Russia: Amendments to Law on Personal Data enter into effect
The Federal Service for the Supervision of Communications, Information Technology, and Mass Media ('Roskomnadzor') announced, on 1 September 2022, the entrance into effect of Federal Law of 14 July 2022 No. 266-FZ on Amending the Federal Law on Personal Data ('the Amendment Law'). In particular, the Roskomnadzor highlighted the Amendment Law provides significant changes to the Federal Law of 27 July 2006 No. 152-FZ on Personal Data ('the Law on Personal Data'), including, among other things:
- the extraterritorial application of the Law on Personal Data in cases where the personal data of Russian subjects is processed by a foreign entity on the basis of an agreement or consent;
- minimum standards applicable to contracts concluded with data subjects for processing of personal data; and
- prohibition against mandatory provision of biometric data, whereby the controller is not entitled to refuse to provide a service if the data subject objects.
In addition, the Roskomnadzor detailed that the Amendment Law requires that processors notify the Roskomnadzor of the facts of a data leak, as well as the cross-border transfer of personal data. More specifically, the Amendment Law notes that operators who leaked personal data are required to notify the Roskomnadzor within 24 hours and within 72 hours provide the Roskomnadzor with the results of an internal investigation of the breach, indicating the cause and perpetrators.
Further, the Roskomnadzor provided that the requirement to notify on cross-border transfer of personal data does not enter into effect until 1 March 2023. However, the Roskomnadzor clarified that operators are required to notify the Roskomnadzor of cross-border data transfers prior to this date, so as not to result in suspension of processing activities, and that notification to the Roskomnadzor is required for each country that data will be transferred to, and not each transfer.
UPDATE (2 September 2022)
Roskomnadzor publishes guidance on records of processing notification
The Roskomnadzor published, on 1 September 2022, guidance regarding notification of the Roskomnadzor of the commencement or implementation of any processing of personal data, following the entrance into effect of the Amendment Law. In particular, the Roskomnadzor highlighted the Amendment Law requires personal data operators to fill out a notification form on the processing of personal data on the Personal Data Portal of the Roskomnadzor or send a notification to the address of the territorial department of the Roskomnadzor on paper, in the form approved by Order No. 94 dated 30 May 2017. More specifically, the Roskomnadzor outlined a personal data operator may send a notification to the Roskomnadzor through the Personal Data Portal:
- in paper form;
- in electronic form using an enhanced qualified electronic signature; or
- in electronic form using authentication tools.
However, the Roskomnadzor clarified that the deadline for notifying the processing of personal data has not been defined, and 1 September 2022 is not the deadline for submitting a notification.
You can read the guidance, only available in Russian, here.