Acsour
The President of the Russian Federation has signed a law establishing new requirements for companies that process personal data of employees.
Starting from September 1, 2022, personal data (PD) operator organizations will be required to notify the Federal Service for Supervision of Communications, Information Technology and Mass Media (abbreviated in Russian as “Roskomnadzor”) of their intention to process personal information that:
It will not be necessary to notify Roskomnadzor in cases where personal data is processed that:
It is necessary to make notifications in the form and in the procedure prescribed in the Order No. 94 of Roskomnadzor dated May 30, 2017. The signed notification can be sent both in paper and in electronic form to the territorial body of Roskomnadzor at the place of registration. The deadline for entering information into the Register of PD operators is 30 days from the date of receipt of the notification. Currently, it is not required to notify Roskomnadzor, but starting from autumn this rule will be mandatory.
Apart from the above-mentioned provision, a number of other changes were made to the Law on PD:
In order to protect PD from unauthorized access, organizations are required to interact with the specified state system and inform it of incidents that have resulted in the illegal transfer of PD. The procedure of interaction with the system will be later approved by Roskomnadzor.
Organizations will be prohibited from refusing to provide services to individuals if the latter do not want to provide biometric information or other personal data, for which it is not necessary to obtain consent for processing.
The company will also be obliged to stop further processing of personal data at the request of their owner within a period not exceeding 30 days.
When requests are received from individuals or Roskomnadzor on issues associated with the protection of rights in the field of PD, the period for their consideration will be reduced from 30 to 10 working days from the date of receipt of the request. The specified period may be extended, but not more than five working days.
Organizations will be required to inform Roskomnadzor authorities about the intention of cross-border transfer of PD. In exceptional cases, if there are threats to defense, security and the foundations of the constitutional system, such transfer may be restricted by the decision of the authorized government authority.
Please be reminded that for violation of the requirements of the legislation in the field of personal data, administrative liability is provided for under article 13.11 of the Administrative Code of the Russian Federation. The scope of punishment depends on the type of offense committed. For more information about the scope of liability, see the table below.
| Type of offense | Scope of punishment |
| PD processing without the consent of the PD subject | Imposition of a fine:
|
| Failure to comply within the prescribed time limits with the requirements of an individual or Roskomnadzor to clarify the PD in the case when they are incomplete, outdated, inaccurate | Imposition of a fine:
For repeated violations, the measures of punishment are increased and will be:
|
| Failure by the PD operator in the collection of PD, including through the Internet, to ensure the recording, systematization, accumulation, storage, rectification or extraction of PD of citizens of the Russian Federation using databases located in the Russian Federation | Imposition of a fine:
For repeated violations, the measures of punishment are increased and will be:
|
In the matters of compliance with the requirements of the legislation in the field of personal data of employees, please contact Acsour specialists.
