Loading...

New forms of notifications of Roskomnadzor have been approved

Pepeliaev Group advises that, starting fr om 26 December 2022, personal data operators will be required to use new forms of notifications regarding the intention to process personal data, regarding changes in the information contained in the notification of the intention to process personal data, and regarding the termination of personal data processing.

Before starting to process personal data, an operator is obliged to notify the Russian Federal Service for Supervision of Communications, Information Technology and the Mass Media (known in Russia by the abbreviation “Roskomnadzor”) of its intention to process personal data (article 22(1) of the Federal Law "On Personal Data"). Please note that the person processing personal data is the operator of personal data, regardless of whether it is registered in the register of Roskomnadzor operators.

If there are changes in the information contained in a notification of the intention to process personal data, as well as if personal data processing terminates, the operator is obliged to notify Roskomnadzor within 10 business days from the date when such changes occur or from the date when personal data processing terminates (article 22(7) of the Federal Law "On Personal Data").

Forms of the notifications are established by Roskomnadzor (article 22(8) of the Federal Law “On personal data”). At present, the forms provided for by Roskomnadzor’s Order No. 94 dated 30 May 2017 are in force.

On 26 December 2022, Roskomnadzor Order No. 180 dated 28 October 2022 will come into force, which have approved new forms of the above notifications:

  • of the intention to process personal data;

  • of a change in the information contained in the notification of the intention to process personal data; and

  • of personal data processing terminating.

Notification of the intention to process personal data

In accordance with article 22(3) of the Federal Law "On Personal Data", the notification of the intention to process personal data must contain the following information:

  • the operator's name (full name), and its address;

  • the purpose of processing personal data;

  • a description of measures aimed at ensuring that the operator fulfils the obligations stipulated by the Federal Law "On Personal Data", as well as measures to ensure the security of personal data during its processing (articles 18.1 and 19 of the Federal Law "On Personal Data"), including information on the availability of encryption (cryptographic) means and the names of these means;

  • the name of an individual or a legal entity responsible for the organisation of the processing of personal data, and their contact phone numbers, mailing addresses and email addresses;

  • the commencement date of the processing of personal data;

  • the timeframe or condition for terminating the processing of personal data;

  • information regarding the presence or absence of the cross-border transferring of personal data while it is being processed;

  • information on wh ere the database containing Russian citizens' personal data is located;

  • the full name of an individual or the name of a legal entity that has access and/or processes personal data contained in state and municipal information systems on the basis of a contract;

  • information about how the security of personal data is ensured in accordance with the requirements for the protection of personal data established by the Russian Government.

Unlike the form that is valid until 26 December 2022, in the new notification form, the operator is obliged to specify the following for each purpose of processing personal data:

  • the categories of personal data;

  • the categories of data subjects whose personal data is processed;

  • the legal ground for the processing of personal data;

  • a list of actions with personal data; and

  • the methods for processing personal data.

Notification of a change in the information contained in the notification of the intention to process personal data

Unlike the form that was in force until 26 December 2022, the new form of notification does not provide for the grounds of the changes to be specified. In addition, the operator is obliged to specify the following for each purpose of processing personal data:    

  • the categories of personal data;

  • the categories of data subjects whose personal data is processed;

  • the legal ground for the processing of personal data;

  • a list of actions with personal data; and

  • the methods for processing personal data.

Notification of terminating personal data processing

The operator is considered to have terminated its processing of personal data if either of the conditions below is met:

  • the operator is liquidated;

  • the operator is reorganised;

  • the activities in relation to processing personal data are terminated, or the licence is revoked;

  • the timeframe or condition for terminating the processing of personal data specified in the notification occurs;

  • a court decision that came into legal force;

  • and other grounds.

Unlike the form that was in force until 26 December 2022, the new form of notification does not directly provide for the obligation of the operator to attach documents confirming the conditions for excluding the operator from Roskomnadzor's register of operators.

What to think about and what to do

The change in the notification forms relates to the change in the requirements of the Federal Law "On Personal Data" in terms of informing Roskomnadzor. Notification forms are approved by this authority.

The change in the form of the Notification of the intention to process personal data can be assessed in two ways. On the one hand, now operators will need to disclose more information to Roskomnadzor, and filling out the form itself will take longer. On the other hand, to fill out this form correctly, operators will need to do quite a lot of work in the company. The result of this work may be the improvement of the processing of personal data and, as a result, its greater security.

The reduction of data in the Notification of a change in the information contained in the notification of the intention to process personal data and the Notification of the termination of the processing of personal data can be assessed as a slight plus, but it does not eliminate the need to initially disclose more information to Roskomnadzor.

It is advisable for operators to bring activities aimed at personal data processing into line with the statutory requirements. In particular, companies that are not registered in Roskomnadzor's register of operators must send a notification to Roskomnadzor of their intention to process personal data.

Before sending a notification, it is recommended to identify and analyse all processes in which the company encounters personal data.

For each of the identified processes, it is necessary to collect the information that is required in accordance with the new notification form, check whether there is a legal basis for processing personal data, check that the composition of the processed data is not excessive for the specific purpose of processing, check whether the company has appointed a person responsible for processing personal data, and, if necessary, identify such a person and issue an order.

The notification can be sent to Roskomnadzor using one of the following methods:

  • in hard copy;

  • in electronic form using an enhanced qualified electronic signature;

  • in electronic form using authentication tools of the Unified System of Identification and Authentication.

Help from your adviser

Pepeliaev Group's lawyers are ready to provide companies with comprehensive legal assistance on issues of complying with legislation in the area of personal data, including:

  • Auditing the company's current activities for compliance with the legislation on personal data and preparing recommendations for bringing activities into compliance;

  • Bringing the company's internal documents into compliance with the requirements of the Federal Law "On Personal Data", including updating or developing a personal data processing policy, consent forms for the processing of personal data and other necessary documents in the field of personal data;

  • Preparing notifications to be sent to Roskomnadzor, including notifications of the intention to process personal data, of changes in the information contained in the notification of the intention to process personal data, and of the termination of personal data processing;

  • Providing legal advice on issues surrounding the cross-border transfer of personal data;

  • Advising on the localisation of personal data;

  • Advising on the processing of personal data by third parties, including the development of the operator's instructions for the processing of personal data;

  • Conducting a technical audit for the operator to ensure the security of personal data, including identifying threats to the security of personal data during its processing in personal data information systems, determining the levels of personal data security and other measures;

  • Preparing lists, including a list of persons authorised to process personal data, a list of personal data information systems used, etc.;

  • Representing a client when dealing with Roskomnadzor;

  • Providing training to employees on issues of personal data processing.

Отправить статью

21.03.2024
Pepeliaev Group’s Experts Have Achieved Exceptional Results in the 2023 Individual Rankings of Pravo.ru-300
Read more
11.03.2024
PGP Tax Consultancy is among the leaders in the Pravo.ru rating dedicated to the UAE market
Read more
22.12.2023
The business mission to China of a delegation from Pepeliaev Group’s Far East Office
Read more