
Acsour
The Federal Service for Supervision in the Sphere of Telecom, Information Technologies and Mass Communications (abbreviated in Russian as “Roskomnadzor”) issued an Order on confirming the destruction of personal data of individuals.
Starting from March 1, 2023, personal data operators (hereinafter referred to as PD operators) are required to document the destruction of such data. The set of documents and the procedure for preparing them depend on whether the operator uses automation tools for data processing.
If the operator processes the data without using automation tools, then the document confirming the erasure of personal information is a certificate.
If automation tools are used during processing, then in addition to the certificate it will be necessary to produce an unloading (export) from the event log in the PD information system (hereinafter referred to as the unloading from the log).
The certificate of destruction of PD has to contain:
The document may be drawn up in either paper or electronic form. In the first case, the document is certified by the personal signature of the person who destroyed the PD; in the second, by his or her enhanced qualified electronic signature.
Unloading from the log has to contain:
If it is impossible to specify any of this information in the unloading from the log, then it should be reflected in the certificate of destruction of PD.
The storage period for the certificate and the unloading from the log is 3 years from the date of destruction of the PD.
Please be reminded that violation of the requirements of the legislation in the field of personal data carries administrative liability under article 13.11 of the Administrative Code of the Russian Federation. The scope of punishment depends on the type of offense committed. For more information about the scope of the liability, see the table below.
Type of offense | Scope of punishment |
--- | --- |
Processing of PD that is not provided for by the legislation of the Russian Federation or processing of PD that is incompatible with the purposes of collecting such data | Imposition of a fine: for officers – in the amount of 10,000 – 20,000 rubles; for legal entities – in the amount of 60,000 – 100,000 rubles. For repeated violations, the measures of punishment are increased and will be: for officers – in the amount of 20,000 – 50,000 rubles; for legal entities – in the amount of 100,000 – 300,000 rubles. |
PD processing without the consent of the PD subject | Imposition of a fine: for officers – in the amount of 20,000 – 40,000 rubles; for legal entities – in the amount of 30,000 – 100,000 rubles. For repeated violations, the measures of punishment are increased and will be: for officers – in the amount of 40,000 – 100,000 rubles; for legal entities – in the amount of 300,000 – 500,000 rubles. |
Failure of the PD operator to provide the PD subject with information about the processing of its PD | Imposition of a fine: for officers – in the amount of 8,000 – 12,000 rubles; for legal entities – in the amount of 40,000 – 80,000 rubles. |
Failure by the PD operator in the collection of PD, including through the Internet, to ensure the recording, systematization, accumulation, storage, rectification or extraction of PD of citizens of the Russian Federation using databases located in the Russian Federation | Imposition of a fine: for officers – in the amount of 100,000 – 200,000 rubles; for legal entities – in the amount of 1,000,000 – 6,000,000 rubles. For repeated violations, the measures of punishment are increased and will be: for officers – in the amount of 500,000 – 800,000 rubles; for legal entities – in the amount of 6,000,000 – 18,000,000 rubles. |
For matters of compliance with the legislation in the field of personal data, please contact Acsour experts.