Since the law was passed, several amendments have been introduced to ensure that it is well-equipped to deal with current technological and data privacy challenges. One of these amendments concerns the data localization requirement, which requires that data belonging to Russian citizens be stored and retained in databases located within Russia. Data may still be transferred across borders, provided the cross-border transfer conditions are met.
As per the recent amendment 266-FZ, which comes into effect on 1 September 2022, the processing of personal data under a contract between the data subject and the operator is permitted only if the contract does not contain any conditions restricting the rights and freedoms of data subjects.
Here are all the important things an organization needs to know to achieve compliance with the law:
Here’s what kind of data is covered as well as the geographical jurisdiction of this law:
This law applies to federal state government bodies, state government bodies of constituent entities of the Russian Federation, other state bodies, legal entities, or any other organizations that collect and process data for commercial purposes.
However, this law shall not apply in the following cases:
The law applies to any legal entity, including any foreign entity with a legal presence in Russia that collects personal data in Russia. The law also applies to entities not established in the Russian Federation if they purposefully direct their activities towards the Russian Federation and benefit from those activities.
As per the recent amendment law 266-FZ, the law also applies to the processing of personal data of citizens of the Russian Federation carried out by foreign legal entities or foreign individuals based on an agreement to which citizens of the Russian Federation are parties or based on the consent of Russian citizens.
Per Federal Law No. 152-FZ, all data processors and data controllers have certain obligations towards the data subjects whose data they collect. Some of these obligations and responsibilities include the following:
An operator can only proceed with data processing on one of the following lawful bases:
Consent is one of the primary legal bases for data processing. Any consent gained from the data subject must be:
Data subjects have the right to withdraw their consent at any time. In such an event, the data controller/processor must cease the processing of personal data or arrange for it to be terminated, and if storage of the personal data is no longer required for the purposes of processing, the data controller must destroy the data or ensure its destruction within a period not exceeding ten working days from the date of receipt of the consent withdrawal request.
Written consent is required for the following data processing activities:
Additional amendments were made to Federal Law 152-FZ in March 2021, which introduced new consent requirements for “publicly disseminated data”. This is particularly impactful on the activities of organizations that distribute or disseminate data subjects’ data to an unlimited number of individuals, such as posting such data on a publicly available website.
As such, these organizations are subject to the following consent obligations when it comes to such “publicly disseminated data”:
Lastly, a data controller/processor must gain a user’s express consent before sending them direct marketing communications of any kind. If the user rescinds their consent from receiving such communications, the data controller/processor must cease their data processing at once.
Since an individual under the age of 18 cannot legally consent to any form of data processing, consent must be acquired from the legal guardian or parental authority.
The law states that an operator must take the necessary legal, organizational, and technical measures to ensure the security of personal data.
As per amendment law 266-FZ, data controllers are also required to ensure that data processors take necessary measures to protect personal data and ensure confidentiality.
From September 1, 2022, data operators must notify Roskomnadzor of security breaches concerning personal information if the incident results in the illegal or accidental transfer of personal data. Transfer of personal data means the provision of, distribution of, or granting of access to data.
Organizations must employ a data protection officer (DPO) in case of the following:
While there are no additional criteria related to hiring a DPO, it is highly recommended that an organization's DPO be someone who understands Federal Law No. 152-FZ thoroughly, so that the provisions of the law and its amendments are applied adequately within the organization.
There is no explicit requirement for a data protection impact assessment under the law. However, the law mandates all operators to take the appropriate measures to assess the effectiveness of the measures taken to protect the collected personal data.
Transfers of data outside Russia to countries that are parties to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Strasbourg Convention), and to other countries that, according to Roskomnadzor, provide adequate data protection guarantees, are allowed.
The regulatory body Roskomnadzor is responsible for approving a list of countries that provide adequate data protection despite not being parties to the Strasbourg Convention. These countries include Australia, Gabonese Republic, Israel, Qatar, Canada, Malaysia, Mongolia, Bangladesh, New Zealand, Angola, Belarus, Benin, Zambia, Kazakhstan, Costa Rica, Korea, Mali, Niger, Peru, Singapore, Tajikistan, Uzbekistan, Chad, Vietnam, Togolese Republic, Brazil, Nigeria, South Africa, and Japan.
Data transfers to countries that are neither parties to the Strasbourg Convention nor approved by the regulatory authority as providing adequate protection can take place on one of the following grounds:
However, any cross-border transfers may be prohibited or limited to protect the foundations of the constitutional system of the Russian Federation, public morality and health, rights, and legitimate interests of citizens or to ensure national defense and state security.
Before transferring personal data, an operator must carry out an assessment to ensure the proposed destination country has reliable data protection mechanisms in place. As per the recent amendment 266-FZ, which comes into effect on September 1, 2022, the data operator must also notify the regulatory authority of its intention to carry out a cross-border data transfer.
Also, data controllers that collect personal data of Russian citizens are required to ensure that the recording, systematization, accumulation, storage, clarification, and extraction of that personal data are carried out using databases located in Russia. This data localization requirement applies to foreign entities that carry out targeted activities in the territory of the Russian Federation and collect personal data of Russian citizens.
Like all other major data protection laws globally, Federal Law No. 152-FZ ensures all users or personal data subjects have certain rights and control over their data. Data subject rights can be exercised under specific circumstances and are subject to exemptions. These rights include the following:
All data subjects have the right to access all personal data collected by the organization.
Additionally, the data subject can request access to the following information:
Data access requests must be responded to within ten working days as per recent amendments to the law.
All data subjects have the right to request an operator to rectify, block or destroy their personal data if the data collected has since become outdated, incomplete, or obsolete. The data subject can also exercise the right to the erasure of data if data is no longer needed for its purpose.
A data subject may request an operator to cease using automated decision-making based on their collected data if they feel their rights or interests are being infringed.
An operator may collect a data subject's personal data for direct marketing purposes if it has obtained prior consent from the data subject. Direct marketing may include promoting goods, works, and services on the market.
A data subject may request an operator to cease sending them any such communications or material. The operator must immediately stop their direct marketing activities to the data subject once such a request is made. If the storage of data is no longer required for the purposes the data was collected for, organizations must destroy the data or ensure its destruction within a period not exceeding thirty days from the date of receipt of the withdrawal request by the data subject.
However, as per the amendment 266-FZ that comes into effect on September 1, 2022, the data operator is obliged to stop the processing of personal data within a period of 10 working days from the date the operator receives the request.
A data subject's consent is required to distribute personal data, or allow it to be disseminated, to an unlimited number of persons. Such consent must be obtained separately from other kinds of consent.
The Federal Service for Supervision of Communications, Information Technology, and Mass Media (Roskomnadzor) is the main supervisory body enforcing the country's data privacy law. It is the authorized federal executive body exercising control and supervision functions in compliance with the Federal Law on Personal Data provisions.
In March 2021, changes were introduced to penalties related to non-compliance with Federal Law No. 152-FZ by data processors or data controllers.
The law provides for compensation for moral harm and the imposition of administrative fines for violation of data localization requirements, violation of data protection legislation, or failing to obtain consent as per the requirements.
The minimum and maximum amounts that can be imposed are as follows:
Repeated commission of an administrative offense is subject to the following administrative fines:
Simply knowing their responsibilities and obligations is often not enough for organizations. Achieving compliance with the law is often easier said than done, owing to the many complications that can arise. Thankfully, many of these problems can be alleviated if an organization has a strong base to work from. Here are some ways an organization can operationalize the law:
Users are now more educated and vigilant about websites or organizations collecting any form of data on them online. Additionally, almost every major country now has a data protection law of some kind in effect or is drafting one. This has meant that organizations have had to amend and evolve their data collection practices to ensure they meet their legal obligations without losing their users' confidence.
However, owing to the sheer amount of data involved, most organizations may find this herculean task rather intimidating. The margin for error is extremely low, and violations of any kind are punished heavily.
This is where Securiti can help.
Request a demo today to see what else Securiti has to offer and how it can help your Federal Law No. 152-FZ compliance efforts.