Key Amendments to the Russian Personal Data Law (152-FZ)

September 30, 2022

BRACE Law Firm ©

Personal data (the "PD"), its processing, protection, and storage have long been part of everyday life, and signing a consent to personal data processing no longer raises questions. Federal Law No. 152-FZ dated July 27, 2006, On Personal Data (the "Law No. 152-FZ", the "Personal Data Law") is regularly amended in ways that affect companies processing personal data across various industries.

The latest changes are reflected in Federal Law No. 266-FZ dated July 14, 2022, On Amending the Federal Law On Personal Data, Specific Legislative Acts of the Russian Federation and Recognizing Part Fourteen of Article 30 of the Federal Law On Banks and Banking Activities as Invalid (the "Law No. 266-FZ"). The amendments introduced by Law No. 266-FZ entered into force on September 1, 2022.

Local Acts of the Organization Regarding Personal Data Processing

Clause 2 of Article 18.1 of the Personal Data Law was amended regarding the local documents of personal data operators; specifically, it now details what local acts must contain:

  • Categories and lists of processed data.
  • Categories of data subjects.
  • Methods and timelines for data processing and storage.
  • Procedures for the destruction of personal data.

The operator must define such information for each purpose of data processing.

Furthermore, such local documents may not contain provisions that limit the rights of personal data subjects or impose powers and obligations on operators not provided for by the legislation of the Russian Federation.

An important point is the placement of the Personal Data Processing Policy on a website. This local document must be posted, among other places, on website pages where personal data is directly collected (for example, on pages with registration forms that users fill out).

Notification to Roskomnadzor on the Commencement of Personal Data Processing

Starting September 1, 2022, the obligation to notify Roskomnadzor of the intent to process personal data before such processing begins extends to the processing of personal data:

  • Processed in accordance with labor legislation.
  • Obtained by the operator in connection with entering into a contract and used by the operator exclusively for the performance of said contract and for entering into contracts with the personal data subject.
  • Relating to members (participants) of a public association or religious organization, provided that the PD will not be distributed or disclosed to third parties without the written consent of the personal data subjects.
  • Authorized by the personal data subject for distribution, provided that the operator complies with the prohibitions and conditions stipulated by Article 10.1 of the Personal Data Law.
  • Including only the surnames, first names, and patronymics of personal data subjects.
  • Necessary for the purpose of a one-time entry of the personal data subject onto the territory where the operator is located, or for other similar purposes.

As of September 1, 2022, the listed cases of PD processing no longer serve as grounds for exemption from the requirement to notify Roskomnadzor of PD processing.

According to the amendments, this obligation does not arise in cases where personal data is:

  • Included in state personal data information systems created for the purpose of protecting state security and public order.
  • Processed solely without the use of automation tools.
  • Processed in cases provided for by the legislation of the Russian Federation on transport security, for the purposes of ensuring the sustainable and safe operation of the transport complex and protecting the interests of the individual, society, and the state in the transport sector from acts of unlawful interference.

If an operator processes PD exclusively without the use of automation tools, it may be exempt from the obligation to notify Roskomnadzor.

It is expected that a corresponding document will approve the notification form; however, until such a document is adopted, the notification form may comply with the existing regulatory document (Order of Roskomnadzor No. 94 dated May 30, 2017, On Approving Methodological Recommendations for Notifying the Authorized Body of the Commencement of Personal Data Processing and on Amending Previously Submitted Information). Notifications may be sent:

  • In hard copy.
  • In electronic form using an enhanced qualified electronic signature.
  • In electronic form using ESIA authentication tools.

Furthermore, the failure to submit or the late submission of a notification on personal data processing to Roskomnadzor, or the submission of a notification containing incomplete or inaccurate information, constitutes an administrative offense. Liability for this is established by Article 19.7 of the Code of Administrative Offenses of the Russian Federation (the "CAO RF") in the form of a warning or a fine:

  • For officers: from 300 to 500 rubles. According to the note to Article 2.4 of the CAO RF, such persons include managers and other employees of organizations performing organizational, administrative, or economic functions.
  • For legal entities: from 3,000 to 5,000 rubles.

The maximum deadline for notifying Roskomnadzor of personal data processing has not been defined. Consequently, September 1, 2022, is not the final deadline for filing a notification. However, Roskomnadzor indicated that notification must also be filed by those who were already processing personal data in situations previously considered exceptions.

Consent to Personal Data Processing

In Part 1 of Article 9 of the Personal Data Law, the words "specific, informed, and conscious" were replaced with the words "specific, targeted, informed, conscious, and unambiguous".

In this context, unambiguity means that the consent to personal data processing must specify:

  • The purpose of processing.
  • The list of data to be processed.
  • The subject whose personal data will be processed.
  • The operator of the personal data processing.

Additionally, if obtaining consent is mandatory, the organization must explain to the individual the consequences of refusing to provide personal data, as well as the consequences of refusing to provide consent for its processing.

Cross-Border Transfer of Personal Data

Article 12 of Law No. 152-FZ was significantly amended by Law No. 266-FZ. For example, the authorized body for the protection of the rights of personal data subjects now approves a list of foreign states that provide adequate protection for the rights of personal data subjects. Previously, the provision of Part 1 of Article 12 of the Personal Data Law obligated personal data operators to independently ensure that adequate protection for the rights of personal data subjects was provided.

The list of foreign states providing adequate protection now includes states that are parties to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, as well as foreign states that are not parties to said Convention, provided that the legal norms in force in the respective state and the measures applied to ensure the confidentiality and security of personal data during its processing comply with the provisions of the Convention.

Furthermore, for cross-border transfers of personal data, it is now necessary to obtain not only consent for personal data processing but also specific consent for its cross-border transfer.

It should also be noted that state bodies, the Bank of Russia, and local government bodies must coordinate their regulatory legal acts with Roskomnadzor if they concern the cross-border transfer of personal data, the processing of special categories of personal data, biometric personal data, personal data of minors, or the provision and distribution of personal data obtained through depersonalization. The period for such coordination may not exceed 30 days from the date the respective regulatory legal act is received by Roskomnadzor.

It is also important to note that operators already transferring personal data in this context must send a notification of the cross-border transfer of personal data to Roskomnadzor by March 1, 2023. At the same time, Roskomnadzor makes decisions to prohibit or restrict the cross-border transfer of personal data for the purpose of protecting morality, health, and the rights and legitimate interests of citizens within 10 business days from the date the notification is received. A notification must be sent once for each country to which personal data will be transferred. The notification may be submitted through the Roskomnadzor Personal Data Portal or in writing.

Personal Data Processing by Other Persons

Processing of personal data by other persons was also adjusted; changes were made to Part 3 of Article 6 of Law No. 152-FZ, according to which the operator's instruction must define:

  • The list of personal data.
  • The list of actions (operations) with personal data to be performed by the person processing the personal data.
  • The purposes of personal data processing.
  • The obligation of such person to maintain the confidentiality of personal data.
  • The obligation to provide, upon request, information on compliance with the conditions of personal data processing throughout the term of the instruction.
  • The obligation to ensure the security of personal data during its processing.
  • Requirements for the protection of processed personal data.
  • The obligation to notify of instances where processed data has been compromised.

Use of Personal Data by Foreign Persons

Article 1 of the Personal Data Law was supplemented with Part 1.1, stating: The provisions of the Federal Law apply to the processing of personal data of citizens of the Russian Federation carried out by foreign legal entities or foreign individuals based on a contract to which citizens of the Russian Federation are a party, other agreements between foreign legal entities, foreign individuals, and citizens of the Russian Federation, or based on the consent of a citizen of the Russian Federation to the processing of his/her personal data.

If an operator instructs a foreign individual or a foreign legal entity to process personal data, both the operator and the person processing the personal data on behalf of the operator shall bear liability to the personal data subject for the actions of said persons.

Actions of the Organization in the Event of Personal Data Compromise

Article 21 of the Personal Data Law was supplemented with Part 3.1, according to which, if a fact of unlawful or accidental transfer (provision, distribution, access) of personal data is established that resulted in a violation of the rights of personal data subjects, the operator must notify Roskomnadzor, counting from the moment of discovery:

1. Within 24 hours, of:

  • The incident that occurred.
  • The suspected causes that led to the violation of the rights of personal data subjects.
  • The suspected harm caused to the rights of personal data subjects.
  • The measures taken to eliminate the consequences of the respective incident.
  • The person authorized by the operator to interact with the authorized body for the protection of the rights of personal data subjects on issues related to the discovered incident.

2. Within 72 hours, of:

  • The results of the internal investigation into the discovered incident.
  • The persons whose actions caused the discovered incident (if available).

Interaction with GosSOPKA

As of September 1, 2022, a new obligation was introduced for personal data operators to interact with the state system for the detection, prevention, and elimination of the consequences of computer attacks (the "GosSOPKA"). New provisions of Article 19 of the Personal Data Law were enacted, according to which:

  • The operator is obliged, in the manner determined by the FSB, to ensure interaction with the state system for the detection, prevention, and elimination of the consequences of computer attacks on the information resources of the Russian Federation, including informing it of computer incidents that resulted in the unlawful transfer (provision, distribution, access) of personal data.
  • Said information (except for information constituting a state secret) is transferred by the FSB to Roskomnadzor.
  • The procedure for transferring information is established jointly by the FSB and Roskomnadzor.

The state system for the detection, prevention, and elimination of the consequences of computer attacks on information resources of the RF (information systems, information and telecommunications networks, and automated control systems located in the RF, in diplomatic missions, and/or consular offices of the RF) was created in accordance with Federal Law No. 187-FZ dated July 26, 2017, On the Security of the Critical Information Infrastructure of the Russian Federation.

The list and procedure for providing information transmitted to GosSOPKA are determined by Order of the FSB of Russia No. 367 dated July 24, 2018, On Approving the List of Information Submitted to the State System for Detection, Prevention, and Elimination of Consequences of Computer Attacks on Information Resources of the Russian Federation and the Procedure for Submitting Information to the State System for Detection, Prevention, and Elimination of Consequences of Computer Attacks on Information Resources of the Russian Federation.

Obligations of an Organization that Received Data from a Person Other Than the Personal Data Subject

Clause 3 of Article 18 of Law No. 152-FZ is now set forth in the following wording:

If personal data is obtained from a person other than the personal data subject, the operator must provide the personal data subject with the following information before commencing the processing of such personal data:

  • The name or surname, first name, patronymic, and address of the operator or its representative.
  • The purpose of the personal data processing and its legal basis.
  • The list of personal data.
  • The intended users of the personal data.
  • The rights of the personal data subject established by this Federal Law.
  • The source of the personal data.

Timelines for Providing a Response to a Request from Roskomnadzor

The timelines for providing information upon a request from Roskomnadzor have been significantly reduced from 30 days to 10 days. Furthermore, the article regulating the obligations of a personal data operator to provide information upon a request from Roskomnadzor was supplemented with a sentence stating that said period may be extended by no more than 5 business days if the operator sends a reasoned notification to Roskomnadzor specifying the reasons for extending the deadline for providing the requested information.

Providing Information to Subjects Regarding the Processing of Their Personal Data

Article 14, The Right of a Personal Data Subject to Access His/Her Personal Data, of the Personal Data Law was supplemented with a clause stating that the personal data subject has the right to know by what methods the organization performs the duties provided for by the Personal Data Law.

Additionally, upon the request of a personal data subject or his/her representative, the information must be provided within 10 business days from the moment of the request. This period may be extended by no more than 5 business days if the operator sends a reasoned notification to the personal data subject specifying the reasons for extending the deadline for providing the requested information. Furthermore, the operator shall provide said information to the personal data subject or his/her representative in the same form in which the corresponding request or inquiry was sent, unless otherwise specified in the request or inquiry.

Termination of Personal Data Processing at the Request of the Personal Data Subject

Personal data processing must be terminated at the request of the personal data subject in accordance with Part 5.1 of Article 21 of Law No. 152-FZ, which states that if a personal data subject contacts an operator with a demand to terminate personal data processing, the operator is obliged, within a period not exceeding 10 business days from the date the operator receives the corresponding demand, to terminate its processing or ensure the termination of such processing (if such processing is carried out by a person processing the personal data). This period may be extended by no more than 5 business days if the operator sends a reasoned notification to the personal data subject specifying the reasons for extending the deadline for providing the requested information.

Obligations of the Operator During Personal Data Collection

Part 2 of Article 18 of the Personal Data Law is set forth in a new wording:

If, in accordance with federal law, the provision of personal data and/or the obtaining of consent by the operator for personal data processing are mandatory, the operator is obliged to explain to the personal data subject the legal consequences of refusing to provide his/her personal data and/or give consent for its processing.

We also remind you that when processing PD, the operator is obliged to take the necessary legal, organizational, and technical measures, or ensure they are taken, to protect the PD from unlawful or accidental access, destruction, modification, blocking, copying, provision, or distribution, as well as from other unlawful actions in relation to them.

According to Article 19 of the Personal Data Law, the security of personal data is achieved, in particular, by:

  • Determining threats to the security of personal data during its processing in personal data information systems.
  • Applying organizational and technical measures to ensure the security of personal data during its processing in personal data information systems necessary to meet personal data protection requirements, the implementation of which ensures the levels of personal data protection established by the Government.
  • Using information security tools that have undergone the established conformity assessment procedure.
  • Assessing the effectiveness of the measures taken to ensure personal data security before the personal data information system is put into operation.
  • Keeping records of personal data machine-readable media.
  • Detecting instances of unauthorized access to personal data and taking measures, including measures for the detection, prevention, and elimination of the consequences of computer attacks on personal data information systems and responding to computer incidents within them.
  • Restoring personal data that has been modified or destroyed due to unauthorized access.
  • Establishing rules for access to personal data processed in the personal data information system, as well as ensuring the registration and accounting of all actions performed with personal data in the personal data information system.
  • Monitoring the measures taken to ensure personal data security and the protection level of personal data information systems.

The Government of the Russian Federation has established:

  • The levels of personal data protection during its processing in personal data information systems depending on the security threats to such data.
  • The requirements for personal data protection during its processing in personal data information systems, the implementation of which ensures the established levels of personal data protection.
  • The requirements for material media of biometric personal data and the technologies for storing such data outside of personal data information systems.

The composition and content of the organizational and technical measures necessary to fulfill the personal data protection requirements established above for each protection level are established by the federal executive body authorized in the field of security and the federal executive body authorized in the field of countering technical intelligence and technical information protection, within their powers.

According to the requirements for personal data protection during its processing in personal data information systems, approved by Decree of the Government of the Russian Federation No. 1119 dated November 1, 2012, four levels of personal data protection are established for processing personal data in information systems.

In light of the above, it is necessary to establish the threat level with the help of an IT specialist who develops information protection measures as part of software configuration. Furthermore, when processing personal data in information systems, as well as when processing it in personal data information systems using cryptographic information protection tools, it is necessary to comply with the technical requirements established by Order of the FSTEC of Russia No. 21 dated February 18, 2013, On Approving the Composition and Content of Organizational and Technical Measures to Ensure the Security of Personal Data during its Processing in Personal Data Information Systems, and Order of the FSB of the RF No. 378 dated July 10, 2014, On Approving the Composition and Content of Organizational and Technical Measures to Ensure the Security of Personal Data during its Processing in Personal Data Information Systems Using Cryptographic Information Protection Tools Necessary to Fulfill the Requirements Established by the Government of the Russian Federation for the Protection of Personal Data for Each of the Protection Levels.

Contracts Requiring Personal Data for Performance

Clause 5 of Part 1 of Article 6 of the Personal Data Law was amended; now, according to this clause, a contract entered into with a personal data subject may not contain provisions:

  • Limiting the rights and freedoms of the personal data subject.
  • Establishing cases for the processing of personal data of minors, unless otherwise provided for by the legislation of the Russian Federation.
  • Allowing the inaction of the personal data subject as a condition for entering into the contract.

New Developments in the Processing of Biometric Data

Information characterizing the physiological and biological characteristics of a person, on the basis of which his/her identity can be established, is considered biometric personal data. Now, after the amendments to Law No. 152-FZ, an operator is not entitled to refuse service if the personal data subject refuses to provide biometric personal data and/or give consent for personal data processing, unless obtaining consent for personal data processing is mandatory under federal law.

Filing various types of notifications with Roskomnadzor is a relatively new obligation for personal data operators; therefore, for the convenience of personal data operators, special electronic forms for filing notifications have become available on the Roskomnadzor website:

  • On personal data leaks.
  • Notification of the commencement of personal data processing.
  • On the cross-border transfer of PD.

Such electronic forms will allow Roskomnadzor to react more promptly to incidents related to personal data.

Clarifications on the Application of Law No. 152-FZ

State authorities of various branches systematically provide clarifications on certain issues of the application of legislation, including Law No. 152-FZ. Examples of recent clarifications include:

  • Letter of the Federal Tax Service (the "FNS") No. BV-3-7/9757@ dated September 8, 2022. The question was whether it is necessary to obtain consent for the processing of personal data of a taxpayer who is a participant in a court proceeding. In considering this issue, the FNS clarifies that, taking into account legal norms, if a person is a participant in a court proceeding, his/her personal data must be disclosed by virtue of the requirement of the law; therefore, consent to personal data processing is not required.
  • Letter of the Central Bank of the RF No. 59-3-2/40817 dated September 19, 2022, regarding microfinance organizations obtaining consent from borrowers for the processing of their personal data. The Bank of Russia believes that the legal framework of Law No. 152-FZ provides for the possibility of providing consent for personal data processing to a specific operator and does not contain any indication of the possibility of providing consent to a group of operators or an indefinite circle of persons.

Personal data leaks and attacks on personal data operators drive necessary changes in the legislation regulating the handling of personal data. Despite the increasing requirements in the field of personal data protection, unauthorized distribution of personal data continues to cause undesirable consequences for both personal data subjects and personal data operators. In this regard, the amendment of Law No. 152-FZ has become a necessity, and only its strict execution, together with monitoring of that execution, will allow personal data operators and personal data subjects to form a secure environment for their mutually beneficial cooperation.
