Loading...

The list of grounds has been expanded for Roskomnadzor to conduct unscheduled audits of personal data operators

Pepeliaev Group advises that, on 18 November 2023, Order No. 720 of the Russian Ministry of Digital Development, Communications and the Mass Media dated 17 August 2023Order No. 720 of the Ministry of Digital Development, Communications and the Mass Media dated 17 August 2023 “On amending the list of indicators of risks of mandatory requirements being violated while federal state control (supervision) is being exercised over the processing of personal data", approved by Order No. 1187 of the Ministry of Digital Development, Communications and the Mass Media of the Russian Federation dated 15 November 2021”
 came into effect which supplements the list of indicators of risks of mandatory requirements being violated while federal state control (supervision) is being exercised over the processing of personal data.

By its Order No. 1187 dated 15 November 2021Order No. 1187 of the Digital Ministry dated 15 November 2021 “On approving the list of indicators of risks of mandatory requirements being violated while federal state control (supervision) is being exercised over the processing of personal data”
, the Ministry of Digital Development, Communications and the Mass Media (the “Digital Ministry”) has approved the list of indicators of risks of mandatory requirements being violated while federal state control (supervision) is being exercised over the processing of personal data (a “risk indicator”). If the Russian Federal Service for Supervision of Communications, Information Technology and the Mass Media (known by the Russian abbreviation “Roskomnadzor”) identifies at least one risk indicator with an operator, this is a ground for an unscheduled control (supervisory) measure to be conducted (an “unscheduled audit”).

By Order No. 720 of the Digital Ministry dated 17 August 2023, a new risk indicator has been added to the list, namely:

  • Roskomnadzor identifying three or more instances when information set out by an operator in notifications (regarding its intention to process personal data; changing the information contained in the notification of the intention to process personal data; its intention to transmit personal data across the border; and terminating the processing of personal data) contradicts data placed on the website owned by the controlled entity in the “Internet” information and telecommunications network in line with article 18.1(2) of the Federal Law “On personal data”.

Comment

According to article 18.1(2) of the Federal Law “On personal data”, an operator is obliged to publish or otherwise ensure unlimited access to the document which determines its policy regarding the processing of personal data, and to the information concerning how the requirements for the protection of personal data are implemented. For each purpose of the processing of personal data, the policy regarding the processing of personal data should determine the categories and the list of the personal data to be processed, the categories of subjects whose personal data is processed, as well as the methods and timeframes for such personal data to be processed and stored, the procedure for destroying personal data when the purposes of its processing have been achieved, or when other lawful grounds emergeArticle 18.1(1)(2) of Federal Law No. 152-FZ “On personal data” dated 27 July 2006
.

Roskomnadzor is actively implementing control measures without interacting with the controlled party, which includes:

a) observing how the requirements are complied with when information is published on the Internet; and

b) observing how the requirements are complied with by analysing information concerning the activities of the controlled party which the operator provides to Roskomnadzor (e.g. in a notification of the intention to process personal data) or may be received by Roskomnadzor (including within the framework of information exchange between authorities)AClause 59 of the Regulation on federal state control (supervision) over the processing of personal data approved by Resolution No. 1046 of the Russian Government “On federal state control (supervision) over the processing of personal data” dated 29 June 2021
.

In other words, Roskomnadzor is entitled to analyse an operator’s website independently (without having dealings with the operator). We believe that, if Roskomnadzor compares the information stated in the register of personal data operators with the information contained in the policy regarding the processing of personal data as posted on the operator’s website, and identifies any discrepancies in the information stated, then an unscheduled control (supervisory) measure may be carried out.

The above risk indicator has been in effect since 18 November 2023.

In addition to the above, the identification of one of the following risk indicators may serve as a ground for Roskomnadzor to conduct an unscheduled audit:

  • If Roskomnadzor identifies, within one calendar year, ten or more instances when data provided by an operator at Roskomnadzor’s request is at odds with the data provided to Roskomnadzor by citizens in terms of whether the operator’s activities demonstrate signs of unlawful processing of citizens’ personal data.

Comment

According to article 23(3)(1) of the Federal Law “On personal data”, Roskomnadzor has the right to request from individuals or legal entities (operators) information it needs to exercise its powers, and to obtain such information free of charge. An operator is obliged to report to Roskomnadzor the necessary information within 10 business days from the date when it receives such request.

At the same time, according to article 17(1) of the Federal Law “On personal data”, if a personal data subject believes that the operator is processing such subject's personal data in violation of legal requirements or is otherwise violating the subject's rights and freedoms, then the personal data subject may challenge the acts or omissions of the operator with Roskomnadzor or in court.

If, within a calendar year, Roskomnadzor identifies ten or more instances when the data provided by an operator has been at odds with the information received from personal data subjects, an unscheduled control (supervisory) measure may be carried out in relation to the operator.

If, within a calendar year, Roskomnadzor identifies ten or more instances when the public at large have obtained access to databases of personal data and/or databases of personal data have been disseminated on the Internet which show signs of being owned by the operator.

Comment

We believe that in this case one could refer to ‘leakages’ of personal data, where it is impossible to positively determine who owns the database which has ‘leaked’; however, based on individual signs, it is apparent that the database is owned by a specific operator. 

We remind you that the subject matter of federal state control (supervision) over the processing of personal data is whether operators comply with mandatory requirements in the field of personal data set by the Federal Law “On personal data” and regulatory instruments adopted in accordance with such requirements.

According to clause 37 of the Regulation on federal state control (supervision) over the processing of personal dataApproved by Resolution No. 1046 of the Russian Government dated 29 June 2021 “On federal state control (supervision) over the processing of personal data”.
, such control (supervision) shall be conducted in the form of scheduled and unscheduled control (supervisory) measures (“audits”).

Based on the provisions of clause 11(3) of Resolution No. 336 of the Russian Government dated 10 March 2022 “On the specifics of organising and performing state control (supervision) and municipal control”, until 2030 only operators classed in the]high-riskThe criteria for classing operators in a certain risk category are set out in the Annex to the Regulation on control over the processing of personal data.
 category will be included in the plans for scheduled audits.

As far as unscheduled audits are concerned, in 2023 they have been conducted only on the grounds listed in clause 3 of Resolution No. 102 of the Government, for instance:

  • where indicators are identified of risks that the mandatory requirements will be violated;

  • further to a decision of the head or the deputy head of Roskomnadzor, if it has been identified that databases (in full or in part) containing personal data have been disseminated (provided) on the Internet.

According to the provisions of article 90(2) of Federal Law No. 248-FZ “On municipal control (supervision) and municipal control in the Russian Federation” dated 31 July 2020, if discrepancies with legal requirements are identified, an unscheduled audit may result in:

  • an order to remedy the identified violations;

  • administrative liability; or

  • criminal liability.

It should also be borne in mind that administrative liability for violating Russian legislation in the field of personal data is set in article 13.11 of the Russian Code of Administrative Offences. For example, if an operator does not have consents to the processing of personal data (and such consents are mandatory), it may have an administrative fine imposed of between RUB 60,000 up to RUB 100,00Article 13.11(1) of the Code of Administrative Offences.
. If, on the other hand, an operator uses databases located outside the Russian Federation while collecting personal data, including via the Internet, the fine could amount to between RUB 1 million and RUB 6 million.

What to think about and what to do

Roskomnadzor conducting an unscheduled audit (even under the current restrictions) in relation to an operator is possible in the following instances:

  • if, within a calendar year, Roskomnadzor identifies ten or more instances when the data provided by the operator was at odds with the information received from personal data subjects (dissatisfied clients/former employees/competitors);

  • if, during the calendar year, Roskomnadzor identifies ten or more leakages of databases of personal data showing signs of being owned by the operator;

  • if, further to Roskomnadzor comparing the information set out in the register of personal data operators with the policy regarding the processing of personal data published on the operator’s website, three or more discrepancies are identified.

Thus, every personal data operator risks becoming subject to an unscheduled audit by Roskomnadzor, which may result in the operator being held administratively and/or criminally liable.

In order to mitigate the risks of being held liable for violations in the field of legislation on personal data, the following is recommended:

  1. conducting an audit of compliance with legal requirements concerning personal data, either independently or involving advisers, and eliminating the violations identified;

  2. keeping an internal register of procedures for processing personal data containing information about the purposes of the processing of personal data, the categories and the list of the personal data to be processed, the categories of subjects whose personal data is processed, as well as the methods and timeframes for such personal data to be processed and stored, the procedure for destroying personal data when the purposes of its processing have been achieved, or when other lawful grounds emerge;

  3. monitoring changes in the procedures of processing personal data, updating in a timely manner information in internal regulations (e.g. in the policy on the processing of personal data); and

  4. regularly conducting training events for the company’s employees regarding the requirements for the processing of personal data as well as controlling the employees’ level of awareness (by conducting tests).

We recommend paying special attention to the content and functions of the company's website. It is necessary to:

  1. analyse what personal data is processed using the website (for example, via data collection forms, cookies, and services for collecting technical data),

  2. ensure that personal data of Russian citizens is recorded, systematised, accumulated, stored, specified (updated, changed) and retrieved using databases located in the Russian Federation (i.e. to ensure the website is hosted in the Russian Federation, refuse to use foreign services for the collection of personal data (e.g. Google Analytics, Google Forms), and use Russian CMS),

  3. publish on all the pages of the website that are used to collect personal data the policy in relation to the processing of personal data as well as information about the requirements implemented for the protection of personal data,

  4. ensure that the information stated in the register of personal data operators (in the notification of the intention to process personal data) corresponds to the information published on the website (including the policy on the processing of personal data).

If the company has not submitted any notification of the intention to process personal data and has not been included in the register of personal data operators, it is necessary to additionally assess the risks connected with the possible identification of discrepancies in the information provided.

Help from your adviser

Pepeliaev Group's lawyers are ready to provide companies with comprehensive legal assistance on complying with legislation in the area of personal data.

Pepeliaev Group provides the following types of services:

  • updating and bringing the company's internal documents into compliance with the requirements of 152-FZ, including the personal data processing policy, the personal data processing guideline, forms of consent to the processing of personal data and other necessary documents in the field of personal data;

  • preparing and sending to Roskomnadzor a notification of the intention to process personal data, a notification of the intention to transmit personal data across the border, a notification of a change in the information contained in the notification of the intention to process personal data and the notification to transmit personal data across the border, and a notification of terminating personal data processing;

  • drafting legal opinions and providing advice on issues of personal data processing; 

  • providing legal support in liaising with Roskomnadzor and/or a personal data subject.
Translated by the Translation Department of Pepeliaev Group

Отправить статью

22.12.2023
The business mission to China of a delegation from Pepeliaev Group’s Far East Office
Read more
22.12.2023
Pepeliaev Group’s lawyers have protected a client’s interests before the Supreme Court in a dispute concerning mineral extraction tax on the extraction of gold concentrates
Read more
11.12.2023
Pepeliaev Group’s Far East office in Vladivostok has celebrated its 5th anniversary
Read more