Personal data legislation: recent major changes

On July 14, 2022, Federal Law No. 266 "On Amendments to the Federal Law "On Personal Data", Certain Legislative Acts of the Russian Federation and on Recognizing Part 14 of Article 30 of the Federal Law "On Banks and Banking Activity" as No Longer in Force" was adopted. The changes are aimed at strengthening the requirements for operators in the processing of personal data and in their interaction with Roskomnadzor. They cover a wide range of issues and affect most operators.

In addition, as a result of the adopted changes, the provisions of Russian legislation on personal data apply to the processing of personal data of Russian citizens carried out by foreign legal entities or foreign individuals on the basis of:

  • an agreement to which Russian citizens are parties;
  • other agreements between foreign legal entities, foreign individuals and citizens of Russia;
  • the consent of a Russian citizen to the processing of their personal data.

Most of the changes have been in force since September 1, 2022, but some of them will come into effect on March 1, 2023. You can learn more in our review below.

Changes effective from September 1, 2022

  Amendment / new provision | Company's actions to be taken

Part 2 of Article 22 of the Federal Law "On Personal Data"


Several previously existing exceptions to the rule on the mandatory notification of Roskomnadzor about the processing of personal data have been removed.

Now the company must inform Roskomnadzor of the processing of personal data of its employees, customers (even when the data is needed solely for the conclusion and execution of contracts) and other personal data owners, which means that almost all private businesses are obligated to notify Roskomnadzor.

It should be noted that even before the changes to the law, exceptions to the obligation to submit notifications were invalidated by the practice of Roskomnadzor. Thus, for many companies, the notification obligation existed before the changes of September 1, 2022.

From now on, the operator must structure the information in the notification by the purposes of personal data processing, i.e. the purpose of processing must be indicated first, and then, for each purpose, the categories of personal data, the categories of personal data owners, the legal basis for processing, the list of actions with personal data and the methods of their processing must be listed.

To send a notification of the processing of personal data to Roskomnadzor.

At the same time, the deadline for notification is not defined by law - Roskomnadzor clarified that September 1, 2022, is not the deadline for filing a notification.

The new notification form (considering the new requirement to provide data on the purposes of processing) will be approved by Roskomnadzor later. Now the operator has the right to fill out the existing form on Roskomnadzor’s website, which does not take into account this requirement.

Clause 2 of Part 1 of Article 18.1. of the Federal Law "On Personal Data"

The requirements for the content of the document defining the operator's policy on personal data processing were made more specific. Now, for each purpose of processing, it is necessary to separately indicate the categories and list of processed personal data, the categories of data subjects, the methods and terms of processing and storage, and the procedure for destroying personal data.

It is necessary to bring the personal data processing policy to substantive and formal compliance with the requirements of the new regulation.

Part 2 of Article 18.1. of the Federal Law "On Personal Data"

The document defining the operator's policy regarding personal data processing must be placed on each page of the website on which personal data is being collected.


It is necessary to update the relevant pages of the website if personal data collection is carried out through the website.


Clause 5 of Part 1 of Article 6 of the Federal Law "On Personal Data"

An agreement concluded with a personal data owner cannot contain the following provisions:

  1. provisions establishing cases of processing of personal data of minors (except for cases established by the legislation of the Russian Federation);
  2. provisions restricting the rights and freedoms of personal data owners;
  3. provisions making inaction of the personal data owner a condition for concluding a contract.

It is necessary to review the processes and documents of the company to identify processes and documents that require changes in connection with these prohibitions.


Part 1 of Article 9 of the Federal Law "On Personal Data"


The law was amended with additional requirements for consents to personal data processing, which were, to some degree, relevant in practice even before changes were made:

  1. consent must be substantive;
  2. consent must be unambiguous.

Before the changes in the law, only the requirements that consent be specific, informed and conscious were formalized.

To check the template consent to personal data processing for compliance with the new requirements of the law.

Article 20 of the Federal Law "On Personal Data"

The response time to requests from personal data owners or from Roskomnadzor has been reduced from 30 calendar days to 10 business days with the possibility of extending it to 15 business days.

This period must be kept in mind in case of receiving requests from personal data owners or from Roskomnadzor. It is also necessary to update these terms in the company's local acts on the processing of personal data.

Parts 3 and 6 of Article 6 of the Federal Law "On Personal Data"

In the text of the instruction to the person processing personal data on behalf of the operator (hereinafter referred to as the "Processor"), it is necessary to indicate an additional obligation of the Processor: compliance with the requirement to localize databases in Russia.

If the Processor is a foreign company, then the Operator and the Processor are equally liable.

The requirement applies to documents concluded with Processors. It is necessary to review the wording and content thereof for compliance with the requirements of the new regulation.

Part 12 of Article 19 of the Federal Law "On Personal Data"

Operators will have to build interaction with the State System for Detecting, Preventing and Eliminating the Consequences of Computer Attacks on Information Resources of the Russian Federation, including informing it about computer incidents that resulted in the illegal transfer (provision, distribution, access) of personal data.

It is necessary to wait for the issuance of a by-law that specifies the rules for the interaction of personal data operators with this state system.

Article 21 of the Federal Law "On Personal Data"

New obligations of the operator in case of leakage of personal data have been introduced.

In the event of a data leak, the operator is obliged:

  1. within 24 hours, to notify Roskomnadzor, reporting the presumed causes of the leak and the presumed harm;
  2. within 72 hours, to investigate the incident and report its results.

We deem it expedient to develop internal rules for incident investigation and notification.

The form of the new leak notification has already been approved by Roskomnadzor.

Changes effective from March 1, 2023

Clause 5 of Part 1 of Article 18.1. of the Federal Law "On Personal Data"

A new procedure will apply for conducting a "harm assessment" of the harm that may be caused to personal data owners in case of violation of the requirements for processing and ensuring the security of personal data.

It is necessary to wait for the issuance of a by-law that specifies the new "harm assessment" procedure.

Article 12 of the Federal Law "On Personal Data"

The following modes of cross-border transfer of personal data will be introduced:

  1. notification mode (when transferring personal data to states that provide adequate protection of the rights of data owners, for example EU countries);
  2. permissive mode (when transferring personal data to states that do not provide adequate protection of the rights of data owners, for example the United States).

In the case of a cross-border transfer of personal data, a notification must be sent to Roskomnadzor before March 1, 2023. Such notice shall be sent separately from the notice of intent to process personal data.

The company shall obtain in advance, from the person to whom the data is transferred, information about the measures taken to protect personal data and the conditions for terminating its processing.

If the operator plans to transfer personal data to the territory of a foreign state that does not provide adequate protection of the rights of data owners, such a transfer is not permitted until Roskomnadzor's permission is received following consideration of the notification.

The cross-border transfer notification form has already been approved.

Part 7 of Article 22 of the Federal Law "On Personal Data"

The deadlines have been changed for notifying Roskomnadzor in the event of a change in the submitted information, and a deadline has been introduced for notification if the company stops processing personal data.

In our opinion, this change in itself does not require amendments to the company's acts or the mandatory issuance of new ones; however, this requirement must be borne in mind.

At the moment, there is no practice on the amendments made to the law.

Additionally, we draw your attention to the amendments to the Law of the Russian Federation "On the Protection of Consumer Rights" (Part 4 of Article 16) regarding the refusal to conclude an agreement with a consumer in connection with the consumer's refusal to provide consent to personal data processing. Starting from September 1, 2022, a provision came into force according to which, in the event of a consumer's refusal to provide their personal data, the company has the right to refuse to conclude an agreement with the consumer only if the data is necessary for its execution, or if this is required by law. It is necessary to explain this to the consumer at her/his request immediately (if the request was received orally) or within 7 calendar days (if the request was received in writing).

We also draw your attention to the fact that, in accordance with Decree of the Government of the Russian Federation No. 336 dated March 10, 2022, a moratorium has been imposed on scheduled inspections by Roskomnadzor until the end of 2022. Unscheduled inspections are still possible in strictly defined cases, for example, in case of an immediate threat of harm to life and serious harm to the health of citizens; in case of a direct threat to the defense of the country and the security of the state, etc., as well as by request of the President of the Russian Federation, the Chairman of the Government, the prosecutor, etc.

Marillion experts are ready to help in assessing the company's compliance with the requirements of personal data legislation, in providing recommendations on building the company's processes with personal data and preparing the necessary documents and notifications, as well as in preparing and finalizing existing documents.