Data Protection and Digital Regulation

Product

BGP Litigation's Data Protection and Digital Regulation Practice focuses on providing comprehensive business support in a rapidly changing digital legal environment. Our team has a deep understanding of process flows and business models in the digital economy and is thus able to provide clients with legal support at all stages of digital transformation, from personal data processing system implementation and key information protection to liaising with regulators, assisting clients in connection with Roskomnadzor's audits and checks, and integrated participation in implementation of nationwide projects and strategies.

We advise both Russian and multinational companies across a variety of industries, including the tech sector, e-commerce, FinTech, media and telecommunications, pharmaceuticals and healthcare, retail, beauty brands, the banking sector, and other industries where personal data processing is a critical element of the business process.
Services
Compliance with Personal Data Protection Regulations
Our lawyers conduct audits of personal data processing operations, taking account of the specific aspects of a client's business. Such audits involve identifying Federal Law No. 152 non-compliance risks, analysing data processing flows, assessing localisation risks and preparing risk matrix charts, process flow registers, and compliance action plans.

Our services include:

  • Conducting a comprehensive legal audit of personal data processing and information protection operations
  • Developing internal corporate regulations, privacy policies, and personal data processing policies and procedures
  • Drafting personal data processing consent forms and personal data processing notices
  • Drafting statutory executive documents that are normally requested during regulatory authority audits
  • Preparing and filing notices with Roskomnadzor prior to processing, and cross-border transfer of, personal data
  • Exercising the functions of, and providing assistance to, the DPO, or Data Protection Officer, or any other officer responsible for personal data processing
  • Drafting confidentiality and non-disclosure agreements
  • Advice in connection with technical implementation of information security measures
  • Implementation and maintenance of a whistle-blowing system and procuring its compliance with the applicable confidential information and personal data processing requirements
Personal Data Localisation and Cross Border Personal Data Transfer

Russian law imposes specific requirements for localisation of Russian citizens' personal data and cross-border transfer of personal data. We assist clients in structuring data flows within international company groups and drafting relevant contractual documents.

Our services include:

  • Advice on personal data localisation in the Russian Federation
  • Structuring data flows and transferring personal data to third parties
  • Drafting agreements for processing and cross-border transfer of personal data
  • Advice on compliance with the GDPR and other international data protection standards
  • Drafting Binding Corporate Rules (BCR) and other mechanisms to legitimise cross-border data flows

Training and Implementing Data Protection Culture
Human error continues to be a key cause of data breaches and compliance violations. We assist companies in building a corporate data protection culture.

Our services include:

  • Developing employee training programmes on fundamental personal data protection principles
  • Conducting trainings and webinars for various employee categories
  • Drafting internal memoranda and personal data processing manuals
  • Advice in relation to appointment of a DPO, or Data Protection Officer
  • Implementation of an internal control system procuring compliance with the provisions of Federal Law No. 152
  • Developing KPIs to evaluate efficiency of the data protection system
Cybersecurity and Infrastructure Resilience Regulation
Data leaks and cyber attacks involve serious reputational and financial risks. We assist clients in developing and implementing an information security system that efficiently responds to incidents and promptly mitigates any associated risks.

Our services include:

  • Developing and implementing an information security system and using all available legal, organisational and technical protection tools
  • Analysis of the applicable information security requirements in connection with the counter-terrorism regulations ("Yarovaya Law") and performance of statutory functions by internet and/or communications service providers
  • Drafting and implementing procedures for addressing, and responding to, information security incidents and data leaks
  • Legal support in connection with security incident investigations
  • Cyber liability insurance
  • Advice on various matters relating to protection of critical information infrastructure
Regulatory Advice to Online Service Providers and Assistance in connection with Regulatory Audits and Checks

Roskomnadzor continuously intensifies its audits and checks, increasing administrative pressure on personal data operators. We have extensive experience in liaising with the regulators and safeguarding our clients' interests.

Our services include:

  • Assisting clients in connection with audits and checks performed by Roskomnadzor and other government authorities
  • Representing clients at Roskomnadzor, Russia's Federal Security Service ("FSB") and other regulatory authorities
  • Drafting objections to regulatory audit reports and administrative offence reports
  • Defending clients in administrative cases over personal data protection infringement
  • Challenging decrees, acts and decisions of government authorities
  • Unblocking access to websites blocked by Roskomnadzor
  • Advice on grounds for unscheduled regulatory audits and dawn raids

Online Platform and Content Regulation
Online information dissemination involves numerous legal risks. We help clients develop a sustainable legal strategy to deal with online content and to protect the online services they operate, and their users, from accessing and disseminating prohibited content.

Our services include:

  • Content development, dissemination, and moderation in an online media environment
  • Advice on mandatory content labelling and age verification of users
  • Advice on regulation of video hosting services, social media, and instant messaging platforms
  • Advice on application of the "News Aggregator Law"
  • Advice on legal aspects of user-generated content (UGC) moderation
  • Cascading liability for disseminating false or misleading information
  • Advice on regulation of the online gaming industry and digital gaming assets

We advised:

A Former Moscow Office of an International Law Firm

in relation to drafting a complete set of personal data documents, including all standard personal data processing consent forms and employee obligations in view of the specific nature of the company's business, and its registration in Roskomnadzor's register of personal data operators

A Major Recruitment Agency

in connection with a comprehensive review of the complete set of personal data processing policies and procedures and preparation of process flow registers, including drafting local internal regulations and the agency's registration in Roskomnadzor's register of personal data operators

A Major International Company

in relation to drafting documents governing employees' personal data processing and allocation of personal data responsibilities among the company's chief executive officer and division heads

The Owner of Shopping Malls in Moscow, Saint Petersburg and Kazan

on development of a concept of alternative legal grounds for clients' and employees' personal data processing, including development of a new approach to collecting employees' personal data processing consents

A Major Pharmaceutical Company

within the scope of a comprehensive audit of the personal data processing policies and on restructuring data processing procedures to procure compliance with the applicable personal data laws and drafting a complete set of the required local internal documents and policies

A Global Leader in Wood Products Manufacturing

within the scope of a comprehensive audit of the personal data processing policies and on development and implementation of the personal data compliance system, followed by notification of Roskomnadzor of upcoming processing, and cross-border transfer of, personal data

The Largest Global Perfume and Cosmetics Manufacturer

on a subscription basis, on various personal data processing and protection matters, including personal data processing on the client's numerous online platforms, localisation and cross-border transfer of personal data, and technical personal data protection measures

Team

Arseniy Topadze
Counsel, attorney – Data Protection and Digital Regulation
Alexandra Kurdyumova
Partner, Head of Legal Practice MENA Desk, FinTech, Intellectual Property and Technology
Anastasia Dudko
Partner, attorney – Intellectual Property and Technology
Anna Ivanova
Partner, attorney – Labour law
Sophia Luneva
Senior associate, attorney – Labour law