to come into force from 1 September 2025. The new law is generating numerous questions for companies, especially in terms of how companies must anonymize PD and what software to use for this purpose. Companies will probably have to buy certified software, which is not yet available on the market. The old Roskomnadzor (Russian Data Protection Authority) order describes anonymization methods for municipal and state bodies and does not provide anonymization methods for private companies, nor does it provide information on technical means for anonymization.
The state authorities have started accepting applications for IT deferment from military service from 24 July to 6 August 2024
Employees of accredited IT companies aged between 18 and 30 may apply for deferment from military service in the autumn conscription through Gosuslugi from 24 July to 6 August 2024. If an employee does not have a personal account on Gosuslugi, the company itself will be able to add him to the list. Companies, meanwhile, are required to check and confirm employees' data and send the lists to the Ministry of Digital Development, Communications and Mass Media by 11 August 2024. One company may send several lists as they are compiled. The Ministry of Digital Development, Communications and Mass Media will send the information to the Ministry of Defence by 31 August 2024. From 1 October to 31 December, the conscription commission will make decisions on deferment. Please note that employees of conscription age employed in the IT sector may qualify for deferment of conscription for military service if they:
- Work in an accredited IT company under an employment contract with normal working hours
- Have completed university education in a major from this special [list](https://publication-pravo-gov-ru.translate.goog/Document/View/0001202204010045?index=4&_x_tr_sch=http&_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=ru&_x_tr_pto=wapp 'list')
- Have at least 11 months of work experience in the IT sector during the year preceding the date of recruitment
Prohibition on including consent to the processing of PD in other documents
A [draft law](https://sozd-duma-gov-ru.translate.goog/bill/679980-8?ysclid=lyzstl76k2625458467&_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=ru&_x_tr_pto=wapp 'draft law') has been submitted to the State Duma to formalize consent to the processing of PD separately from other documents signed by the subject of PD and/or provided to him/her for review. According to the authors, consent to the processing of PD is often currently included in contracts or other consents to the processing of PD, which are provided for other purposes. These documents contain, among other things, a significant amount of information not related to the processing of PD and conditions for consent to the processing of PD, including for the purpose of transferring it to an indefinite number of persons. In practice, we often see situations where consent to the processing of an employee's PD is “stitched” into an employment contract. Although there is currently no explicit prohibition in the law to incorporate consent with the text of the employment contract, such an approach can already be challenged, as the employee is considered a weak party and such incorporated consent may be considered non-free and involuntary. We strongly recommend that all employers abandon the practice of including any consents to the processing of PD in employment contracts, other agreements, instructions and local policies, particularly as consent is not the only possible means for processing employees' PD. In many cases, the processing of employees' PD may also be justified by an agreement with the employee or a legal obligation, including obligations that the employer has to employees under the Labour Code of the Russian Federation. Where the processing of PD necessarily requires consent, such consent must be specific, conscious and unambiguous, i.e., obtained separately from other documents, as well as substantive and informed.
02 August 2024
Anastasia Petrova and Maria Nevezhina speak at the AmCham HR Committee Meeting
On 29 July 2024 the HR Committee of the American Chamber of Commerce in Russia (AmCham) met to discuss topical issues of labour law. [Anastasia Petrova](https://www.alrud.com/people/AnastasiaPetrova/ 'Anastasia Petrova'), Of Counsel in ALRUD Labour and Employment Practice, and [Maria Nevezhina](https://www.alrud.com/people/MariaNevezhina/ 'Maria Nevezhina'), Senior Associate in ALRUD Labour and Employment Practice, spoke on the topic: “Labor & employment compliance issues after the enactment of recent EU and US sanctions”. The experts explained which labour and legal processes require changes in the context of the recent EU and US sanctions, including localization of global policies and human resources document templates, changes to the processing of employees’ personal data, restructuring, bringing arrangements with a head office into compliance with the sanctions requirements, as well as training and the introduction of a reporting system. *The American Chamber of Commerce in Russia (AmCham) is the leading international business organization in Russia. Founded in 1994, AmCham advocates for the trade and investment interests of its member companies. The reach and scope of AmCham’s advocacy continues to expand to reflect the increasing diversity of its membership. AmCham’s mission is to promote the development of a sustainable market environment conducive to business operations in Russia.*
01 August 2024
Concise and to the point with ALRUD: HR & DIGITAL (№11)
Reminder
It is illegal for a company to refuse to provide benefits (e.g., voluntary medical insurance) due to an employee's failure to provide consent to the processing of personal data. This was the conclusion reached by the 3rd Cassation Court of General Jurisdiction in Resolution No. 88-1047/2024 dated 15 January 2024.
Key facts of the case
Per the employment contract, employees agreed to comply with all the requirements of the employer’s Internal Labour Regulations and other in-house policies. In accordance with the Policy on Additional Benefits for Employees, employees were eligible to receive benefits if they provide written consent to the processing of their personal data. In the absence of such consent, the benefits for employees could be suspended. An employee who was reinstated at work and did not provide consent to the processing of personal data filed a claim in court to require the company to provide voluntary medical insurance. All three court instances (district court, appellate court and court of general jurisdiction) supported the employee, pointing out that legislation on personal data stipulates that the subject of personal data has the right to grant consent to the processing of such data. However, such consent must be provided exclusively voluntarily. Whether or not a personal data subject exercises his/her rights cannot be made dependent on exercising the right to receive additional benefits provided to an employee as part of employment relations. As a result, the courts satisfied the employee's claims to require the employer to provide voluntary medical insurance on the terms of the existing in-house policy no later than 3 business days from the date on which the court decision takes effect.
Claims > To require an employer to provide voluntary medical insurance, recover the amount of food subsidies, provide compensation for delayed payments, provide annual paid leave, and provide compensation for moral damages
Resolution > To uphold the decisions of the lower court instances and dismiss the cassation appeal
24 July 2024
Data Protection: What Do Operators Need To Know in 2024?
Dear Ladies and Gentlemen! The authorities in Russia and the rest of the world have recently been paying more and more attention to data protection issues. This is evidenced by the numerous laws adopted in this regard, the increased activities of the Russian Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor), despite a moratorium on scheduled inspections, and the serious amendments that are expected to be introduced to broaden liability for violations of data protection laws. For example, in a report that Roskomnadzor issued for 2023 [1], we can see that a total of RUB 266,324,329 in administrative fines were imposed last year compared with RUB 109,579,160 in 2022 [2]. This means that, despite the moratorium on scheduled inspections, Roskomnadzor more than doubled its efforts to hold individuals accountable for violations of legislation on the protection of personal data in 2023 compared with the previous period. Russian data protection laws impose numerous requirements on operators, and companies must expend enormous resources and be highly vigilant in the processing of personal data to comply with them. As a result, internal teams and DPOs often have questions about which requirements are most critical and pose the greatest risk to business. The list of requirements may vary depending on the size of the business and the company’s industry, business model, and other factors, however, there are issues that will be crucial for most operators.
In this brochure, we have highlighted such issues for the current period and invite you to learn more about them:
- The importance of written consent;
- Inspections by Roskomnadzor;
- Requirements for online resources;
- The "extraterritorial" principle of the application of the personal data law;
- Localization trend;
- Cross-border data transfer;
- Anonymous data;
- Personal data breaches;
- Notification of a personal data breach;
- Personal liability of management and imposition of criminal liability.
You can download the brochure [here](https://www.alrud.ru/upload/ALRUD%20upload/2024/Newsletters/ALRUD_Data_Protection_What_Do_Operators_Need_To_Know_in_2024.pdfmsdynttrid=ewOpCEpu51bnuK8ks-Bn_lKQGfLYV0MMdbORdRYMYnM 'here').
[1] [gosdoklad_za_2023_ 03042024.pdf (rkn.gov.ru)](https://rkn.gov.ru/docs/gosdoklad_za_2023_03042024.pdfmsdynttrid=2UrE_VEIyl0-bkddTp6e1hac51Q6c14-uN1Fe3b6dsw 'gosdoklad_za_2023_ 03042024.pdf (rkn.gov.ru)')
[2] [2022_RKN_goskontrol.pdf](https://rkn.gov.ru/docs/2022_RKN_goskontrol.pdfmsdynttrid=BbXoNLdry4VKtr6nj6xUaV6vyiZbS8FX-DMiOG5XHb4 '2022_RKN_goskontrol.pdf')
24 July 2024
Anastasia Petrova and Roman Vedernikov speak at an AmCham event
On 4 July 2024 experts of ALRUD Crisis Management, Economic Sanctions and Compliance Practice [Anastasia Petrova](https://www.alrud.com/people/AnastasiaPetrova/ 'Anastasia Petrova'), Of Counsel, and [Roman Vedernikov](https://www.alrud.com/people/RomanVedernikov/ 'Roman Vedernikov'), Senior Associate, spoke at the event “Sanctions Briefing” held by the American Chamber of Commerce in Russia (AmCham). The webinar was moderated by the AmCham President and CEO Robert Agee. Anastasia spoke on “EU Sanctions on IT/IP. Key aspects” covering the updates on the EU sanctions package, including extension of deadlines for the use of IT infrastructure and services, prohibition of accepting new applications for registration of intellectual property, as well as a ban on the use of contractually granted intellectual property rights relating to high-priority goods intended for subsequent, direct or indirect, sale, delivery, transfer, or export to Russia or for use in Russia. Roman spoke on “The 14th EU Sanctions Package against Russia. Key changes” focusing on the key restrictions introduced by the 14th EU Sanctions package.
10 July 2024
Concise and to the point with ALRUD: HR & DIGITAL (№10)
Roskomnadzor (Russian Data Protection Authority) plans to make it easier for personal data subjects to revoke consent to the processing of personal data
Roskomnadzor proposes making it possible to revoke consent to the processing of personal data “in one click”. Technically, the mechanism can be implemented as part of the consent management system that the Ministry of Digital Development, Communications and Mass Media created on the basis of the Gosuslugi service, but it will require revisions to standards. The relevant draft law may be considered as early as September. Business fears that implementing the plan will lead to increased costs for the restructuring of information systems.
Criminal liability for violating the secrecy of correspondence and destroying corporate information
The Oktyabrsky District Court of Ufa handed down a verdict in a criminal case against a former employee of the company. He was found guilty of committing crimes under Part 1 of Article 138 of the Russian Criminal Code (violation of the secrecy of correspondence) and Part 2 of Article 272 of the Russian Criminal Code (unlawful access to legally protected computer information committed out of self-interest). The court found that in November 2023, a man who previously worked as a system administrator remotely copied the email correspondence, contacts, and personal data of the general director and corporate information containing trade secrets and destroyed them. The defendant pleaded guilty to the crimes. The court sentenced him to a fine of 120,000 RUB (approximately 1,364 USD or 1,268 EUR). The verdict does not contain information about the company filing a civil claim in criminal proceedings to compensate for damages caused as a result of the destruction of corporate information.
Question > Can the data controller be subjected to administrative liability during the moratorium on inspections?
Position of the 8th Court of the General Jurisdiction (Case No. 2a-2919/2022) > If a violation is revealed during the consideration of materials received, including from a citizen, Roskomnadzor may conduct an inspection and initiate an administrative offence case or refuse to initiate it.
05 July 2024
Concise and to the point with ALRUD: HR & DIGITAL (№9)
Ban on foreign information security services from “unfriendly” jurisdictions
Decree No. 250 of the Russian President dated 1 May 2022 “On Additional Measures to Ensure the Information Security of the Russian Federation” previously imposed restrictions on the use of foreign information security means. In particular, government authorities, state corporations, systemically important organizations, and subjects of critical information infrastructure (“CII subjects”) are prohibited from using information security means as of 1 January 2025:
- Originating from “unfriendly” states;
- Or from manufacturers that are organizations under the jurisdiction of “unfriendly” states, directly or indirectly controlled by them or affiliated with them.
Decree No. 500 of the Russian President dated 13 June 2024 extended the scope of the ban: as of 1 January 2025, government authorities, state corporations, systemically important organizations and CII subjects are also prohibited from using cybersecurity services (work or services) from companies from “unfriendly” states. If your company belongs to government authorities, state corporations, systemically important organizations or CII subjects, we recommend that together with IT you conduct an audit of software and IT services used for HR, accounting and personnel management purposes in order to ensure timely compliance with the requirements of the above-mentioned presidential decrees.
A 14th package of sanctions, including IT restrictions, has been imposed against Russia
The USA has significantly expanded sanctions against Russia, with new restrictions affecting financial infrastructure, cloud services and information technology. The USA will ban a number of software and IT services as of 12 September 2024. The US Department of the Treasury, together with the State Department, issued a special decree with the following restrictions:
- It is prohibited to provide any person in Russia with design services and IT consulting services;
- It is prohibited to supply cloud technology and IT support services for business management, as well as design and manufacturing software.
Russian companies using such software for HR purposes may consider the following courses of action:
- Change the vendor, which will allow them to continue using the software in Russia;
- Localize relevant HR processes.
Exemption from liability for personal data leaks due to the insignificance of the offence
During the ‘I Give My Heart to Children’ Russian Professional Skills Competition for Continuing Education Employees, there was a technical failure that led to the brief publication (three minutes) of information about a personal data subject on the competition website. The subject’s passport details, registration address, telephone number and email address were published, all of which constitutes personal data. In court, the data controller pointed out that the incident was caused by a technical malfunction in the service, third parties did not gain access to the personal data since the violation was eliminated as soon as possible, and no damage was caused to the subject of the personal data. The Russian Federal Service for Supervision of Communications, Information Technology and Mass Media, (Roskomnadzor) reported that it did not receive any complaints about the data controller as a result of the incident. In accordance with the law, the data controller sent a notification about the leak of personal data. A justice of the peace of the Danilovsky District of Moscow (Case No. 05-1415/456/2023) ruled that the data controller had failed to ensure the confidentiality of personal data and had not prevented unauthorized access to it by third parties, and qualified the offence under Part 1 of Article 13.11 of the Code of Administrative Offences of the Russian Federation. However, since the court had no evidence that information about the personal data subject had been copied, obtained or used by third parties to violate its legally protected rights, including through the competition website, the court relieved the data controller of administrative liability due to the insignificance of the offence and limited itself to a verbal reprimand.
25 June 2024
Concise and to the point with ALRUD: HR & DIGITAL (№8)
The State Duma will consider a draft law on the possibility for the plaintiff to receive personal data (“PD”) of the defendant
Amendments are planned to be made to the Civil Procedure Code of the Russian Federation. It is proposed to grant the plaintiff the right to file a motion to the court for assistance in establishing information about the defendant which is necessary to file a claim in court, but which the plaintiff does not have. In addition, if the law is adopted, the court will be able to independently determine the list of data about the defendant necessary to accept the claim.
More than half of the surveyed small and medium-sized businesses are not ready for tougher sanctions for PD leaks
Less than half of Russian companies (44%) from the SMB segment have managed to review their PD protection measures against the background of possible tightening of sanctions for their leaks. 50% of companies have not even studied the amendments in detail, and some do not plan to strengthen protection at all yet. Some of the respondents (45%) expect to strengthen protective processes “within a year”, another 8% - “in the next six months”. There are also those (4%) who do not plan to review the protection at all yet. At least 32% of SMB respondents are concerned about reputational risks from sanctions. 68% of respondents are concerned about financial losses, including from the imposition of fines. It is noteworthy that only 43% of respondents have conducted an audit of PD processing processes over the past 3 years, 11% conducted an audit more than 3 years ago. Almost a quarter (21%) have never conducted an audit at all. 25% of the respondents could not give an answer to this question. We remind you that the draft laws on administrative and criminal liability for PD leaks are planned to be finally considered in this spring session of the State Duma. Regardless of the adoption of these bills in this session, we recommend that data controllers be prepared for tighter liability for PD leaks. To this end, companies should conduct an audit of PD processing processes and an IT security audit.
A draft law on the right of the Federal Tax Service to transfer information that constitutes a tax secret to interdepartmental commissions has been adopted in the first reading
According to the new law on employment, interdepartmental commissions on combating illegal employment will be created in the regions of the Russian Federation. They have the right to receive PD and information constituting a tax secret from various authorities, including the tax service. It is proposed to extend the tax secrecy regime to cases where the tax authorities transfer the relevant information to interdepartmental commissions of the subjects of the Russian Federation and territorial bodies of the Federal Service for Labour and Employment (Rostrud).
Following the results of the prosecutor's office's inspection, the DPO of the company was brought to administrative liability
The Prosecutor's office of the Kirovsky district of Saratov conducted an inspection of compliance with legislation in the field of PD protection in a medical company. During the supervisory activities, carried out together with a specialist of the Roskomnadzor Department for the Saratov region, the illegal dissemination of a database containing PD of clients, in particular phone numbers and full names, was revealed. On this basis, the district prosecutor's office initiated an administrative offense case under Part 1 of Article 13.11 of the Administrative Code of the Russian Federation against a responsible official of the medical company. Following consideration of the case, the DPO was sentenced to an administrative fine in the amount of RUB 10,000 (approx. USD 112, EUR 103).
Question > Can an employer track the location of employees through their personal smartphones?
Answer from Rostrud > The employer has the right to monitor the employee through an application in a mobile phone, if this is related to the performance of job duties. We additionally note the need to obtain the consent of employees to track and process PD.
06 June 2024
Concise and to the point with ALRUD: HR & DIGITAL (№7)
The Federation Council clarified what the Russian Digital Code will look like
Work on the Digital Code, which will become the basis for legal regulation of relations in the field of information and digital technologies, will take at least another year, and a significant part of the future document is planned to be devoted to the protection of personal and biometric data. The structure of the Code reflects two parts – general and special:
- the general part will list the basic concepts, terms, principles, subjects and objects of law, that is, all that is called the conceptual apparatus;
- in a special part – specific types of state and social institutions, types of legal relations and ways of their regulation.
Separately, the Federation Council noted that the special part involves three large sections: issues of communication, information and personal data protection. We recommend that employers monitor the development and adoption of the code, as it can have a direct impact on digitized HR processes in companies.
Participants of JSC and LLC at online meetings will be identified by electronic signatures or biometric personal data
Draft amendments to the laws on JSC and LLC have been prepared for the second reading in the government bill (No. 103501-8). Initially this document was devoted to another issue: it provided for the possibility of the JSC to suspend the sending of correspondence and payment of dividends to shareholders who have not contacted the company for more than two years (the so-called lost shareholders). It is proposed to use a choice of five options when identifying a participant in online meeting: enhanced qualified electronic signature, enhanced unqualified electronic signature, personal data from the Unified Identification and Authentication System (ESIA), as well as information from the Unified Biometric System (EBS). At the same time, non-public JSC will be able to deviate from the rules set out: specify in the charters other ways to reliably identify persons taking online participation in the meeting and ways to sign ballots. The bill also regulates the general rules for online meetings. For example, such a format should provide for broadcasting, and the company is obliged to keep a record of it. If there are significant technical problems that make it impossible to hold a meeting, the vote is declared invalid.
Question > Should the Data Protection Officer (DPO) be directly subordinate to the General director?
Answer from Roskomnadzor > The DPO receives instructions directly from the executive body of the organization that is the data controller and is accountable to it.
23 May 2024
Concise and to the point with ALRUD: HR & DIGITAL (№6)
The Russian government has approved draft amendments to the Russian Criminal Code that increase the severity of punishment for leaks of personal data (“PD”)
The amendments have changed slightly compared with the version adopted in the first reading. The Ministry of Internal Affairs (MVD) proposed mitigating liability for leaks and editing the wording so that penalties are imposed only in the event of the leakage of (1) data of 50 or more PD subjects, or (2) information about people’s private life, personal or family secrets, special categories of PD, or biometric PD. The Ministry of Justice opposed such amendments, arguing that restricting the number to 50 PD subjects would result in attackers intentionally splitting up databases with leaked PD, while those who leak the PD of fewer people would be able to avoid criminal punishment. Under the draft law, if a violation results in severe consequences, the guilty parties may be punished with a fine of up to 3 million RUB (approximately 32,730 USD or 30,476 EUR) and maximum prison sentence of up to 10 years, as well as forced labour and deprivation of the right to hold certain positions or engage in certain activities. We are closely monitoring the consideration of this draft law and will keep you posted about the latest news.
Russia may soon have a mechanism to compensate for damages caused by the leakage of PD
The Federation Council has drafted a bill on mandatory insurance for PD leaks. The law would clearly specify not only the insurance amount, limits and list of risks, but also a list of exceptions that should not be set by the actual insurance companies. We understand that the legislators’ main goal is to encourage companies to pay closer attention to their IT infrastructure, in part to ensure the best possible protection of stored PD or to refuse to process it if it is not required for business.
Growing number of PD-related legal disputes
The number of disputes over the illegal use of PD is on the rise in Russia: since the start of 2024, their number has already increased by 17% compared with the beginning of 2023. There were a total of 17,400 cases across the country in 2023, an increase of 23% from 2022. Last year, the greatest dynamics in this regard were seen in administrative and criminal cases. The disputes under the Russian Criminal Code concern the illegal receipt of PD about a particular person, which is due to increased attention to the problem of growing terrorist threats. Businesses, in turn, face claims from employees about the reliable storage of their information and the legality of processing their PD. On the one hand, this poses reputational risks, while, on the other hand, it attracts the attention of the Russian PD authority (Roskomnadzor). We recommend that data controllers regularly conduct an audit of the processes of PD processing to bring them into compliance with the requirements of law and minimize financial, operational and reputational risks.
17 May 2024
Pravo-300, 2023 recommends Anastasia Petrova for Protection of personal data, TMT (telecommunications, media and technology), Compliance.
Best Lawyers 2022 recommends Anastasia Petrova for Labor and Employment Law.
The Legal 500 Europe, Middle East & Africa 2021 recommends Anastasia Petrova for Employment.
Who’s Who Legal, Global Leader Labour & Employment 2021 recommends Anastasia Petrova as a leading practitioner.