New rules for checking personal data operators
Legal Digest \ 21.03.2019

New rules for control and supervision over the processing of personal data have become effective starting from 23 February 2019. The bodies of the Federal Service for Supervision of Communications, Information Technology and Mass Media (known in Russian as 'Roskomnadzor') follow these Rules during audits.

The rules have been amended as follows:

  • The number of grounds for including an audit in the schedule has been reduced (the start of personal data processing is no longer a ground for an audit).

  • A new ground for a non-scheduled audit has emerged. This is a decision of the head of Roskomnadzor or of a regional body of Roskomnadzor adopted based on a review of the memo indicating violations that have been discovered during control measures.

  • The timeframe for a non-scheduled audit has been halved; it can now be no more than 10 business days, with the possibility for a single extension for the same period.

  • A non-scheduled desk audit has been abolished.

  • The regularity of some scheduled audits has been restricted. Operators that gather biometric personal data will be audited no more often than twice a year.

  • A new obligation has been introduced for operators during field audits. They now have to provide documents at the request of inspectors before the audit starts.

  • New grounds for extending an audit have emerged:

       - the agency has obtained documents evidencing a violation of the requirements for personal data processing;

       - force majeure (fire, flood, etc.);

       - the operator has not submitted the required documents.

  • The maximum period for rectifying violations has been set at no more than 6 months from the date of the order.

  • New grounds have appeared for demanding that an operator suspend the processing of personal data (such as when non-compliance with the order violates an employee’s rights).

Please contact the specialists from Acsour's legal department with questions about how legislation on personal data should be applied.