Personal data operators will face a number of new obligations and prohibitions, and the time limits for reporting information to the Federal Service for Supervision of Communications, Information Technology, and Mass Media (Roskomnadzor) and other government agencies will be shortened. The amendments have passed the final reading in the State Duma and come into force on September 01, 2022. The law was signed and published on the official legal information portal on July 14, 2022.

When to send notices to Roskomnadzor

It will also become necessary to notify Roskomnadzor of the intention to process personal data in cases where this data (paragraph 2, Subclause “a”, Clause 14, Article 1 of Draft Federal Law No. 101234-8):

  • relates to employees;
  • relates to counterparties of the operator and is used to perform contracts with them or to conclude new agreements with the same individuals (provided the data is not disseminated or transferred to third parties without consent);
  • is needed to issue a one-time pass for an individual to enter the operator’s premises, or for similar purposes.

The notice may be sent on paper by post or electronically; instructions for each option are available on the Roskomnadzor (RKN) website.

After processing the notice, Roskomnadzor will include the operator in its register. Whether a personal data operator is listed in the register can be checked on the Roskomnadzor website.

Currently, in these and some other cases, notification of Roskomnadzor is not required. In addition, before starting processing, the operator will have to inform the data subject of the personal data it has received from another source (Subclause “b”, Clause 9, Article 1 of the draft Federal Law).

Cross-border data transfer

From March 01, 2023, companies will also be required to notify the RKN if they transfer personal data from the Russian Federation abroad. When determining whether a transfer is cross-border, it is not the country of registration of the recipient that matters but the location of the infrastructure on which the data is processed. In some cases, regulatory authorities may restrict the transfer of personal data abroad. Russian personal data legislation is also given extraterritorial effect: the processing of Russian citizens’ personal data abroad will likewise be subject to regulation by the relevant state authorities of the Russian Federation.

Duty to report incidents

Operators will have to interact with the state system for detecting, preventing and eliminating the consequences of computer attacks on the information resources of the Russian Federation. In particular, an incident that resulted in a leak of personal data must be reported within 24 hours of the incident, indicating its presumed causes and the measures taken to remedy it (paragraph 2, Clause 11, Article 1 of the draft Federal Law). On August 11, 2022, at a meeting of the Public Council at Roskomnadzor, the agency justified this change as follows: “This is necessary in order to reduce the availability of such personal databases on the Internet as soon as possible. Also, the processing of personal data will become possible only for the purposes of the contract, in which there are no conditions restricting a person in his/her right to control his/her personal data – to receive information about the processing, to demand the deletion or destruction of data, to disagree with the transfer of data to third parties.”

Previously, such a duty applied only to companies operating critical information infrastructure. Since 2018, all of them have been required to connect to the state system for detecting, preventing and eliminating the consequences of computer attacks on information resources of the Russian Federation (GosSOPKA), created on the basis of Decree of the President of the Russian Federation No. 31c dated January 15, 2013. The information collected in the system is processed by the National Coordination Center for Computer Incidents (NCCCI), and all operators connected to GosSOPKA have access to up-to-date information about leaks, critical vulnerabilities and cyber attacks on critical infrastructure facilities. The new law is likely to extend similar practices to all personal data operators. Connection to GosSOPKA is carried out through companies that have established secure data exchange with the system and offer connection services to new participants (most often telecom operators or cybersecurity companies). From March 01, 2023, Roskomnadzor will keep records of incidents in a dedicated register.

What needs to be stipulated in the local regulatory document (LRD)

From September 01, 2022, the LRD must define the following for each purpose of processing personal data:

  • Categories and list of processed personal data;
  • Categories of personal data subjects;
  • Ways of personal data processing;
  • Terms of processing and storage of personal data;
  • Procedure for destroying personal data once the purposes of processing have been achieved or other grounds for destruction arise.

Obligations of persons who process personal data on behalf of the operator

If a personal data operator entrusts the processing of personal data to other individuals or legal entities, such persons shall take measures to ensure compliance with the requirements of Law 152-ФЗ. The operator shall have the right to request from such persons documents and other information confirming that they comply with Law 152-ФЗ. In the event of an incident that may lead to a violation of the rights of personal data subjects, persons processing personal data on behalf of the operator shall notify the operator of the incident, the measures taken to eliminate its consequences and the measures taken to prevent a recurrence.
In the new edition, persons processing personal data on behalf of the operator (including foreign individuals and legal entities) shall be liable to the personal data subjects jointly with the operator.

Other requirements

  • Operators will be prohibited from refusing services to individuals who decline to provide biometric data or to consent to the processing of personal data where the law does not require such consent (Clause 6, Article 1 of the draft).
  • At the request of the personal data subject, the operator shall stop processing personal data within 30 days after the request is received.
  • The processing of biometric personal data of minors is prohibited.

Changes in the time limits

The time limit for an operator to provide Roskomnadzor with the necessary data at Roskomnadzor’s request will be reduced from 30 days to 10 business days (Subclause “c”, Clause 12, Article 1 of the draft Federal Law). The period may be extended by a maximum of 5 additional days by sending a reasoned notice to Roskomnadzor.
The amendments will enter into force on September 01, 2022, except for certain provisions that will apply from March 01, 2023.

Control and liability of personal data operators for violations

Roskomnadzor supervises personal data operators through three types of control measures:

  • inspection visit;
  • documentary check;
  • on-site inspection.

An organization may be held administratively liable for failure to fulfill the obligations established by Federal Law No. 152-ФЗ dated July 27, 2006 “On Personal Data” and the regulatory legal acts adopted in accordance with it. For example, the maximum fines for an organization are:

  • for failure to comply, within the prescribed period, with a request of the personal data subject (or his/her representative) or Roskomnadzor to clarify personal data that are incomplete, outdated or inaccurate: RUB 90 thousand, and RUB 500 thousand for a repeated offense (Parts 5, 5.1, Article 13.11 of the Code of Administrative Offenses of the Russian Federation);
  • for failure, when collecting personal data (including via the Internet), to ensure that, among other things, the personal data of citizens of the Russian Federation is stored using databases located on the territory of the Russian Federation: RUB 6 million, and RUB 18 million for a repeated offense (Parts 8, 9, Article 13.11 of the Code of Administrative Offenses of the Russian Federation).

If the actions of an individual contain signs of a crime, he/she may be held criminally liable.

Konsu support

If necessary, our company’s specialists will help analyze the documents, prepare the LRD, fill out the required forms and notify Roskomnadzor of the operator’s intention to process personal data (Part 1, Article 22 of the Law on Personal Data). Learn more about our personal data protection services.