The Federal Service for Supervision in the Sphere of Telecom, Information Technologies and Mass Communications (abbreviated in Russian as “Roskomnadzor”) issued an Order confirming the destruction of personal data of individuals.
Starting from March 1, 2023, personal data operators (hereinafter referred to as PD operators) are required to document the destruction of such data. The composition and procedure of the formation of documents depends on whether the operator uses automation tools for data processing.
If the operator processes the data without using automation tools, then the document confirming the erasure of personal information is a certificate.
If automation tools are used during processing, then apart from the certificate, it will be necessary to make an unloading from the event log in the PD information system (hereinafter referred to as - unloading from the log).
The certificate of destruction of PD has to contain:
It is possible to draw up a document in both paper and electronic form. In the first case, the document is certified by the personal signature of the person who destroyed the PD, in the second one – by his or her enhanced qualified electronic signature.
Unloading from the log has to contain:
If it is impossible to specify any information in the unloading from the log, then it should be reflected in the certificate of destruction of PD.
The term of storage of the certificate and unloading from the log is 3 years from the date of destruction of the PD.
Please be reminded that for violation of the requirements of the legislation in the field of personal data, administrative liability is provided for under article 13.11 of the Administrative Code of the Russian Federation. The scope of punishment depends on the type of offense committed. For more information about the scope of the liability, see the table below.
Starting from March 1, 2023, personal data operators (hereinafter referred to as PD operators) are required to document the destruction of such data. The composition and procedure of the formation of documents depends on whether the operator uses automation tools for data processing.
If the operator processes the data without using automation tools, then the document confirming the erasure of personal information is a certificate.
If automation tools are used during processing, then apart from the certificate, it will be necessary to make an unloading from the event log in the PD information system (hereinafter referred to as - unloading from the log).
The certificate of destruction of PD has to contain:
- name and address of the PD operator (legal entity);
- full names of PD subjects or other information related to certain individuals whose personal data has been destroyed;
- full names and positions of the persons who destroyed the PD and their signatures;
- list of categories of destroyed PD;
- name of the destroyed tangible mediums of expression with personal data indicating the number of sheets regarding each such medium;
- name of the personal data information system from which the personal data was destroyed;
- method of destruction of personal data;
- reason for the destruction of personal data;
- date of destruction of personal data.
It is possible to draw up a document in both paper and electronic form. In the first case, the document is certified by the personal signature of the person who destroyed the PD, in the second one – by his or her enhanced qualified electronic signature.
Unloading from the log has to contain:
- full name of the subject or other information related to a specific individual whose personal data was destroyed;
- list of categories of destroyed PD of the PD subject;
- name of the PD information system from which the personal data of individuals were destroyed;
- reasons for destruction of PD;
- date of destruction of PD.
If it is impossible to specify any information in the unloading from the log, then it should be reflected in the certificate of destruction of PD.
The term of storage of the certificate and unloading from the log is 3 years from the date of destruction of the PD.
Please be reminded that for violation of the requirements of the legislation in the field of personal data, administrative liability is provided for under article 13.11 of the Administrative Code of the Russian Federation. The scope of punishment depends on the type of offense committed. For more information about the scope of the liability, see the table below.
In the matters of compliance with the legislation in the field of personal data, please contact Acsour experts.