
Assessment of the harm caused to personal data subjects in the event of a breach of the Federal Law "On Personal Data"

5 December 2022

In July 2022, the Federal Law on Personal Data (hereinafter, the "PD Law") was amended by Federal Law No. 266-FZ of 14.07.2022. Under these amendments, personal data operators must assess the harm that may be caused to personal data subjects by a breach of the PD Law.

As a result, on 28 November the Russian Ministry of Justice registered Roskomnadzor's Order of 27.10.2022 No. 178 "On Approval of the Requirements for the assessment of harm that may be caused to personal data subjects in case of violations of the Federal Law 'On personal data'", which will take effect on March 1, 2023.

The operator determines one of the degrees of harm that may be caused to the subject of personal data in the event of a breach:

1. High degree in cases of:
  • Processing of biometric PD;

  • Processing of special categories of Personal Data concerning race, nationality, political opinions, religious or philosophical beliefs, health status, intimate life, criminal record information;

  • Processing of personal data of minors;

  • Depersonalisation of personal data;

  • Entrusting a foreign person (persons) to process Russian citizens' Personal Data;

  • Collecting Personal Data using databases located outside the Russian Federation.

2. Intermediate degree in cases of:
  • Dissemination of Personal Data on the operator's official website, provision of Personal Data to an unlimited number of persons;

  • Processing of Personal Data for additional purposes other than the original purpose of collection;

  • Promotion of goods, works, services on the market by direct contact with a potential consumer using PD databases owned by another operator;

  • Obtaining consent to process personal data through the implementation of a functionality on the site that does not involve the further identification and (or) authentication of the subject of personal data;

  • Obtaining consent to process personal data entailing the right to process personal data for a certain and (or) indefinite number of persons for incompatible purposes.

3. Low degree in cases of:
  • Maintaining publicly accessible sources of PD;

  • Appointment of an individual who is not a full-time employee of the operator as a responsible person for personal data processing.

The results of the assessment shall be documented in a harm assessment act.

These degrees of harm show the possible harm to the subject of personal data and the relevance of security threats, which is taken into account by the Government in determining the requirements for material media and technologies.

You can read the Order at the following link*: http://publication.pravo.gov.ru/Document/View/0001202211290004?index=3&rangeSize=1 


Nadmitov, Ivanov & Partners law firm advises on the protection and transfer of personal data.

Email: info@nplaw.ru
Tel: +7 (495) 649-87-12


*In Russian


