A Law has been passed to increase fines threefold or more for the lack of a personal data subject's written consent
Law firm Pepeliaev Group advises that, on 5 December 2023, the State Duma passed Draft Law No. 353266-8 https://sozd.duma.gov.ru/bill/353266-8
“On amending the Russian Code of Administrative Offences” (the “Law”). The Law provides that fines will be increased for processing personal data without the subject's written consent in cases when such consent must be obtained.
On 7 December, the Law was approved by the Federation Council and forwarded to the Russian President. The Law should be officially published within 7 days from the date when the Russian President signs it and will come into force 10 days after it is officially published.
The Law amends articles 13.11(2) and 13.11(2.1) "A violation of the legislation of the Russian Federation in the field of personal data” of the Russian Code of Administrative Offences (the “Administrative Code”), with article 13.11(2) of the Administrative Code being amended by the Law as follows in terms of fines.
|
The processing of personal data without the written consent of the personal data subject to the processing of his/her personal data in cases when such consent must be obtained in accordance with Russian legislation in the field of personal data, except in the cases provided for in article 17.13 of this Code, if these actions do not contain a criminally punishable act, or the processing of personal data in violation of the requirements established by Russian legislation in the field of personal data for the composition of information to be included in the written consent of a personal data subject to the processing of his/her personal data, shall result in an administrative fine being imposed: |
||
|
Liable party |
Current version |
The Law’s version |
|
for individuals for a company's officers for legal entities |
from RUB 6,000 to RUB 10,000 from RUB 20,000 to RUB 40,000 from RUB 30,000 to RUB 150,000 |
from RUB 10,000 to RUB 15,000 from RUB 100,000 to RUB 300,000 from RUB 300,000 to RUB 700,000 |
The Law has amended article 13.11(2.1) of the Administrative Code as follows in terms of the fines stipulated for a violation:
|
The repeated commission of the administrative offence provided for by part 2 of this article shall result in an administrative fine being imposed |
||
|
Liable party |
Current version |
The Draft Law's version |
|
for individuals for a company's officers for individual entrepreneurs for legal entities |
from RUB 10,000 to RUB 20,000
from RUB 40,000 to RUB 100,000 from RUB 100,000 to RUB 300,000 from RUB 300,000 to RUB 500,000 |
from RUB 15,000 to RUB 30,000
from RUB 300,000 to RUB 500,000 from RUB 500,000 to RUB 1 million from RUB 1 million to RUB 1.5 million |
We remind you that, in cases stipulated by the federal law, personal data is processed only with the written consent of the personal data subject (article 9(4) of the Law on personal dataFederal Law No. 152-FZ “On personal data” dated 27 July 2006.
). Such consents may include:
-
an employee's consent to his/her personal data being transferred to a third party, including for commercial purposes (article 88 of the Russian Labour Code);
-
an employee's consent to his/her personal data being received from a third party (article 86(3) of the Russian Labour Code);
-
a subject's consent to special categories of personal data being processed concerning his/her racial or national origin, political views, religious or philosophical convictions, state of health or intimate life (article 10(2)(1) of the Law on personal data);
-
a subject's consent to biometric personal data (information that characterises the physiological and biological features of a person, based on which his/her identity can be established and which is used by the operator to establish the identity of the personal data subject) being processed (article 11(1) of the Law on personal data), including an individual’s consent to biometric personal data being processed for the purposes of authenticating him/her (article 16(3)(5) of Federal Law No. 572-FZ dated 29 December 2022);Federal Law No. 572-FZ dated 29 December 2022 "On identifying and/or authenticating individuals using biometric personal data, on amending certain legislative instruments of the Russian Federation and on repealing certain provisions of legislative instruments of the Russian Federation".
-
a subject's consent to his/her personal data being included in publicly available sources of personal data, including directories and address books (article 8(1) of the Law on personal data);
-
a subject's consent to a decision being taken, based solely on automated processing of his/her personal data, that gives rise to legal consequences with respect to him/her or otherwise affects his/her rights and legitimate interests (article 16(2) of the Law on personal data).
The Law on personal data, in article 9(4), provides for requirements for written consents of personal data subjects. In particular, written consent of a personal data subject must include:
-
the forename, patronymic name and surname, and address of the personal data subject, and the number, date of issuance and issuing authority of the personal data subject’s principal ID document;When consent is received from a representative of a personal data subject, there is a need also to state in the consent the forename, patronymic name and surname, and the address of the personal data subject's representative, as well as the number of the principal ID document that establishes his/her identity together with information about the date of issuance and issuing authority of the document in question, and details of the power of attorney or other document confirming such representative’s powers.
-
the full name/corporate name and address of the operator receiving the consent of the personal data subject;
-
the purpose of processing personal data;
-
the list of personal data to the processing of which the personal data subject has given his/her consent;
-
the full name/corporate name and address of a person processing personal data at the operator’s request if another person is to be instructed to carry out the processing;
-
the list of actions with personal data to which consent is given, and a general description of the methods for processing personal data that the operator uses;
-
the period throughout which the subject’s consent will have effect and the procedure for revoking the consent, unless the federal law establishes otherwise; and
-
the signature of the personal data subject.
If the requirements for the form of consent are not met, this is a violation of legislation on personal data and may entail liability under article 13.11(2) of the Administrative Code.
We remind you that consent in the form of an electronic document signed using an electronic signature in accordance with the federal law is acknowledged to be equivalent to written consent in hard copy containing the personal data subject’s handwritten signature (article 9(4) of the Law on personal data).
What to think about and what to do
If a company, for example, transfers employees' personal data to third parties (when dealing with counterparties) and/or processes special categories of personal data (information about the state of health in sick leave certificates), it must comply with the statutory requirements for the written consent of subjects. Not complying with such requirements can lead to a company (an officer of it) having an administrative fine imposed.
We recommend that all interested parties should:
-
determine whether the company processes personal data in cases requiring that written consent be obtained;
-
draw up the corresponding forms of consents, which contain the established list of information;
-
ensure that written consents are received, including that consents are received when necessary in the form of an electronic document signed with an electronic signature.
Help from your adviser
The lawyers of Pepeliaev Group stand ready to provide comprehensive legal support to companies as they comply with personal data legislation.
The range of services that Pepeliaev Group provides includes the following:
1. Drawing up the set of necessary forms of consent, including:
-
a subject's consent to personal data being processed in accordance with the operator's specific purposes of processing the personal data (consent to the personal data of a candidate for a vacant position being processed, consent to personal data of an employee's relative being processed, consent to personal data of visitor to a website being processed, etc.)
-
a subject's consent to an instruction to process personal data;
-
consent to personal data being processed that the personal data subject has permitted to be disseminated;
-
a subject's consent to personal data being processed with a view to promoting goods, work or services on the market by contacting a potential consumer directly using communications tools, and for the purpose of political campaigning;
-
a subject's consent to biometric personal data being processed;
-
a subject's consent to special categories of personal data being processed;
-
an employee's consent to his/her personal data being obtained from a third party;
-
an employee's consent to his/her personal data being transferred to a third party, including for commercial purposes;
-
a subject's consent to his/her personal data being included in publicly available sources of personal data;
-
a subject's consent to a decision being taken based solely on automated processing of his/her personal data, which gives rise to legal consequences with respect to him/her or otherwise affects his/her rights and legitimate interests.
2. Advising on issues of complying with the written form of consents, including issues of using electronic signatures.
3. Assisting in arranging the process of obtaining consents.
4. Drawing up agreements for electronic interaction.
5. Assisting in determining whether personal data that a company is processing constitutes biometric personal data.
6. Drawing up the necessary documents regulating the processing of personal data.
Translated by the Translation Department of Pepeliaev Group