On 1 March 2023, changes to Federal Law No. 152-FZ On Personal Data came into force, regarding the procedure for transferring personal data outside the Russian Federation.
According to these changes, foreign states will be still divided into those that provide adequate protection of the rights of personal data subjects, and those that do not provide such protection, as was previously the case in 152-FZ.
However, now two regimes have been introduced for cross-border transfer of personal data — notification and permitting. This means that personal data operators must anyway notify Roskomnadzor of their intention to transfer personal data outside of Russia and RKN will consider such notifications within 10 working days.
Notification regime is applied when transferring personal data to countries with adequate protection of the rights of subjects (which ratified the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data) . After notification, the operator may transfer personal data to the specified countries until RKN makes a decision to prohibit or restrict such transfer;
Permissive regime is applied when transferring personal data to countries without adequate protection of the rights of subjects. After notification, the operator cannot transfer personal data to the specified countries until RKN considers the notification, except in cases where this is necessary to protect the life, health or other important interests of the subject or other persons. Thus, the transfer of personal data to these countries is possible without the consent of the subject or other grounds provided for by law, subject to the permission of RKN.
Roskomnadzor has the right to request additional information from the operator in order to assess the reliability of the data specified in the notification. This information includes measures taken by foreign authorities, foreign individuals and legal entities to protect transferred personal data and the conditions for terminating their processing. Roskomnadzor may also request information on the legal regulation of personal data in foreign countries under the jurisdiction of which data recipients are located, if these states do not provide adequate protection of the rights of personal data subjects. In addition, Roskomnadzor may request information about authorities of foreign states, foreign individuals and legal entities, including their names, full names, contact numbers, postal addresses and email addresses.
The list of purposes for which cross-border transfer of personal data may be prohibited or limited has been expanded. Previously, this list included protecting the foundations of the constitutional system of the Russian Federation, morality, health, rights and legitimate interests of citizens, ensuring the defense of the country and the security of the state. From 1 March 2023, the following goals are added to the list: protecting the economic and financial interests of the Russian Federation, ensuring the protection of the rights, freedoms and interests of citizens of the Russian Federation through diplomatic and international legal means, as well as protecting the sovereignty, security, territorial integrity of the Russian Federation and its other interests in the international arena.
If RKN decides to prohibit or restrict the cross-border transfer of personal data, the operator is obliged to destroy previously transferred personal data by an authority of a foreign state, a foreign individual or a foreign legal entity.
Denmark is not a party of Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, as well as it is not included in the list of Roskomnadzor of the countries which duly comply with the provisions of this Convention, the rules of law in force in the relevant state and the measures taken to ensure the confidentiality and security of personal data during their processing.
Therefore, it is most probably that the transfer of personal data to Denmark may will not be approved by Roskomnadzor if the personal data operator applies there with a corresponding request.