The expert spoke about the changes in the legislation on the protection of personal data

Changes to personal data protection legislation came into force on March 1

The July amendments to the Federal Law “On Personal Data”, which entered into force on March 1, will significantly change the model for processing and protecting personal data (PD) by operators. Alena Gerashchenko, a lecturer at the Department of Digital Technologies Law and Biolaw of the Faculty of Law at NRU HSE, told the Russian Legal and Judicial Information Agency (RAPSI) about this.

According to her, it is now necessary to carefully monitor the deadlines for destroying personal data once the purposes of processing have been achieved, and to record the facts of the destruction of such data. The Roskomnadzor order dated October 28, 2022 “On approval of the Requirements for confirmation of the destruction of personal data” came into effect in March and will be valid until March 1, 2029. In accordance with it, the facts of destruction must be recorded in an act, which must be kept for three years after it is signed. Moreover, there are three different contexts and different ways of recording these facts.

In the operator company, this should be controlled by the person responsible for ensuring the security of personal data when it is processed in personal data information systems. Such a person may be responsible for one system, multiple systems, or all of the company’s systems. This person can control the time after which the data must be destroyed and supervise the employees whose role in the system permits the destruction of the information. In the second and third cases, with purely automated processing or mixed processing, one could consider automating the generation of log files and the drawing up of an electronic act of destruction.

In addition, from March 1, it is necessary to notify Roskomnadzor of the intention to carry out a cross-border transfer of PD before the start of this activity.

After March 1, you will no longer be able to transfer data on business trips abroad. You will therefore no longer be able to make such business trips until a notification has been submitted to Roskomnadzor regarding the cross-border data transfer. At the same time, Roskomnadzor can either approve (tacitly accept) such a cross-border transfer or prohibit it. You need to wait for the approval, which will come after 10 days from the date of submission of the notification; before this period expires, it is impossible to transfer data abroad. A ban will mean that it is impossible to transfer data to the specified state, since its legislation does not comply with the level of protection of personal data established by the federal law “On Personal Data”.

In addition, from March 1, if the operator has changed the processes associated with the processing of personal data, it must inform the service no later than the 15th of the month following the month in which these changes occurred, i.e. submit a notice of change to the information contained in the notice of intent to process personal data.

In March, the Roskomnadzor Ordinance of October 27, 2022 “On Approval of Requirements for Assessing the Harm That May Be Caused to Subjects of Personal Data in Case of Violation of the Federal Law ‘On Personal Data’” enters into force. This order will also be in effect until March 1, 2029. The new assessment is expected to update the data subject rights violation events that constitute high, medium and low harm. The order also reflects the requirements of the law on damage assessment according to a new model.

The Roskomnadzor Ordinance that establishes the requirements for notifying this department of incidents, for the purpose of recording this information in the register of incidents in the field of personal data, has entered into force. It distinguishes two notifications: the main notification, about an incident that has occurred, and an additional notification, about the results of the internal investigation of the identified incident.

The Ordinance establishes what information must be reflected in both types of notifications. Roskomnadzor’s request for additional information must be answered within three working days from the date of receipt of the request. If you do not respond in time, Roskomnadzor sends a request for the provision of this information. That request must be answered in record time, within one business day of receipt of the request.
