In today’s digital environment, the processing of personal data (PD) has become one of the key tasks for organizations. The increasing volume of data and its importance as a resource require companies to strictly comply with the law. Violation of the law can lead to serious consequences, including fines, reputational damage and litigation.
A review of arbitration court decisions in the Russian Federation shows key aspects and problems in the interpretation of legislation that are useful for every data controller to take into account. Below we analyze examples from court practice and draw conclusions about the most important aspects of data processing.

Lawful processing of personal data

The consent of the subject of personal data remains the cornerstone of lawful processing. An example is the case of “TNS Energo Nizhny Novgorod” [1]. In this case the operator transferred consumers’ personal data to third parties (resource-supplying organizations). When considering the case, the court emphasized the need to obtain written consent when transferring data to third parties, even if such transfer is provided for in the operator’s internal contracts. This indicates the need for strict compliance with the provisions of Article 6 of the Law “On Personal Data”.

No less significant was an example from the case of “Makro” ICC, where the operator was held liable for insufficient transparency of work with consents [2]. Roskomnadzor proved that there was no documentary evidence of consent to the processing of personal data, which was qualified as a violation.

For organizations, the conclusion is obvious: the recording of consents must be systematic, and internal controls over data processing must be regular. The creation of a unified consent registry and its verification will be a reliable tool for compliance with the law.

Medical personal data: special level of protection

The processing of health data remains one of the most sensitive areas of regulation. It should be noted that the transfer of such personal data to third parties, even in case of conflict with the personal data subject, cannot be carried out without his/her consent.

Thus, in the case of the clinic “City of Health”, the court noted that even when the data is transferred to a lawyer for conflict resolution, the written consent of the patient remains mandatory [3]. This decision emphasizes the strict framework of part 2 of Article 10 of the Law “On Personal Data”, which establishes a special procedure for special categories of data.

For healthcare companies, it is important not only to ensure the confidentiality of such data, but also to conduct additional training for employees and include clauses on data protection in contracts with contractors. Failure to properly protect data can undermine patient trust and lead to reputational losses.

Interpretation of the definition of personal data

The definition of personal data remains one of the most complex issues. Court cases clearly demonstrate how information can be interpreted in a variety of ways. For example, in the case of ARSENAL Insurance Company, the court recognized that the publication of the data of the company’s executives on the website complied with the laws on information disclosure [4]. At the same time, the purpose of such publication – fulfillment of regulatory obligations – was a determining factor for its legality.

A different view is presented in the “Farpost DV” case [5]. The court stated that posting data on the Internet, if it does not identify a specific person, cannot be considered processing of personal data. Thus, the issues of processing concern only information that clearly relates to a certain individual.

For businesses, this means the need to distinguish between data used for public purposes and that which is directly related to the subject. Legal analysis becomes an integral part of the operator’s work.

Comprehensive approach to the protection of subjects’ rights

Personal data operators are increasingly facing claims of violation of the rights of citizens, including lack of consent procedures or unlawful dissemination of data. Courts emphasize that each situation requires an individual approach, focused on the maximum protection of the subject’s rights. In cases involving Roskomnadzor, operators are often required to improve the transparency of procedures and internal controls.

In order to successfully resolve such issues, it is important for companies to pay attention to a comprehensive approach. Creating internal regulations, conducting regular audits and developing a culture of data processing among employees will help avoid claims. Equally important is the introduction of automation tools to manage data life cycles – from receipt to deletion.

Conclusions

Judicial practice in the field of personal data processing confirms that the management of personal data requires a clear balance between the rights of subjects and the obligations of operators. Modern organizations need to:

  1. Maintain a centralized and up-to-date register of consents with their purposes recorded.
  2. Conduct regular audits of business processes related to data processing in order to eliminate violations in a timely manner.
  3. Develop internal regulations governing work with personal data and implement them in operations.
  4. Automate data management processes to avoid human error.
  5. Train personnel on the principles of working with personal data, taking into account current legal and technical aspects.

By adhering to these recommendations, companies can not only avoid legal risks, but also build trusting relationships with customers, which are becoming a key success factor in the digital environment.


[1] Resolution of the Arbitration Court of the Volgo-Vyatsky District of 23.08.2024 N F01-3819/2024 in case N A43-25737/2023

[2] Resolution of the Moscow District Arbitration Court of 14.12.2022 N F05-30463/2022 in case N A40-28155/2022

[3] Resolution of the Arbitration Court of the Central District of 02.02.2024 N F10-6795/2023 in case N A14-2054/2023

[4] Resolution of the Moscow District Arbitration Court of 30.03.2023 N F05-4354/2023 in case N A40-139096/2022

[5] Resolution of the Arbitration Court of the West Siberian District of 10.05.2023 N F04-1436/2023 in case N A27-13261/2022