Personal Data Operator (Data Controller) Obligations in Russia: Requirements for Business
July 26, 2023
BRACE Law Firm ©
Any company processes personal data (the "PD") of its employees, clients, and counterparties. Federal Law No. 152-FZ dated July 27, 2006, On Personal Data (the "Law on Personal Data" or "Federal Law No. 152-FZ") defines such companies as personal data operators (the "operators", "PD operators", or "PDO").
The Law on Personal Data imposes numerous obligations on operators during personal data processing, and this number continues to grow. Compliance often requires financial investment and the involvement of specialists.
This article examines in detail the obligations that personal data legislation imposes on business and the liability of operators for non-compliance.
Obligations of Personal Data Operators
Chapter 4 of the Law on Personal Data is dedicated to the obligations of the operator, although some are also contained in other chapters of the law. Furthermore, these obligations are further developed in the regulations of regulatory authorities (Roskomnadzor, FSTEC of Russia, and the FSB of Russia).
For ease of consideration, we can conventionally divide these obligations into several groups:
- obligations when interacting with Roskomnadzor;
- obligations to comply with the principles and conditions of personal data processing;
- obligations to protect personal data;
- obligations when interacting with the personal data subject.
Each of these groups is discussed in more detail below.
Obligations of the PDO when Interacting with Roskomnadzor
We begin with this group because any work with personal data starts with notifying Roskomnadzor. Subsequently, the operator must inform the supervisory authority about the occurrence of certain events throughout its data processing activities.
1. Obligation to file a notification on personal data processing.
Prior to the commencement of processing, the operator must notify Roskomnadzor of its intent to process personal data (Part 1 of Article 22 of Federal Law No. 152-FZ). Exceptions apply if the processing is performed:
- without the use of automation tools;
- within state information systems created to protect state security and public order;
- to ensure transport security in cases provided for by legislation.
Roskomnadzor Order No. 180 dated October 28, 2022 (the "Order No. 180") approved the notification form. [1] The notification is sent as a hard copy document or as an electronic document via the Roskomnadzor website. To send the notification in electronic form, the operator must pass authentication on the State Services Portal (Gosuslugi), fill out, and submit the form posted on the Roskomnadzor website.
If the information specified in the notification changes, the operator must notify Roskomnadzor no later than the 15th day of the following month. In the event of the termination of data processing, the operator must notify the authority within 10 business days from the date of termination. Order No. 180 also provides the forms for these notifications.
2. Obligation to file a notification on the cross-border transfer of personal data.
Effective March 1, 2023, operators must file a notification with Roskomnadzor regarding their intent to perform cross-border transfers of personal data (Part 3 of Article 12 of Federal Law No. 152-FZ). Cross-border transfer is defined as the transfer of personal data to the territory of a foreign state to an authority of a foreign state, a foreign individual, or a foreign legal entity.
The operator submits this notification separately from the notification of intent to process personal data provided for by Article 22 of the Law on Personal Data.
Like the general notification of the commencement of personal data processing, this notification is submitted as a hard copy document or as an electronic document via the Roskomnadzor website. The notification form has not yet been officially approved. Part 4 of Article 12 of Federal Law No. 152-FZ lists the necessary information; alternatively, the recommended template posted on the agency's website may be used.
3. Obligation to provide information upon request from Roskomnadzor.
The operator must provide necessary information upon request from Roskomnadzor within 10 business days from the date of its receipt (Part 4 of Article 20 of Federal Law No. 152-FZ). This period may be extended by no more than 5 business days upon a reasoned notification from the operator.
4. Obligation to notify of personal data breaches.
Effective September 1, 2022, the operator must also notify Roskomnadzor of facts involving the unlawful or accidental transfer (provision, dissemination, access) of personal data (Part 3.1 of Article 21 of Federal Law No. 152-FZ).
According to the introduced norms, the PDO must notify the supervisory authority:
- within 24 hours – regarding the incident, the suspected causes and potential harm, and the measures taken to eliminate the consequences of the incident;
- within 72 hours – regarding the results of the internal investigation of the incident and the persons whose actions caused the incident.
Roskomnadzor Order No. 187 dated November 14, 2022 approved the procedure for interaction between the supervisory authority and the operator when recording incidents. [2]
PDOs classified as subjects of critical information infrastructure (defense industry, communications, transport, energy, healthcare, science, banking, mining, metallurgical, and chemical industries) must report computer incidents through the GosSOPKA information system (Part 12 of Article 19 of Federal Law No. 152-FZ). Others transfer information by submitting a notification through the Roskomnadzor website.
For violation of obligations when interacting with Roskomnadzor, PD operators are subject to administrative liability under Article 19.7 of the CAO RF, "Failure to Submit Information". The fine for officials ranges from 300 to 500 rubles; for legal entities, it ranges from 3,000 to 5,000 rubles.
Judicial practice illustrates this. In one case, a commercial company failed to submit a notification of personal data processing or an information letter specifying the grounds allowing it to process personal data without notifying the supervisory authority upon Roskomnadzor's request. The court found this company guilty of an administrative offense under Article 19.7 of the CAO RF and imposed a fine of 3,000 rubles. [3]
Notably, these obligations also apply to foreign companies processing personal data in Russia. In a case that reached the Supreme Court of the Russian Federation, a foreign company failed to provide information requested by Roskomnadzor regarding the databases used to process Russian users' data and the server capacities recorded on the company's balance sheet. The court found the company guilty of an administrative offense under Article 19.7 of the CAO RF and imposed a fine of 3,000 rubles. The company's attempt to challenge the decision by arguing that it had sent a letter to Roskomnadzor describing its approach to user data security was unsuccessful. [4]
Obligations to Comply with Principles and Conditions of Personal Data Processing
When working with personal data, the operator must comply with the principles and conditions of its processing provided for by the Law on Personal Data. This requirement stems from the provisions of Article 6 of Federal Law No. 152-FZ. The main requirements include:
1. Personal data processing must be performed on a lawful and fair basis.
As a general rule, a PD operator must obtain the consent of the PD subject to process personal data (Part 1 of Article 6 of Federal Law No. 152-FZ). Processing without consent is permitted only in cases expressly provided for by the Law on Personal Data. For example, consent is not required if the data is necessary to perform a contract where the data owner is a party or beneficiary, or if the information is needed to comply with the requirements of pension, tax, or labor legislation. The Operator bears the burden of proving that consent was obtained or that grounds for processing without consent existed.
2. When collecting personal data, the operator must explain the legal consequences of refusing to provide personal data and (or) refusing to give consent for its processing to the subject (Part 4 of Article 16 of Federal Law No. 152-FZ).
3. As a general rule, personal data must be obtained directly from the owner. If personal data is obtained from third-party sources, the Operator must provide the personal data subject with information regarding the purposes of processing, the intended users, and the source of the data (Parts 2 and 3 of Article 18 of Federal Law No. 152-FZ).
4. The operator must not disclose personal data to third parties or disseminate it without the consent of the personal data subject (Article 7 of Federal Law No. 152-FZ). Federal law may provide otherwise, for instance where personal data is provided upon request from inquiry, investigation, or court authorities in accordance with procedural legislation or legislation on operational-search activities.
5. The operator must ensure the storage of personal data of citizens of the Russian Federation using databases located within the territory of the Russian Federation (Part 5 of Article 18 of Federal Law No. 152-FZ).
6. When processing personal data, its accuracy, sufficiency, and relevance must be ensured. The operator must take necessary measures to delete or clarify incomplete or inaccurate data (Part 6 of Article 18 of Federal Law No. 152-FZ). These facts may be discovered by the operator independently or as a result of a request from the personal data subject or Roskomnadzor.
Article 21 of Federal Law No. 152-FZ details the obligations of the PD operator in connection with the identification of facts of unlawful personal data processing or the processing of inaccurate personal data.
In particular, the PD operator must:
- block unlawfully processed personal data during the verification of the relevant circumstances. If processing is delegated to a third party, the operator must take measures to ensure such blocking;
- if the unlawfulness of processing is confirmed, cease processing (ensure cessation) within 3 business days. If ensuring the lawfulness of personal data processing is impossible, the operator must destroy such personal data within 10 business days and notify the PD subject and Roskomnadzor of the measures taken;
- clarify (take measures for clarification by a third party) personal data in the event of identifying inaccuracies within 7 business days from the date of receiving supporting information;
- cease personal data processing upon receipt of a withdrawal of consent for processing within 30 days, as well as upon receipt of a request from the PD subject to cease processing within 10 business days, except in cases where the law or a contract provides for continued processing without the subject's consent;
- destroy personal data (ensure destruction) in the event the purpose of personal data processing is achieved within 30 days, except in cases where the law or a contract provides for continued processing without the subject's consent.
The CAO RF contains several compositions of administrative offenses for failure to fulfill obligations during personal data processing:
- Part 1 of Article 13.11 of the CAO RF, "Processing of Personal Data in Cases Not Provided for by Law, or Incompatible with the Purposes of Personal Data Collection" – fine for officials ranges from 10,000 to 20,000 rubles; for legal entities, from 60,000 to 100,000 rubles. [5]
- Part 2 of Article 13.11 of the CAO RF, "Processing of Personal Data Without Written Consent of the Personal Data Subject or in Violation of the Requirements for Consent" – fine for officials ranges from 20,000 to 40,000 rubles; for legal entities, from 30,000 to 150,000 rubles.
- Part 8 of Article 13.11 of the CAO RF, "Failure by the Operator, when collecting personal data, to fulfill the obligation to ensure the recording, systematization, accumulation, storage, clarification (updating, modification), or extraction of personal data of citizens of the Russian Federation using databases located within the territory of the Russian Federation" – fine for officials ranges from 500,000 to 800,000 rubles; for legal entities, from 6,000,000 to 18,000,000 rubles.
For example, in one case, Roskomnadzor established that a foreign organization was collecting personal data of citizens of the Russian Federation (name, surname, phone number, and email address were provided during registration) using the foreign service "Speedtest". Consequently, the court found the foreign organization guilty of an administrative offense under Part 6 of Article 13.11 of the CAO RF and imposed a fine of 1,000,000 rubles. [6]
Obligations of Operators to Protect Personal Data
A key obligation of the operator is to protect personal data from unlawful actions (unlawful or accidental access, destruction, modification, blocking, copying, provision, dissemination, etc.). To achieve this, the operator must take necessary legal, organizational, and technical measures (Article 19 of Federal Law No. 152-FZ).
Legal measures include the adoption of relevant local regulations; organizational measures include the appointment of responsible persons and training for employees involved in data processing; and technical measures include actions aimed at preventing information security threats. The Law on Personal Data does not provide an exhaustive list of measures; therefore, the operator develops them independently, considering the requirements of sub-legal regulations and the specifics of its activities.
Legal Measures for Personal Data Protection
The operator must develop a Policy Regarding the Processing of Personal Data (the "Policy") and other local acts on matters of personal data processing. These acts define the categories and scope of processed data, the categories of subjects whose data is processed, the methods and terms of processing and storage, and the procedure for its destruction.
The operator must ensure access to the Policy for an unlimited circle of persons, including publishing it on its website (Part 2 of Article 18.1 of Federal Law No. 152-FZ). Violation of this obligation leads to administrative liability under Part 3 of Article 13.11 of the CAO RF, with fines for officials from 6,000 to 12,000 rubles; for individual entrepreneurs, from 10,000 to 20,000 rubles; and for legal entities, from 30,000 to 60,000 rubles.
In one instance, a prosecutorial audit revealed that an organization had not published its Policy. By order of a justice of the peace, the organization was found guilty of an administrative offense under Part 3 of Article 13.11 of the CAO RF and fined 15,000 rubles. [7] Attempts to challenge the order were unsuccessful. Superior courts noted that arguments regarding the excessive severity of the penalty and the absence of negative consequences are not grounds for reviewing the decision. [8]
It should be noted that if the operator does not have its own website, the Policy must be brought to the attention of an unlimited circle of persons by other available means, such as by posting it on an information board. In one case, Roskomnadzor refused to initiate proceedings due to the absence of an administrative offense. The operator proved that in the absence of a website, the Policy was posted on an information board, and an announcement containing a QR code for electronic access on Google Disk was also posted. [9]
In addition to the Policy, local acts and documents such as the Regulation on the Processing and Protection of Personal Data, orders on admission to PD processing, non-disclosure agreements, consent for processing, and the Regulation on the Procedure for Organizing Work with Requests from Personal Data Subjects are typically prepared. Furthermore, acts aimed at preventing and detecting violations of processing rules in information systems are developed, such as:
- an order approving the list of personal data information systems (the "PDIS") used in processing;
- instructions for the employee responsible for organizing personal data processing in the PDIS;
- instructions for organizing anti-virus protection in the PDIS;
- instructions for emergency situations, and others.
The PD operator must familiarize employees directly involved in processing personal data with the provisions of personal data legislation and local regulations and conduct training for said employees (Clause 6 of Part 1 of Article 18.1 of Federal Law No. 152-FZ).
Organizational Measures for Personal Data Processing
In addition to legal measures, organizational protection measures must be developed. These include appointing persons responsible for organizing personal data processing (Clause 1 of Part 1 of Article 18.1 of Federal Law No. 152-FZ).
For operators processing personal data without automation tools, this is sufficient. To organize work in a PDIS, a person responsible for ensuring the security of personal data is also appointed.
Technical Measures for Personal Data Processing
The orders of regulatory authorities regulate the list of technical measures for operators processing data in a PDIS:
- FSTEC of Russia Order No. 21 dated February 18, 2013, On Approval of the Composition and Content of Organizational and Technical Measures to Ensure the Security of Personal Data during its Processing in Personal Data Information Systems;
- FSB of Russia Order No. 378 dated July 10, 2014, On Approval of the Composition and Content of Organizational and Technical Measures to Ensure the Security of Personal Data during its Processing in Personal Data Information Systems Using Means of Cryptographic Information Protection.
These acts are technical in nature and are primarily addressed to information security specialists. These measures include:
- identification and authentication of access subjects and access objects;
- protection of machine-readable personal data carriers;
- anti-virus protection;
- and others.
The operator determines the specific list and content of measures based on defined levels of security.
The operator must also develop and apply physical measures for personal data protection, such as equipping the premises where personal data is stored with locking devices. Upon request from Roskomnadzor, the operator must submit documents or otherwise confirm the adoption of protection measures (Part 4 of Article 18.1 of Federal Law No. 152-FZ).
Besides taking protection measures, the operator must conduct an assessment of the harm that may be caused to personal data subjects in the event of a violation of the law (Sub-clause 5 of Part 1 of Article 18.1 of Federal Law No. 152-FZ). Roskomnadzor Order No. 178 dated October 27, 2022 established the assessment requirements. [10] An Act of Harm Assessment is compiled based on the results, specifying the degree of harm: high, medium, or low.
The operator must perform internal control and (or) an audit of the compliance of personal data processing with legislation and the operator's local acts. The audit procedure is approved by a separate local act or included in the Regulation on Personal Data Protection.
For failure to fulfill the obligation to ensure the safety of personal data when processing personal data without automation tools, if this resulted in unlawful actions regarding personal data, the operator may be held liable under Part 6 of Article 13.11 of the CAO RF. The fine for officials ranges from 8,000 to 20,000 rubles; for individual entrepreneurs, from 20,000 to 40,000 rubles; and for legal entities, from 50,000 to 100,000 rubles.
Violation of the rules for protecting personal data in a PDIS leads to liability under Part 6 of Article 13.12 of the CAO RF. The fine for officials ranges from 1,000 to 2,000 rubles; for legal entities, from 10,000 to 15,000 rubles.
As established in one case, the FSB Department identified during operational-search activities that an organization had not determined the security levels for personal data in the PDIS. Furthermore, in violation of Order No. 378, it had not approved rules for access to premises where cryptographic protection means are stored or the list of persons authorized for access. The FSB Department found the organization guilty of an administrative offense under Part 6 of Article 13.12 of the CAO RF and imposed an administrative fine of 15,000 rubles. The court agreed with the classification of the violation but considered it minor and replaced the fine with a warning. [11]
Additionally, one should remember that violations of the Law on Personal Data regarding protection requirements may be viewed as the following criminal offenses: violation of privacy (Article 137 of the Criminal Code of the Russian Federation) or unlawful access to computer information that resulted in the destruction, blocking, modification, or copying of information (Article 272 of the Criminal Code of the Russian Federation).
Obligations when Interacting with the Personal Data Subject
Article 20 of the Law on Personal Data regulates the obligations of the Operator when a personal data subject or their representative (the "PD subject") contacts them. According to this norm, the Operator must:
1. Provide information about personal data or the opportunity to review it.
Under Part 7 of Article 14 of Federal Law No. 152-FZ, a personal data subject has the right to receive information concerning the processing of their personal data, such as: the fact of processing, grounds, purposes, and methods of processing, sources of data, information on persons delegated to process the data, etc. Generally, the requested information must be provided within 10 business days from the date of receiving the request.
Upon request from the PD subject, the Operator must provide information about the processed personal data (list, legal grounds, purposes, and methods of processing, etc.) within 10 business days from the date the request is received. The operator must provide the subject with the opportunity to review this data within the same timeframe. The period may be extended up to 5 business days, provided that a reasoned notification is sent to the subject specifying the reasons for the extension.
The information must be provided in an accessible form and must not contain personal data relating to other personal data subjects. The requested information is provided free of charge.
In the event of a refusal to provide the requested data, the operator must provide a reasoned response in writing within the same timeframe, specifying the grounds for refusal. Refusal is permitted only on grounds expressly provided for by Federal Law No. 152-FZ:
- processing is performed for national defense, state security, and law enforcement purposes, or in connection with the detention of a PD subject on suspicion of committing a crime, or the bringing of charges in a criminal case, or the selection of a measure of restraint;
- processing is performed in accordance with legislation on anti-money laundering and combating the financing of terrorism;
- access of the PD subject to their personal data violates the rights and legitimate interests of third parties;
- personal data processing is performed in accordance with legislation on transport security for the safe functioning of the transport complex.
Notably, the obligation to provide requested information arises if the request contains mandatory details provided for by Article 14 of Federal Law No. 152-FZ: information on the identity document, information confirming participation in relations with the operator (contract number, date of contract, or other details), and the signature of the PD subject, which is confirmed by judicial practice. [12]
Roskomnadzor receives many complaints from citizens regarding the refusal of officials to provide requested information. Although practice shows that the supervisory authority does not find signs of an offense in the actions of said persons in most cases, the risk of liability for an unlawful refusal exists.
The maximum penalty for officials is a fine of up to 12,000 rubles; for individual entrepreneurs, up to 30,000 rubles; and for legal entities, up to 80,000 rubles.
2. Modify or destroy processed personal data.
The operator must modify personal data if the PD subject provides the Operator with information confirming that it is incomplete, inaccurate, or irrelevant within 7 business days from the date the information is provided. The subject must be notified of the modifications made.
The maximum penalty for officials is a fine of up to 20,000 rubles; for individual entrepreneurs, up to 40,000 rubles; and for legal entities, up to 90,000 rubles.
Within the same period, the operator must destroy the subject's personal data if the PD subject provides confirmed information that the personal data was obtained unlawfully or is not necessary for the stated purpose of processing.
Violation of obligations regarding interaction with personal data subjects entails the risk of administrative liability under Part 4 of Article 13.11 of the CAO RF. The fine for officials ranges from 8,000 to 12,000 rubles; for individual entrepreneurs, from 20,000 to 30,000 rubles; and for legal entities, from 40,000 to 80,000 rubles. Furthermore, in practice, cases occur where a PD subject files lawsuits for compensation for moral harm for failure to provide requested information or failure to take actions to cease data processing. [13]
For example, in one case, a commercial company acting as a personal data operator failed to comply with Roskomnadzor's requirements to delete employees' personal data on specified web pages. The court found the company guilty of an administrative offense under Part 5 of Article 13.11 of the CAO RF and imposed an administrative penalty in the form of a fine of 25,000 rubles.
In conclusion, we emphasize the necessity for Operators to properly fulfill their obligations under the Law on Personal Data, regardless of whether the PD operator is a micro-enterprise or a large company. Ignoring these obligations will lead to adverse consequences for business in the form of fines, the amount of which grows from year to year.
____________________________
References
[1] Roskomnadzor Order No. 180 dated October 28, 2022, On Approval of Notification Forms on the Intent to Process Personal Data, on Changes to Information Contained in the Notification of Intent to Process Personal Data, and on the Termination of Personal Data Processing.
[2] Roskomnadzor Order No. 187 dated November 14, 2022, On Approval of the Procedure and Conditions for Interaction between the Federal Service for Supervision of Communications, Information Technology, and Mass Media and Operators within the Framework of Maintaining the Registry for Accounting for Incidents in the Field of Personal Data.
[3] Resolution of the Second Cassation Court of General Jurisdiction dated October 7, 2022, No. 16-7329/2022.
[4] Resolution of the Supreme Court of the Russian Federation dated December 27, 2019, No. 5-AD19-239.
[5] Hereinafter, liability is also established for the repeated commission of a similar offense, with a more severe penalty.
[6] Resolution of the Second Cassation Court of General Jurisdiction dated December 26, 2022, Case No. 16-9987/2022.
[7] The fine was assigned based on the version of the law in effect on the date the resolution was issued.
[8] Resolution of the Fifth Cassation Court of General Jurisdiction dated February 18, 2021, No. 16-355/2021.
[9] Decision of the Kaluga Regional Court dated February 28, 2023, Case No. 7-21-36/2023.
[10] Roskomnadzor Order No. 178 dated October 27, 2022, On Approval of Requirements for the Assessment of Harm that May be Caused to Personal Data Subjects in Case of Violation of the Federal Law "On Personal Data".
[11] Decision of the Pervomayskiy District Court of Krasnodar dated April 23, 2019, Case No. 12-185/19.
[12] Resolution of the Ninth Cassation Court of General Jurisdiction dated July 23, 2021, No. 16-1125/2021.
[13] Decision of the Kirovskiy District Court of Saratov dated September 17, 2018, Case No. 2-5252/2018~M-5153/2018.