Acsour.com_ENG

Destruction of personal data: confirmation procedure

The Federal Service for Supervision in the Sphere of Telecom, Information Technologies and Mass Communications (abbreviated in Russian as “Roskomnadzor”) issued an Order confirming the destruction of personal data of individuals.

Starting from March 1, 2023, personal data operators (hereinafter referred to as PD operators) are required to document the destruction of such data. The composition and procedure of the formation of documents depends on whether the operator uses automation tools for data processing.

If the operator processes the data without using automation tools, then the document confirming the erasure of personal information is a certificate.

If automation tools are used during processing, then apart from the certificate, it will be necessary to make an unloading from the event log in the PD information system (hereinafter referred to as - unloading from the log).

The certificate of destruction of PD has to contain:

  • name and address of the PD operator (legal entity);
  • full names of PD subjects or other information related to certain individuals whose personal data has been destroyed;
  • full names and positions of the persons who destroyed the PD and their signatures;
  • list of categories of destroyed PD;
  • name of the destroyed tangible mediums of expression with personal data indicating the number of sheets regarding each such medium;
  • name of the personal data information system from which the personal data was destroyed;
  • method of destruction of personal data;
  • reason for the destruction of personal data;
  • date of destruction of personal data.

It is possible to draw up a document in both paper and electronic form. In the first case, the document is certified by the personal signature of the person who destroyed the PD, in the second one – by his or her enhanced qualified electronic signature.

Unloading from the log has to contain:

  • full name of the subject or other information related to a specific individual whose personal data was destroyed;
  • list of categories of destroyed PD of the PD subject;
  • name of the PD information system from which the personal data of individuals were destroyed;
  • reasons for destruction of PD;
  • date of destruction of PD.

If it is impossible to specify any information in the unloading from the log, then it should be reflected in the certificate of destruction of PD.

The term of storage of the certificate and unloading from the log is 3 years from the date of destruction of the PD.

Please be reminded that for violation of the requirements of the legislation in the field of personal data, administrative liability is provided for under article 13.11 of the Administrative Code of the Russian Federation. The scope of punishment depends on the type of offense committed. For more information about the scope of the liability, see the table below.

Type of offense Scope of punishment
Processing of PD that is not provided for by the legislation of the Russian Federation or processing of PD that is incompatible with the purposes of collecting such data Imposition of a fine: - for officers – in the amount of 10,000 - 20,000 rubles; - for legal entities – in the amount of 60,000 - 100,000 rubles. For repeated violations, the measures of punishment are increased and will be: - for officers - in the amount of 20,000 - 50,000 rubles; - for legal entities – in the amount of 100,000 -300,000 rubles.
PD processing without the consent of the PD subject Imposition of a fine: - for officers - in the amount of 20,000 - 40,000 rubles; - for legal entities – in the amount of 30,000 - 100,000 rubles. For repeated violations, the measures of punishment are increased and will be: - for officers - in the amount of 40,000 - 100,000 rubles; - for legal entities – in the amount of 300,000 - 500,000 rubles.
Failure of the PD operator to provide the PD subject with information about the processing of its PD Imposition of a fine: - for officers - in the amount of 8,000-12,000 rubles; - for legal entities – in the amount of 40,000 - 80,000 rubles.
Failure by the PD operator in the collection of PD, including through the Internet, to ensure the recording, systematization, accumulation, storage, rectification or extraction of PD of citizens of the Russian Federation using databases located in the Russian Federation Imposition of a fine: - for officers – in the amount of 100,000 - 200,000 rubles; - for legal entities – in the amount of 1,000,000 - 6,000,000 rubles. For repeated violations, the measures of punishment are increased and will be: - for officers – in the amount of 500,000 - 800,000 rubles; - for legal entities – in the amount of 6,000,000-18,000,000 rubles.

In the matters of compliance with the legislation in the field of personal data, please contact Acsour experts.