How to Prepare for Roskomnadzor Inspection and Avoid Penalties
Roskomnadzor checks compliance with mass media and information technology laws. When inspecting a company, Roskomnadzor is primarily guided by Federal Law No. 152-FZ "On Personal Data". An audit can be either scheduled or unplanned. Individual entrepreneurs and legal entities that are personal data operators must prepare in advance for the inspection.
Scheduled inspection by Roskomnadzor is conducted once in 3 years. Thus, if there were no inspections in your company in the last 3 years, then it is time to prepare for it.
Types of inspections
They can be scheduled and unscheduled, documentary and field check.
Roskomnadzor informs in advance about these inspections. You will receive a letter with information about the date. Each company can find out whether it is included in the list of those who will be checked this year. The inspection plan is published on Roskomnadzor's website.
As mentioned above, the criterion for including an organization into the plan is the 3-years period from the date of state registration of the company or the last scheduled audit. In some cases, it may be conducted once every 2 years. They are as follows:
The operator uses GIS (Geographic Information System) for personal data processing
The operator collects biometric, or special categories of personal data
Cross-border transfer of personal data to countries that do not provide adequate protection of the rights of subjects.
The operator processes personal data on behalf of the foreign state.
It is usually initiated if the company is subject to complaints. For example, people may complain about unsolicited advertisement e-mails, SMS-spam, or phone calls.
Roskomnadzor informs about unscheduled inspection at least 24 hours before.
In this case, Roskomnadzor requests a list of documents. You should send copies of documents to the territorial body of Roskomnadzor. If the documents are not submitted in time, the regulator has the right to initiate a field inspection.
Inspectors come to the company office to check if their activities meet the requirements of Federal Law No. 152-FZ.
The scheduled inspection takes 20 working days and can be prolonged for up to 20 more working days. The unscheduled inspection takes 10 working days. If an organization operates on the territory of several entities, the inspection is conducted in each office, but the total period of an inspection for a company shall not be more than 60 working days.
What do the Roskomnadzor inspectors check?
First, the inspectors check all the necessary documents. The main thing that they will pay attention to is whether the company has submitted a notification to Roskomnadzor. A company that has not sent a notification and does not fall under the exceptions of the law will be subject to prosecution.
If a notification is submitted to Roskomnadzor, the inspectors will compare it with the real processes of processing personal data in the company. If the information does not correspond to reality, the company may be fined. For example, if the person responsible for organizing the processing of personal data has changed in the company and you did not send to Roskomnadzor the information letter about this change in time.
Roskomnadzor also reviews the company's website. If a website collects personal data (name, phone number, user's email address) but does not publish the company's policy regarding the processing of personal data, the company will be fined.
During the inspection, the regulator may ask for forms of documents containing personal data. For example, these may be questionnaires for job applicants. The forms themselves should be prepared in advance.
Roskomnadzor pays particular attention to the processing of special personal data. These categories include information on race, nationality, political views, religious or philosophical beliefs, health status, and intimate life. Such data can be collected only with the written consent of a person and only on legal grounds.
If your company provides personal data to other organizations (e.g. to banks), check a contract with them. It should specify the following: a purpose for the personal data transfer to another company, what actions they perform with them, the obligation of the company to ensure the confidentiality and security of personal data received.
The inspection results in the drawing up of an act. All errors found during the inspection, are included in the document. The responsible person of the company receives an act by registered letter or e-mail. The head of the company can find out the inspection results on the website of the supervisory authority.
You can appeal against the results of the inspection within 15 days. To do so, you should send objections to the Supervisory Authority. For the successful outcomes, it is necessary to prepare reasonable arguments to defend your position. For example, it is possible to refer to the lack of notification in time, involvement of specialists without accreditation, and failure to meet deadlines. The complaint will be considered within 30 days.