On March 1, 2023, the final part of the amendments introduced by Federal Law No. 266-FZ of July 14, 2022 into the legislation on personal data (hereinafter – “PD”) came into force.
Cross-border transfer of PD
Under the amendments, operators of PD are obliged to notify Roskomnadzor of their intention to carry out cross-border transfer of PD before commencing such transfer. Roskomnadzor has the right to prohibit the transfer of PD to other countries. While the notification is under consideration, it is prohibited to transfer PD to countries that do not provide adequate protection of PD. The list of such countries is approved by Order of Roskomnadzor No. 128 of August 5, 2022.
At the same time, if the operator submitted a notification of cross-border transfer of PD before March 1, 2023, it is not required to submit a new notification until changes are introduced in its activities associated with cross-border transfer of PD.
Notification of Roskomnadzor about changes
The operator is obliged to notify Roskomnadzor of any changes to the information previously reported to Roskomnadzor that occurred within a month, no later than the 15th day of the following month.
Destruction of PD
The requirements for confirming the destruction of PD, approved by Order of Roskomnadzor No. 179 of October 28, 2022, came into force.
In the event of destruction of PD in information systems, as well as on physical media, the operator is obliged to draw up an act containing information about the destroyed data, the method and reason for the destruction, as well as other information.
Reporting of PD leaks
Operators are required to notify Roskomnadzor of PD leaks (illegal transfer, provision, distribution, access) within 24 hours.
Further, within 72 hours, another notification must be submitted on the results of the internal investigation of the incident, together with information about the persons whose actions caused the incident.
Assessment of harm
Order of Roskomnadzor No. 178 of October 27, 2022 introduced new rules for assessing the harm that may be caused to PD subjects in the event of a violation of the Federal Law “On Personal Data”.
Operators are recommended to audit internal documents and business processes related to PD processing and amend them to ensure compliance with the updated legal requirements.