Personal data protection

New requirements for the processing of personal data

LEGAL DIGEST, NEWS \ 07.07.2022

The President of the Russian Federation has signed a law establishing new requirements for companies that process personal data of employees.

Starting from September 1, 2022, organizations that act as personal data (PD) operators will be required to notify the Federal Service for Supervision of Communications, Information Technology and Mass Media (abbreviated in Russian as “Roskomnadzor”) of their intention to process personal information that:

  • is processed in accordance with employment legislation (employees' personal data);
  • belongs to citizens or contractors with whom the company has concluded a contract for the performance of work, the provision of services, etc.;
  • is necessary for the one-off admission of citizens to the company's premises.

Notification of Roskomnadzor will not be required where the personal data being processed:

  • is included in state PD information systems created to protect the security of the state and public order;
  • is processed by the PD operator without the use of automation tools;
  • is processed by organizations in accordance with transport security legislation.

Notifications must be submitted in the form and according to the procedure prescribed by Roskomnadzor Order No. 94 dated May 30, 2017. The signed notification can be sent either on paper or in electronic form to the territorial body of Roskomnadzor at the operator's place of registration. Roskomnadzor enters the information into the Register of PD operators within 30 days of receiving the notification. At present such notification is not required, but starting from autumn it will become mandatory.

Apart from the above-mentioned provision, a number of other changes were made to the Law on PD:

  1. The obligation to inform individuals when their personal data is received from third parties. This must be done before the employee's personal information is processed. The notification must specify:
  • the name (full name) of the company (or representative) that provided the employee's personal information;
  • the purpose and legal basis of the PD processing;
  • the intended users of the personal data and the rights of the employee;
  • the list of personal data and the sources from which it was obtained.
  2. The obligation to interact with the state system for detecting, preventing and eliminating the consequences of computer attacks on the information resources of the Russian Federation (the State System).

To protect PD from unauthorized access, organizations are required to interact with this state system and to report to it incidents that have resulted in the unlawful transfer of PD. The procedure for interacting with the system will be approved by Roskomnadzor at a later date.

  3. A prohibition on organizations refusing to provide services to citizens who have not provided biometric PD.

Organizations will be prohibited from refusing to provide services to individuals who do not wish to provide biometric information or other personal data for which consent to processing is not required.

The company will also be obliged to stop further processing of personal data at the request of the data subject within a period not exceeding 30 days.

  4. A shorter deadline for responding to requests.

When requests are received from individuals or from Roskomnadzor on matters relating to the protection of rights in the field of PD, the period for considering them will be reduced from 30 to 10 working days from the date the request is received. This period may be extended, but by no more than five working days.

  5. Transfer of PD abroad.

Organizations will be required to inform Roskomnadzor of any intended cross-border transfer of PD. In exceptional cases, where there are threats to defense, security or the foundations of the constitutional system, such a transfer may be restricted by decision of the authorized government body.

Please be reminded that for violation of the requirements of the legislation in the field of personal data, administrative liability is provided for under article 13.11 of the Administrative Code of the Russian Federation. The scope of punishment depends on the type of offense committed. For more information about the scope of liability, see the table below.

Type of offense: PD processing without the consent of the PD subject
Scope of punishment: a fine

  • for officials – 10,000 – 20,000 rubles;
  • for legal entities – 15,000 – 70,000 rubles.

Type of offense: Failure to comply, within the prescribed time limits, with a demand by an individual or by Roskomnadzor to correct PD that is incomplete, outdated or inaccurate
Scope of punishment: a fine

  • for officials – 8,000 – 20,000 rubles;
  • for legal entities – 50,000 – 90,000 rubles.

For repeated violations, the penalties are increased to:

  • for officials – a fine of 30,000 – 50,000 rubles;
  • for legal entities – a fine of 300,000 – 500,000 rubles.

Type of offense: Failure by the PD operator, when collecting PD (including via the Internet), to ensure that the recording, systematization, accumulation, storage, rectification or extraction of PD of citizens of the Russian Federation is carried out using databases located in the Russian Federation
Scope of punishment: a fine

  • for officials – 100,000 – 200,000 rubles;
  • for legal entities – 1,000,000 – 6,000,000 rubles.

For repeated violations, the penalties are increased to:

  • for officials – a fine of 500,000 – 800,000 rubles;
  • for legal entities – a fine of 6,000,000 – 18,000,000 rubles.

In the matters of compliance with the requirements of the legislation in the field of personal data of employees, please contact Acsour specialists.