News and Insights

New rules of the personal data processing

One of the main events of September 2022 – changes in Federal Law of 27.07.2006 № 152 «On personal Data».

Amendments are made by Federal Law No. 266 of 07/14/2022, which partly come into force on September 1, 2022 and on March 2023

What’s new?

1. The principle of extraterritoriality. It means that the laws are applied to the processing of personal data of Russian citizens, carried out by foreign legal entities and foreign individuals on the basis of agreements with Russian citizens or on the approval of Russian citizens to the processing of their personal data (PD).

2. The duties of the PD processor have been clarified. The processor has to keep the confidentiality of the PD and take measures that are necessary to fulfill the obligations provided for by law. Now the list of duties of processor, accordingly to his agreement with the operator, includes:

· to use the databases located in Russian Federation when collecting PD

· to comply with the requirements of the Article 18.1 - Federal law №152

· to provide documents and information which confirm the adoption of measures and the compliance of law measures

· to notify the operator about the facts of illegal or accidental transfer of PD (provision, distribution, access), that led to the violation of PD subjects’ rights.

3. The deadline for providing the information has changed. From now an operator has to react to the request of PD information under Part 7 Article 14 152-ФЗ within 10 working days instead of 30.

4. Interaction with SSDRCA. Operator has to interact with the State System for Detecting, Preventing and Eliminating the Consequences of Computer Attacks (SSDRCA) to inform about computer incidents that led to the illegal transfer of PD information (provision, distribution, access). The information received from the operator is transmitted by the FSB (FBI) authorities to Roskomnadzor in accordance with the procedure agreed by them.

5. Changes in the notification of Roskomnadzor of the start of PD processing. Operator has to notify Roskomnadzor about the beginning or any initiation of processing personal data except for the cases when the data are processed in order to protect the safety of state and public order, safety of transport or when the operator processes the data without any automation. Notification forms will be approved by Roskomnadzor. Meanwhile, an operator can fill the form of notification on the processing of personal data on the Personal Data Portal of Roskomnadzor or send this notification on paper to the territorial administration at the place of registration of the operator.