- August 31, 2022
From September 1, 2022, amendments to the current legislation in the field of personal data protection will come into force: the circle of persons who need to transmit information to the Federal Service for Supervision of Communications, Information Technology and Mass Communications (Roskomnadzor) about their intention to process personal data is expanded, a number of previously established deadlines and the procedure for working with biometric data are changed, etc. These changes will affect even those companies that have only one employee.
We remind you that according to Russian legislation, the Operator of personal data is a person (state body, municipal body, legal entity or individual) independently or jointly with other persons organizing and/or processing personal data, as well as determining the purposes of processing personal data, the composition of personal data to be processed, and actions (operations) performed with personal data.
Inclusion in the Register of Personal Data Operators
In accordance with the changes, a number of exceptions that allowed Operators not to notify Roskomnadzor about the processing of personal data have been removed. According to the amendments, from September 1, 2022, most companies, entrepreneurs, and in some cases even individuals need to be included in the register of personal data operators (including when processing personal data of full-time employees of the organization).
Operators, as before, have the right to process personal data without notifying Roskomnadzor when processing is carried out without the use of automation tools (without the use of technical means / on paper).
To be included in the register of personal data operators, it is necessary to send a corresponding notification to Roskomnadzor. The notification can be sent in the form of a paper document or in the form of an electronic document signed by an authorized person.
If there are any changes in the data that was added to the registry earlier, the operator can make changes by sending a letter of information to Roskomnadzor. The methods for sending such a letter are the same as for notification of the intention to start processing personal data. The time limit for this is 10 working days from the date of the change.
Please note that from September 1, 2022, Roskomnadzor will publish a new notification form. Its electronic form and the procedure for filling it out will be posted on the Roskomnadzor Personal Data Portal.
Organizations that were operating before the amendments came into force and that have not previously sent Roskomnadzor information about their processing of personal data are advised to apply for inclusion in the register of operators as soon as possible using the above form.
The Provision of Biometric Personal Data and Consent to the Processing of Personal Data Is Mandatory Only in Exceptional Cases
According to the amendments, from September 1, 2022, the Operator does not have the right to refuse service to the client if the latter refuses to provide their biometric personal data and/or consent to the processing of personal data, unless such an obligation is established by law.
Operators Must Report Incidents That Have Resulted in the Leakage of Personal Data
In the event of illegal or accidental transfer of personal data, the Operator is obliged to inform Roskomnadzor of the relevant information within the following periods:
— within 24 hours: about the incident, its causes, the alleged harm, measures to eliminate the consequences, information about the person authorized by the Operator to interact with Roskomnadzor;
— within 72 hours: on the results of the internal investigation of the identified incident, information about the persons whose actions caused the incident.
The Deadlines Previously Established by Law for the Operator to Perform Actions Related to the Processing of Personal Data Have Changed
For example, the period during which the Operator is obliged to respond to the request of the subject of personal data and Roskomnadzor has been reduced from 30 to 10 working days.
In addition, the deadline for termination of personal data processing by the Operator is 10 working days from the date of receipt of the relevant request.
The Requirements of the Legislation on the Protection of Personal Data Now Apply to Foreign Entities
The provisions of the Federal Law “On Personal Data” began to apply to foreign entities that process personal data of citizens of the Russian Federation, on the basis of a contract, other agreements, or with their consent.
In addition, foreign entities that process personal data on behalf of the Operator are now also liable in the event of violation of the established procedure in the field of personal data protection.
The requirements for the procedure for cross-border transfer of personal data are tightened and expanded:
Please note! Operators who transferred personal data across borders before September 1, 2022 and continue to transfer personal data after September 1, 2022, must send Roskomnadzor a notification about the transfer of personal data across borders by March 1, 2023. The form of such notice will be published on September 1, 2022, on Roskomnadzor's website.
As of March 1, 2023, the operator must notify Roskomnadzor prior to engaging in cross-border transfer of personal data. The relevant notice shall be sent separately from the notice of intent to process personal data in hard copy or in the form of an electronic document.
Before filing the notice, the operator must obtain information from the entities to which the cross-border transfer of personal data is planned, on the legal regulation of personal data in the respective country (a specific list of required information is provided in Paragraph 5, Article 12 of the Federal Law “On Personal Data”). The information obtained may be requested by Roskomnadzor in the course of verification of the notice sent by the operator.
Recall that for violation of the legislation on personal data, individuals/entities are liable in accordance with Article 13.11 of the Code of Administrative Offences of the Russian Federation.
The amount of fines varies within the following limits:
— for individuals: a warning or a fine from 100 rubles to 300 rubles;
— for officers: a fine from 300 rubles to 500 rubles;
— for legal entities: a fine from 3,000 rubles to 5,000 rubles.
For other violations of the legislation on personal data, persons shall be liable in accordance with Article 13.11 of the Administrative Code of the Russian Federation.
Awara experts can help you to prepare the necessary documents in connection with the changes in legislation on personal data, as well as to update existing documents.