Supporting Personal Information Requirements in Russia

To use Russian citizens’ personal information in Veeva CRM, organizations must first process the information on a Russian database, then copy or transfer it to the appropriate foreign database.

For more information on Russia’s specific requirements for personal information processing, see Federal Law of 27 July 2006 N 152-FZ on Personal Data.

Best Practices for Using Russian Personal Information in Veeva CRM

Consult legal counsel on applying Russian personal information protection requirements. This document is based on Veeva’s current understanding of applicable law and should be confirmed by your company’s legal counsel; it is not and should not be relied upon as legal advice.

To maintain compliance with Russian personal information protection requirements:

  1. Define which personal information from Russian citizens is captured, processed, or stored in Veeva CRM. Clearly indicate which information is considered personal information under Russian legislation and which data is not.

    See Personal Data and Data Privacy for a list of Veeva CRM fields that contain personal information.

  2. For all applicable information, analyze and update existing business processes to ensure they meet requirements for personal information protection:

    • If the information is processed in Russia and then copied to Veeva CRM, existing processes are most likely compliant with personal information protection requirements
    • If the information is processed in Veeva CRM, existing processes will likely need to be updated:
    • For account information, use an HCP data provider with data processing in Russia—for example, Veeva OpenData. Then, load the personal information processed in Russia to Veeva CRM.
    • For all other types of personal information used in Veeva CRM, create a similar procedure where information is first processed locally in Russia, then copied or loaded to Veeva CRM

    Any copies of personal information are likely compliant regardless of where they are stored, as long as the original data is processed in Russia according to Russian personal information requirements.

  3. If copying information to a database in an unsafe country as defined by Roskomnadzor, for example, Veeva and databases in the US, additional qualified consent is required from data subjects.