Russia adopts new rules on supervision of data controllers

At the end of 2021, the Russian Data Protection Authority (DPA) will publish its 2022 plans for regular inspections to investigate companies' compliance with data protection laws. As 2022 inspections will be subject to the new rules, it is time for companies to start preparing and monitoring their regular inspections schedule.

Scope of inspections

On 29 June 2021, the government adopted Decree No. 1046, which approved new rules of inspections for companies processing personal data. The new rules came into force on 1 July 2021 and introduce a risk-based approach and new supervisory measures for DPA inspections.

Under the new regulations, the DPA must inspect entire data processing operations and the compliance procedures performed by data operators and their processors. The concept of a "data operator" in Russia is similar to the concept of a "data controller" under the EU General Data Protection Regulation. The DPA may check national companies and local offices of international companies as well.

What is a risk-based approach?

Taking a "risk-based approach" means that the DPA will classify inspectees in one of five risk groups. Such groups determine the frequency and type of the scheduled supervisory measures carried out as part of the inspections. For instance:

• A "high-risk" company will be subject to scheduled inspections once in a two-year period.
• A "substantial-risk" company will be subject to scheduled inspections once in a three-year period.
• A "low-risk" company will not be subject to any scheduled inspections at all.

International companies should take into account that the following actions may lead to classification in a high-risk or substantial-risk group:

• the collection of personal data using databases located outside Russia;
• the use of non-Russian programs and services for the collection of personal data; and
• cross-border data transfers to countries that do not provide an adequate level of protection (ie, countries that are not signatories to the Strasbourg Convention and are not included in the DPA's official list).

Some of the DPA's regional offices have started publishing lists of companies classified in certain risk groups. For instance, the central DPA division has published a list of companies categorised in the substantial-risk and average-risk groups. It is expected that companies mentioned on these lists will be subject to regular inspection schedules in 2022.

The application of a risk-based approach will make the DPA's inspections more targeted, taking into account the actual activities of data operators. International companies operating in Russia should monitor the lists of companies categorised in certain risk groups on the websites of the DPA's regional offices and analyse the criteria mentioned above to assess their risks of being subject to the DPA's inspections.

How will the DPA carry out inspections?

Under the new rules, the DPA will conduct scheduled and unscheduled inspections and supervise compliance by monitoring companies on the Internet and analysing any available information about their processing activities.

Supervisory activities include documentary and on-site inspections that should not exceed 10 business days. In addition, there is the possibility of an inspector's visit. Inspectors may conduct short-term (one-day) on-site inspections and inspectees must provide free access to offices and respond to all of the inspector's inquiries. This type of supervisory activity is conducted without prior notice. Thus, the only way to be ready for such unscheduled visits is to establish routine compliance management procedures and always be prepared to demonstrate compliance with data protection laws.

Since the pattern of supervisory activities has changed, there is no relevant practice yet on how these activities will be carried out.

What should companies do?

In light of this development, companies should:

• determine the risk group of their Russian offices and check the lists of companies categorised in certain risk groups on the websites of the DPA's regional offices;
• monitor the regular inspections schedule on the websites of the DPA's regional offices from the end of November 2021 and into the start of December 2021. The new rules require inspection plans to be confirmed with the public prosecutors' offices. Therefore, it is expected that DPA inspections will appear on the unified register of state inspections;
• keep their privacy compliance procedures in good order and never leave them to the last minute; and
• keep monitoring the DPA's supervisory activities and related case law.