Important updates to the Russian law on personal data protection

25.08.2022

In less than a month, amendments to Law No. 152-FZ “On Personal Data” that will affect almost every company will come into force. These amendments were made by Federal Law No. 266-FZ of 14.07.2022; thus, the legislator left personal data operators a little more than a month to get to grips with the changes.

Below we provide an overview of major changes to which special attention should be paid. They will come into force on 1 September 2022.

  • The number of cases where the operator must notify Roskomnadzor about personal data processing has increased. For example, notification is now required when personal data are processed within the framework of labour relations or used to issue a single pass to the territory, as well as in a number of other cases.

  • The requirements that the operator must include in the contract when entrusting the processing of personal data to another person have been supplemented. Such processing instructions can be issued when concluding agreements on a corporate VHI program, registering a salary project in a bank, organizing training for employees, and providing corporate mobile communications.

  • Consent from the subject of personal data must be specific and unambiguous; thus, most companies will need to revise and amend the standard consent form.

  • The response time to the request of the subject of personal data has been reduced: the operator must respond within 10 business days. The subject of personal data has the right to request information on the fulfilment by the operator of the obligations provided for by Law No. 152-FZ.

  • The list of documents to be developed and accepted by the operator has been supplemented. In addition to the policy regarding the processing of personal data, local acts are required that define for each purpose of processing personal data the categories and list of processed personal data, the categories of subjects whose personal data are processed, the methods and terms of their processing and storage, as well as the procedure for destroying personal data.

  • The operator's policy regarding the processing of personal data should be posted, among other things, on the website pages where personal data is collected. This is relevant for companies that accept applications, appeals or resumes of candidates on their websites, as well as where cookies are used.

  • It is required to notify Roskomnadzor of incidents that resulted in the unlawful transfer (provision, distribution, access) of personal data within 24 hours from the moment the incident was discovered, and of the results of an internal investigation within 72 hours, and additionally to interact with the Federal Security Service through the new information system GosSOPKA (State system for detection, prevention and elimination of consequences of computer attacks).

  • The provisions of Law No. 152-FZ now apply to foreign legal entities and individuals if they process personal data of citizens of the Russian Federation on the basis of a contract or other agreement to which citizens of the Russian Federation are parties, or on the basis of the consent of a citizen of the Russian Federation to process their personal data. This is relevant for companies that maintain common databases on the side of foreign companies.

Also, from 01.03.2023, changes related to the cross-border transfer of personal data will come into force, according to which operators are required to notify Roskomnadzor of their intention to carry out cross-border transfer of personal data and obtain permission if the recipient country does not belong to the list of countries that provide adequate protection of the rights of subjects of personal data. For example, at the time of publication, the list of countries providing such protection does not include the USA, China, or the countries of the Middle East.

In case of violation of the requirements of Law No. 152-FZ, significant fines of up to RUB 6 million may be imposed on a company. Despite the fact that Roskomnadzor will not conduct scheduled inspections until the end of 2022, we recommend using this time to develop the missing internal documents governing the processing of personal data and to establish interaction processes.