Until March 1, 2023, employers are required to submit special notifications to Roskomnadzor (hereinafter referred to as RKN) regarding the processing of personal data.
Starting from March 1, 2023, RKN will strengthen inspections on personal data and increase requirements related to them. In particular, they will initiate “remote” inspections of personal data operators.
Personal data (hereinafter referred to as PD) includes any information directly or indirectly related to an individual, whether identified or identifiable.
Processing of personal data refers to actions or a combination of actions performed with personal data of individuals, such as employees, clients, contractors, website users, etc.
1. Notification of Changes in Personal Data: New Deadline
Starting from March 1, there will be more time to inform RKN about changes in personal data. If the information provided in the notification has changed, it must be reported to RKN no later than the 15th day of the month following the month in which the changes occurred. Prior to March 1, such notification was required to be sent within 10 business days from the moment the changes took place.
2. Destruction of Personal Data: New Rules
From March 1, the fact of personal data destruction must be documented by an act in a new form. Previously, it was possible to document the act of destruction in a free form, but now it is necessary to include 10 mandatory types of data in it (Order of Roskomnadzor dated October 28, 2022, No. 179).
Starting from March 1, 2023, the employer will be required to document the fact of personal data destruction using two documents:
- An act of personal data destruction.
- An export from the event log of the personal data information system.
In the case where data is processed manually, an act will be sufficient for confirmation.
The minimum period for which acts of personal data destruction and exports from event logs must be kept is 3 years.
Please note: If RKN or the data subject demands data destruction and the operator fails to comply with the requirement, and if the personal data is incomplete, outdated, inaccurate, unlawfully obtained, or unnecessary for the declared processing purposes, the company may face administrative liability under Part 5 of Article 13.11 of the Code of Administrative Offenses of the Russian Federation. The fine for such a violation can be up to 90,000 rubles.
3. Assessment of Harm Level: New Procedure
Starting from March 1, 2023, it will be required to assess the level of harm that may arise if the personal data law is violated. RKN has approved specific rules according to which employers must assess the harm that may occur if the rules for processing personal data are violated.
These rules will be in effect until March 1, 2029 (approved by the Order of the Federal Service for Supervision of Communications, Information Technology, and Mass Media dated October 28, 2022, No. 179).
There are three levels of harm:
- High
- Medium
- Low
The results of the assessment must be documented in a harm assessment report.
If the harm assessment reveals that different levels of harm may be inflicted on the data subjects, the higher level of harm should be applied.
Specific measures of liability for failure to conduct a harm assessment are not established by legislation. However, if a violation is identified during an RKN inspection, it will be necessary to rectify it. Roskomnadzor has the authority to issue a corresponding order to the company.
4. Transfer of Personal Data Abroad
Starting from March 1, 2023, companies will be required to notify RKN (Federal Service for Supervision of Communications, Information Technology, and Mass Media) about foreign recipients who have access to the personal data of Russian citizens (Article 12 of Law No. 152-FZ). RKN, in turn, will make a decision on whether the data can or cannot be transferred to these counterparts. The company will be informed of the decision within 10 business days.
Permission will not be granted if the foreign counterpart operates in a country that, in the view of RKN, does not provide adequate data protection. However, if the provider is located in a country that has ratified the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, it is more likely that permission will be granted. Countries that have ratified the Convention include Armenia, Azerbaijan, Serbia, and Turkey, for example.
The notification of the intention to carry out cross-border data transfers can be submitted in paper or electronic format. It should be filed as a separate document, rather than included in the general notification of the intention to process personal data.
5. RKN Tightens Inspections
In 2023, RKN (Federal Service for Supervision of Communications, Information Technology, and Mass Media) will increase the frequency of holding companies accountable for violations related to personal data.
For this purpose, it will not always be necessary to conduct on-site inspections (letter from Roskomnadzor dated January 31, 2023, No. 09-6488). The focus is on violations outlined in parts 1-2.1 and 4 of Article 13.11 of the Code of Administrative Offenses of the Russian Federation. For example, processing data without written consent and processing that is incompatible with the purposes of data collection are considered significant violations.
RKN clarifies in its explanations that for such violations, controllers can act “contactlessly” (without direct interaction with the violator). For instance, if the violation is discovered by an employee of Roskomnadzor themselves and they have the authority to draw up a protocol, or if there are instructions from the prosecutor’s office.
There will be an increase in unscheduled inspections. The government has expanded the grounds for conducting unscheduled inspections related to personal data (resolution dated February 4, 2023, No. 161). For example, based on a decision by the head or deputy head of Roskomnadzor, a company, including accredited IT organizations, may be subject to an unscheduled inspection if the dissemination of databases containing personal data on the internet is identified.
Complaints and reports in the media, such as data breaches, can serve as a reason for initiating a case (points 1-3, part 1, Article 28.1 of the Code of Administrative Offenses).
Our services
Our specialists will assist in developing and conducting an analysis of existing documents related to personal data, identifying inaccuracies, missing information, and supplementing documents or creating a document package in accordance with the new requirements and forms of 2023. Additionally, they can determine the level of harm considering the processed categories of personal data, their storage on servers, and methods of protection. Learn more about our services for personal data protection.
Author
Anna Reznikova
- Head of legal practice in Labor & Migration
Send message
Please describe your situation and we will find an optimal solution for your business.
info@konsugroup.com