|
||
Pepeliaev Group advises that senators Andrey Turchak and Irina Rukavishnikova, and deputy Alexander Hinstein have submitted a draft law to the Russian Government for review. The draft law proposes new administrative fines for operators failing to comply with the requirements of Federal Law No. 152-FZ “On personal data” dated 27 July 2006 (“152-FZ”). In addition, the draft law provides for an increase of current fines for non-compliance with the requirements for the processing of personal data.
The draft law proposes to supplement article 13.11 of the Russian Code of Administrative Offences (the “Code of Administrative Offences”) with clauses 10-17 amended as follows:
Provision of the Code of Administrative Offences |
Violation |
Fine |
article 13.11(10)
|
Non-fulfilment and/or untimely fulfilment by the operator of the obligation stipulated by Russian legislation in the field of personal data to notify the authorised body for the protection of the rights of personal data subjects of the intention to process personal data |
|
article 13.11(11)
|
Non-fulfilment and/or untimely fulfilment by the operator of the obligation stipulated by Russian legislation in the field of personal data to notify personal data subjects and the authorised body for the protection of the rights of personal data subjects if the fact of an unlawful transfer (the provision, distribution or access) of personal data was identified, which resulted in a violation of the rights of personal data subjects |
|
article 13.11(12)
|
Actions (omissions) of the operator that resulted in an unlawful transfer (the provision, dissemination or access) of information including personal data from 1,000 to 10,000 subjects of personal data, and/or from 10,000 to 100,000 unique designations of information about an individual necessary to identify such a person (“identifiers”), if these actions (omissions) do not contain signs of a criminally punishable action |
|
article 13.11(13)
|
Actions (omissions) of the operator that resulted in an unlawful transfer (the provision, dissemination or access) of information including personal data from 10,000 to 100,000 subjects of personal data, and/or from 100,000 to 1,000,000 identifiers, if these actions (omissions) do not contain signs of a criminally punishable action |
|
article 13.11(14)
|
Actions (omissions) of the operator that resulted in an unlawful transfer (the provision, dissemination or access) of information including personal data of more than 10,000 subjects of personal data, and/or more than 1,000,000 identifiers, if these actions (omissions) do not contain signs of a criminally punishable action |
|
article 13.11(15)
|
The commission of the administrative offence under clauses 12-14 of this article by a person subjected to an administrative punishment for an administrative offence provided for in clauses 12-14 of this article |
|
article 13.11(16)
|
Actions (omissions) of the operator that resulted in an unlawful transfer (the provision, dissemination or access) of information including a special category of personal data and/or biometric personal data, except for the cases provided for in article 13.114 of this Code |
|
article 13.11(17)
|
The commission of the administrative offence under clause 16 of this article by a person subjected to an administrative punishment for an administrative offence provided for in clauses 12-14 and 16 of this article |
|
According to clauses 2-3 of Notes to article 13.11 of the Code of Administrative Offences (as amended by the draft law), in articles 13.11(10) - 13.11(17) of the Code of Administrative Offences:
Below we set out suggestions regarding current fines provided for by article 13.11 of the Code of Administrative Offences:
Provision of the Code of Administrative Offences |
Current wording |
Proposed wording |
article 13.11(1)
|
Processing of personal data in cases not provided for by the Russian legislation in the field of personal data, or processing of personal data that is incompatible with the purposes of collecting personal data, except for the cases provided for in clause 2 of this article and article 17.13 of this Code, if these actions do not contain a criminally punishable action, entails the imposition of an administrative fine on individuals ranging from RUB 2,000 to RUB 6,000; for officers, a fine from RUB 10,000 to RUB 20,000; and for legal entities, a fine from RUB 60,000 to RUB 100,000. |
Processing of personal data in cases not provided for by the Russian legislation in the field of personal data, or processing of personal data incompatible with the purposes of collecting personal data, except for the cases provided for in clauses 2 and 11-13 of this article and article 17.13 of this Code, if these actions do not contain a criminally punishable action, entails the imposition of an administrative fine on individuals ranging from RUB 10,000 to RUB 15,000; for officers, a fine from RUB 50,000 to RUB 100,000; and for legal entities, a fine from RUB 150,000 to RUB 300,000. |
article 13.11(1.1)
|
A repeated administrative offence provided for by part 1 of this article entails the imposition of an administrative fine for individuals in an amount from RUB 4,000 to RUB 12,000; for officers, a fine from RUB 20,000 to RUB 50,000; for individual entrepreneurs, from RUB 50,000 to RUB 100,000; and for legal entities, from 100,000 to RUB 300,000. |
A repeated administrative offence provided for by part 1 of this article entails the imposition of an administrative fine for individuals in an amount from RUB 15,000 to RUB 30,000; for officers, a fine from RUB 100,000 to RUB 200,000; and for legal entities from 300,000 to RUB 500,000. |
The draft law also provides for the Code of Administrative Offences to be supplemented with article 13.114 “A violation of requirements in the field of processing biometric personal data”.
It is now advisable for personal data operators already:
The lawyers of Pepeliaev Group would be happy to provide comprehensive legal support to companies.
Pepeliaev Group provides the following types of services: