On September 1, 2022, amendments to Federal Law №152 "On Personal Data" and Federal Law №2300-1 "On the Protection of Consumer Rights" came into force. In this article, we explain what this means for business.
According to Roskomnadzor, since the beginning of 2022, at least 40 databases containing the personal data of Russians have been leaked online. Forty databases with a total volume of 300 million records belonged to Ozon, SDEK, Russian Post, and other well-known companies. These are significant figures, so the government has adopted measures that should improve the security of citizens' data.
Amendments to Law No. 152-FZ are introduced by Federal Law No. 266-FZ dated 14.07.2022. It specifies that certain provisions will take effect on September 1, 2022, but some changes will not come into effect until March 1, 2023. The postponed amendments concern cross-border data transfer and the procedure for the provision of information from the Unified State Register of Immovable Property.
Earlier, Law No. 519-FZ of December 30, 2020, defined three basic principles for consent to the processing of personal data:
- Silence or inactivity does not mean consent to the processing of personal data.
- Consent to the processing and further distribution of personal data is executed separately.
- Consent to the processing and further distribution of personal data may include a prohibition on transferring the data to an unlimited number of people, restricting it to specific individuals only.
The innovations toughen and detail the requirements for handling personal data. What exactly is changing?
Data control is strengthening
Every leak must be reported immediately. In the event of a data leak, the personal data operator must report the incident to the RKN no later than within 24 hours. In addition, the operator must conduct an internal investigation of the incident and inform the RKN of the results within 72 hours.
The position of the State system for detection, prevention, and elimination of consequences of computer attacks (GosSOPKa) is also strengthened. This body investigates security incidents and identifies vulnerabilities in information systems. If an organization has experienced a cyberattack or any of the listed incidents, it must pass the information to GosSOPKa.
Personal liability. Before September 1, 2022, foreign data processors were responsible only to personal data operators. Now the processor is responsible personally to each data owner and is obliged to respect confidentiality and avoid leaks.
More reporting to Roskomnadzor. Before processing any personal data, the operator must complete a special questionnaire and submit it to Roskomnadzor, informing them of what they intend to do. Previously this procedure was not obligatory.
Extension of the law to foreign persons. The law now also applies to foreign natural and legal persons if they process personal data on the basis of an agreement with a Russian citizen or with his or her consent.
More transparency. If a website collects data, it should contain a Data Collection Policy and make it available so that anyone can read it.
Specification of consent. Previously, consent to the processing of personal data had to be concrete, informed, and conscious. From September 1, 2022, it must also be concrete and unambiguous: every clause in the consent must be unambiguous. Consent can be withdrawn at any time.
Data processing is getting faster
Under the new amendments, the personal data operator must respond to requests from citizens and Roskomnadzor faster.
For citizens. If the owner of personal data requests to stop their data processing, the operator must stop it within 10 days. Information relating to the processing of personal data is also provided within 10 days after the request.
For Roskomnadzor. The operator must provide information relating to the processing of personal data to Roskomnadzor within 10 working days (previously it was 30). The deadline can be prolonged by up to 5 days if the operator sends a notification to Roskomnadzor with a justification for the prolongation. If answers are not satisfactory to Roskomnadzor several times within a year, you may be subject to an unscheduled inspection.
Here's an example. According to the law, the employer must respond or prepare a reasoned refusal within 10 days to an employee who has requested information on how the company handles his or her data. The response is prepared in the form used by the employee (but a different form of response may be specified in the request). The data operator may also be asked if it has specific personal data on the applicant.
Non-mandatory biometrics
From September 1, 2022, it is officially prohibited to refuse service provision to citizens if they have not submitted biometrics (as long as it is not a mandatory condition for receiving the service). For example, Russians now have the right to refuse to submit a photo, if it is not stipulated in the rules of service provision or is not implied by the position.
Also, processing of minors' biometric data is directly prohibited. For example, if you hire workers under the age of 18 for a summer job, it is recommended to remove their photos, videos, and voice recordings. It is prohibited to use their photo on a badge or in a personnel file.
Stores will be limiting the collection of personal data
Online and offline stores can no longer collect personal data from customers without their explicit consent. Full name, bank card number, phone number, email, and residential address may be requested only if they are necessary for the purchase. The law gives the customer the right to demand an explanation of why certain personal data is needed.
If a retailer refuses to serve a customer who has not provided his or her data, the customer can complain. Penalties for officials range from 5,000 ₽ to 10,000 ₽, and for legal entities from 30,000 ₽ to 50,000 ₽.
Changes in the rules for the protection of Personal Data
Now the employer must prepare and adopt a regulation on personal data protection. This document specifies the risk categories of each document/electronic data carrier, as well as the risks of compromising information from these carriers. Previously, such a document was recommended, but now it is mandatory.
As for the destruction of personal data, it is possible only in the specific cases listed in paragraph 3 of Article 21 of Federal Law No. 266-FZ of 14.07.2022:
- The retention period of the document has expired.
- The purpose of processing has been fulfilled, or the data no longer needs to be processed.
- The operator processes the personal data illegally.
- The owner of the personal data has withdrawn consent, demanding that the processing and distribution of his or her personal data be stopped.
The law does not specify the method for destroying personal data.
New requirements for the cross-border transfer of personal data will be introduced on March 1, 2023. If a company transfers personal data abroad, it is important to send a notification to Roskomnadzor. The supervisory authority will then decide whether to permit or forbid the transfer of personal data to the foreign recipient.
Cloud4Y offers a ready-made solution for hosting personal data, built in line with the requirements of Federal Law No. 152-FZ. Renting cloud infrastructure eliminates the need to build and maintain your own infrastructure that meets the legal requirements. The Federal Law 152-FZ Cloud service is tailored specifically to international companies that seek to store and/or protect personal data in accordance with Russian data localization and protection legislation.