Termination and Destruction of Personal Data in Russia: Legal Requirements under Law No. 152-FZ
November 21, 2023
BRACE Law Firm ©
To conduct their activities, all organizations and individual entrepreneurs collect, store, and use personal data of individuals to some extent. These and any other actions involving personal data are defined as the processing of personal data. However, no data may be processed indefinitely. Upon achieving the processing purposes or the occurrence of other grounds provided for by legislation, processing must be terminated and personal data must be destroyed.
Since March of this year, the issue of personal data destruction has regained relevance. This is due to the entry into force of amendments to Federal Law No. 152-FZ dated July 27, 2006, On Personal Data (the "Personal Data Law", "Federal Law No. 152-FZ", or the "Law"), as well as the approval by the regulatory authority of requirements for confirming the destruction of personal data [1].
This article examines the cases in which an operator of personal data (the "Operator" or "PD Operator") must terminate the processing of personal data, and the procedure for destroying that data.
What Is the Termination of Personal Data Processing?
The processing of data may be terminated temporarily or permanently. The Personal Data Law refers to temporary termination as blocking, which is one of the types of operations involving personal data. As a rule, the blocking of personal data is carried out during the period of verifying the fact of unlawful processing or the inaccuracy of the processed data.
Further in this article, we will consider only the termination of personal data processing on a permanent basis.
When Must a PD Operator Terminate Personal Data Processing and Delete Data?
The Personal Data Law provides for several grounds for terminating the processing of personal data. These are spread across different articles of the Law and entail different legal consequences.
The Operator shall terminate the processing of personal data and ensure the termination of processing by a third party to whom it was assigned in the following cases:
- The PD Operator terminates activities related to the processing of personal data (Part 7 of Article 22 of Federal Law No. 152-FZ);
- A ban is placed on the cross-border transfer of personal data (Part 14 of Article 12 of Federal Law No. 152-FZ);
- The PD Operator achieves the processing purposes (Part 4 of Article 21 of Federal Law No. 152-FZ);
- The processing of personal data is found to be unlawful (Part 3 of Article 21 of Federal Law No. 152-FZ);
- Consent to the processing of personal data is withdrawn (Part 12 of Article 10.1, Part 5 of Article 21 of Federal Law No. 152-FZ);
- A demand for the termination of processing is received (Part 5.1 of Article 21 of Law No. 152-FZ).
Each of these grounds is examined in more detail below.
Termination of Personal Data Processing Activities by a PD Operator and Data Deletion
According to Paragraph 5.1 of the Roskomnadzor Methodological Recommendations, an Operator is considered to have terminated the processing of personal data upon the occurrence of the following conditions:
- Liquidation of the PD Operator;
- Cessation of the PD Operator’s activities as a result of its reorganization;
- Annulment of a license to carry out activities, where a condition of the license is a ban on the transfer of personal data to third parties without the written consent of the personal data subject;
- A court decision that has entered into legal force regarding the termination of personal data processing by the PD Operator;
- The occurrence of a period or condition for terminating the processing of personal data specified by the Operator in the notification of the start of personal data processing [2].
In the event of the termination of personal data processing, the PD Operator must notify Roskomnadzor within 10 business days (Part 7 of Article 22 of the Personal Data Law). The form for such notification was approved by Roskomnadzor Order No. 180 dated October 28, 2022 [3]. Within 30 days from the date of registration of the notification, Roskomnadzor enters information regarding the termination of personal data processing into the Register of PD Operators.
Prohibition or Restriction of the Cross-border Transfer of Personal Data
Cross-border (transborder) transfer of personal data is the transfer of personal data to the territory of a foreign state, where the recipient is an authority of a foreign state, a foreign individual, or a foreign legal entity (Paragraph 11 of Article 3 of Federal Law No. 152-FZ).
Starting March 1, 2023, Roskomnadzor must be notified for transborder transfers to any country. For countries that provide adequate protection of personal data, transborder transfer may begin immediately after sending such a notification [4].
At the same time, Roskomnadzor has the right to prohibit or restrict the transborder transfer of personal data. Upon receipt of such a decision, pursuant to Part 14 of Article 12 of Federal Law No. 152-FZ, the Operator must ensure that the foreign person who received such personal data terminates the processing and destroys the previously transferred information.
Achievement of Personal Data Processing Purposes
According to Part 2 of Article 5 of Federal Law No. 152-FZ, the processing of personal data must be limited to the achievement of specific, predetermined, and lawful purposes. The purpose of personal data processing is formulated by the PD Operator in the consent to processing obtained from the owner of the personal data (referred to in the Law as the personal data subject). Examples include maintaining personnel and accounting records, promoting products, works, or services on the market, etc.
As a general rule, if the purpose of personal data processing is achieved, the Operator must terminate processing. For example, if personal data was collected to perform a contract concluded for the benefit of the personal data subject, processing should terminate after its performance.
Processing may continue only in cases where it is directly permitted by law. For example, Federal Law No. 115-FZ dated August 7, 2001, On Counteracting the Legalization (Laundering) of Proceeds from Crime and the Financing of Terrorism, requires credit organizations to store client data necessary for identification for at least 5 years, notwithstanding the performance of the contract.
Identification of Unlawful Personal Data Processing
If unlawful processing of personal data is identified, the PD Operator must terminate the processing of personal data within 3 business days from the date this fact was identified (Part 3 of Article 21 of Federal Law No. 152-FZ). If possible, the PD Operator shall eliminate the circumstances causing the unlawful nature of the processing. For example, it may obtain the consent of the personal data subject to processing if the data was processed without consent and in the absence of other legal grounds.
If it is impossible to ensure the lawfulness of processing, the Operator must destroy such personal data within 10 business days and notify the personal data subject or their representative of this fact; if the request was received from Roskomnadzor, the specified authority must also be notified.
Withdrawal of Consent to the Processing of Personal Data
As a reminder, the Personal Data Law provides for two types of consent that an Operator must obtain to work with personal data:
- Consent to the processing of personal data (the "Consent to PD Processing");
- Consent to the processing of personal data authorized by the personal data subject for distribution (the "Consent to PD Distribution").
A personal data subject may withdraw either of these without explaining the reasons. However, the consequences of withdrawing such consents differ.
Upon withdrawal of Consent to PD Processing, the Operator must terminate the processing of personal data or ensure its termination if it is carried out by another person acting on behalf of the PD Operator, and destroy the data within 30 days from the date the withdrawal is received. An exception applies if the Law permits processing even without the consent of the personal data subject. The list of such grounds is established for general categories of data by Part 1 of Article 6 of Federal Law No. 152-FZ, for special categories of PD by Part 2 of Article 10 of Federal Law No. 152-FZ, and for biometric PD by Part 2 of Article 11 of Federal Law No. 152-FZ.
In the event of the withdrawal of Consent to PD Distribution, the Operator must terminate the distribution of such personal data from the moment the withdrawal is received. The Law establishes special requirements for the withdrawal of Consent to PD Distribution. According to Part 12 of Article 10.1 of Federal Law No. 152-FZ, such a demand must include the surname, first name, and patronymic (if any), contact information (phone number, email address, or mailing address) of the personal data subject, as well as a list of the personal data for which processing must be terminated. A demand to terminate the transfer of personal data may be presented not only to the initial operator but also to any other person carrying out their processing. Other persons must terminate the distribution of personal data within 3 business days from the moment the demand is received.
Continued distribution of personal data after demands are received is permitted only when necessary for the exercise of the powers of public authorities (Part 15 of Article 10.1 of Federal Law No. 152-FZ).
We also note that pursuant to Part 2 of Article 15 of Federal Law No. 152-FZ, upon receiving a withdrawal of consent, the Operator must immediately terminate the processing of personal data used for promoting products, works, or services on the market, as well as for the purposes of political campaigning.
Receipt of a Demand to Terminate the Processing of Personal Data
In addition to withdrawing consent, a personal data subject may approach the Operator with a demand to terminate the processing of their data (Part 5.1 of Article 21 of Law No. 152-FZ). This provision entered into force on March 1, 2023.
Within 10 business days from the date of receipt of the relevant demand, the Operator must terminate the processing of personal data or ensure its termination if it was carried out by a third party on behalf of the PD Operator. This period may be extended by no more than 5 business days, provided the personal data subject is notified and the reasons for the extension are stated. As with the withdrawal of consent, processing may continue if the Law permits processing even without the consent of the personal data subject.
In addition to the personal data subject, a demand to terminate processing may also be presented by the regulatory authority, including upon an application to it by the owner of the personal data. We illustrate this with an example of a case that reached court review.
Roskomnadzor received an application from "B." regarding the lawfulness of the processing of her personal data by a legal firm. Following a review of the application, it was established that a contract for the provision of paid medical services was concluded between a medical clinic and "B.". During its performance, the clinic developed claims against "B."; to protect its interests, the clinic entered into a contract with a legal firm. With the involvement of the legal firm, the parties entered into a pre-trial settlement agreement. Roskomnadzor concluded that the clinic’s actions violated the Personal Data Law, specifically in the transfer of a special category of personal data (information about health status) without the consent of "B.". It issued a demand to prevent violations, requiring that the clinic ensure the termination of personal data processing by the third party — the legal firm.
The clinic attempted to challenge the demand of the supervisory authority in court. During the hearing, it was revealed that "B." had given consent to the processing of her personal data for the purpose of providing her with medical care. However, this consent did not contain authorization to provide personal data to a legal firm. The court concluded that the clinic’s involvement of a legal firm at the pre-trial settlement stage was not a violation of the Personal Data Law; however, providing it with access to a special category of personal data without the consent of "B." was not required and contradicted the Law. The arguments regarding the impossibility of the clinic exercising its right to qualified legal assistance without processing the client’s special category of personal data were rejected by the court. The clinic’s petition to declare Roskomnadzor’s demand invalid was denied [5].
Destruction (Deletion) of Personal Data
In several cases, personal data must be destroyed after processing is terminated. The destruction of PD is defined as actions that make it impossible to restore the content of personal data in a personal data information system and/or as a result of which material carriers of personal data are destroyed (Paragraph 8 of Article 3 of Federal Law No. 152-FZ).
Cases in which the Operator is required to destroy personal data and the timeframes for destruction are summarized below:
- Achievement of processing purposes — within 30 days from the date the processing purpose is achieved;
- Identification of unlawful processing of personal data, if it is impossible to ensure its lawfulness — within 10 business days from the date the unlawful processing is identified;
- Withdrawal of consent to the processing of personal data — within 30 days from the date such withdrawal is received;
- Provision by the personal data subject (or their representative) of information confirming that the data was obtained illegally or is not necessary for the stated processing purpose — within 7 business days from the date such information is provided;
- Issuance by Roskomnadzor of a decision to prohibit or restrict the transborder transfer of personal data — the timeframe is not regulated by Federal Law No. 152-FZ.
If it is not possible to destroy personal data within the aforementioned timeframes, the Operator shall block the data and ensure its destruction within a period of no more than 6 months.
A different timeframe for data destruction may also apply if:
- It is provided for by a contract to which the personal data subject is a party, beneficiary, or guarantor;
- It is provided for by another agreement between the Operator and the personal data subject;
- The PD Operator has the right to process personal data without the consent of the subject on other legal grounds provided for by Federal Law No. 152-FZ or other federal laws.
For example, even after an employee is dismissed, the Operator continues to store personnel documents for the periods established by Federal Law No. 125-FZ dated October 22, 2004, On Archival Affairs in the Russian Federation, and the Rosarkhiv Order: employment contracts, orders on hiring, transfer, combined positions, and dismissal — 50 years; on annual paid leave — 5 years; on disciplinary sanctions — 3 years from the moment of completion of records management, etc. [6].
Procedure for the Destruction of Personal Data and Requirements for Its Confirmation
The procedure for destroying personal data is not regulated by normative acts. We recommend that Operators independently develop a local act regulating the destruction of personal data. Destruction may be carried out either by a person specifically authorized by the Operator or by a commission. In the latter case, the activities of the commission must be regulated in a local act, defining its composition, powers, and procedure of activity.
The method of destruction depends on the type of storage of the personal data:
- Data stored on paper carriers may be destroyed by cutting, burning, shredding, chemical destruction, etc.;
- Data stored on electronic carriers may be destroyed by erasing it from the device, reformatting the disk, destroying the material carrier, etc.
The key requirement is the impossibility of subsequently restoring the personal data.
Note that the Personal Data Law does not provide for the possibility of partial destruction of personal data or the destruction of separate carriers of personal data while preserving others [7].
On March 1, 2023, Roskomnadzor Order No. 179 dated October 28, 2022 (the "Order No. 179"), which establishes requirements for confirming the destruction of personal data, entered into force [8]. Pursuant to Paragraphs 1–2 of Order No. 179, if the processing of personal data is carried out without the use of automation tools, the document confirming destruction is an act of destruction of personal data. If data is processed using automation tools, data destruction is confirmed by two documents: an act of destruction of personal data and an extract from the event log in the information system.
While the form of these documents has not been approved, Order No. 179 establishes requirements for their content. Thus, an act of destruction of personal data must contain:
- The name/Full Name and address of the Operator;
- The name/Full Name and address of the person carrying out personal data processing on behalf of the Operator;
- The Full Name of the personal data subject or other information relating to them;
- A list of categories of the destroyed personal data;
- The name of the destroyed material carriers, indicating the number of sheets for each material carrier (in the case of personal data processing without the use of automation tools);
- The name of the information systems from which the subject’s personal data was destroyed (in the case of personal data processing with the use of automation tools);
- The method of destruction of the personal data;
- The reason for the destruction of the personal data;
- The date of destruction;
- The Full Name, position, and signature of the persons (person) who destroyed the personal data.
An act of destruction of personal data signed in the form of an electronic document is recognized as equivalent to an act of destruction of personal data on a paper carrier.
An extract from the log must contain:
- The Full Name of the personal data subject or other information relating to them;
- A list of categories of the destroyed personal data;
- The name of the personal data information system from which the data was destroyed;
- The reason for the destruction of the personal data;
- The date of destruction of this data.
If the extract from the log does not allow for certain information to be specified, the missing information is entered into the act of destruction of personal data.
If the processing of personal data is carried out simultaneously with and without the use of automation tools, both an act of destruction and an extract are prepared.
Documents confirming the destruction of data must be stored for three years.
Liability for Violation of Rules on the Termination of Processing and Destruction of Personal Data
A PD Operator that fails to comply with a demand from a personal data subject or Roskomnadzor regarding destruction bears administrative liability under Part 5 of Article 13.11 of the Code of Administrative Offenses of the Russian Federation (the "CAO RF"). Fines range from 2,000 to 4,000 rubles for individuals, from 8,000 to 20,000 rubles for officials, from 20,000 to 40,000 rubles for individual entrepreneurs, and from 50,000 to 90,000 rubles for legal entities. Higher fines are established for repeated administrative offenses.
We illustrate this with an example from judicial practice. A business company failed to comply with a Roskomnadzor order to delete the personal data of employees on the company’s internet pages. By a magistrate’s order, the Company was found guilty of committing an administrative offense under Part 5 of Article 13.11 of the CAO RF and was subjected to an administrative penalty in the form of a fine of 25,000 rubles. An attempt to challenge the decision on the grounds of innocence in a higher court was unsuccessful [9].
Furthermore, if violations of the procedure for terminating and destroying personal data are identified, Roskomnadzor will issue an order, and administrative liability under Part 1 of Article 19.5 of the CAO RF is provided for failure to comply. The fine for officials ranges from 1,000 to 2,000 rubles, and for legal entities — from 10,000 to 20,000 rubles.
In one case, following a scheduled inspection by Roskomnadzor, an order was issued to an Information and Settlement Center to eliminate violations of the Personal Data Law provisions consisting of the failure to destroy the personal data of citizens upon achieving the purpose of their processing. By a magistrate’s order, the Information and Settlement Center was held administratively liable under Part 1 of Article 19.5 of the CAO RF, and a fine of 10,000 rubles was imposed [10].
Moreover, a personal data subject may file a lawsuit in court for moral damage compensation in the event of failure to act to terminate data processing and/or destroy data. The amount of compensation for moral damage is determined by the court depending on the nature of the physical and mental suffering caused to the victim, as well as the degree of fault of the person who caused the harm. In determining the amount of compensation, the requirements of reasonableness and justice must be considered. Practice shows that while the amounts of monetary compensation awarded in these cases are currently small, the number of lawsuits is growing.
"F." filed a lawsuit in court against a business company to terminate the unlawful processing of personal data and to recover moral damage compensation in the amount of 50,000 rubles. In support of the claim, he stated that a bank deposit agreement had been concluded between him and "Bank U". The Central Bank of Russia revoked Bank U’s license to perform banking operations. Subsequently, "F." received a letter from the Company with a proposal to transfer the rights under the bank deposit agreement to the Company. The letter used the personal data of "F."; however, "F." had not given consent to the Company for its processing. To protect his violated rights, "F." turned to Roskomnadzor, which sent a demand to the business company to destroy "F.’s" personal data. The Company failed to comply with this demand within the timeframe established by law. During the court session, the Company presented neither evidence of the lawfulness of processing "F.’s" personal data nor evidence of the termination of unlawful processing. The court decided that these actions violated the Personal Data Law. Taking into account the degree of "F.’s" mental suffering and the period of the violation of the plaintiff’s rights, it awarded moral damages in the amount of 1,000 rubles [11].
In another case, "S." filed a lawsuit in court against a microfinance company to recover moral damage compensation in the amount of 20,000 rubles. In support of the claims, she stated that a loan agreement had been concluded in her name; she applied to the microfinance organization with a demand to waive the debt and terminate the processing of her personal data. The microfinance organization notified "S." that the agreement in her name was recognized as not concluded. However, as a result of the microfinance organization’s actions, the plaintiff experienced mental suffering, which served as the reason for the application to court. Taking into account the circumstances of the case and the conduct of each party, the court reduced the moral damage compensation to 4,000 rubles [12].
In practice, moral damage compensation may be recovered from a PD Operator in cases where, despite the presence of documents confirming the destruction of personal data, the personal data subject continues to receive SMS mailings or phone calls [13].
In conclusion, we note that the procedure and timeframes for terminating personal data processing vary depending on the grounds for termination, and the norms utilize complex grammatical structures. All of this creates additional difficulties and does not contribute to uniformity in law enforcement practice. Furthermore, due to the insufficient regulation of the procedure for personal data destruction, PD Operators must develop local regulatory acts governing such destruction and ensure that the fact of destruction is recorded in accordance with the requirements of the regulatory authority’s order.
____________________________
References
[1] Federal Law No. 266-FZ dated July 14, 2022, On Amending the Federal Law "On Personal Data", Certain Legislative Acts of the Russian Federation, and Recognizing Part Fourteen of Article 30 of the Federal Law "On Banks and Banking Activities" as Terminated.
[2] Roskomnadzor Order No. 94 dated May 30, 2017, On the Approval of Methodological Recommendations for Notifying the Authorized Body of the Start of Personal Data Processing and on Amending Previously Submitted Information.
[3] Roskomnadzor Order No. 180 dated October 28, 2022, On the Approval of Notification Forms Regarding the Intent to Process Personal Data, on Amending Information Contained in the Notification of Intent to Process Personal Data, and on the Termination of Personal Data Processing.
[4] Roskomnadzor Order No. 128 dated August 5, 2022, On the Approval of the List of Foreign States Providing Adequate Protection of the Rights of Personal Data Subjects.
[5] Decision of the Arbitration Court of the Penza Region dated May 22, 2023, in Case No. A49-14214/2022.
[6] Rosarkhiv Order No. 236 dated December 20, 2019, On the Approval of the List of Standard Management Archival Documents Generated in the Course of the Activities of State Bodies, Local Self-Government Bodies, and Organizations, Indicating Their Storage Periods.
[7] Resolution of the Fourth Arbitration Appellate Court dated July 9, 2012, in Case No. A10-125/2012.
[8] Roskomnadzor Order No. 179 dated October 28, 2022, On the Approval of Requirements for Confirming the Destruction of Personal Data.
[9] Resolution of the Second Cassation Court of General Jurisdiction dated November 30, 2021, No. 16-9529/2021.
[10] Resolution of the Third Cassation Court of General Jurisdiction dated December 23, 2021, No. 16-4787/2021.
[11] Appellate Ruling of the Sverdlovsk Regional Court dated February 15, 2021, in Case No. 33-975/2021.
[12] Default Judgment of the Oktyabrsky District Court of the City of Arkhangelsk dated June 21, 2023, in Case No. 2-2030/2023.
[13] Appellate Ruling of the Altai Regional Court dated May 27, 2020, in Case No. 33-2930/2020.