Roskomnadzor Notification: Compliance with Russian Personal Data Processing Laws
August 14, 2023
BRACE Law Firm ©
Every person has personal data (the "PD"), which allows for their identification among other people. Various parties, including employers, counterparties, and government authorities, gain access to such data. Most of these parties must notify the supervisory authority (Roskomnadzor) of the planned processing of personal data before commencing any actions with it.
Since September 1, 2022, the list of persons required to submit such a notification has significantly expanded. This article examines the specific cases where companies must submit a notification of PD processing, the submission procedure, and the liability for violating these submission rules.
Who and When Must Submit a Notification of PD Processing?
Pursuant to Part 1 of Article 22 of Federal Law No. 152-FZ dated July 27, 2006, On Personal Data (the "Personal Data Law" or "Federal Law No. 152-FZ"), an operator must notify Roskomnadzor of its intention to process personal data before such processing begins.
This provision raises the question: who is a personal data operator? Article 3 of Federal Law No. 152-FZ defines this term. Personal data operators include state and municipal authorities, as well as legal entities and individuals who organize and (or) perform personal data processing and determine the purposes and content of such processing.
In turn, processing means any action or set of actions performed with personal data, such as collection, recording, systematization, accumulation, storage, clarification, extraction, use, transfer, depersonalization, blocking, deletion, or destruction, among others.
We emphasize that the law establishes no special exemptions for individual entrepreneurs. An individual entrepreneur may refrain from submitting a notification only if they do not process personal data at all: specifically, if they have no employees and do not process customer personal data. Similar rules apply to self-employed individuals. Although a self-employed person has no employees, they must submit a notification if they gain access to the personal data of individual clients in the course of their activities.
Furthermore, according to Roskomnadzor, the legal requirements for submitting a notification also apply to representative offices of foreign legal entities performing personal data processing activities within the territory of the Russian Federation.
The Personal Data Law allows an operator to delegate personal data processing to a third party, for example, when outsourcing HR or accounting services. However, this does not exempt the Operator from the obligation to submit a notification of processing.
Thus, as a general rule, any legal entity or individual entrepreneur planning to perform any actions with the personal data of individuals must submit a notification of the intent to process personal data before such processing commences.
When Is a Notification of the Commencement of Personal Data Processing Not Required?
Part 2 of Article 22 of the Personal Data Law provides for cases where notifying Roskomnadzor of personal data processing is not required. A notification is not required if the processing is performed:
- In state information systems created to protect state security and public order;
- To ensure the functioning of the transport complex and protection against acts of unlawful interference in cases provided for by transport security legislation;
- Without the use of automation tools.
The cases where personal data processing may be recognized as non-automated are formulated in the Regulation on the Specifics of Personal Data Processing Performed Without the Use of Automation Tools, approved by Decree of the Government of the Russian Federation No. 687 dated September 15, 2008 (the "Decree No. 687"). According to Clauses 1 and 2 of Decree No. 687:
- Non-automated processing refers to actions with personal data provided that the use, clarification, dissemination, and destruction of personal data involve the direct participation of a person;
- Personal data processing cannot be recognized as automated solely because the personal data is contained in or extracted from a personal data information system.
In simpler terms, processing is non-automated when the use, clarification, dissemination, and destruction of personal data are carried out by a person directly rather than by computing equipment acting on its own; the mere fact that the data is stored in or retrieved from an information system does not by itself make the processing automated.
In all other cases, the operator must submit a notification of the intent to process personal data of individuals. We provide an example from judicial practice. In one case, a company applied to an arbitration court to invalidate a Roskomnadzor order regarding the need to provide a notification of personal data processing, arguing that it was not a personal data operator. The court stated that the fact that a person carries on activities in the course of which it may process personal data is of legal significance for classifying that person as an operator. When reviewing the case, the court examined the company's internal regulation (local act), which stated that it processed personal data in the information systems "1C-KAMIN: Salary" and "1C: Accounting". The information systems used did not fall under the exceptions provided for by Article 22 of Law No. 152-FZ. The court denied the application.
Note also that due to the adoption of Federal Law No. 266-FZ dated July 14, 2022, On Amending the Federal Law On Personal Data, the list of grounds where notification was not required was significantly reduced from nine to three as of September 1, 2022. Previously, for instance, an operator could refrain from notifying Roskomnadzor if data was processed in accordance with labor legislation or a concluded contract and was not disseminated, or if only the full name was processed. Such PD operators must now submit a notification to the supervisory authority. At the same time, according to Roskomnadzor, the Federal Law does not define a final deadline for notification; therefore, September 1, 2022, cannot be considered a mandatory cut-off date for providing the notification to Roskomnadzor.
Content of the Notification of Personal Data Processing
The procedure for submitting a processing notification is regulated by Parts 3 and 3.1 of Article 22 of the Personal Data Law. Additionally, Roskomnadzor Order No. 94 dated May 30, 2017, approved the Methodological Recommendations on Notifying the Authorized Body of the Commencement of Personal Data Processing and on Amending Previously Submitted Information (the "Methodological Recommendations No. 94").
The operator should send the notification to the territorial body of Roskomnadzor at the place of the operator's tax registration (Clause 3.1.13 of Methodological Recommendations No. 94).
The notification form was approved by Roskomnadzor Order No. 180 dated October 28, 2022 (the "Order No. 180"). The notification must contain the following information:
1. Name (last name, first name, patronymic) and address of the operator. For legal entities, this includes the full and abbreviated name, legal form, names of branches (representative offices), address, INN, and OGRN; for individuals, this includes the full name, passport details, address, and INN.
2. Purpose of personal data processing. Purposes are formulated based on an analysis of the legal acts regulating the operator's activities, constituent documents, the operator's actual activities, and specific business processes. Examples include HR and accounting management, compliance with tax and pension legislation, market promotion of goods, works, and services, etc. Roskomnadzor's website offers a list of possible purposes when filling out the notification form.
For each purpose of personal data processing, the operator must specify the categories of personal data, categories of personal data subjects, the legal basis for processing, the list of actions, and the methods of personal data processing (Part 3.1 of Article 22 of Federal Law No. 152-FZ).
One must approach the specification of purposes in the notification with great care. Federal Law No. 152-FZ establishes that the content and volume of processed personal data must correspond to the stated processing purposes (Part 5 of Article 5 of Federal Law No. 152-FZ). Processing personal data in a manner incompatible with the stated purposes carries the risk of administrative liability under Part 1 of Article 13.11 of the CAO RF, with fines of up to 20,000 rubles for officials and up to 100,000 rubles for legal entities.
3. Categories of personal data. The Personal Data Law identifies several categories:
- General (full name, address, telephone number, place and date of birth, information on education, marital status, employment history, salary, etc.);
- Special (information concerning racial or ethnic origin, political views, religious or philosophical beliefs, health status, and intimate life);
- Biometric (information characterizing physiological and biological characteristics of a person, based on which their identity can be established: photo and video images, voice data, etc.).
The notification must specify the entire volume of processed personal data in as much detail as possible.
4. Categories of subjects whose personal data is processed. Roskomnadzor recommends specifying the categories of personal data subjects (individuals) and the types of relationships the operator has with these subjects, such as employees or individual clients (subscriber, passenger, borrower, depositor, insured person, etc.).
5. Legal basis for personal data processing. The legal basis for personal data processing consists of the regulatory acts under which the Operator performs processing. These may include:
- Federal laws and other regulatory legal acts regulating the activities of the personal data operator;
- The number and name of the license for the performed type of activity (for licensed activities);
- The consent of the personal data subject to processing;
- Contracts concluded between the personal data operator and the personal data subject.
It is recommended to list all regulatory legal acts that establish the grounds and procedure for the operator's personal data processing and correspond to the operator's powers. The Law on Personal Data itself is not a legal basis.
6. List of actions with personal data. The list of actions is provided in Article 3 of the Personal Data Law: collection, recording, systematization, accumulation, storage, clarification (updating, changing), extraction, use, transfer (dissemination, provision, access), depersonalization, blocking, deletion, and destruction of personal data, among others.
7. Description of the personal data processing methods used by the operator. Legislation distinguishes the following methods of personal data processing:
- Non-automated personal data processing;
- Exclusively automated personal data processing;
- Mixed personal data processing.
In the case of automated or mixed processing, Roskomnadzor recommends specifying whether the information obtained during processing is transferred over the operator's internal network (accessible only to strictly defined employees), via the Internet, or without the transfer of the obtained information.
8. Description of organizational and technical measures taken by the PD operator to protect personal data. Measures to protect personal data from unlawful or accidental access, destruction, modification, blocking, copying, or dissemination are provided for by Articles 18.1 and 19 of Federal Law No. 152-FZ, such as:
- Appointing a person responsible for organizing personal data processing;
- Issuing a Personal Data Processing Policy;
- Conducting audits;
- Identifying threats to personal data security during processing in personal data information systems, etc.
However, this list is not exhaustive; the PD operator independently determines the composition and list of measures necessary and sufficient for protection. If the PD operator uses encryption (cryptographic) tools, they must provide information on the name and class of the cryptographic information protection tools (CIPF) (Clause 3.1.7 of Methodological Recommendations No. 94).
The notification must include the full name of the individual or the name of the legal entity responsible for organizing personal data processing, their contact telephone numbers, mailing addresses, and email addresses. The PD operator must appoint such a person in accordance with Clause 1 of Part 1 of Article 18.1 of Federal Law No. 152-FZ.
9. Commencement date of personal data processing. It is recommended to specify the actual date actions with personal data began, which is generally the date the PD operator commenced the activities established in its constituent documents.
10. Term or condition for termination of personal data processing. Roskomnadzor recommends specifying a specific date or a condition whose occurrence will trigger the termination of personal data processing—for example, the liquidation of the legal entity or the termination of activities by an individual entrepreneur.
11. Information on the presence or absence of cross-border transfer of personal data during processing. Cross-border transfer is the transfer of personal data to the territory of a foreign state to an authority of a foreign state, a foreign individual, or a foreign legal entity. If such a transfer is planned, it will be necessary to specify the list of foreign states to whose territory the cross-border transfer will be performed.
Note that mentioning cross-border transfer in the notification does not waive the PD operator's obligation to submit a separate notification to Roskomnadzor of the intent to perform cross-border transfer of personal data (Part 3 of Article 12 of Federal Law No. 152-FZ).
12. Information on the location of the database containing the personal data of citizens of the Russian Federation. It is necessary to specify the names of the countries where the database is located (Russia or foreign states) and the specific addresses of the database location.
13. Information on ensuring personal data security in information systems. The list of measures taken to protect personal data in information systems must be specified in accordance with Decree of the Government of the Russian Federation No. 1119 dated November 1, 2012, On Approving Requirements for the Protection of Personal Data During Its Processing in Personal Data Information Systems. The Operator selects the protection tools in accordance with the regulatory legal acts of the FSB and FSTEC.
How to Submit a Notification of Personal Data Processing?
A notification may be submitted:
- As a paper document signed by an authorized person. The form can be taken from Order No. 180 or filled out on the Roskomnadzor website, printed, and sent to the supervisory authority.
- As an electronic document signed with an enhanced qualified electronic signature (UKEP). This also requires filling out the form on the Roskomnadzor website and signing it with a UKEP.
- As an electronic document via the Gosuslugi Portal. To submit a notification this way, one must authenticate on the Gosuslugi Portal, fill out, and submit the provided form. When submitting a notification electronically, a subsequent paper submission is not required.
Inclusion in the Register of Personal Data Operators
Roskomnadzor reviews the notification within 30 days from the date of its receipt. No state fee is charged for reviewing the notification.
If there are no inaccuracies or incomplete information, Roskomnadzor enters the information into the Register of Personal Data Operators (the "Register of PDO"). This register is published on the Roskomnadzor Personal Data Portal. Information contained in the Register of PDO is public, except for information on tools used to ensure personal data security.
Roskomnadzor does not issue any documents confirming inclusion in the Register of PD Operators. However, any interested party may apply to the supervisory authority for an extract from the Register. It is recommended to draft the application according to the form defined in Methodological Recommendations No. 94. It must contain information about the applicant (name, INN, OGRN, location address, and mailing and/or email address) and information about the operator in question (name, INN (OGRN) and/or the registration number of the entry in the register). The extract is sent within 5 business days from the date of registration of the application. If the application lacks the necessary information, the applicant is sent a letter stating the reason for the refusal to provide the extract.
If the operator provides incomplete or unreliable information, the data is not entered into the Register of Personal Data Operators. A letter is sent to the PD operator containing a list of deficiencies and a proposal to provide them. If the PD operator fails to submit clarified information within 30 days from the date of receipt of the request, the notification is returned to the PD operator without entering the information into the Register.
Obligations of a Personal Data Operator After Submitting a Notification
In the event of a change in the information contained in the submitted notification, the personal data operator must inform Roskomnadzor no later than the 15th day of the month following the month in which such changes occurred (Part 7 of Article 22 of the Personal Data Law).
The form for the notification of a change in information is provided in Order No. 180. It must contain the PD operator's details, the registration number of the entry in the register of operators, the date of the change in information, and the information subject to change. It may be submitted using the same methods as the initial notification.
In the event of termination of personal data processing, the operator must notify Roskomnadzor within 10 business days (Part 7 of Article 22 of the Personal Data Law).
According to Clause 5.1 of Methodological Recommendations No. 94, an operator is deemed to have terminated personal data processing upon the occurrence of the following conditions:
- Liquidation of the operator;
- Termination of the PD operator's activities as a result of its reorganization;
- Cancellation of licenses for the licensed activity of the PD operator, if a condition of the license for such activity is a prohibition on the transfer of personal data to third parties without the written consent of the personal data subject;
- A court decision that has entered into legal force regarding the termination of personal data processing by the Operator;
- The occurrence of the deadline or condition for the termination of personal data processing specified by the PD operator in the notification.
The form for the notification of termination of personal data processing is also provided in Order No. 180. The notification specifies the personal data operator's details, the registration number of the entry in the Register of PD Operators, and the grounds and date for the termination of personal data processing.
After reviewing the application, information regarding the termination of personal data processing by the Operator is entered into the Register of PDO.
Appealing Roskomnadzor's Decisions, Actions (Inactions)
If the supervisory authority refuses to accept an operator's notification, refuses to enter information about it into the Register of Personal Data Operators, or if such information is not entered within the established timeframe, the corresponding decision or action (inaction) may be appealed in an arbitration court in the manner provided for by Chapter 24 of the APC RF.
The appeal period is 3 (three) months from the day the person became aware of the violation of their rights and legitimate interests. This period may be restored by the court if there are valid reasons.
For the court to grant the application, two circumstances must be established together: first, that the contested decision or action (inaction) is inconsistent with the law or another regulatory act; and second, that it violates the applicant's rights and legitimate interests in the sphere of entrepreneurial and other economic activity, unlawfully imposes obligations on the applicant, or creates other obstacles to the performance of entrepreneurial and other economic activity.
In practice, the disputes that most often reach the courts concern the supervisory authority's demands to provide a notification of personal data processing. Thus, in one case, a Company applied to an arbitration court to invalidate a non-normative legal act, namely a Roskomnadzor written document "On the Obligation to Notify of Processing (the Intent to Perform Processing) of Personal Data". This letter was sent by the supervisory authority after it identified signs of activity implying the Company's processing of personal data. The Company argued that it processed personal data exclusively in the cases listed in Part 2 of Article 22 of Law No. 152-FZ, which entitled it not to notify Roskomnadzor of the intent to process personal data. The court stated that, in addition to indicating the need to submit a processing notification, the contested letter also indicated the need to submit relevant information on the presence of grounds allowing the applicant to perform processing activities without notification. The court denied the application.
Furthermore, attempts are often made to contest the supervisory authority's decision to refuse removal from the Register of PD Operators. For example, a company applied to an arbitration court to recognize Roskomnadzor's inaction as unlawful, expressed in the failure to remove the business entity from the Register of PD Operators, and to recover a court penalty of 1,000 rubles for each day of non-compliance with the court decision. During the court's review, none of the grounds provided for by Methodological Recommendations No. 94 under which a PD operator is deemed to have terminated personal data processing were identified. It was also established that the business entity's web pages featured an online appointment booking option involving the collection of personal data including name, telephone number, and email address. The court denied the application.
An analysis of judicial practice shows that most such disputes result in a decision against the operators.
Liability for Failure to Submit a Notification of Personal Data Processing
Failure to submit a notification of personal data processing entails liability under Article 19.7 of the CAO RF, "Failure to Submit Information". The fine for officials is from 300 to 500 rubles, and for legal entities, it is from 3,000 to 5,000 rubles. Liability under this article may also arise if information is provided in an incomplete or distorted form.
We illustrate this with examples from judicial practice. In one case, a business entity failed to provide, upon Roskomnadzor's request, a notification of personal data processing or an information letter stating the grounds under which it is entitled to process personal data without notifying the supervisory authority. By the order of a justice of the peace, the business entity was found guilty of an administrative offense under Article 19.7 of the CAO RF and fined 3,000 rubles. Attempts to contest this decision in higher courts were unsuccessful. The courts stated that the Company had the opportunity to comply with this legal requirement but failed to take all measures within its power to do so. No evidence of the impossibility of timely complying with the authorized body's request was submitted by the business entity.
Parties are also held liable under this provision for failing to fulfill other obligations when interacting with Roskomnadzor, for example, in the event of failure to notify the supervisory authority of a change in information. Thus, in another case, Roskomnadzor sent a letter to an Institution requesting a notification of changes to the information in the Register of PD Operators. However, the requested information was not provided within the established 30-day period. The Institution was held administratively liable under Article 19.7 of the CAO RF and fined 3,000 rubles. An attempt to appeal the decision on the grounds that the inaction led to no consequences and did not violate the legally protected rights and freedoms of others was unsuccessful.
In conclusion, submitting a notification to Roskomnadzor and inclusion in the Register of Operators increases the risk of supervisory activities and entails the need to develop and implement measures to protect the processed personal data. However, if the legal requirements for notifying the supervisory authority are ignored, a person who actually performs actions with personal data risks being held administratively liable not only under Article 19.7 of the CAO RF but also for violating personal data processing rules under Article 13.11 of the CAO RF, where fines reach 6 million rubles.
____________________________
References
- Roskomnadzor Information, Answers to Questions in the Sphere of Personal Data Subject Rights Protection.
- Resolution of the First Arbitration Appeal Court dated March 30, 2022, No. 01AP-1041/2022 in Case No. A79-6634/2021.
- Roskomnadzor Letter No. 08-80975 dated September 6, 2022, On Review of the Letter.
- Roskomnadzor Order No. 180 dated October 28, 2022, On Approval of Notification Forms of the Intent to Process Personal Data, on Amending Information Contained in the Notification of the Intent to Process Personal Data, and on the Termination of Personal Data Processing.
- Ruling of the Supreme Court of the Russian Federation dated October 11, 2021, No. 303-ES21-18542 in Case No. A51-16912/2020.
- Resolution of the Arbitration Court of the Volga District dated March 4, 2022, No. F06-14499/2022 in Case No. A57-13625/2021.
- Resolution of the First Court of Cassation of General Jurisdiction dated March 14, 2022, No. 16-1309/2022.
- Decision of the Chegem District Court of the Kabardino-Balkarian Republic dated February 10, 2016, in Case No. 12-13/2016.