On September 1, 2022, a Law came into force that tightened the procedure for cross-border processing of personal data and its transfer abroad.
The amendments made to the law provide for:
- a new procedure for cross-border processing and transfer of personal data (PD) abroad;
- a limitation of the list of cases in which companies that are PD operators may refrain from sending a notification about the processing of such data to the authorities of the Federal Service for Supervision in the Sphere of Telecom, Information Technologies and Mass Communications (abbreviated in Russian as “Roskomnadzor”);
- an obligation of PD operators to notify the Roskomnadzor authorities of any illegal or accidental transfer of PD that resulted in a violation of the rights of PD subjects.
New procedure for cross-border transfer of PD
Companies that are operators of personal data are required to notify the Roskomnadzor authorities of their intention to carry out cross-border transfer of PD. The following information has to be specified in the notification:
- name of the PD operator;
- name of the person responsible for the organization of PD processing and his or her contact information;
- legal basis and purpose of cross-border transfer of PD;
- category and list of transferred PD;
- list of foreign states where such data is required to be transferred;
- date of the operator’s assessment of compliance by the government authorities of foreign states, foreign legal entities and individuals with the confidentiality of personal data.
The Roskomnadzor authorities have the right to request information from the PD operator to assess the accuracy of the information specified in the notification, namely:
- measures taken by the government authorities of foreign states, their individuals and legal entities to protect the transferred PD and the conditions for termination of processing;
- information on the legal regulation in the field of PD of a foreign state under whose jurisdiction the recipients of the data are located;
- information about the government authorities of a foreign state, foreign legal entities and individuals (name/full name, contact details).
The deadline for submitting the notification is March 1, 2023, if the operator has previously carried out cross-border transfer of PD and is still doing so. The deadline for consideration of notifications by Roskomnadzor is 10 working days.
Please note that the specified notification procedure is additional and does not exempt the PD operator from submitting a notification of the start of personal data processing in the manner provided for in article 22 of Law No. 152-FZ.
New cases that allow the operator not to send a notification about the processing of PD
The current Law provides for new cases in which the operator has the right not to send a notification about the processing of PD to the Roskomnadzor authorities. Such cases are:
- personal data is included in the state information systems of personal data created in order to protect the security of the state and public order;
- the operator carries out personal data processing activities exclusively without the use of automation tools;
- personal data is processed in cases stipulated by the legislation of the Russian Federation on transportation security in order to ensure the stable and safe functioning of the transport system and to protect the interests of the individual, society and the state in the field of the transport system from acts of unlawful interference.
The obligation of operators to notify about PD leaks
If an illegal or accidental transfer of PD is identified, the operator of such data will be obliged to:
- Notify the Roskomnadzor authorities within 24 hours about the incident, the alleged causes of harm, and the measures taken to eliminate the consequences.
- Report the results of the internal investigation of the incident within 72 hours from the moment of its detection, as well as provide information about the persons whose actions caused the identified incident.
What companies are recommended to do:
- to audit the company’s PD processing operations and determine the list of states to which PD is transferred;
- to request from foreign contractors the information provided for by the Law for sending a notification on the cross-border transfer of personal data before March 1, 2023;
- to make changes to the company’s local acts regulating the processing of personal data;
- to submit a notification.
For matters of compliance with the requirements of the legislation in the field of personal data, please contact Acsour specialists.