Fundamental rights of personal data
The regulatory framework governing the privacy of personal data was formed in the Russian Federation over 15 years ago, but is still not being executed flawlessly. A lack of knowledge in the sphere of personal data can potentially lead to intrusion to your privacy. Avoiding it requires knowledge. Let us consider main aspects of your rights in the personal data regulation.
Privacy — is an area that is regulated in detail by laws that establish the limits of your data processing, your rights as well as the obligations of data controllers, referred to as operators in Russian legislation.

1
Laws regulating the rights of subjects of personal data
In Russia, personal data is regulated by the Federal Law «On Personal Data». This law was adopted in 2006 to fulfill countries obligations under an international treaty, the 1981 Convention No. 108.

The Act is intended to establish a balance between, on the one hand, the subjects of personal data - ordinary people – and the operators – entities who process data for a variety of purposes.


In addition to the Russian law, there are other important acts on personal data. In Europe, this is the General Data Protection Regulation (GDPR) enforced in 2018. GDPR is crucial because it can also apply to Russian organizations — for example, Yandex, which allows the tracking of people in Europe by using its Maps service.

It often turns out that a company must process user data from different countries and under different laws. In certain cases, you can protect your rights not only under Russian law, but also under GDPR. But we will talk only about Russian law today.
2
Definition of personal data and criteria for its classification
To understand what data is protected by law, we need to look at the definition of personal data. Russian law says that personal data is any information that relates to directly or indirectly identified or identifiable person. The wording is both complex and broad, we understand you.
In fact, almost everything can be personal data. To understand whether or not personal data is in front of you, certain criteria have been developed. When determining what information identifies a person, three arguments are given:
Thus, the scope of information recognized as personal data is broad. Namely, it includes your name, phone number, address, mail, image and voice, fingerprints, online test results and much more.

We have already referred to IP, cookies, GPS data. They can also be personal data. If you suddenly have "smart" gadgets, like fitness bracelets or refrigerators, the information from their sensors can also be considered personal data. Even before a person wakes up, the bracelet on his arm records his pulse and breathing rhythm. The heart rate and rhythm, as well as information about the device of the person to whom such a bracelet is attached, make it quite easy to distinguish such data as personal.
Even if some data by itself is not enough to identify a person, such as the name David Willison, since there are dozens of such people in the world, having any additional information can make them personal.

For example, if we know David’s ID, we can tell a lot more about him. Or, for instance, the browser history of a forgotten computer will already be enough to make a portrait (or profile) of him. This will allow controller to determine what David likes, where he goes and when, even if controller and subject of personal data are complete strangers.


3
What are the main provisions of the Law "On Personal Data"?
First, any processing of personal data must comply with the principles of processing (Art. 5 of the Act). Processing is any action with data, e.g., its storage, recording, copying, transferring, erasure, etc. To put it simply, when someone "touches" your data, they become data controller and must comply with the law.

These principles include lawfulness, fairness, purposefulness limitation and data minimization. For example, a mobile photo retouching app that asks you for access to your phone book is likely to violate purpose limitation and data minimization principles.

Lawful processing means that the data must be processed on one of the legitimate grounds. Let's look at the main ones.
One of the most popular grounds is the consent of an individual. Try to recall how many consents you have signed in your lifetime and how many consents you have given without noticing it, for example, when registering at TikTok or placing an order online .

There are special requirements for consent — it must be informed, specific and freely given. Unfortunately, many consents fail to meet these standards. The simplest example is when consent is automatically ticked off on a website. You can't say that the consent was freely given because it weren't ypu who gave it in the first place. Try, for interest, to observe, which sites have pre-checked tickboxes, and which are not.
In addition to consent, grounds such as the legitimate interest of controller and executing a contract are popular. Legitimate interest, for example, is to know the age of the person who registers on a social network, because the content posted there may not be intended for children. Legitimate interest is a rather blurry category, so many operators use it even when there is no obvious interest in the data that would justify collecting it. Many companies get fined for misapplying this ground. In Europe, for example, Whatsapp was fined 225 million euros for failing to prove a legitimate interest in processing the data

The processing of a person's data by contract occurs, for example, when you enter your address and phone number when ordering from a food delivery service, because this data is necessary for your food to be delivered to you. There is no need to obtain consent to data processing when another legal basis is involved.

In some cases, consent must be obtained in a special form, in writing. This applies to situations where special or biometric data are processed.
Special data is data that relates to political, national, religious, health and philosophical beliefs. Data from a fitness bracelet, which we've already talked about, or information about medications from the shopping cart would be considered special data.
The peculiarity of these data is their "sensitive" nature, since their disclosure may lead to discrimination against a person. For example, he or she could be fired from his job for supporting a political movement. For this reason, there are fewer grounds for processing special data, and consent must be given in writing and with specific requirements. We talk about biometric data separately in one of our longreads.
A written consent form is also required if the data is processed to offer goods or services through direct contact. What does this mean? All advertising SMS and push notifications, spam mails, annoying phone calls are included in this concept. That is, without consent, all these practices are illegal, and you have the right to demand to be removed from your customer bases.

The only thing that's important to remember is that written consent doesn't necessarily mean consent on paper. You sign a written consent when, for example, you use a code from an SMS or a confirmation from an email to use some service. This is called a simple electronic signature, which replaces a normal signature.
An interesting situation arises from the proliferation of artificial intelligence and other technologies that make decisions about people on their own. For example, in many companies all CVs are first automatically screened by a computer according to a set of criteria. Since any machine is human-trained, of course, many biases can simply be passed on to it.

A famous scandal happened with Facebook when, after watching videos of black men, the algorithm suggested that users watch videos about primates. The company quickly apologized and promised to fix the error in video suggestion technology.

Since many modern systems, including those based on artificial intelligence, can make important decisions about people — to hire or not to hire, to give or not to give credit, everyone has the right to know how the system works and to object to the decisions it makes. This possibility is also stipulated in the law on personal data.
4

What other rights do you have?

First, you can withdraw your consent. After that, the operator has no right to process your data in the absence of other legal grounds and must delete it.

Secondly, you have the right to access and rectify your data, as well as to restrict its processing or erase it if it's out of date, inaccurate or illegal. Why do you need access to your data? For example, to back up (i.e. make a backup copy of) your files on a particular system. Rectification of data is important when some important choices rely on data — for example, if you apply for a scholarship or to university.

The rights to resrtict processings or erase data can be exercised if, for example, you want to remove outdated online links relating to you. This right of data subject is close to the so-called "right to be forgotten", which allows you to delete outdated or inaccurate links to web pages through a request to a search engine, such as Google.

You also have the right to information about the processing of your data, which the controller must provide you before the data is — who processes it, what categories, for what purposes, how your data is protected, to whom it is transferred, etc. This information is usually communicated through privacy notices, which can be found in the footer of a website.

All inquiries can be sent to controller, whose adress is usually listed in its privacy notice on the site or app.

You can also protect your rights if you have doubts about the lawfulness of the controller's actions by contacting Roskomnadzor or bringing a claim with a court. You can file an appeal with Roskomnadzor at the following link.

As you can see, the field of privacy is very broad and deep, and we've only covered the tip of the iceberg!

In the following longreads we will talk about leaks, remedies and how to behave smartly on the Internet.