DPO and Person Responsible for Personal Data processing in Russia & the EU: Legal Status
September 30, 2023
BRACE Law Firm ©
The profession of the person responsible for the protection of personal data — the Data Protection Officer (the "DPO") — is gaining popularity both globally and in Russia. This trend is driven by the development of new technologies and the processing of large volumes of personal data (the "PD"). The increased number of data breaches and significant fines for non-compliance with requirements for personal data processing also contribute to the growing demand.
This article examines which businesses must hire such a specialist as a staff member or engage one under a service agreement, the qualification requirements for the role, and the rights and obligations assigned to them under European and Russian law.
Who is a Data Protection Officer?
The position and profession of a personal data protection specialist — the Data Protection Officer — emerged in Europe in the 1970s following the adoption of Germany's first personal data protection law. The primary goal of their activity was to protect the human right to privacy.
On May 25, 2018, the General Data Protection Regulation (the "GDPR" or the "Regulation") entered into force in the European Union. Notably, the Regulation is mandatory for all parties processing the personal data of EU citizens, regardless of whether the processing takes place within or outside the EU.
Russian companies acting as personal data operators also fall under the scope of the GDPR if they:
- Have branches or representative offices in EU countries, or an office or workplace where personal data processing is performed;
- Provide services or sell goods to EU citizens, including online;
- Monitor the actions (observing and predicting preferences, personality traits, and behavioral patterns for marketing, statistical, or other purposes) of EU citizens.
Section 4 of the GDPR regulates the DPO institution, and it requires careful consideration. Companies acting as personal data operators (referred to as "Controllers" and "Processors" in the GDPR, but hereinafter referred to as "Operators" in this article, consistent with Russian legislation) must appoint a DPO if:
- A government body or institution, except for courts, performs the processing;
- The Operator's core activities require regular and systematic monitoring of data subjects on a large scale.
An example is an HR agency whose core activity is recruitment, which requires regular monitoring of the data of individuals seeking employment. Notably, the GDPR does not define the terms "regular and systematic monitoring" or "processing on a large scale". However, established legal practice considers the following factors when determining a large volume of processing: the number of data subjects, the volume of personal data processed, the range of different data elements, and the geographical scope of processing.
- The Operator's core activities consist of the large-scale processing of special categories of data or personal data related to criminal convictions and offenses. For instance, the activities of a medical clinic or a health insurance company that processes health-related data of individuals on a large scale.
In other cases, a DPO is appointed at the Operator's discretion or if mandatory under national law. A group of companies may appoint a single DPO, provided the officer is easily accessible from each organizational unit.
DPO Qualification Requirements
The Regulation defines these requirements only in general terms. Specifically, a DPO should be appointed based on professional qualities and, in particular, expert knowledge of personal data protection law and practice. The Regulation does not establish specific education or qualification requirements. At the same time, several DPO certification systems operate within EU countries, and national regulatory bodies publish recommendations regarding competence levels. For example, France has established 17 qualification criteria that must be met to obtain certified DPO status.
A DPO may be an employee of the Operator or perform tasks under a service agreement. In Europe, these positions are most often held by specialists with a legal background. The Operator must publish the DPO’s contact details and communicate them to the supervisory authority.
DPO Tasks and Guarantees
Article 39 of the GDPR defines the DPO’s tasks, which include:
- Informing and advising the Operator and its employees who process data about their obligations;
Under this task, the DPO informs management and employees about necessary technical and organizational protection measures, monitors changes in legislation, and conducts training events.
- Monitoring compliance with the GDPR, other data protection laws, and local data protection policies, including relevant audits;
Effectively, the DPO must conduct a full audit of the collection, processing, and storage processes to ensure compliance with GDPR requirements. The DPO also monitors the maintenance of data processing documentation and ensures it is updated in a timely manner.
- Cooperating with the supervisory authority;
- Acting as the contact person for the supervisory authority on issues related to processing.
The GDPR also regulates the guarantees provided to the DPO and their interaction with the Operator. Specifically, the Operator:
- Provides support to the specialist by supplying necessary resources and ensuring access to personal data and processing operations, as well as providing resources to maintain their expert knowledge;
- Ensures the proper and timely involvement of the DPO in all issues related to personal data protection;
- Guarantees that the DPO does not receive any instructions regarding the performance of their tasks;
- Refrains from dismissing or penalizing the DPO for performing their tasks.
The DPO reports directly to the Operator’s senior management. They may perform other tasks and duties, provided the Operator ensures they do not create a conflict of interest.
Evidently, the DPO plays a significant role for EU-based Operators. Russian companies subject to the GDPR should organize their work according to international legal acts and, where possible, appoint a person responsible for data protection who possesses the necessary competencies.
Who is Responsible for Organizing Personal Data Processing Under Russian Law?
In Russia, one of the Operator's obligations is to appoint a person responsible for the organization of personal data processing (the "person responsible for PD processing" or the "responsible person"). Article 22.1 of Federal Law No. 152-FZ dated July 27, 2006, On Personal Data (the "Personal Data Law") governs their legal status.
The legislature included this provision in the Law in 2011; however, both regulatory authorities and Operators did not pay sufficient attention to this role for a long time. This situation began to change with the advancement of digitalization and information technology, as well as the increase in administrative fines.
Consider the legal status of the person responsible for PD processing in more detail. If the Operator is a legal entity, including a government body, the appointment of a person responsible for PD processing is mandatory. Individual entrepreneurs are not required to appoint one. However, given that the Personal Data Law imposes a significant number of obligations on Operators, such a specialist may be necessary for any party involved in processing personal data.
The Personal Data Law does not establish education or qualification requirements for this role. According to open internet sources, lawyers are appointed to this position in 37% of cases, while 26% are information security specialists, and 9% are HR specialists. [1]
The Operator can appoint a responsible person from its employees or engage a third party under a civil law contract. If the functions are outsourced, the Operator remains liable for the actions of such a person. An exception applies to state or municipal bodies, which must appoint the responsible person only from among their own officials or employees (subparagraph "a" of paragraph 1 of the List approved by Decree of the Government of Russia No. 211 dated March 21, 2012). [2]
Whether an Operator may appoint multiple responsible persons remains a subject of debate, with two opposing views. In our opinion, dividing duties among several individuals is not always practical. Furthermore, the notification of personal data processing submitted to Roskomnadzor must specify a single responsible individual.
Part 4 of Article 22.1 of the Personal Data Law lists the duties of the person responsible for PD processing. They are similar to those of a DPO. The responsible person must:
- Exercise internal control over the Operator’s and its employees’ compliance with personal data legislation, including requirements for personal data protection;
- Inform the Operator’s employees about the provisions of personal data legislation, local acts on processing issues, and protection requirements;
- Organize the receipt and processing of requests and inquiries from personal data subjects or their representatives and monitor such processing.
To facilitate the activities of the responsible person, the Operator must provide them with the same information that is submitted to Roskomnadzor, such as processing purposes and the measures taken to protect and secure personal data.
As we can see, the activities of this person, much like in the GDPR, are regulated quite superficially and clearly require additional regulation in the Operator’s local internal policies (orders, job descriptions, regulations on personal data processing, and inter-departmental interaction protocols).
Person Responsible for Personal Data Security
If an Operator processes data using information systems, it may also be necessary to appoint a person responsible for ensuring the security of personal data in the information system (the "person responsible for PD security").
First, this depends on the level of personal data protection required in the information system.
Protection levels are determined by the Operator in accordance with Decree of the Government of Russia No. 1119 dated November 1, 2012, [3] and depend on factors such as the type of threat and the category of personal data being processed. Pursuant to paragraph 14 of the specified Decree, a person responsible for PD security must be appointed to ensure the 3rd and 2nd protection levels.
It should be noted that personal data legislation does not contain specific requirements for the position or education of the person responsible for security. Generally, a specialist in information security, IT, or another technical field is appointed.
To ensure the 1st protection level, the Operator must create a separate structural unit responsible for security or assign these functions to an existing structural unit.
Second, the requirement for a person responsible for security depends on the company's field of activity.
Thus, in accordance with Decree of the President of Russia No. 250 dated May 1, 2022, On Additional Measures to Ensure the Information Security of the Russian Federation, executive authorities, state funds, state corporations, strategic and systemic organizations, and subjects of critical information infrastructure (the "CII subjects") must establish a structural unit to perform information security functions. The organization's deputy head is tasked with ensuring information security. As a reminder, CII subjects include Russian legal entities operating in one of 14 sectors (healthcare, science, transport, communications, energy, banking and financial markets, the fuel and energy complex, nuclear energy, defense, aerospace, mining, metallurgical, and chemical industries).
Decree of the Government of Russia No. 1272 dated July 15, 2022, approved model regulations for the deputy head responsible for information security and the structural unit ensuring it. Specifically, the deputy head must have a higher education degree (at least a specialist or master's degree) in information security or another higher education degree supplemented by professional retraining in the field of Information Security. [4]
In accordance with Order of FSTEC of Russia No. 235 dated December 21, 2017, [5] the following requirements apply to employees of the security structural units of CII subjects:
- For the head of the security unit: a higher professional education in information security or another higher professional education supplemented by a document confirming professional retraining in "Information Security", and at least 3 years of work experience in the field of information security.
- For other unit employees: a professional education in information security or another higher professional education supplemented by professional development in the field of Information Security.
Furthermore, these employees are required to undergo professional development in this field at least once every 3 years.
Order of FSTEC of Russia No. 235 dated December 21, 2017, assigns the following functions to the employees of the security unit:
- Analyzing security threats and identifying vulnerabilities in CII objects;
- Ensuring the implementation of security requirements for significant CII objects;
- Ensuring the implementation of organizational measures and the application and operation of information protection tools;
- Responding to computer incidents;
- Organizing security compliance assessments for significant CII objects;
- Preparing proposals to improve the functioning of security systems and the security level of CII objects;
- Developing proposals to improve organizational and administrative documents regarding the security of CII objects.
Additionally, organizations holding licenses in the field of information protection may be engaged to perform these functions.
Despite the weak regulation of requirements for PD security specialists, this profession requires both a strong knowledge of legislation and a large volume of highly specialized knowledge and skills. The Russian labor market still experiences a shortage of such specialists.
Penalties for Violations in the Activities of Responsible Persons
For non-compliance with the GDPR, including the norms regulating DPO activities, an Operator may face a fine of up to 20,000,000 Euros or up to 4% of annual turnover (Article 83 of the GDPR). The amount varies depending on the gravity, duration, and consequences of the violation.
Open sources provide information on several such cases. For instance, in one case, a fine of 51,000 Euros was imposed on the German division of Facebook for the absence of a DPO. Facebook argued that a DPO had been appointed in another EU country and would operate for all European divisions. The regulator rejected this argument as it had not been previously notified. The prompt remediation of the violation was taken into account when determining the fine amount. [6]
In another case, a Belgian operator was fined 50,000 Euros for a conflict of interest involving the DPO and insufficient involvement in resolving processing and protection issues. It was established that one employee combined the functions of the head of the audit, risk, and compliance department with those of a security officer. This situation was categorized as "self-control". [7]
Turning back to Russian legislation, it should be noted that the Code of Administrative Offenses does not contain specific provisions establishing administrative liability for the absence of a responsible person. However, if Roskomnadzor discovers that an Operator has failed to appoint one, it will issue a prescription. Failure to comply with the prescription will lead to administrative liability under Part 1 of Article 19.5 of the CAO RF. The fine for officials is up to 2,000 rubles or disqualification for up to 3 years, and for legal entities, up to 20,000 rubles.
Consider an example from judicial practice. Roskomnadzor conducted an inspection of an Election Commission's compliance with personal data legislation. The inspection revealed violations, including the absence of a person responsible for the organization of personal data processing. A prescription to remedy the violations was issued. The Commission challenged the prescription in court, claiming that such a person had been designated by an order. The court ruled that based on the literal text of the order, the commission's secretary was responsible only for the collection and storage of data, but not for its processing. Under such circumstances, the prescription was found to be legal and justified. [8]
Furthermore, prosecutorial authorities may compel the appointment of a responsible person through court proceedings. In one case, a prosecutor filed a lawsuit against a District Administration to compel it to appoint a responsible official and approve internal regulations governing this field within two months. The lawsuit was granted in full. [9]
For violations in the activities of the person responsible for PD security, there is a risk of administrative liability under Part 6 of Article 13.12 of the CAO RF, "Violation of Information Protection Requirements". The fine for officials is up to 2,000 rubles, and for legal entities, up to 15,000 rubles.
In one case, a prosecutor's office found that a non-profit organization was transmitting information containing the personal data of Russian citizens over the internet without using certified cryptographic information protection tools. The inspection also established that no person responsible for PD security had been appointed, and uncontrolled access to the premises housing the information system could not be excluded. The organization was held liable under Part 6 of Article 13.12 of the CAO RF and fined 10,000 rubles. The challenge to the liability order in court was unsuccessful. [10]
In conclusion, in an environment of widespread computerization and digitalization, the risks of personal data leaks are growing, and requirements for Operators are tightening. To comply with the law and avoid unfavorable consequences, we recommend that every personal data operator appoint a person responsible for organization and security who possesses the necessary competencies. Recent high-profile data leaks highlight once again the need for professional information protection.
____________________________________
References
[1] Who is a Data Protection Officer? / B-152. M. Lagutin. September 12, 2023. // Habr.
[2] Decree of the Government of Russia No. 211 dated March 21, 2012, On Approval of the List of Measures Aimed at Ensuring the Performance of Obligations Provided for by the Federal Law On Personal Data and Normative Legal Acts Adopted in Accordance with It by Operators That Are State or Municipal Bodies.
[3] Decree of the Government of Russia No. 1119 dated November 1, 2012, On Approval of the Requirements for Personal Data Protection During Its Processing in Personal Data Information Systems.
[4] Decree of the Government of Russia No. 1272 dated July 15, 2022, On Approval of the Model Regulation on the Deputy Head of a Body (Organization) Responsible for Ensuring Information Security in the Body (Organization) and the Model Regulation on the Structural Unit in the Body (Organization) Ensuring the Information Security of the Body (Organization).
[5] Order of FSTEC of Russia No. 235 dated December 21, 2017, On Approval of the Requirements for the Creation of Security Systems for Significant Objects of the Critical Information Infrastructure of the Russian Federation and Ensuring Their Functioning.
[6] Facebook’s Tiny Privacy Fine Is a ‘Warning,’ Watchdog Says. Hamburg privacy watchdog levies symbolic EU 51,000 penalty. EU’s new privacy rules give authorities higher fining powers // Stephanie Bodoni. February 13, 2020. // Bloomberg.
[7] DPO and conflict of interest: the Belgian DPA issues a 50,000 EUR fine. May 4, 2020 / Jane Murphy // Edpo.
[8] Resolution of the FAS of the North-Western District dated April 29, 2013, in Case No. A44-5910/2012.
[9] Decision of the Sharlyksky District Court of the Orenburg Region dated November 5, 2019, in Case No. 2a-520/2019.
[10] Decision of the Kuybyshevsky District Court of the City of Omsk dated October 21, 2021, in Case No. 12-696/2021.