Total changes to 152-FZ On personal data

On September 1, 2022, amendments to 152-FZ On Personal Data come into force. The changes were introduced by Federal Law No. 266-FZ of July 14, 2022, and are the largest since 2011. From September, the requirements for processing the personal data of both employees and other persons change significantly, and the changes apply to almost everyone who works with personal data.

1. The most important clarification is the requirement to submit a notification to Roskomnadzor on the processing of personal data from September 1, 2022. The old version of the law contained many exceptions that made this unnecessary.

The main grounds for operating without “registration” with the RKN were the processing of employees' personal data and processing in connection with the conclusion and execution of contracts. However, since September, almost all exceptions have become invalid.

Only the exception for non-automated processing of personal data (i.e. with the direct participation of a person in the use, clarification, distribution, or destruction of personal data in relation to each of the subjects of personal data) remains in force.

Thus, the previously workable combination of User Agreement and Privacy Policy, which served as the basis for processing PD for the purpose of concluding and executing an agreement, becomes irrelevant from September 1, 2022. Even if there is a User Agreement, an offer, or another agreement, it is necessary to submit a notification to the RKN and prepare local documents for the protection of PD (they are reported in the notification).

The consequence of the notification is the inclusion in the register of personal data operators and scheduled checks by the ILV of compliance with the organizational and technical requirements for the protection of personal data.

2. The second most important change is the notification of the RKN on the cross-border transfer of personal data from March 1, 2023. This is relevant for services that use foreign hosting or that provide services or goods to Russian citizens. If desired, the RKN can also find fault with the use of metric programs for traffic analytics or widgets of foreign service providers on the site.

Be prepared for the RKN to refuse permission for the cross-border transfer of PD for a number of reasons. It is therefore better to think in advance about moving to domestic solutions that do not require data transfer abroad.

3. The third most important change is that the person processing personal data on behalf of the operator (the so-called “processor”) now bears all the obligations for its protection that are imposed on the operator. The foreign processor is additionally jointly and severally liable with the PD operator, i.e. the subject may submit a claim directly to both the operator and the processor.

These changes are relevant for cloud service providers and SaaS (PaaS) solutions. The law requires that a detailed description of the requirements for processing PD be included directly in the contract with the processor.

4. In conclusion, let us mention a significant reduction in the response time to requests from the subject of personal data. It was reduced from 30 calendar days to 10 business days. But given the above, this amendment is clearly the lesser of evils.
