Roskomnadzor has explained to operators the procedure for sending notifications about the processing of personal data and has published some forms of electronic notifications
Pepeliaev Group advises that the Russian Federal Service for Supervision of Communications, Information Technology and the Mass Media (commonly abbreviated in Russian as “Roskomnadzor” or “RKN”) has issued clarifications on the timeframes for operators to send notifications about the processing of personal data. The authority has also published electronic forms for operators to notify the fact of an illegal or accidental transfer of personal data that resulted in a violation of the rights of subjects, as well as the implementation of their cross-border transfer.
On 1 September 2022, amendments to Federal Law No. 152-FZ “On Personal Data” dated 27 July 2006 (the “Law”) came into force . Certain provisions of the Law will come into force on 1 March 2023.
The amendments, which entered into force on 1 September 2022, provide for:
a limitation of the list of cases that allow operators not to send a notification about the processing of personal data to RKN. Operators must notify the regulator about the beginning of the implementation of any processing of personal data, except in cases when the data is processed in order to protect the security of the state and public order, transport security, or if the operator processes the data exclusively without automation (article 22(2) of the Law);
the obligation of operators to notify the RKN of facts of an unlawful or accidental transfer (provision, distribution, access) of personal data that resulted in violation of the rights of personal data subjects (article 21(3.1) of the Law);
the obligation of operators to send to RKN, no later than 1 March 2023, a notification of the implementation of a cross-border transfer of personal data (article 6 (5) of Federal Law No. 266-FZ dated 14 July 2022).
Read more about the changes in the Law on Personal Data in Pepeliaev Group’s alert.
Timeframes for sending a notification about the processing of personal data to RKN
As the regulator has explained, 1 September 2022 is not the final date for sending a notification of the processing of personal data, since article 22 of the Law does not set a deadline for operators to send a notification. The form of a notification of the processing of personal data will be approved by RKN later .
Prior to the approval of the new form, the operator has the right to:
fill out the notification form regarding personal data processing on the Personal Data Portal
or to send a notification in hard copy to the address of the local body at the place where the operator is registered, using the form approved by by Order No. 94 of RKN dated 30 May 2017.
After the approval of the new notification form, the operator may send a notification of changes to the previously submitted information.
The Personal Data Portal provides an opportunity to generate and send a notification as follows:
in hard copy;
in electronic form using an enhanced qualified electronic signature or using authentication tools of the Unified System of Identification and Authentication.
Electronic notification forms for operators on the Personal Data Portal
In order to fulfil the obligation to notify RKN of the facts of an unlawful or accidental transfer (provision, distribution, access) of personal data, which has resulted in a violation of the rights of personal data subjects, the operator can use the electronic notification form.
Until 1 March 2023, operators engaged in the cross-border transfer of personal data can send a notification of such transfer using the electronic notificationform.
What to think about and what to do
It will be prudent for companies to take measures to bring their activity into line with the new requirements of the legislation on personal data. In particular, we recommend:
conducting an audit of the processing of personal data by the company;
amending the company's internal regulations governing the processing of personal data;
sending a notification about the processing of personal data to RKN;
companies transferring personal data across the border should determine the list of states to which transfers are carried out and request the information for which the Law provides from foreign counterparties for a notification concerning the cross-border transfer of personal data to be filed before 1 March 2023.
The timely identification and elimination of violations will help to mitigate any legal risks and possible additional expenses on eliminating the consequences, as well as to avoid any reputational losses.
Help from your adviser
Pepeliaev Group's experts have a solid track record of comprehensive business support in issues of compliance with legislation, the identification and assessment of legal risks, and the development of business-oriented proposals to mitigate the risks identified.
The firm provides the following types of services:
advising on compliance with personal data legislation;
carrying out a complex audit of the processing of personal data to establish whether it corresponds to the legislative requirements;
preparing notifications that are to be filed with RKN;
developing and/or amending to the company's internal policies regulating the processing of personal data;
representing companies in dealings with state authorities and in courts in disputes relating to the processing of personal data.
 Federal Law No. 266-FZ dated 14 July 2022 “On amending the Federal Law 'On personal data' and individual items of legislation of the Russian Federation, as well as repealing article 30(14) of the Federal Law 'On banks and banking activity'”.
 Draft order “On the approval of notification forms regarding: the intention to process personal data; amendments to previously submitted information; and the termination of personal data processing”.