Accountor: “Amendments to the Data Protection Law and Their Potential Impact on Business”
TRANSCRIPT
AMENDMENTS TO THE FEDERAL LAW “ON PERSONAL DATA”: IMPLICATIONS FOR BUSINESSES
PAVEL ANTONOV, ACCOUNTOR
15.04.2023
GROUNDS FOR LEGAL REGULATION OF PERSONAL DATA HANDLING RELATIONS
• Respect for personal rights and fundamental freedoms;
• Necessity of strengthening personal rights and the guarantees of fundamental freedoms, namely the right to privacy, in view of the growing transboundary flow of automatically processed personal data;
• Adherence to the concept of freedom of information regardless of boundaries;
• Necessity of reconciling the fundamental value of personal privacy with free international information exchange.
INTERNATIONAL LEGISLATION
• The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Strasbourg, January 28th 1981) (as amended on June 15th 1999)
This Convention was ratified by Federal Law №160-ФЗ of December 19th 2005. It came into force in the Russian Federation on September 1st 2013.
• The Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data on supervisory bodies and transboundary data transfer
Signed by the RF on March 13th 2006; it has not been ratified. Consideration of consolidating the regulatory bodies in accordance with the Protocol is planned for the very near future.
• Directive 95/46/EC of the European Parliament and of the Council of 24th October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (as revised by Regulation 1882/2003 of the European Parliament and of the Council of 29th September 2003)
• Directive 2002/22/EC of the European Parliament and of the Council of 7th March 2002 on Universal Service and Users’ Rights Concerning Electronic Communications Networks and Services (Universal Service Directive)
• Directive 2002/58/EC of the European Parliament and of the Council of 12th July 2002 Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector (Directive on Privacy and Electronic Communications)
RUSSIAN LEGISLATION
• Constitution of the Russian Federation (approved by the nation-wide vote on 12th December 1993)
• Federal Law №160-ФЗ of 19th December 2005 “On the Ratification of the EC Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data”
• Federal Law №149-ФЗ of 27th July 2006 “On Information, Information Technologies and Data Protection” (with the latest amendments of 21st July 2011)
• Federal Law №152-ФЗ of 27th July 2006 “On Personal Data” (with the latest amendments of 5th April 2013)
• Labour Code of the Russian Federation of 30th December 2001 №197-ФЗ (with the latest amendments of 21st June 2012)
• Federal Law №63-ФЗ of 6th April 2011 “On the Electronic Signature”
• Federal Law №67-ФЗ of 12th June 2002 “On the Electoral Rights and the Right to Participate in Referendums (Basic Guarantees for Citizens of the Russian Federation)”
• Federal Law №99-ФЗ of 7th May 2013 “On the Amendments to a Number of Legislative Acts with regard to the Adoption of the Federal Laws “On the Ratification of the EC Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data” and “On Personal Data””
EDICTS OF THE PRESIDENT OF THE RUSSIAN FEDERATION
• Edict of the President of the Russian Federation №351 of 17th March 2008 “On Measures to Provide the Information Security of the Russian Federation when Using International Data and Telecommunications Networks”
• Edict of the President of the Russian Federation №609 of 30th May 2005 “On the Approval of the Russian Federation Civil Officers Personal Data and Personal File Maintenance Regulation”
• Edict of the President of the Russian Federation №188 of 6th March 1997 “On the Approval of the Confidential Data List”
THE RF GOVERNMENT REGULATIONS
• The RF Government Regulation №1119 of 1st November 2012 “On the Approval of the Requirements for the Assurance of Personal Data Security at their Processing within the Information Systems of Personal Data”
• The RF Government Regulation №584 of 13th June 2012 “On the Approval of the Payment System Data Protection Regulation”
• The RF Government Regulation №211 of 21st March 2012 “On the Approval of the List of Measures to Ensure Compliance with the Federal Law “On Personal Data””
• The RF Government Regulation №125 of 4th March 2010 “On the List of Personal Data Held on Electronic Media Devices that Contain Information on RF Citizens’ Primary Identity Documents Giving the RF Citizens the Right to Leave and Enter The Russian Federation”
• The RF Government Regulation №687 of 15th September 2008 “On the Approval of the Non-automated Personal Data Processing Peculiarities Regulation”
• The RF Government Regulation №512 of 6th July 2008 “On the Approval of Requirements for Biometric Personal Data, Tangible Media, and Storage Technologies Outside of the Personal Data Information Systems”
• The RF Government Regulation №756 of 12th December 2005 “On Submitting a Proposal to the President of the Russian Federation to Sign the Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data on supervisory bodies and transboundary data transfer”
• The RF Government Regulation №1233 of 3rd November 1994 “On the Approval of the Regulation of Procedures for the Handling of Sensitive Information which is of Restricted Distribution in the Federal Agencies of the Executive Authority”
REGULATORY LEGAL ACTS OF THE FEDERAL AGENCIES OF THE RUSSIAN FEDERATION
• Ministry of Communications and Mass Media of the RF Order №312 of 14th November 2011 “On the Approval of the Administrative Procedure for the Federal Service for the Supervision of Communications, Information Technology, and Mass Media to Fulfill the Federal Duty for the Supervision of the Compliance of Personal Data Processing with the Applicable Legal Requirements of the Russian Federation”
• Ministry of Communications and Mass Media of the RF Order №346 of 21st December 2011 “On the Approval of the Administrative Procedure for the Federal Service for the Supervision of Communications, Information Technology, and Mass Media to Provide the Federal Service “Maintenance of a Personal Data Processors Register””
• The Federal Security Service of the RF and the Federal Service for Technology and Export Control of the RF Order №416/489 of 31st August 2010 “On the Approval of Security Requirements for the Data Contained in Public Information Systems”
• The Federal Security Service of the RF Order №378 of 10th July 2014 “On the Approval of the List and Content of Technical and Organizational Measures to Ensure Personal Data Security at its Processing within the Information Systems of Personal Data”
ORDERS OF THE FEDERAL SERVICE FOR THE SUPERVISION OF COMMUNICATIONS, INFORMATION TECHNOLOGIES AND MASS MEDIA (ROSCOMNADZOR)
• Roscomnadzor Order №246 of 13th April 2011 “On the Approval of Regulation of Data Processing in the Federal Service for the Supervision of Communications, Information Technology, and Mass Media Headquarters”
• Roscomnadzor Order №621 of 20th June 2012 “On the Approval of Regulation of the Authorized Body for the Protection of the Subjects of the Personal Data Rights Advisory Board”
• Regulation for the Authorized Body for the Protection of the Subjects of the Personal Data Rights Advisory Board
• Roscomnadzor Order №996 of 5th September 2013 “On the Approval of the Measures and Requirements for Personal Data Depersonalization”
RESPONSIBILITY (clause, violation, penalty)

Administrative Offences Code

Clause 5.27, Part 1. Violations of labour laws and other regulatory legal acts containing norms of labour law
Violation: violations of labour laws and other regulatory legal acts containing norms of labour law (personal data regulations)
Penalty: fine for public officers 1,000–5,000 RUB; for legal entities 30,000–50,000 RUB

Clause 5.27, Part 4. Violations of labour laws and other regulatory legal acts containing norms of labour law
Violation: the same violations committed by a person who has already been subjected to administrative punishment for a similar offence (personal data regulations)
Penalty: fine for public officers 10,000–20,000 RUB, or disqualification for 1–3 years; for legal entities 50,000–70,000 RUB

Clause 5.39. Denial of information
Violation: wrongful refusal to provide a person with information about the processing of his/her personal data
Penalty: fine for public officers 1,000–3,000 RUB

Clause 13.11. Violation of the procedures for collecting, storing, using or disseminating personal data
Violation: violation of the procedures for collecting, storing, using or disseminating personal data established by law
Penalty: fine for public officers 500–1,000 RUB; for legal entities 5,000–10,000 RUB

Clause 13.11.1. Dissemination of information about job vacancies containing discriminatory restrictions (on personal data)
Violation: dissemination of information about job vacancies that contains discriminatory restrictions (on personal data)
Penalty: fine for public officers 3,000–5,000 RUB; for legal entities 10,000–15,000 RUB

Clause 13.12, Part 1. Violation of data protection rules
Violation: violation of the rules set out in the licence for data protection activities
Penalty: fine for public officers 1,500–2,500 RUB; for legal entities 15,000–20,000 RUB

Clause 13.12, Part 2. Violation of data protection rules
Violation: using uncertified information systems, databanks and databases, as well as uncertified information security products, where certification is compulsory
Penalty: fine for public officers 2,500–3,000 RUB; for legal entities 20,000–25,000 RUB, with or without confiscation of the information security products

Clause 13.14. Disclosure of information of restricted distribution
Violation: disclosure of information (personal data) whose distribution is restricted under federal law, committed by a person who has access to such information by virtue of his/her professional duties
Penalty: fine for private individuals 500–1,000 RUB; for public officers 4,000–5,000 RUB

Clause 19.15. Failure to comply on time with a lawful order of the regulatory body
Violation: failure to comply with a lawful order of Roscomnadzor
Penalty: fine for public officers 1,000–2,000 RUB; for legal entities 10,000–20,000 RUB

Clause 19.7. Failure to present data (information)
Violation: failure to present data to Roscomnadzor, or failure to do so on time
Penalty: fine for public officers 300–500 RUB; for legal entities 3,000–5,000 RUB

Criminal Code

Clause 137, Part 1. Violation of privacy
Violation: illegal collection or dissemination of information about an individual’s private life that constitutes his/her personal or family secret, without his/her consent, or disclosure of such information in a public statement, a publicly displayed work, or the mass media
Penalty: fine of up to 200,000 RUB, or compulsory community service of 120–180 hours, or correctional labour for up to 1 year, or compulsory labour for up to 2 years, or arrest for up to 4 months

Clause 137, Part 2. Violation of privacy
Violation: the same violation committed by a person using his/her official position
Penalty: fine of up to 300,000 RUB, or compulsory labour for up to 4 years, or arrest for up to 6 months, or imprisonment for up to 4 years

Clause 140. Denial of information to an individual
Violation: wrongful refusal by a public officer to provide personal data collected in accordance with the established procedure
Penalty: fine of up to 200,000 RUB, or the amount of salary for 18 months, or deprivation of the right to practise certain activities for up to 5 years

Clause 272. Wrongful access to computerized information
Violation: wrongful access to computerized information protected by law (personal data)
Penalty: fine of up to 200,000 RUB, or imprisonment for up to 2 years (Part 1); the aggravated forms of the offence carry stricter penalties

Labour Code

Clause 81. Termination of the labour contract by the employer
Violation: disclosure of another employee’s personal data
Penalty: termination of the labour contract by the employer

Clause 238. Employee’s liability for damage caused to the employer
Penalty: the employee is liable for reimbursing the actual direct damage caused to the employer
PERSONAL DATA: DEFINITIONS AND CATEGORIES
Personal data – any information relating to a directly or indirectly identified, or identifiable, natural person (a personal data subject)
Examples of personal data: full name, place of birth, year of birth, month of birth, family status, property status, professional status, address, social status, educational level, income
Special categories of personal data: race, political views, philosophical convictions, intimate life, nationality, religious beliefs, state of health
Biometric personal data: data that reflects the physiological and biological characteristics of an individual and that makes it possible to establish his/her identity
INFORMATION SYSTEMS (IS) THAT PROCESS PERSONAL DATA (PD)
1. IS that processes the PD of the processor’s employees
2. IS that processes the PD of individuals who are NOT the processor’s employees:
2.1. IS that processes special categories of PD
2.2. IS that processes biometric PD
2.3. IS that processes publicly available PD
CASES WHERE ROSCOMNADZOR DOES NOT NEED TO BE NOTIFIED
• PD of company employees processed in accordance with the Labour Code
• PD received by the processor as a result of executing a contract with the personal data subject (provided the PD is not disseminated or passed to third parties)
• PD that consists only of the full name of an individual
• PD needed only for a one-time entry permission
• PD that is processed non-automatically
AMENDMENTS OF 1ST SEPTEMBER 2015, FEDERAL LAW №242-ФЗ
Amendments to Federal Law №149-ФЗ of 27th July 2006 «On Information, Information Technologies and Data Protection»
Clause 15.5. Procedures for restricting access to information that is being processed in violation of the Russian Federation’s data protection laws
In order to restrict access to online information that is being processed in violation of the personal data protection laws, Roscomnadzor establishes the automated information system “Register of violators of personal data subjects’ rights”.
IMPORTANT: an entity can be put on the Register only by a court decision.
The Register of violators includes:
1) domain names and/or URLs of website pages containing PD that is processed in violation of the law;
2) IP addresses that allow identification of websites containing PD that is processed in violation of the law;
3) a reference to the court decision that has become enforceable;
4) notification that the violation has been eliminated;
5) the date of notifying the communications service provider about the data resource in order to restrict access to it.
APPLYING THE PENALTY: RESTRICTING ACCESS TO DATA RESOURCES
1. Within 3 business days of receiving the court decision, Roscomnadzor notifies the service provider, in both Russian and English, about the violation.
2. Within 1 business day, the provider notifies the resource owner.
3. Within 1 business day, the owner must take appropriate measures.
If such measures are not taken, ACCESS TO THE RESOURCE CAN BE RESTRICTED.
AFTER ELIMINATING THE VIOLATION, the resource owner notifies ROSCOMNADZOR about it, and ROSCOMNADZOR (or its representative) has 3 days to exclude the violator from the Register.
Amendments to Federal Law №149-ФЗ of 27th July 2006 «On Information, Information Technologies and Data Protection»
Clause 16. Holders of data and information system processors are responsible for ensuring that the databases used for collecting, recording, systematizing, accumulating, storing, rectifying (updating, changing) and extracting the personal data of citizens of the Russian Federation are located within the territory of the Russian Federation.
Amendments to Federal Law №152-ФЗ of 27th July 2006 “On Personal Data”
Clause 18. While collecting personal data, including collecting it through the Internet, the processor is responsible for ensuring that all recording, systematizing, accumulating, storing, rectifying (updating, changing) and extracting of the personal data of citizens of the Russian Federation is carried out using databases located within the territory of the Russian Federation.
Amendments to Federal Law №152-ФЗ of 27th July 2006 “On Personal Data”
Clause 22. Notifications sent to Roscomnadzor must now also contain the following information: the location of the database containing the personal data of citizens of the Russian Federation.
Amendments to Federal Law №152-ФЗ of 27th July 2006 “On Personal Data”
Clause 23. Roscomnadzor receives a new power: the right to restrict access to data that is being processed in violation of the RF data protection laws, by following the relevant legally established procedures.
WHAT ACTIONS ARE TO BE TAKEN BEFORE 1ST SEPTEMBER 2015?
LEGAL ACTIONS:
1. Send a notification to Roscomnadzor, making sure to include information on the location of the databases containing PD.
2. Check the current state of the documentation on compliance with Federal Laws 152-ФЗ and 242-ФЗ and rectify any defects, including: assigning an authorized person, preparing consent forms (for the different parties: partners, employees, applicants, etc.), preparing amendments to the various types of existing contracts, and an internal audit of company activities.
TECHNICAL ACTIONS:
Development and implementation of all instructions and technical solutions necessary to localize the processing of personal data of citizens of the Russian Federation.
RISKS OF TAKING NO NOTICE OF THE CHANGES
1. Roscomnadzor scheduled inspections
2. Unscheduled inspections (customers, suppliers, competitors)
3. Inspections following employee complaints: the highest risk level (number of complaints received by Roscomnadzor in 2013: 6,153)

Year   Total number of inspections   Total number of PD inspections   Number of inspections in St. Petersburg
2015   2650                          1223                             30
2014   2873                          1308                             30
Taking into account the amendments made to Federal Laws 152-ФЗ and 149-ФЗ, it may be concluded that the risks are quite high. That is why we recommend that you develop and implement a proper action plan aimed at ensuring full compliance with the personal data protection laws.
PASSION FOR RESULTS