New rules for personal data processing
On March 1, 2021, Federal Law No. 519-FZ of 30.12.2020 “On Amendments to the Federal Law “On Personal Data”*” (hereinafter – the “Law”) came into force.
The term “publicly available personal data” has been replaced by “personal data allowed by the data subject to be disseminated”. This is the information to which an unlimited number of persons get access. As a rule, it is published on social networking sites or various data banks. Now, in order to process such information and provide it to a wide range of people, it is necessary to obtain the data subject’s consent. It is drawn up in a separate document, and the requirements for its content will be established by Roskomnadzor which is also developing an information system for obtaining consent in electronic form. The system will start operating from July 1, 2021. The rules for its operation will be established in the Roskomnadzor’s order which is now undergoing public discussions.
Within 3 working days from the receipt of the corresponding consent, the operator must publish information about the processing conditions and prohibitions that third parties must consider when processing data.
The new rules will affect owners of websites, social networks and other Internet resources, as well as those who use information from these sources. The purpose of the changes is to exclude the uncontrolled use of personal data by users of Internet resources, to ensure that the citizens’ rights to privacy are respected.
In addition, on March 27, 2021, Federal Law No. 19-FZ of February 24, 2021 “On Amendments to the Code of Administrative Offenses of the Russian Federation” comes into force, which will toughen liability for violations in the field of personal data and increase the statute of limitations to bring to responsibility to 1 year (currently – 3 months).
Thus, the fines for personal data processing without the consent of their subject, non-acceptance of the policy on the processing and protection of personal data, restriction of access to such a policy, failure to comply with the requirements of the data subject to clarify or destroy them have been doubled. The document also introduces a number of new articles and sanctions.
Operators of personal data are advised to conduct an internal audit for compliance with legal requirements in order to timely eliminate shortcomings and violations.
* Federal Law No. 152-FZ as of July 27, 2006 “On Personal Data”