New rules of audits/inspections of companies processing personal data by the Russian Data Protection Authority

New rules of audits/inspections of companies processing personal data by the Russian Data Protection Authority

04 March 2019

We would like to inform you of the new rules of audits/inspections of companies processing personal data approved by the Decree of the Russian Government dated February 13, 2019 No. 146 «On Approving the Rules on Arranging and Exercising Control over Compliance of Personal Data Processing» («Decree»).

The Russian Data Protection Authority (DPA) is entitled to investigate companies’ compliance with data protection laws. For this purpose, it conducts audits/inspections (scheduled/unscheduled) in accordance with the rules specified in the legislation.

The Decree sets out a new set of rules whichcompletely replacethe previous ones. The key changes introduced by the document are as follows:

  • Certain categories of companies can be inspected more frequently. For example, companies processing sensitive and biometric data; companies acting in the capacity of data processors which are processing data on behalf of data controllers which haveno presence in Russia; companies transferring data to countries considered «inadequate» under Russian law, in terms of data protection (e.g., USA).
  • There is an additional ground for unscheduled inspection. This ground is a decision of the DPA based on monitoring of the company on the Internet (e.g., if data is collected and otherwise processed through websites/app).or analysis of any available information (e.g., information contained in data subjects' complaints; any information in a public domain).
  • Companies will have maximum 6 months to rectify violations revealed in the course of inspection. After inspection, the DPA requests the company to rectify revealed violations. Previous legislation did not set out statutory deadlines for companies to comply with such requests. Under the Decree, the deadline cannot exceed 6 months.
  • The DPA can suspend data processing activities for a period, until the company rectifies violation. This is not a new enforcement power of the DPA. However, unlike previous regulations, the Decree clearly specifies a case/ground where the DPA will request suspension of processing activities - if company does not rectify violation upon request of the DPA, and this violation is sensitive in terms of data subjects' rights and legitimate interests.
  • Apart from inspections, the DPA supervises compliance by way of monitoring companies on the Internet, or analyzing any available information about their processing activities (e.g., information received from data subjects, any other parties, or available in a public domain). Upon such monitoring, the DPA is entitled to request the company to rectify notifiedviolations. If the company does not comply, it will face administrative fines.

We hope that the information provided herein will be useful for you. If you or any of your colleagues would like to receive our newsletters via e-mail, please fill in the 'Subscribe' form at the bottom of the page.

Practices: Data Protection and Cybersecurity

Note: Please be aware that all information provided in this letter was taken from open sources. Neither ALRUD Law Firm, nor the author of this letter bear any liability for consequences of any decisions made in reliance upon this information.

We use cookies to offer better performance of the website and fulfill some other purposes specified in the Privacy Policy. By way of ticking the box you provide your consent to use of cookies. Otherwise, we will only use technical cookies, which are necessary for proper functioning of the website.