Data protection laws sometimes include conformity assessments, which help to ensure businesses follow regulations. Requirements can include registration with the Data Protection Authority and random audits.
In Russia, controllers, such as employers, are required to notify the Data Protection Authority of their intention to process personal data, with few exceptions (Data Protection Law, Sec. 22). Roskomnadzor (the Federal Service for Supervision of Communications, Information Technology and Mass Media) treats these exceptions very restrictively, and therefore almost all companies fall within the scope of the requirement to file a notification. The exceptions that may apply to employers include when the personal data:
HR Best Practices: Employers and other data controllers are required to notify the Data Protection Authority if personal data will be processed, with few exceptions. The notification should be filed once and include all of the company’s data processing activities. If there are any changes in processing activities, the data controller is obliged to notify Roskomnadzor of the changes within ten business days.
Only a company, branch or representative office that is registered in Russia can file the notification. The requirement to notify Roskomnadzor does not apply to non-Russian legal entities without any presence in Russia (branch, representative office, or subsidiary).