Roskomnadzor publishes privacy guidelines for data operator
The Russian data protection authority Roskomnadzor published guidelines for data operators on the drafting of privacy policies on July 31.
Russian data operators must adopt a privacy policy to comply with Russian data protection law. The policy must describe how they process of personal data. This policy shall be published online if personal data is collected online. In case of collecting personal data offline an unrestricted access to the policy has to be guaranteed.
The policy shall be detailed so that data subjects are aware of all potential actions.
According to the guidance the policy must contain in general the following information:
- main purpose of the policy and definitions used in the policy
- main rights and obligations of the data operator and data subjects,
- purposes for personal data processing,
- legal grounds for personal data processing
- volume and categories of personal data processed. For each category of data subjects, Roskomnadzor recommends that a company list all the personal data it collects and processes tied to specific purposes and indicate all cases of processing special categories of personal data or biometric data,
- procedures and conditions for personal data processing,
- procedures for updating, correcting, deleting, or destroying personal data and
- procedures for responding to data subjects’ requests.
In addition the guideline regulates the case of sharing personal data with third parties. The data operator has to explain the taken measures to protect personal data and beside the purpose of sharing, the volume of personal data to be transferred, the data use restrictions and security measures. Furthermore the name and the address of the the third party need to be published in the policy.
Finally it shall be mentioned that the guidance is recommendatory nature and non-binding. Nonetheless data operators should strongly take these recommendations into account if they develop new privacy policies to be compliant with the Personal Data Law.