
Amendment of Law on Personal Data

August 29, 2022

The Federal Law No. 266 amending the regulations on the processing of personal data (“the Law on PD”) comes into force on September 1, 2022 (except for certain provisions).

Main changes:

1. The principle of extraterritoriality of the Law on PD

The Federal Law No. 152-FZ "On Personal Data" (“the Law No. 152-FZ”) applies in cases where the PD of Russian citizens is processed by foreign entities or individuals:

  • on the basis of an agreement to which Russian citizens are parties, other agreements between foreign entities, foreign individuals and Russian citizens; or

  • on the basis of a consent of the Russian citizen to the processing of PD.

Thus, foreigners are required to comply with the provisions of the Law No. 152-FZ when processing the PD of Russian citizens (“the PD subjects”). Previously, the application of the Law No. 152-FZ to foreigners that did not have branches or representative offices in the territory of Russia was limited and based on the criteria of the activity.

2. New rules for cross-border transfer of PD

Until March 1, 2023, the PD transfer procedure will remain the same. The transfer of PD to countries that do not provide adequate protection of PD subjects’ rights is possible in five cases specified in the Law No. 152-FZ. However, no special grounds for transfer of PD are required for the transfer of PD to countries that provide adequate protection of PD subjects’ rights:

  • Notification regime. This regime applies to the transfer of PD to countries that provide adequate protection of PD subjects’ rights. The notice must contain information on the protection measures taken by the recipient, the conditions for terminating the processing of PD, as well as the information on the recipient to whom the transfer of PD is planned. After sending a notice to Roskomnadzor (“the RKN”), the operator has the right to carry out the cross-border transfer of PD to the countries indicated in the notice until RKN makes a decision to prohibit or restrict the cross-border transfer of PD. If such a decision is made, the operator is obliged to destroy PD or ensure its destruction.

  • Permissive regime. This regime applies to the transfer of PD to countries that do not provide adequate protection of PD subjects’ rights. The notice must contain information on the protection measures taken by the recipient, the conditions for terminating the processing of PD, the information on the recipient to whom the transfer is planned and the information on regulations of PD in the recipient country. After sending a notice to RKN, the operator does not have the right to carry out the cross-border transfer of PD to the countries indicated in the notice until the decision of RKN. There are exceptions for cases where the transfer of PD is necessary to protect the life, health, other vital interests of PD subjects or others. In case of the receipt of the decision of RKN, PD can be processed in the territory of the country indicated in the notice until RKN makes a decision to prohibit or restrict the cross-border transfer of PD. If such a decision is made, the operator is obliged to destroy PD or ensure its destruction.

The notice can be submitted either in paper form or electronically. The notice must contain the following:

  • Information on the operator, as well as the date and number of the notice;

  • Information on the person responsible for organization of the processing of PD;

  • The basis and the purpose of the cross-border transfer of PD and further processing of the transferred PD;

  • Categories and a list of transferred PD;

  • A list of foreign countries in the territories of which the cross-border transfer of PD is planned;

  • The date of the operator's assessment of the recipients' compliance with the PD confidentiality and security rules while processing the PD.

3. Additional obligations for processors of PD on behalf of the operator, as well as for operators

Processors of PD on behalf of the operator are required to take measures aimed at ensuring the fulfillment of the obligations established in the Law No. 152-FZ.

PD operators are obliged to notify RKN of computer incidents that led to violation of PD subjects’ rights. This obligation arises from the moment a computer incident is detected. Two notices are to be sent to RKN:

  • within 24 hours, a notice with information about the incident. The notice must contain information about the following: the incident, the alleged causes, the alleged harm, the measures taken to eliminate the consequences.

  • within 72 hours, a notice with information about the results of the internal investigation of the incident and the people responsible for the incident.

The PD operator is obliged to conduct an internal investigation of a computer incident within three days from the moment it is detected.

4. Operators will be required to ensure interaction with the State System of Detection, Prevention and Liquidation of the Effects of Computer Attacks on Information Resources R (“the GosSOPKA”), including the notice on computer incidents that led to unlawful transfer of PD

As part of interaction with GosSOPKA, the PD operator is obliged to notify the FSB of computer incidents that occurred as a result of illegal actions.

5. Reduced response time to RKN requests

The time for response to RKN requests will be reduced from 30 to 10 working days from the date of receipt. This period can be extended on the basis of a reasoned notice from the operator by no more than 5 working days.

6. Documents on the policy of processing of PD, local acts on processing of PD, as well as local acts establishing procedures aimed at preventing and detecting violations of the Russian legislation, must now determine for each purpose of processing:

  • categories and a list of processed PD;

  • categories of PD subjects;

  • methods, terms of processing and storage of PD;

  • the procedure for the destruction of PD upon reaching the goals of processing or upon the other legal grounds.

If PD is collected through the Internet, then the policy must be published on the relevant pages of the site where PD is collected.

7. The criteria for the consent of PD subjects to the processing of PD are specified

At the moment, the law determines the validity of the consent of PD subjects: it must be informed, specific and conscious.

The new law provides that consent must also be substantive and unambiguous. These criteria are evaluative, their content is not disclosed in the law.

8. Foreign entities or individuals processing PD of Russian citizens on behalf of the operator will be responsible to PD subjects along with the operator.
