Working with personal data: what is important for companies to know

Please be reminded that starting from March 1, 2023, there are a number of new requirements in the legislation on personal data. Now, if such data is changed or destroyed, companies will have to draw up documents according to the new rules. It will also be necessary to notify the supervisory authorities about the transfer of personal data abroad.

Read more about the current changes in the text of the material below.

DRAWING UP A CERTIFICATE ON THE DESTRUCTION OF PERSONAL DATA

Companies - operators of personal data (hereinafter referred to as PD operators) are required to document the fact of destruction of such data. The composition and procedure of the formation of document depends on whether the PD operator uses automation tools for data processing.

If automation tools are not used when processing PD, then the document confirming the destruction of PD is a certificate.

If automation tools are used during PD processing, then apart from the certificate, it will be necessary to make an unloading from the event log in the PD information system.

The certificate of destruction of PD has to contain information:

about the PD operator (name and address of the legal entity);
about the PD subject (full name) whose personal data was destroyed;
about the person who destroyed the PD (full name, position) and their signature;
about the destroyed tangible medium of expression with PD;
about the methods, reasons and date of destruction of PD.

It is possible to draw up a document in both paper and electronic form. In the first case, the document is certified by the signature of the person who destroyed the document, in the second one – by their enhanced qualified electronic signature.

Unloading from the log has to contain data:

about the PD subject (full name) whose personal data was destroyed;
about the list of categories of destroyed PD;
about the PD information system from which such data was destroyed;
about the reasons and date of destruction of PD.

The term of storage of the certificate and unloading from the log is 3 years from the date of destruction of the PD.

For the absence of the fact of the destruction of PD at the request of an individual, companies face administrative liability in the form of a fine (part 5 of article 13.11 of the Administrative Code of the Russian Federation):

for officers – of 8,000 - 20,000 rubles;
for legal entities – of 50,000 - 90,000 rubles.

For repeated violations, the measures of liability are strengthened and the amount of the fine is:

for officers – a fine of 30,000 - 50,000 rubles;
for legal entities – a fine of 300,000 - 500,000 rubles.

ASSESSMENT OF THE DEGREE OF POSSIBLE DAMAGE WHEN WORKING WITH PD

Organizations are required to assess potential damage to PD subjects and implement a set of measures aimed at ensuring the safety and security of PD.

The damage assessment is carried out by the person responsible for organizing the PD processing or by a commission formed by the PD operator. During the assessment, the degree of damage that will be caused if the rules for processing PD are violated is determined. The degree of damage can be high, medium and low. It depends on the category of PD that are being processed.

Degree of damage	Category of processed PD
High	- Biometric PD; - Special categories of PD (associated with race or nationality, health status, intimate life, criminal record information); - Personal data of minors; - PD collected using databases located outside the Russian Federation; - Assignment to a foreign person to process the PD of citizens of the Russian Federation.
Medium	- PD on the official website of the company (provision of data to an unlimited number of persons); - PD processed for additional purposes other than the initial purpose of collection.
Low	- Maintaining publicly available PD sources; - PD processed by a person with whom an employment contract has not been concluded.

The results of the assessment are drawn up by an appropriate certificate indicating the information:

about the PD operator (name and address of the legal entity);
about the date of issuance of the certificate of damage assessment;
about the date of the damage assessment;
about the persons who conducted the damage assessment (full name, position), and their signatures;
about the degree of damage that may be caused to the PD subject.

It is possible to draw up a document in both paper and electronic form. In the second case, the document is signed with an enhanced qualified electronic signature of the person responsible for the assessment of damage, or by members of the commission, and is recognized as an electronic document equivalent to paper form.

The storage period of the certificate is indefinite. It is assumed that it is necessary to update the document if the degree of potential damage when working with PD has changed.

CHANGES IN WORKING WITH PD: NEW NOTIFICATION DEADLINES

It is necessary to inform the Federal Service for Supervision in the Sphere of Telecom, Information Technologies and Mass Communications (abbreviated in Russian as “Roskomnadzor”) about the change in the information that the companies indicated in the notification on the processing of PD in the new deadlines – not later than the 15th day of the month following the month of the changes (previously, such a period was 10 working days from the date of the changes).

It is necessary to inform about any change in the information specified in the notification on the processing of PD:

purpose of processing;
list of actions with PD;
data processing methods;
categories of processed data;
information about those responsible for processing, etc.

The notification is filled in according to the form from Appendix No. 2 to the Order No. 180 of Roskomnadzor dated October 28, 2022. The document can be submitted both in paper and electronic form.

Roskomnadzor authorities may request additional information if they consider that the notification contains incomplete or inaccurate information. The response period is 10 working days from the date of receipt of the request. Otherwise, the company faces administrative liability in the form of a fine in the amount of 3,000 – 5,000 rubles. For officers, such a fine reaches 500 rubles.

Please be reminded that PD operators are required to notify Roskomnadzor authorities of their intention to process PD that:

are processed in accordance with employment legislation (personal data of employees);
are belonged to citizens or contractors with which the company has concluded a contract for the provision of services, performance of works;
are necessary for a one-off admission of citizens to the territory of the company.

NOTIFICATION OF THE TRANSFER OF PD ABROAD

Starting from March 1 of this year, companies are required to notify Roskomnadzor of their intention to carry out cross-border transfer of PD.

Before that, it is necessary to find out what measures to protect PD are being taken by the foreign partner to whom such PD will be transferred and how long the processing of such data will be completed.

There is no approved form of notification by the legislation on PD, but it is necessary that the following information be reflected in it:

name of the PD operator;
name of the person responsible for the organization of PD processing and their contact information;
category and list of transferred PD;
list of foreign countries to whose territory it is required to transfer PD;
date of the operator's assessment of compliance by the government authorities of foreign states, foreign legal entities and individuals with the confidentiality of PD.

The notification is submitted only once. It is not required to form a new notification about each new foreign contractor.

Please note that the specified notification procedure is additional and does not exempt the PD operator from submitting a notification of the start of personal data processing in the manner provided for in article 22 of Law No. 152-FZ.

In the matters of compliance with the legislation in the field of personal data, please contact Acsour experts.