What has changed since March 1, 2023 in personal data (PD) protection?

1. Additional measures of control over cross-border transfer of Russian citizens’ PD

Roskomnadzor now has the right to impose bans and restrictions.
Grounds for prohibition:
  • The PD recipient failed to protect PD or to determine the conditions for stopping the PD processing
  • The PD recipient is a company prohibited in Russia
  • The PD recipient is listed among “undesirable” companies
  • Cross-border transfer and further processing of PD does not meet the initial PD collection purposes
  • Transferred PD is processed illegally

Grounds for restriction:
  • The content and scope of PD do not correspond to the purpose of the transfer
  • The list of PD owners does not correspond with the PD collection purposes

2. New rules for deleting PD

Roskomnadzor has defined requirements for PD deletion (the companies used to decide how to formalize the deletion at their own discretion).
  • If PD is processed without automatization tools (paper or simple files, for example, in Excel, Word without further processing in software), it is necessary to draw up a free-form PD Deletion Act
  • If PD is processed by means of automatization tools (1C, SAP, Workday, Concur and any other software, which implies PD automated processing), or in case of a combined processing (paper and software), it is necessary to draw up PD Deletion Act with the report from the software registry attached. Both documents are prepared according to the new Roskomnadzor requirements

(!) PD deletion acts shall be kept for 3 years.

3. Assessment of harm

Companies are obliged to assess in advance the potential harm to PD owners. The results of the assessment are fixed in an act.

Level of harm:
  • High - for example, biometric PD processing or information about minors, “sensitive” categories of PD (race, ethnicity, political views, health, criminal records, and others), entrusting PD processing to foreign companies, or failure to comply with localization rule
  • Medium - for example, publication of the PD in Internet, selling goods on a marketplace, collecting e-consents without proper identification of users
  • Low - for example, PD in open-sources (address books, etc.), outsourcing of a PD manager (DPO, etc.)


  1. Verify the list of PD recipients and PD owners (employees, clients and counterparties), which data is transferred.
  2. Limit the list of countries, whereto the PD is transferred, up to the most necessary ones (mind the countries with “inadequate” PD protection).
  3. Request information from foreign recipients on the terms of processing of PD (wanted by Roskomnadzor).
  4. Notify Roskomnadzor on a cross-border transfer of PD.
  5. Audit the documents and information systems and delete unnecessary PD.

AB Lawyers will be glad to assist you on any personal data protection matter.

For more details, please follow the link.