Database

Personal data may only be processed after informing the data subject and, significantly, having obtained the data subject’s explicit and freely-given consent.

Moreover, the Regulation of Electronic Commerce (the E- commerce law) came into force on May 2015 states that the service provider is not permitted to transfer the personal data to third parties or use the data for other purposes without the customer's consent.

Telecommunication companies have to delete all information regarding their customers following the accomplishment of their service.

Article 23 of Law No. 6493 requires that "the system operator, payment institution and electronic money institution shall be required to keep all the documents and records related to the matters within the scope of this Law for at least ten years within the country, in a secure and accessible manner". The article also specifies that "The information systems and their substitutes, which are used by system operator to carry out its activities shall also be kept within the country".

The transfer of traffic and location data abroad is permitted with the data subjects' explicit consent.

The legislation stipulates that data cannot be processed or transferred abroad without the individual's explicit consent. Consent will not be required if the transfer is necessary to exercise a right or is required by law, and either:
- Sufficient protection exists in the transferee country, or
- if the data controller gives a written security undertaking and Turkey’s Data Protection Board grants permission.

Article 23 of Law No. 6493 requires that "the system operator, payment institution and electronic money institution shall be required to keep all the documents and records related to the matters within the scope of this Law for at least ten years within the country, in a secure and accessible manner". The article also specifies that "the information systems and their substitutes, which are used by system operator to carry out its activities shall also be kept within the country".

Article 20 of the Federal Act on Data Protection, effective in August 2018, states that data controllers must conduct an impact assessment if processing may lead to a high risk for the data subject’s privacy or fundamental rights (e.g. in case of extensive processing of sensitive personal data or profiling). If such a risk is confirmed, the Federal Data Protection and Information Commissioner (FDPIC) must be consulted prior to the processing. No impact assessment is required if the Controller is certified by a recognized certification body, or complies with a code of conduct. In case of multiple similar processing activities, the Controller may conduct a general impact assessment which applies across all processing activities.

On the 13 of May 2014, the European Court of Justice ruled that individuals are entitled to seek the deletion of links on search engines about themself if the information is outdated or irrelevant, the so-called right to be forgotten. Although the court ruling only applies to the 28 European Member States, four other countries - Iceland, Liechtenstein, Norway and Switzerland - are de facto making use of it.

The providers of telecommunications services and postal servicesmust retain information necessary for the subscriber identification as well as traffic and billing data for six months. In addition, providers of telecommunication servers are required to retain for six months web server access logs including IP addresses.

Failure to comply with that Enforcement Notice by the Information Regulator is a criminal offence, punishable by a term of imprisonment not exceeding 10 years, or unlimited fines, or both. Administrative fines may go up to 10 million ZAR (approximately 600,000 USD).

A responsible party is obliged to notify both the Information Regulator and data subjects where there are reasonable grounds to believe that personal information has been accessed or acquired by any unauthorised person.

Companies may designate and must register with the Information Regulator an information officer and a number of deputy information officers as is necessary to perform the duties and responsibilities of the information officer. The role of information officer is covered by default by the head of a company.

Consent is needed for the data transfer to third countries. Otherwise, the transfer can happen if:
- the third party is subject to a law, binding corporate rules or binding agreement that provide for an adequate level of protection;
- the transfer is necessary for the performance of a contract between the data subject and the responsible party, or
- the transfer is necessary for the implementation of pre-contractual measures taken in response to the data subject's request.

In Russia, non-compliance with data protection laws can be punishable with: civil sanctions, administrative sanctions and criminal sanctions.

It is reported that Russian data protection laws have been enforced quite heavily in recent years and data subjects have sent many complaints to Roskomnadzor.

There has also been a growing number of appeals by data operators against the orders and decisions of Roskomnadzor imposing different sanctions on data operators and blocking their Internet resources.

As of 2017, Russia diversified how it fines breaches of data processing legislation, and increased overall fines. Now, illegal data processing can be fined between RUB 15,000 (approx. USD 260) and RUB 70,000 (approx. USD 1,230).

Additionally, Law No. 374 amends the Code of Administrative Violations to establish fines of up to RUB40,000 (approx. USD 700) for encryption which goes beyond mandated levels and for the use of previously uncertified encryption equipment. Furthermore, the Law imposes on distributors of information via the Internet the obligation to report to the Federal Security Service “all information required for the description of received, transferred, or delivered electronic communications.” The refusal to provide such information will be punishable by a fine in the amount of RUB 1,000,000 (approx. USD 16,000).