Inspections of Personal Data Operators
Legal support for the Federal Service for Supervision of Communications, Information Technology, and Mass Media inspections of personal data operators
Compliance with the rules for the processing of personal data is mandatory for all personal data operators. At the same time, state control over compliance with such requirements is carried out by the Federal Service for Supervision of Communications, Information Technology, and Mass Media (Roskomnadzor) in the form of inspections of personal data operators. The procedure for organizing and carrying out inspections is determined by the Decree of the Government of the Russian Federation dated June 29, 2021 No. 1046 “On federal state control (supervision) over the processing of personal data”.
The main types of inspections carried out by Roskomnadzor are:
- Scheduled inspections, which are carried out according to a pre-compiled inspection plan published on the official website of Roskomnadzor. The supervisory authority must notify the personal data operator of a scheduled inspection to be carried out in respect of it.
- Unscheduled inspections. As a rule, such an inspection is carried out on the basis of complaints from individuals whose rights in relation to personal data have been violated. An unscheduled inspection may also be carried out at the request of the prosecutor or in case of failure to comply with a previously issued order. Notification of such an inspection is sent 24 hours prior to its commencement.
In addition, inspections are classified into:
- Field inspections. When conducting such checks, the employees of the controlling body come directly to the personal data operator and check compliance with the legislation in the field of personal data on the spot.
- Documentary inspections. Such inspections are carried out without visiting the organization being inspected; in this case Roskomnadzor sends a list of documents, copies of which must be submitted to the regulatory authority within the timeframes specified in the notification.
- Inspection visits. This type of inspection is carried out in organizations classified as high or significant risk, as well as in relation to persons who are beginning activities in the field of personal data processing. Notification of such an inspection must be received by the inspected organization no later than 5 working days before the start date of the visit.
At the same time, like most regulatory bodies, Roskomnadzor can carry out preventive measures in addition to inspections, for example: issuing a warning about the inadmissibility of violating the law, a preventive visit, informing, consulting, and generalizing law enforcement practice.
As a rule, when conducting inspections within the framework of the implementation of personal data legislation, regulatory authorities check:
- Documents and local acts in the field of personal data processing. This requirement is set out in Part 1 of Article 18.1 of the Federal Law “On Personal Data”. The inspected organization must have developed, approved and put into effect local acts regulating its activities in the field of personal data. In addition, a person responsible for organizing the processing of personal data must be appointed, and a personal data processing policy must be developed and applied.
- The processing of personal data itself. The processing of personal data must comply with the requirements of the legislation in this area.
- Information systems through which personal data is processed, including how such systems are protected.
- Activities of third parties that process personal data on behalf of the personal data operator.
It should be noted that in accordance with Decree No. 1046, supervised objects belong to one of the following categories of risk of causing harm (damage):
- high risk;
- significant risk;
- medium risk;
- moderate risk;
- low risk.
Objects of state control are assigned to a risk category on the basis of the criteria established for this purpose. The types and frequency of planned control measures depend on the assigned category of risk of causing harm.
It is also necessary to take into account the level of responsibility that may arise in case of violation of the legislation on personal data:
- Administrative liability. The sanction comes in the form of a fine or a warning.
- Criminal liability. As a rule, the penalties applied are much higher than those under administrative liability: correctional labor, forced labor, arrest or imprisonment may be imposed for a period determined by the severity of the offense.
- Civil liability. Such liability comes in the form of compensation for harm or compensation for non-pecuniary damage and is regulated by the Civil Code of the Russian Federation.
- Disciplinary liability. The types of disciplinary liability include a remark, a reprimand, or dismissal; this type of liability arises in accordance with labor legislation.
In order to avoid liability for violation of legislation in the field of personal data processing, it is important for personal data operators to strictly follow the requirements established in the regulations governing this activity. The participation of a qualified lawyer can reduce the risk of violating personal data legislation and bring all the necessary documentation into line with the requirements established in the regulatory documents in this field of activity.
- Advice on the processing of personal data
- Checking documents available to the organization in the field of personal data processing
- Accompanying organizations during inspections by the Federal Service for Supervision of Communications, Information Technology, and Mass Media
- Preparation of necessary documents in the field of personal data processing
- Representing the interests of the personal data operator in interaction with the Federal Service for Supervision of Communications, Information Technology, and Mass Media