July
2017
Personal data: to what extent have fines increased in 2017?
VEGAS LEX: Personal data, how fines increased in 2017
On July 1st, 2017, several amendments[1] to Article 13.11 of the Russian Federation Code on Administrative Offenses (hereinafter the KoAP RF) entered into force, introducing significant changes to the provisions that define liability for violating legislation in the area of personal data (hereinafter PD).
Not only do these amendments considerably raise the fines for PD operators (for legal entities up to 75,000 rubles), but they also replace one vaguely worded set of elements in the provisions for administrative liability concerning PD with seven new sets of elements.
The power to file administrative charges has been transferred from the Prosecutor's Office to the Federal Service for Oversight of Communications, Information Technologies, and Mass Communications (Roskomnadzor).
What was there before?
Before July 1st, 2017, Article 13.11 in the KoAP RF provided for only one set of elements in the provisions for administrative liability.
| Set of elements in the provisions for administrative liability | Minimum fine for legal entities (rubles) | Maximum fine for legal entities (rubles) |
|---|---|---|
| Violating the procedure established by law for collecting, storing, using, and distributing information about people (PD) | 5,000 | 10,000 |
What is there now?
Starting July 1st, 2017, Article 13.11 of the KoAP RF was completely replaced by seven new sets of elements in the provisions for administrative liability. The thresholds for the maximum and minimum fines for legal entities have been raised.
| Section of Article 13.11 in the KoAP RF | Set of elements in the provisions for administrative liability [2] | Minimum fine for legal entities (rubles) | Maximum fine for legal entities (rubles) |
|---|---|---|---|
| Sec. 1 | Processing PD in cases not provided for by Russian Federation legislation in the area of PD, or processing PD in ways not consistent with the goals for collecting PD | 30,000 | 50,000 |
| Sec. 2 | Processing PD without written consent from the subject of PD for processing his/her PD in cases where consent must be obtained in conformity with Russian Federation legislation, or processing PD in violation of established Russian Federation legislative requirements concerning the composition of information that needs to be included in the written consent form given by the subject of PD to process his/her PD | 15,000 | 75,000 |
| Sec. 3 | Failure by an operator to perform its responsibilities in relation to publishing or in some other way providing unrestricted access to the document that defines the operator's policies concerning the processing of PD, or provides information about the requirements that have been implemented to keep PD secure | 15,000 | 30,000 |
| Sec. 4 | Failure by an operator to perform its responsibilities in relation to providing the subject of PD information concerning the processing of his/her PD | 20,000 | 40,000 |
| Sec. 5 | Failure by an operator to perform its responsibilities in those time frames established by Russian Federation legislation, requirements posed by the subject of PD or his/her representative, or by an authorized agency, for protecting the rights enjoyed by the subject of PD in relation to specifying PD, blocking access to it, or destroying it if the PD is incomplete, inexact, or obtained unlawfully, or is not necessary to meet the objectives set for processing PD | 25,000 | 45,000 |
| Sec. 6 | Failure by an operator to perform its responsibilities when processing PD to use automated equipment to ensure compliance with conditions that preserve the integrity of PD when PD is being stored on tangible media and that preclude the possibility of unauthorized access to it, if that failure led to unauthorized or accidental access to the PD or to its being destroyed, altered, blocked, copied, furnished, or distributed, or to other unlawful actions with respect to the PD | 25,000 | 50,000 |
| Sec. 7 | Failure by an operator that is a government federal or municipal authority to perform its responsibilities in the area of PD to depersonalize PD in conformity with established Russian Federation legislation, or failure to comply with requirements or methods used to depersonalize PD | Fine for senior officials from 3,000 to 6,000 rubles | |
This means that a PD operator should pay special attention to legislation in the area of PD, including developing and adopting a PD policy (or checking to see whether the existing PD policy complies with legislation), designating a person responsible for processing PD, developing a consent form for the subject of PD to have his/her PD processed, fixing that form through a local bylaw (or checking a bylaw that has already been adopted for compliance), obtaining this form in all cases called for under current legislation, and also complying with other legislative requirements in the area of PD.
Implementing a comprehensive set of steps will help prepare for any audits done by Roskomnadzor and avoid administrative penalties.
[1] Introduced by Russian Federation Federal Law No. 13-FZ, dated February 7th, 2017, entitled "On introducing amendments into the Russian Federation Code of Administrative Offenses."
[2] For the sake of convenience in presenting this information, and so the reader can perceive it better, the table only briefly lays out the essence of the set of elements in the provisions for administrative liability.