On March 1, 2023, a new version of Article 12 of the Federal Law “On Personal Data” comes into force, which establishes the operator's obligation to submit a notification about his intention to carry out cross-border transfer of personal data to the Federal Service for Supervision in the Sphere of Telecom, Information Technologies and Mass Communications (Roskomnadzor).
Such notification must contain the following information:
- information about the operator
- information about the notification on the intention to process personal data
- information about the person responsible for processing personal data
- legal basis of personal data processing
- the purpose of cross-border transfer and further processing of personal data
- categories and list of personal data transferred
- categories of the personal data subjects
- a list of foreign countries in whose territory the cross-border transfer of personal data is planned
- the date of the operator's assessment of compliance by the authorities of foreign states, foreign individuals, foreign legal entities to whom the cross-border transfer of personal data is planned, the confidentiality of personal data and ensuring the security of personal data during their processing
What should be done before submitting such a notification?
An audit of personal data processing procedure should be conducted and the general notification of personal data processing should be brought (in particular, the list of data, processing purposes, legal grounds) into line with the current processes.
When preparing an updated notification on the processing of personal data, the forms approved by the new Order of Roskomnadzor1 should be followed.
Why is this necessary?
In order to avoid a contradiction between the notification of the intention to carry out a cross-border transfer and the notification of the processing of personal data and to reduce the risks of prohibiting the cross-border transfer of personal data.
What should be taken into account in case of cross-border transfer?
- if there is a consent of the subject or other legal basis for the cross-border transfer of personal data
- if the host country does provide an adequate level of personal data protection (see Order of Roskomnadzor2)
1 Order of the Federal Service for Supervision in the Sphere of Telecom, Information Technologies and Mass Communications № 180 dated October 28, 2022 "On approval of forms of notifications of intent to process personal data, on changing the information contained in the notification of intent to process personal data, on termination of personal data processing"
2 Article 5 of Federal Law No. 154-FZ of 11.06.2022 Order of the Federal Service for Supervision in the Sphere of Telecom, Information Technologies and Mass Communication № 128 dated August 5, 2022 "On Approval of the List of Foreign States Providing adequate protection of the rights of personal data subjects" (effective from March 1, 2023)