Changes in personal data legislation
Olga Abashnikova

Lead Methodology Expert, Unicon Outsourcing

From September 1, 2022, the Federal Law of July 27, 2006 No. 152-FZ "On Personal Data" will come into force in a new version.

Amendments were introduced by Federal Law No. 266-FZ of July 14, 2022.

  1. Roskomnadzor must be notified about the processing of personal data of employees in accordance with labour legislation. Employers have an obligation to notify the Federal Service for Supervision of Communications, Information Technology, and Mass Media (Roskomnadzor) about the processing of personal data of their employees, even if the processing is carried out only within the framework of labour legislation. The current version of the Federal Law "On Personal Data" exempts employers from such obligation (subclause 1 of clause 2 of Article 22 of the Federal Law "On Personal Data"). The list of cases where the operator of personal data may not notify Roskomnadzor will be significantly reduced from September 1, 2022. Such cases include, in particular, the processing of personal data exclusively without the use of automation tools. The procedure for notifying Roskomnadzor about the processing of personal data is provided in Article 22 of the Law "On Personal Data". The notice can be generated on the Personal Data Portal of Roskomnadzor, sent to the territorial body of Roskomnadzor in paper form, in electronic form using an enhanced qualified electronic signature, or in electronic form using USIA authentication tools (
  2. The requirements for the content of the notice have changed. The list of information that must be specified in the notice to Roskomnadzor has been adjusted; it can be found in clause 3 of Article 22 of the Federal Law “On Personal Data”.
  3. The requirements for the consent of the subject of personal data to the processing of his/her personal data are specified. According to the new requirements, consent must be not only specific, informed and conscious, but also substantive and unambiguous (clause 1 of Article 9 of the Federal Law “On Personal Data”). This means that separate consent must be given for each specific purpose. For example, when transferring personal data to an outsourcing company for personnel records and payroll, employees are required to provide a separate consent indicating the name of the legal entity that will process the personal data of employees on behalf of the operator.
  4. The requirements for the content of local acts on the processing of personal data (hereinafter referred to as PD) have been clarified. According to the new rules, for each purpose of processing personal data, it is required to determine the categories and list of processed PD, the categories of subjects whose PD are processed, the methods, terms of their processing and storage, the procedure for destroying PD when the goals of their processing are achieved or when other legal grounds occur. It is also prohibited to include in local acts provisions restricting the rights of PD subjects, as well as imposing on operators powers and obligations not provided for by the legislation of the Russian Federation.
  5. The deadlines for fulfilling requests from Roskomnadzor (hereinafter referred to as RKN) and PD subjects have been reduced. Earlier, the deadline for fulfilling requests was 30 days, now it has been reduced to 10 business days with a possible extension by 5 working days if there is a motivated notification. We recommend making adjustments to the regulatory documents regarding the new changes.
  6. Clarifications on the provision of PD. If, in accordance with federal law, the provision of personal data and (or) obtaining by the operator of consent to the processing of personal data are mandatory, the operator is obliged to explain to the subject of personal data the legal consequences of the refusal to provide this personal data and (or) give consent to their processing. We recommend developing explanations for the subject.
  7. The obligation of operators to notify Roskomnadzor of the cross-border transfer of PD is introduced. This notification is submitted separately from the notification about the start of PD processing. The provision comes into force on March 1, 2023. Operators that carried out cross-border transfer of PD before the date of entry into force of changes to 152-FZ and continue to carry out such transfer after the day of entry into force of changes to 152-FZ are required to send a notification to Roskomnadzor no later than March 1, 2023 about the cross-border transfer of PD.
  8. Interaction with the State system of Detection, Prevention and Elimination of Consequences of Computer Attacks. The obligation of the operator to ensure interaction with the State system of Detection, Prevention and Elimination of Consequences of Computer Attacks, including informing about computer incidents, is established. The procedure for interaction with the State system of Detection, Prevention and Elimination of Consequences of Computer Attacks must be approved by the Federal Security Service of the Russian Federation.
  9. Placement of the PD processing policy on websites. A requirement is introduced to place the operator's policy regarding the processing of PD, or a link to it, on those pages of Internet sites that are used to collect PD.
  10. Notification of Roskomnadzor about incidents with PD. The obligation of the operator to notify Roskomnadzor of the leakage of personal data within 24 hours from the moment the incident is detected is established. Also, within 72 hours, the operator will have to send a notification of the results of the internal investigation of the identified incident, as well as provide information about the persons whose actions caused the identified incident (if any).
  11. Termination of PD processing. A new obligation is introduced for the operator: if the subject of PD applies with a request to stop processing personal data, the operator must, within a period not exceeding 10 business days from the date of receipt of the relevant request, stop processing or, if the PD is transferred to the processor, ensure the termination of such processing.
  12. Destruction of PD by foreign nationals. Please note that when a decision is made by the authorized body to prohibit the transfer of PD to a foreign person, the obligation to destroy the PD that the foreigner received from the operator is on the operator. We recommend that this be written in contracts with foreigners and in orders.
  13. Biometric PD. A prohibition is introduced for the operator to refuse service in the event that the PD subject refuses to provide his/her biometric personal data or consent to the processing of such data. This rule is aimed at curbing the unfair practices of some organizations, primarily credit ones, to force customers to provide consent to the processing of their biometric PD.

