accountor: “amendments to the data protection law and their potential impact on business”

AMENDMENTS TO THE FEDERAL LAW “ON PERSONAL DATA”: IMPLICATIONS FOR BUSINESSES PAVEL ANTONOV, ACCOUNTOR 20.03.2022

Post on 06-Aug-2015


Page 1: Accountor: “Amendments to the Data Protection Law and their Potential Impact on Business”

AMENDMENTS TO THE FEDERAL LAW “ON PERSONAL DATA”: IMPLICATIONS FOR BUSINESSES

PAVEL ANTONOV, ACCOUNTOR

15.04.2023

Page 2

GROUNDS FOR LEGAL REGULATION OF PERSONAL DATA HANDLING RELATIONS

• Respect for personal rights and fundamental freedoms;
• Necessity for strengthening personal rights and guarantees of fundamental freedoms, namely the right to privacy, with a view to increasing the transboundary flow of automatically processed personal data;
• Adherence to the concept of freedom of information regardless of boundaries;
• Necessity for combining the fundamental values of personal privacy with free international information exchange.


Page 3

INTERNATIONAL LEGISLATION

• The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Strasbourg, January 28th 1981) (as amended on June 15th 1999)

This Convention was ratified by Federal Law №160-ФЗ of December 19th 2005. It came into force in the Russian Federation on September 1st 2013.

• The Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data on supervisory bodies and transboundary data transfer

Signed by the RF on March 13th 2006; not yet ratified. Consolidation of the regulatory bodies in accordance with the Protocol is planned for consideration in the very near future.


Page 4

INTERNATIONAL LEGISLATION

• Directive 95/46/EC of the European Parliament and of the Council of 24th October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (as revised by Regulation 1882/2003 of the European Parliament and of the Council of 29th September 2003)

• Directive 2002/22/EC of the European Parliament and of the Council of 7th March 2002 on the Universal Services and Users Rights Concerning the Electronic Communication Networks and Services (Universal Services Directive)

• Directive 2002/58/EC of the European Parliament and of the Council of 12th July 2002 Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector (Protection of Privacy in the Electronic Communications Directive)


Page 5

RUSSIAN LEGISLATION

• Constitution of the Russian Federation (approved by nation-wide voting on 12th December 1993)

• Federal Law №160-ФЗ of 19th December 2005 “On the Ratification of the EC Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data”

• Federal Law №149-ФЗ of 27th July 2006 “On Information, Information Technologies and Data Protection” (with the latest amendments of 21st July 2011)

• Federal Law №152-ФЗ of 27th July 2006 “On Personal Data” (with the latest amendments of 5th April 2013)


Page 6

RUSSIAN LEGISLATION

• Labour Code of the Russian Federation of 30th December 2001 №197-ФЗ (with the latest amendments of 21st June 2012)

• Federal Law №63-ФЗ of 6th April 2011 “On the Electronic Signature”

• Federal Law №67-ФЗ of 12th June 2002 “On the Electoral Rights and the Right to Participate in Referendums (Basic Guarantees for Citizens of the Russian Federation)”

• Federal Law №99-ФЗ of 7th May 2013 “On the Amendments to a Number of Legislative Acts with regard to the Adoption of the Federal Laws “On the Ratification of the EC Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data” and “On Personal Data””


Page 7

EDICTS OF THE PRESIDENT OF THE RUSSIAN FEDERATION

• Edict of the President of the Russian Federation №351 of 17th March 2008 “On Measures to Provide the Information Security of the Russian Federation when Using International Data and Telecommunications Networks”

• Edict of the President of the Russian Federation №609 of 30th May 2005 “On the Approval of the Russian Federation Civil Officers Personal Data and Personal File Maintenance Regulation”

• Edict of the President of the Russian Federation №188 of 6th March 1997 “On the Approval of the Confidential Data List”


Page 8

THE RF GOVERNMENT REGULATIONS

• The RF Government Regulation №1119 of 1st November 2012 “On the Approval of the Requirements for the Assurance of Personal Data Security at their Processing within the Information Systems of Personal Data”

• The RF Government Regulation №584 of 13th June 2012 “On the Approval of the Payment System Data Protection Regulation”

• The RF Government Regulation №211 of 21st March 2012 “On the Approval of the List of Measures to Ensure Compliance with the Federal Law “On Personal Data””

• The RF Government Regulation №125 of 4th March 2010 “On the List of Personal Data Held on Electronic Media Devices that Contain Information on RF Citizens’ Primary Identity Documents Giving the RF Citizens the Right to Leave and Enter The Russian Federation”


Page 9

THE RF GOVERNMENT REGULATIONS

• The RF Government Regulation №687 of 15th September 2008 “On the Approval of the Non-automated Personal Data Processing Peculiarities Regulation”

• The RF Government Regulation №512 of 6th July 2008 “On the Approval of Requirements for Biometric Personal Data, Tangible Media, and Storage Technologies Outside of the Personal Data Information Systems”

• The RF Government Regulation №756 of 12th December 2005 “On Submitting a Proposal to the President of the Russian Federation to Sign the Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data on supervisory bodies and transboundary data transfer”

• The RF Government Regulation №1233 of 3rd November 1994 “On the Approval of the Regulation of Procedures for the Handling of Sensitive Information which is of Restricted Distribution in the Federal Agencies of the Executive Authority”


Page 10

REGULATORY LEGAL ACTS OF THE FEDERAL AGENCIES OF THE RUSSIAN FEDERATION

• Ministry of Communications and Mass Media of the RF Order №312 of 14th November 2011 “On the Approval of the Administrative Procedure for the Federal Service for the Supervision of Communications, Information Technology, and Mass Media to Fulfill the Federal Duty for the Supervision of the Compliance of Personal Data Processing with the Applicable Legal Requirements of the Russian Federation”

• Ministry of Communications and Mass Media of the RF Order №346 of 21st December 2011 “On the Approval of the Administrative Procedure for the Federal Service for the Supervision of Communications, Information Technology, and Mass Media to Provide the Federal Service “Maintenance of a Personal Data Processors Register””

• The Federal Security Service of the RF and the Federal Service for Technology and Export Control of the RF Order №416/489 of 31 August 2010 “On the Approval of Security Requirements for the Data Contained in Public Information Systems”

• The Federal Security Service of the RF Order №378 of 10 July 2014 “On the Approval of the List and Content of Technical and Organizational Measures to Ensure Personal Data Security at its Processing within the Information Systems of Personal Data”


Page 11

THE FEDERAL SERVICE FOR THE SUPERVISION OF COMMUNICATIONS, INFORMATION TECHNOLOGIES AND MASS MEDIA’S (ROSCOMNADZOR) ORDERS

• Roscomnadzor Order №246 of 13th April 2011 “On the Approval of Regulation of Data Processing in the Federal Service for the Supervision of Communications, Information Technology, and Mass Media Headquarters”

• Roscomnadzor Order №621 of 20 June 2012 “On the Approval of Regulation of the Authorized Body for the Protection of the Subjects of the Personal Data Rights Advisory Board”

• Regulation for the Authorized Body for the Protection of the Subjects of the Personal Data Rights Advisory Board

• Roscomnadzor Order №996 of 5th September 2013 “On the Approval of the Measures and Requirements for Personal Data Depersonalization”


Page 12

RESPONSIBILITY

Administrative Offences Code

Clause 5.27, Part 1. Violations of labour laws and other regulatory legal acts containing norms of labour laws
Violation: violations of labour laws and other regulatory legal acts containing norms of labour laws (personal data regulations)
Penalty: fine for public officers 1,000 – 5,000 RUB; for legal entities 30,000 – 50,000 RUB

Clause 5.27, Part 4. Violations of labour laws and other regulatory legal acts containing norms of labour laws
Violation: the same violations committed by a person who has already been subjected to administrative punishment for a similar offence (personal data regulations)
Penalty: fine for public officers 10,000 – 20,000 RUB or disqualification for 1–3 years; for legal entities 50,000 – 70,000 RUB

Page 13

RESPONSIBILITY

Administrative Offences Code

Clause 5.39. Denial of information
Violation: wrongful refusal to provide a person with information about the processing of his/her personal data
Penalty: fine for public officers 1,000 – 3,000 RUB

Clause 13.11. Violation of personal data collection, storage, use or dissemination procedures
Violation: violation of the personal data collection, storage, use or dissemination procedures established by law
Penalty: fine for public officers 500 – 1,000 RUB; for legal entities 5,000 – 10,000 RUB

Page 14

RESPONSIBILITY

Administrative Offences Code

Clause 13.11.1. Dissemination of information about job vacancies that contains discriminatory restrictions (on personal data)
Violation: dissemination of information about job vacancies that contains discriminatory restrictions (on personal data)
Penalty: fine for public officers 3,000 – 5,000 RUB; for legal entities 10,000 – 15,000 RUB

Clause 13.12, Part 1. Violation of data protection rules
Violation: violation of the rules set out in the licence for data protection activities
Penalty: fine for public officers 1,500 – 2,500 RUB; for legal entities 15,000 – 20,000 RUB

Page 15

RESPONSIBILITY

Administrative Offences Code

Clause 13.12, Part 2. Violation of data protection rules
Violation: using uncertified information systems, databanks and databases, as well as uncertified information security products, where they are subject to compulsory certification
Penalty: fine for public officers 2,500 – 3,000 RUB; for legal entities 20,000 – 25,000 RUB, with or without confiscation of the information security products

Clause 13.14. Disclosure of information of restricted distribution
Violation: disclosure of information (personal data) whose distribution is restricted under federal law, committed by a person who has access to such information in connection with his/her professional duties
Penalty: fine for private individuals 500 – 1,000 RUB; for public officers 4,000 – 5,000 RUB

Page 16

RESPONSIBILITY

Administrative Offences Code

Clause 19.15. Failing to comply on time with the regulatory body’s lawful order
Violation: failing to comply with a lawful order of Roscomnadzor
Penalty: fine for public officers 1,000 – 2,000 RUB; for legal entities 10,000 – 20,000 RUB

Clause 19.7. Failure to present data (information)
Violation: failure to present data to Roscomnadzor, or failure to do so on time
Penalty: fine for public officers 300 – 500 RUB; for legal entities 3,000 – 5,000 RUB

Page 17

RESPONSIBILITY

CRIMINAL CODE

Clause 137, Part 1. Violation of privacy
Violation: illegal collection or dissemination of an individual’s private information that constitutes his/her personal or family secrets without his/her consent, or disclosure of such information in a public statement, a publicly displayed work, or in the mass media
Penalty: fine of up to 200,000 RUB, or compulsory community service of 120 to 180 hours, or correctional labour of up to 1 year, or compulsory labour for up to 2 years, or arrest for up to 4 months

Clause 137, Part 2. Violation of privacy
Violation: the same violation committed by a person using his/her official position
Penalty: fine of up to 300,000 RUB, or compulsory labour for up to 4 years, or arrest for up to 6 months, or imprisonment for up to 4 years

Page 18

RESPONSIBILITY

CRIMINAL CODE

Clause 140. Denial of information to an individual
Violation: wrongful refusal by a public officer to provide personal data collected in accordance with the established procedure
Penalty: fine of up to 200,000 RUB, or salary for 18 months, or deprivation of the right to practise certain activities for up to 5 years

Clause 272. Wrongful access to computerized information
Violation: wrongful access to computerized information protected by law (personal data)
Penalty: fine of up to 200,000 RUB, or imprisonment for up to 2 years (Part 1); aggravated forms carry stricter penalties

Page 19

RESPONSIBILITY

LABOUR CODE

Clause 81. Termination of the labour contract by the employer
Violation: disclosure of another employee’s personal data
Penalty: termination of the labour contract by the employer

Clause 238. Employee’s liability for damage caused to the employer
Violation and penalty: the employee is liable for reimbursing the actual direct damage caused to the employer

Page 20

PERSONAL DATA: DEFINITIONS AND CATEGORIES

Personal data – any information relating to a directly or indirectly identified, or identifiable, natural person (a personal data subject)

Personal data: full name, place of birth, year of birth, month of birth, family status, property status, professional status, address, social status, educational level, revenues


Page 21

PERSONAL DATA: DEFINITIONS AND CATEGORIES

Special categories of personal data: race, political views, philosophical convictions, intimate life, nationality, religious beliefs, state of health

Biometric personal data: data that reflects the biological and physiological make-up of an individual and that allows his/her identity to be established


Page 22

INFORMATION SYSTEMS

1. IS that processes PD of the processor’s employees,

2. IS that processes PD of individuals who are NOT the processor’s employees

2.1. IS that processes special categories of PD
2.2. IS that processes biometric PD
2.3. IS that processes publicly available PD


Page 23

DON’T NEED TO NOTIFY ROSCOMNADZOR

• PD of company employees processed in accordance with the Labour Code
• PD received by the processor as a result of executing a contract with the personal data subject (PD is not to be disseminated or passed to third parties)
• PD that consists only of the full name of an individual
• PD needed only for a one-time entry permission
• Non-automatically processed PD


Page 24

AMENDMENTS OF 1ST SEPTEMBER 2015, FEDERAL LAW №242-ФЗ

Amendments to Federal Law №149-ФЗ of 27th July 2006 «On Information, Information Technologies and Data Protection»

Clause 15.5. Procedures for restricting access to information being processed in violation of the Russian Federation’s data protection laws


Page 25

AMENDMENTS OF 1ST SEPTEMBER 2015, FEDERAL LAW №242-ФЗ

In order to restrict access to online information that is being processed in violation of the personal data protection laws, Roscomnadzor establishes the automated information system “Register of violators of personal data subjects’ rights”.

IMPORTANT: an entity can be put on the Register only by a court decision.


Page 26

AMENDMENTS OF 1ST SEPTEMBER 2015, FEDERAL LAW №242-ФЗ

The Register of violators includes:
1) domain names and/or URLs of website pages that contain PD violating the law;
2) IP addresses that allow identification of websites that contain PD being processed in violation of the law;
3) reference to the court decision that has become enforceable;
4) notification of eliminating the violation;
5) date of notifying the communications service provider about the data resource in order to restrict access to this resource.


Page 27

AMENDMENTS OF 1ST SEPTEMBER 2015, FEDERAL LAW №242-ФЗ

APPLYING THE PENALTY – RESTRICTING ACCESS TO DATA RESOURCES

• Within 3 business days of receiving the court decision, Roscomnadzor notifies the service provider, in both Russian and English, about the violation.
• Within 1 business day the provider notifies the resource owner.
• Within 1 business day the owner must take appropriate measures.

If such measures aren’t taken, ACCESS TO THE RESOURCE CAN BE RESTRICTED.

AFTER ELIMINATING THE VIOLATION the resource owner notifies ROSCOMNADZOR about it, and ROSCOMNADZOR (or its representative) has 3 days to exclude the violator from the Register.


Page 28

AMENDMENTS OF 1ST SEPTEMBER 2015, FEDERAL LAW №242-ФЗ

Amendments to the Federal Law №149-ФЗ of 27th July 2006 «On Information, Information Technologies and Data Protection»

Clause 16. Holders of data and information system processors are liable for ensuring that databases used for collecting, recording, systematizing, accumulating, storing, rectifying (updating, changing), and extracting the personal data of citizens of the Russian Federation are placed within the territory of the Russian Federation.


Page 29

AMENDMENTS OF 1ST SEPTEMBER 2015, FEDERAL LAW №242-ФЗ

Amendments to the Federal Law №152-ФЗ of 27th July 2006 “On Personal Data”

Clause 18. While collecting personal data, including collecting it through the Internet telecommunications system, the processor is liable for ensuring that all recording, systematizing, accumulating, storing, rectifying (updating, changing), and extracting of personal data of citizens of the Russian Federation is carried out with the use of databases that are placed within the territory of the Russian Federation.


Page 30

AMENDMENTS OF 1ST SEPTEMBER 2015, FEDERAL LAW №242-ФЗ

Amendments to the Federal Law №152-ФЗ of 27th July 2006 “On Personal Data”

Clause 22. Notifications sent to Roscomnadzor must contain the following new information: the location of the database containing the personal data of citizens of the Russian Federation.


Page 31

AMENDMENTS OF 1ST SEPTEMBER 2015, FEDERAL LAW №242-ФЗ

Amendments to the Federal Law №152-ФЗ of 27th July 2006 “On Personal Data”

Clause 23. Roscomnadzor receives a new power: the right to restrict access to data that is being processed in violation of the RF data protection laws, by following the relevant legally established procedures.


Page 32

WHAT ACTIONS ARE TO BE TAKEN BEFORE 1ST SEPTEMBER 2015 COMES?

LEGAL ACTIONS:

1. Send a notification to Roscomnadzor, making sure to provide it with information on the location of databases containing PD.

2. Check the current state of documentation on compliance with Federal Laws 152-ФЗ and 242-ФЗ and rectify defects, including: assigning an authorized person; preparing consent forms (for different parties – partners, employees, applicants, etc.); preparing amendments to various types of existing contracts; an internal audit of company activities.


Page 33

WHAT ACTIONS ARE TO BE TAKEN BEFORE 1ST SEPTEMBER 2015 COMES?

TECHNICAL ACTIONS:

DEVELOPMENT AND IMPLEMENTATION OF ALL INSTRUCTIONS AND TECHNICAL SOLUTIONS NECESSARY TO LOCALIZE PROCESSING OF PERSONAL DATA OF CITIZENS OF THE RUSSIAN FEDERATION


Page 34

RISKS OF TAKING NO NOTICE OF THE CHANGES

1. ROSCOMNADZOR SCHEDULED INSPECTIONS

2. UNSCHEDULED INSPECTIONS (customers, suppliers, competitors)

3. INSPECTIONS FOLLOWING EMPLOYEE COMPLAINTS – THE HIGHEST RISK LEVEL (NUMBER OF COMPLAINTS RECEIVED BY ROSCOMNADZOR IN 2013 – 6153)

Year   Total number of inspections   Total number of PD inspections   Number of inspections in St. Petersburg
2015   2650                          1223                             30
2014   2873                          1308                             30

Page 35

WHAT ACTIONS ARE TO BE TAKEN BEFORE 1ST SEPTEMBER 2015 COMES?

TAKING INTO ACCOUNT THE AMENDMENTS MADE TO FEDERAL LAWS 152-ФЗ AND 149-ФЗ, IT MAY BE CONCLUDED THAT THE RISKS ARE QUITE HIGH. THAT IS WHY WE RECOMMEND YOU DEVELOP AND IMPLEMENT A PROPER ACTION PLAN AIMED AT ENSURING FULL COMPLIANCE WITH THE PERSONAL DATA PROTECTION LAWS.


Page 36

15 APRIL 2023

PASSION FOR RESULTS