Bringing the Processing of Personal Data in Line with Federal Law No. 266-FZ of July 14, 2022
Legal support for bringing the documents of the organization into compliance in connection with Federal Law of July 14, 2022 No. 266-FZ
The processing of personal data is inextricably linked not only with public services to residents and non-residents of Russia, but also with business activities in general. At the same time, the changes being made to the legislation in the field of personal data processing are increasingly imposing duties and responsibilities on personal data operators. This is due to the fact that cases of uncontrolled leakage of personal data from various organizations that have received access to personal data in the course of their activities have become more frequent.
The amendments introduced by Federal Law No. 266-FZ of July 14, 2022 “On Amendments to the Federal Law ‘On Personal Data’, certain legislative acts of the Russian Federation and the invalidation of part fourteen of Article 30 of the Federal Law ‘On Banks and Banking Activities’” (hereinafter referred to as “Law No. 266-FZ”) significantly change the obligations of personal data operators. These obligations include:
- Notification of Roskomnadzor on the processing of personal data. After the amendments, Roskomnadzor must be notified in almost all cases of personal data processing, with the exception of non-automated processing, processing of personal data in state information systems created in order to protect state security and public order, and personal data processed in cases provided for by transport security legislation. All employers that process the personal data of their employees automatically are required to send such a notification. An organization that has sent such a notification is included in the register of personal data operators. If the processing of personal data is carried out without automation, it is not necessary to notify the department.
- Making changes to the Personal Data Processing Policy. Changes must be made in terms of the category and lists of processed data, the category of data subjects, the methods and terms of processing, storage of data, and the procedure for their destruction. Such provisions must be established for each purpose of data processing.
- Correction of consent to the processing of personal data. Consent must be specific and unambiguous.
- Termination of data processing at the request of an individual in accordance with the amended rules. The operator now has only 10 working days from the receipt of the request of an individual to stop processing data about him or to ensure that such processing stops.
- Entrusting the processing of personal data to another person under new requirements. Such an order must set out the list of personal data, the obligation to use databases in the territory of the Russian Federation for recording and storing personal data, the obligation to provide, upon request, information on compliance with the conditions for processing personal data during the term of the order, and the obligation to give notice of cases of compromise of the processed data.
- Report to Roskomnadzor in case of compromise of personal data. In the event of a compromise of personal data, the operator is obliged, within 24 hours from the moment of the incident, to report to Roskomnadzor information about the incident, its alleged cause and the harm caused to data subjects, the measures taken to eliminate the consequences of the incident, and the representative of the organization who is authorized to interact with Roskomnadzor on issues related to the current situation. The operator must also conduct an internal investigation of the incident within 72 hours and report its results to Roskomnadzor.
- Use of personal data by foreign persons. The provisions of the Law on Personal Data now apply to foreign organizations and individuals that use the personal data of Russian individuals.
The list of all newly emerged obligations for personal data operators is reflected in Law No. 266-FZ, which has made significant changes to the legislation on personal data. It should be noted that the amendments to the legislation on personal data obliged the operators to adjust the Personal Data Processing Policy and introduced new obligations for personal data operators. At the same time, personal data operators are liable for violation of personal data legislation.
Given that more and more sectors of life are subject to digitalization, information about consumers of certain services is often collected electronically, and competent and qualified processing of personal data is becoming a pressing topic for all personal data operators. Law No. 266-FZ introduced many changes in the field of personal data processing. This branch of legislation does not stand still: more and more obligations appear for personal data operators, and violations of them carry liability. Having experienced lawyers bring the processing of personal data into line with the requirements of the legislation in this area will reduce the possible risks of leakage of personal data and help avoid penalties and inspections by Roskomnadzor.
- Advising on the processing of personal data and the necessary changes to the processing of personal data in connection with the adoption of Law No. 266-FZ
- Checking and updating existing documents in the field of personal data processing in accordance with Law No. 266-FZ
- Support for the activities of organizations related to the processing of personal data
- Preparation of other necessary documents in the field of personal data processing
- Representing the interests of the personal data operator in interaction with Roskomnadzor