New rules for control and supervision over the processing of personal data have been in effect since 23 February 2019. The bodies of the Federal Service for Supervision of Communications, Information Technology and Mass Media (known in Russian as ‘Roskomnadzor’) follow these rules during audits.
The rules have been amended as follows:
- The number of grounds for including an audit in the schedule has been reduced (the start of personal data processing is no longer a ground for an audit).
- A new ground for a non-scheduled audit has emerged. This is a decision of the head of Roskomnadzor or of a regional body of Roskomnadzor adopted based on a review of the memo indicating violations that have been discovered during control measures.
- The timeframe for a non-scheduled audit has been halved; it can now be no more than 10 business days, with the possibility of a single extension for the same period.
- A non-scheduled desk audit has been abolished.
- The regularity of some scheduled audits has been restricted. Operators that gather biometric personal data will be audited no more often than twice a year.
- A new obligation has been introduced for operators during field audits. They now have to provide documents at the request of inspectors before the audit starts.
- New grounds for extending an audit have emerged:
  – the agency has obtained documents evidencing a violation of the requirements for personal data processing;
  – force majeure (fire, flood, etc.);
  – the operator has not submitted the required documents.
- The maximum period for rectifying violations has been set at no more than 6 months from the date of the order.
- New grounds have appeared for demanding that an operator suspend the processing of personal data (such as when non-compliance with the order violates an employee’s rights).
Please contact the specialists from Acsour’s legal department with questions about how legislation on personal data should be applied.