On 14.07.2022 the Federal Law No. 266-FZ introduced substantial amendments to the Federal Law of 27.07.2006 No. 152-FZ "On Personal Data" (hereinafter referred to as the "Personal Data Law") with regard to cross-border transfer of personal data that will become effective as of 01.03.2023.
Additional requirements will apply to personal data operators.
Who is considered as the operator of personal data?
Pursuant to the clause 2 of the article 3 of the Personal Data Law, the operator is a public authority, municipal authority, legal entity or natural person that independently or jointly with other persons organizes and/or carries out the processing of personal data, as well as determines the purposes of personal data processing, the personal data to be processed and the actions (operations) carried out with the personal data.
For example, an organisation is an operator of personal data in relation to its employees and other individuals whose data it receives.
What is personal data and what is recognized as a cross-border transfer?
Let us remind you that under clause 1 of the article 3 of the Personal Data Law, personal data means any information relating to a directly or indirectly defined or identifiable natural person (personal data subject) (e.g. full name, nationality, tax identification number, gender, etc.).
In turn, the cross-border transfer of personal data is the transfer of personal data to the territory of a foreign state to a foreign authority, a foreign natural person or a foreign legal entity (clause 11 of the article 3 of the Personal Data Law).
Some examples of cross-border data transfer:
Example 1. Employees are sent on a business trip abroad (e.g. to the holding company). The employer (Russian company) sends the employees' names, phone numbers, positions and email addresses to the holding company to arrange meetings abroad.
Example 2. The acceptance of applicants for certain positions or internal transfers requires the approval of the founders (participants, shareholders), who are foreign persons, and the personal data of the applicants/employees is sent abroad for this purpose.
What will change in 2023?
Fr om 01.03.2023 the operator will have to notify Federal Service for Supervision in the Sphere of Telecom, Information Technologies and Mass Communications (Roskomnadzor) of its intention to transfer personal data across borders before starting a cross-border transfer of personal data. This notification shall be sent separately fr om the notification of the intention to process personal data mentioned in the article 22 of the Personal Data Law.
Please note that operators who transferred personal data across borders before 01.09.2022 and continue to do so after 01.09.2022 must send notifications about cross-border transfers of personal data to Roskomnadzor no later than 01.03.2023.
The notification of the intention to transfer personal data across borders shall be sent as a paper document or in the form of an electronic document and shall be signed by an authorized person of the operator. The requirements for the content of the notification are stipulated by para 4 of the article 12 of the Personal Data Law (as amended by Federal Law No. 266-FZ of 14.07.2022).
What must be done before submitting a notification to Roskomnadzor?
The following information must be obtained from the foreign persons, to whom the transfer of personal data is planned (foreign authorities, foreign natural or legal persons):
- information on measures taken by the foreign persons to protect the personal data transmitted and conditions of termination of their processing;
- information on legal regulations in the field of personal data of the foreign country, under which jurisdiction the foreign persons are;
- information on foreign persons (company name or full name, as well as contact telephone numbers, postal and email addresses).
Why is it important to obtain the above information and data before submitting a notification to Roskomnadzor?
They may be requested by Roskomnadzor in order to assess the reliability of the information contained directly in the notification. In such a case, the operator will be obliged to provide the requested data to Roskomnadzor within 10 working days since the moment of the request receipt.
Can Roskomnadzor prohibit or lim it the cross-border transfer of personal data?
Yes, Roskomnadzor may prohibit or lim it the cross-border transfer of personal data for the purposes of:
- protecting the foundations of the constitutional system of the Russian Federation, morality, health, rights and legitimate interests of citizens,
- ensuring national defence and state security,
- protecting the economic and financial interests of the Russian Federation,
- ensuring the protection of rights, freedoms and interests of citizens of the Russian Federation, sovereignty, security, territorial integrity of the Russian Federation and its other interests in the international arena by diplomatic and international legal means.
In such a case, the operator will be obliged to ensure that the previously transmitted personal data is destroyed by foreign persons.
What are the penalties for failure to submit or untimely submission of a notification to Roskomnadzor?
Under article 19.7 of the Code of Administrative Offences of the Russian Federation, failure to submit or late submission of a notification to Roskomnadzor may entail a warning or imposition of an administrative fine on both an official and a legal person.
Our services:
- advising on compliance with legislation on personal data processing and protection;
- preparation of notifications to be sent to Roskomnadzor;
- development and/or comprehensive audit of local acts of your organization, regulating the processes of personal data processing and protection and, if necessary, amendment of these local acts.
Contacts:
Maria Matrossowa, Project leader swilar OOO
M:
maria.matrossowa@swilar.ru, T: + 7 495 648 69 44 (ext. 308)
Yulia Belokon, Senior Project Manager swilar OOO
M:
yulia.belokon@swilar.ru, T: +7 495 648 69 44 (ext. 309)