New rules for inspection of personal data operators by Roskomnadzor
On February 13, 2019, the government approved rules according to which Roskomnadzor will inspect personal data operators. These new rules have been developed instead of regulations on personal data processing. We have reviewed the main changes below.
Two grounds for scheduled inspection instead of three
The beginning of personal data processing is excluded from the list of grounds for inclusion in inspection schedule so only the two following grounds remain for inclusion in inspection schedule within 3 years of:
- The operator’s state registration as legal entity, individual entrepreneur;
- The last scheduled inspection of the operator.
Changes in frequency of scheduled inspection
According to the new rules, Roskomnadzor will now conduct scheduled inspections no more than once every 2 years if:
- The operator uses state information systems for personal data processing;
- The operator collects biometric and other special personal data;
- The operator transfers data to a foreign country that does not provide adequate protection of data subjects’ rights;
- The operator processes personal data on behalf of a foreign state body, foreign legal entity or foreign individual not duly registered in the Russian Federation.
Additional ground for unscheduled inspection
It will now be possible to conduct unscheduled inspections on the basis of decisions issued by the head of Roskomnadzor upon examination of reports on violations identified without the operator. For example, when an inspector finds that a company fails to observe the rules when posting information on the internet or in the media.
Shorter unscheduled inspection
Unscheduled inspections cannot exceed 10 working days and may be extended once by no more than 10 working days. The duration for conducting scheduled inspections has remained unchanged, i.e. no more than 20 working days.
Changes to documentary inspections
- Unscheduled documentary inspections will no longer be conducted.
- The deadline for document submission by operators for scheduled inspections has been shortened from 10 to 5 working days from the date of receipt of Roskomnadzor request.
- If errors are found in the documents and information provided during a documentary inspection, or if Roskomnadzor finds inconsistencies in the documents and information it has, then it will inform the operator and request clarifications. The operator should provide the necessary clarifications in writing or electronically within 3 working days instead of 10 working days previously.
Procedure for field check
- A field check begins with the inspection officers:
- Presenting their official ID;
- Being introduced to the representative of the inspected company with the:
- order for field check and his/her credentials, inspection goals, objectives and grounds;
- type and scope of verification;
- inspection deadlines and conditions.
- Prior to the inspection, inspection officers make a written request for provision of documents and information necessary for the inspection;
- The operator is given at least 2 working days to provide these documents;
- The operator must send via the internet copies of the requested documents certified by company seal (if any) and signature of its representative. Documents must also be certified by an encrypted digital signature.
Longer list of grounds for inspection extension
Inspections may be extended if:
- Documents evidencing that the operator is in breach of the law are received during the inspection from law enforcement agencies, procurators or other sources;
- Circumstances of force majeure (flooding, fire, etc.) occur where an inspection is conducted;
- The operator has failed to provide the necessary documents during the inspection;
- The inspection officer does not have time to complete the inspection due to the large number of documents, personal data processing activities, the operator’s multidivisional structure the complexity of technological processes.
Previously, only that the last ground from this list used to apply.
Roskomnadzor must issue orders for inspection extension
To extend an inspection, Roskomnadzor must:
- Issue an order to inspection extension.
- Send a copy of the order to the operator in any convenient way within 3 days of the order issuance date. The term for elimination of violations is 6 months.
During the inspection, Roskomnadzor compiles a list of violations that must be rectified. The term for rectification of violations may not exceed 6 months from the date of issuance of order for elimination of violations.
Roskomnadzor may request to suspend personal data processing
If the operator violates the legal rights and interests of data subjects, then Roskomnadzor may request to suspend the processing of personal data until rectification of the violation specified in the order issued by Roskomnadzor.
We recommend verifying compliance with legal requirements in advance. We would be pleased to verify that your company duly complies with personal data laws.