The guidance states that the policy must contain, in general, such information as the:
- main purpose of the policy and definitions used in the policy (e.g., personal data, processing, etc.);
- main rights and obligations of the data operator and data subjects;
- purposes for personal data processing;
- legal grounds for personal data processing (i.e., laws, consents, agreements concluded with data subjects, etc.);
- volume and categories of personal data processed (for each category of data subjects, Roskomnadzor recommends that a company list all the personal data it collects and processes, tied to specific purposes, and indicate all cases of processing special categories of personal data or biometric data);
- procedures and conditions for personal data processing (i.e., actions to be undertaken with respect to personal data, information on the transfer of personal data, grounds for ceasing personal data processing, storage terms, and information on compliance with the law’s data localization requirement);
- procedures for updating, correcting, deleting, or destroying personal data; and
- procedures for responding to data subjects’ requests.
The guidance also states that, where there is a need to share personal data with third parties (e.g., service providers or business partners), data operators should explain the measures they take to protect that personal data. Specifically, a data operator’s policy should explain that the data operator enters into contracts with third-party recipients to protect the personal data. The policy should also list the purposes for such sharing, the volume of personal data to be transferred, data use restrictions (including confidentiality obligations), and security measures (including specific organizational and technical measures). Finally, the policy should set forth the names and addresses of third-party recipients of personal data.
Though these recommendations are generally in line with the principles stipulated in the Personal Data Law, and were generally understood by the market as best practices before the guidance was issued, some of the recommendations in the guidance will require more attention and effort from data operators (e.g., the recommendation to list all third parties receiving personal data along with details about the data transferred).
Although the guidance is non-binding and of a recommendatory nature, it is likely that Roskomnadzor, when conducting compliance investigations, will consider whether data operators are following it. Data operators should therefore take these recommendations seriously when developing privacy policies to comply with the Personal Data Law.