For operators of personal data, a number of new obligations and prohibitions are introduced, and the time limits within which information must be reported to the Federal Service for Supervision of Communications, Information Technology, and Mass Media (Roskomnadzor) and other government agencies are shortened. The amendments have passed the final reading in the State Duma and come into force on September 01, 2022. On July 14, 2022 the law was signed and published on the official legal information portal.

When to send notices to Roskomnadzor

In addition, it will be necessary to notify Roskomnadzor of the intention to process personal data in cases where the data (paragraph 2, Subclause “a”, Clause 14, Article 1 of Draft Federal Law No. 101234-8):

  • relates to employees;
  • belongs to the operator's counterparties and is used to perform contracts with, or enter into new agreements with, the same individuals (provided the data is not distributed or transferred to third parties without consent);
  • is needed for a one-time pass of a citizen into the operator's premises, or for similar purposes.

The notice may be sent on paper by post or electronically; instructions for each option are available on the Roskomnadzor (RKN) website.

After processing the notice, Roskomnadzor enters the operator in its register. Whether a personal data operator is listed in the register can be checked on the Roskomnadzor website.

Currently, in these and some other cases, notifying Roskomnadzor is not required. In addition, before starting the processing, the operator will have to inform the data subject of any personal data it obtained from a source other than the subject (Subclause “b”, Clause 9, Article 1 of the draft Federal Law).

Cross-border data transfer

Also, from March 01, 2023, companies will be required to notify Roskomnadzor (RKN) if they transfer personal data from the Russian Federation abroad. When determining whether a transfer is cross-border, what matters is not the country in which the recipient is registered but the location of the infrastructure on which the data is processed. In some cases, the regulator may restrict the transfer of personal data abroad. In addition, the principle of extraterritoriality is introduced into Russian personal data legislation: the processing of personal data of Russian citizens abroad will also fall under the supervision of the relevant Russian state authorities.

Duty to report incidents

Operators will have to interact with the state system for detecting, preventing and eliminating the consequences of computer attacks on the information resources of the Russian Federation. In particular, an incident that results in a leak of personal data will have to be reported within 24 hours, indicating its suspected causes and the measures taken to remediate it (paragraph 2, Clause 11, Article 1 of the draft Federal Law). On August 11, 2022, at a meeting of the Public Council at Roskomnadzor, Roskomnadzor justified the need for this change as follows: “This is necessary in order to reduce the availability of such personal data bases on the Internet as soon as possible. Also, the processing of personal data will become possible only for the purposes of the contract, in which there are no conditions restricting a person in his/her right to control his/her personal data – to receive information about the processing, to demand the deletion or destruction of data, to disagree with the transfer of data to third parties.”

Previously, this duty applied only to operators of critical information infrastructure. Since 2018, all of them have been required to connect to the state system for detecting, preventing and eliminating the consequences of computer attacks on the information resources of the Russian Federation (GosSOPKA), created on the basis of Decree of the President of the Russian Federation No. 31c dated January 15, 2013. The information collected in this system is processed by the National Coordination Center for Computer Incidents (NCCCI), and all operators connected to GosSOPKA have access to up-to-date information about leaks, critical vulnerabilities and cyber attacks on critical infrastructure facilities. The new law is likely to extend a similar practice to all personal data operators. Connection to GosSOPKA is carried out through companies that have established a secure data exchange with the system and offer onboarding services to new participants (most often telecom operators or cybersecurity companies). Starting from March 01, 2023, Roskomnadzor will keep records of incidents in a dedicated register.

What needs to be stipulated in the local regulatory document (LRD)

From September 01, the LRD will have to define the following for each purpose of processing personal data:

  • Categories and list of processed personal data;
  • Categories of personal data subjects;
  • Ways of personal data processing;
  • Terms of processing and storage of personal data;
  • Procedure for destroying personal data once the purposes of processing have been achieved or other grounds arise.

Obligations of persons who process personal data on behalf of the operator

If a personal data operator entrusts the processing of personal data to other individuals or legal entities, those persons must take measures to ensure compliance with the requirements of Law 152-ФЗ. The operator has the right to request from them documents and other information confirming that they comply with Law 152-ФЗ. In the event of an incident that may lead to a violation of the rights of personal data subjects, persons processing personal data on behalf of the operator must notify the operator of the incident and of the measures taken to eliminate its consequences and prevent recurrence.
In the new edition, persons processing personal data on behalf of the operator (including foreign individuals and legal entities) are liable to personal data subjects jointly with the operator.

Other requirements

  • Operators will be prohibited from refusing to provide services to individuals who decline to provide biometric data or to consent to the processing of personal data, where the law does not require such consent (Clause 6, Article 1 of the draft).
  • At the request of a personal data subject, the operator must stop processing the subject's personal data within 30 days of receiving the request.
  • The processing of biometric personal data of minors is prohibited.

Changes in the time limits

The time allowed for an operator to provide Roskomnadzor with requested information is reduced from 30 days to 10 business days (Subclause “c”, Clause 12, Article 1 of the draft Federal Law). The period may be extended by at most 5 additional days by sending Roskomnadzor a reasoned notice.
The amendments enter into force on September 01, 2022, except for certain provisions that apply from March 01, 2023.

Control and liability of personal data operators for violations

Roskomnadzor supervises personal data operators through three types of control measures:

  • inspection visit;
  • documentary check;
  • on-site inspection.

An organization may be held administratively liable for failing to fulfil the obligations established by Federal Law No. 152-ФЗ dated July 27, 2006 “On Personal Data” and the regulatory legal acts adopted under it. For example, the maximum fines for an organization are:

  • for failing to comply, within the prescribed period, with a request of a personal data subject (or his/her representative) or of Roskomnadzor to clarify personal data that are incomplete, outdated or inaccurate: RUB 90,000, and RUB 500,000 for a repeated offense (Parts 5 and 5.1, Article 13.11 of the Code of Administrative Offenses of the Russian Federation);
  • for failing, when collecting personal data (including over the Internet), to ensure that the personal data of citizens of the Russian Federation are stored in databases located on the territory of the Russian Federation: RUB 6 million, and RUB 18 million for a repeated offense (Parts 8 and 9, Article 13.11 of the Code of Administrative Offenses of the Russian Federation).

If the actions of an individual show signs of a crime, he/she may also be held criminally liable.

Obligation to delete personal data

From March 01, 2023, the Requirements for Confirming the Destruction of Personal Data (hereinafter the Requirements), approved by Roskomnadzor Order No. 179 dated October 28, 2022, come into force.

Under the new rules, destruction of personal data is confirmed by a Certificate on the Destruction of Personal Data, which must contain:

  • name of the operator;
  • full name of the subject of personal data;
  • full names and positions of the persons who destroyed the personal data, and their signatures;
  • list of categories of destroyed personal data;
  • name of the destroyed physical medium containing the personal data and the name of the personal data information system from which the personal data were deleted;
  • method of destruction of personal data;
  • reason for destruction of personal data;
  • date of destruction of personal data.

Where personal data are processed by automated means, an export from the event log of the personal data information system is required in addition to the Certificate. The export contains less information than the Certificate, namely:

  • full name of the subject of personal data;
  • the list of categories of destroyed personal data;
  • the name of the information system;
  • the reason and date of destruction of personal data.

These documents may be issued both on paper and in electronic form.

The Requirements also set the retention period for the Certificate on the Destruction of Personal Data and the log export: 3 years from the date of destruction of the personal data.

Procedure

Starting from March 2023, a commission must be formed to carry out the destruction of personal data (PD). Confirming the destruction requires two documents: an act (Certificate) on the destruction of PD and an export from the event log of the PD information system.

If the company processes data without an information system, only the act is required. Both documents must be retained for three years. An electronic act bearing a digital signature is equivalent to a paper one (Order of Roskomnadzor No. 179 of October 28, 2022).

Personal data must be destroyed once the storage period has expired or, where the law sets no storage period, once the purpose of processing has been achieved. For example, there is no reason to keep a copy of a child’s birth certificate in the personnel file after the employee has been granted child care benefits.

To destroy PD, follow these steps:

  • Step 1. Establish the procedure for destroying personal data. Develop a local act on the destruction of personal data (it may also form part of the Personal Data Policy) that specifies the cases in which the company destroys personal data and the methods used.
  • Step 2. Create a commission for destroying PD. Its composition and powers are approved by an order; the commission consists of a chairman and at least two other employees, including the employee responsible for the records being destroyed. Media containing PD are destroyed in a specially designated room of the company.
  • Step 3. Record the destruction of PD. Record in an act that the documents containing employees' PD have been destroyed. From March 1, 2023, the requirements for this act are established by Order of Roskomnadzor No. 179 of October 28, 2022.

Konsu support

If necessary, our specialists will help analyze the documents, prepare the LRD, fill out the required forms and notify Roskomnadzor of the operator’s intention to process personal data (Part 1, Article 22 of the Law on Personal Data). Learn more about our personal data protection services.