A draft law is being prepared to introduce new fines and increase current fines for non-compliance with requirements in the field of personal data protection

Pepeliaev Group advises that senators Andrey Turchak and Irina Rukavishnikova, and deputy Alexander Hinstein have submitted a draft law to the Russian Government for review. The draft law proposes new administrative fines for operators failing to comply with the requirements of Federal Law No. 152-FZ “On personal data” dated 27 July 2006 (“152-FZ”). In addition, the draft law provides for an increase of current fines for non-compliance with the requirements for the processing of personal data.

The draft law proposes to supplement article 13.11 of the Russian Code of Administrative Offences (the “Code of Administrative Offences”) with clauses 10-17 amended as follows:

Provision of the Code of Administrative Offences

Violation

Fine

article 13.11(10)

Non-fulfilment and/or untimely fulfilment by the operator of the obligation stipulated by Russian legislation in the field of personal data to notify the authorised body for the protection of the rights of personal data subjects of the intention to process personal data

  • for individuals from RUB 5,000 to RUB 10,000;
  • for officers from RUB 30,000 to RUB 50,000;
  • for legal entities from RUB 100,000 to RUB 300,000.

article 13.11(11)

Non-fulfilment and/or untimely fulfilment by the operator of the obligation stipulated by Russian legislation in the field of personal data to notify personal data subjects and the authorised body for the protection of the rights of personal data subjects if the fact of an unlawful transfer (the provision, distribution or access) of personal data was identified, which resulted in a violation of the rights of personal data subjects

  • for individuals from RUB 50,000 to RUB 100,000;
  • for officers from RUB 400,000 to RUB 800,000;
  • for legal entities from RUB 1,000,000 to RUB 3,000,000.

article 13.11(12)

Actions (omissions) of the operator that resulted in an unlawful transfer (the provision, dissemination or access) of information including personal data from 1,000 to 10,000 subjects of personal data, and/or from 10,000 to 100,000 unique designations of information about an individual necessary to identify such a person (“identifiers”), if these actions (omissions) do not contain signs of a criminally punishable action

  • for individuals from RUB 100,000 to RUB 200,000;
  • for officers from RUB 800,000 to RUB 1,000,000;
  • for legal entities from RUB 3,000,000 to RUB 5,000,000.

article 13.11(13)

Actions (omissions) of the operator that resulted in an unlawful transfer (the provision, dissemination or access) of information including personal data from 10,000 to 100,000 subjects of personal data, and/or from 100,000 to 1,000,000 identifiers, if these actions (omissions) do not contain signs of a criminally punishable action

  • for individuals from RUB 200,000 to RUB 300,000;
  • for officers from RUB 1,000,000 to RUB 1,500,000;
  • for legal entities from RUB 5,000,000 to RUB 10,000,000.

article 13.11(14)

Actions (omissions) of the operator that resulted in an unlawful transfer (the provision, dissemination or access) of information including personal data of more than 10,000 subjects of personal data, and/or more than 1,000,000 identifiers, if these actions (omissions) do not contain signs of a criminally punishable action

  • for individuals from RUB 300,000 to RUB 400,000;
  • for officers from RUB 1,500,000 to RUB 2,000,000;
  • for legal entities from RUB 10,000,000 to RUB 15,000,000.

article 13.11(15)

The commission of the administrative offence under clauses 12-14 of this article by a person subjected to an administrative punishment for an administrative offence provided for in clauses 12-14 of this article

  • for individuals from RUB 400,000 to RUB 600,000;
  • for officers from RUB 2,000,000 to RUB 4,000,000;
  • for legal entities from 0.1% to 3% of the total amount of revenue received from the sale of all goods (work, services) for the calendar year preceding the year in which the administrative offence was identified, or for the part of the calendar year preceding the date of the identified administrative offence in which the administrative offence was identified, if the offender did not carry out activities involving sales of goods (work, services) in the previous calendar year, but not less than RUB 15,000,000 and not more than RUB 500,000,000.

article 13.11(16)

Actions (omissions) of the operator that resulted in an unlawful transfer (the provision, dissemination or access) of information including a special category of personal data and/or biometric personal data, except for the cases provided for in article 13.114 of this Code

  • for individuals from RUB 400,000 to RUB 500,000;
  • for officers from RUB 2,000,000 to RUB 3,000,000;
  • for legal entities from RUB 15,000,000 to RUB 20,000,000.

article 13.11(17)

The commission of the administrative offence under clause 16 of this article by a person subjected to an administrative punishment for an administrative offence provided for in clauses 12-14 and 16 of this article

  • for individuals from RUB 500,000 to RUB 800,000;
  • for officers from RUB 3,000,000 to RUB 5,000,000;
  • for legal entities from 0.1% to 3% of the total amount of revenue received from the sale of all goods (work, services) for the calendar year preceding the year in which the administrative offence was identified, or for the part of the calendar year preceding the date of the identified administrative offence in which the administrative offence was identified, if the offender did not carry out activities involving sales of goods (work, services) in the previous calendar year, but not less than RUB 20,000,000 and not more than RUB 500,000,000.

According to clauses 2-3 of Notes to article 13.11 of the Code of Administrative Offences (as amended by the draft law), in articles 13.11(10) - 13.11(17) of the Code of Administrative Offences:

  • an officer means an officer of a state or municipal authority, an employee of a state or municipal institution;
  • a legal entity means an operator which is a legal entity and is neither a state or municipal authority, nor a state or municipal institution.

Below we set out the changes proposed to the current fines provided for by article 13.11 of the Code of Administrative Offences:

Provision of the Code of Administrative Offences

Current wording

Proposed wording

article 13.11(1)

Current wording: Processing of personal data in cases not provided for by the Russian legislation in the field of personal data, or processing of personal data that is incompatible with the purposes of collecting personal data, except for the cases provided for in clause 2 of this article and article 17.13 of this Code, if these actions do not contain a criminally punishable action, entails the imposition of an administrative fine on individuals ranging from RUB 2,000 to RUB 6,000; for officers, a fine from RUB 10,000 to RUB 20,000; and for legal entities, a fine from RUB 60,000 to RUB 100,000.

Proposed wording: Processing of personal data in cases not provided for by the Russian legislation in the field of personal data, or processing of personal data incompatible with the purposes of collecting personal data, except for the cases provided for in clauses 2 and 11-13 of this article and article 17.13 of this Code, if these actions do not contain a criminally punishable action, entails the imposition of an administrative fine on individuals ranging from RUB 10,000 to RUB 15,000; for officers, a fine from RUB 50,000 to RUB 100,000; and for legal entities, a fine from RUB 150,000 to RUB 300,000.

article 13.11(1.1)

Current wording: A repeated administrative offence provided for by part 1 of this article entails the imposition of an administrative fine for individuals in an amount from RUB 4,000 to RUB 12,000; for officers, a fine from RUB 20,000 to RUB 50,000; for individual entrepreneurs, from RUB 50,000 to RUB 100,000; and for legal entities, from RUB 100,000 to RUB 300,000.

Proposed wording: A repeated administrative offence provided for by part 1 of this article entails the imposition of an administrative fine for individuals in an amount from RUB 15,000 to RUB 30,000; for officers, a fine from RUB 100,000 to RUB 200,000; and for legal entities from RUB 300,000 to RUB 500,000.

The draft law also provides for the Code of Administrative Offences to be supplemented with article 13.114 “A violation of requirements in the field of processing biometric personal data”.

What to think about and what to do

Personal data operators are advised to take the following steps now:

  • to check whether information regarding the operator is available in Roskomnadzor’s register of personal data operators (the “Register”). If information about the operator is missing from the Register, the operator should file a notification with Roskomnadzor of the intention to perform processing of personal data (article 22 of 152-FZ);
  • to determine the persons responsible for complying with the requirements for filing a notification of the fact of an unlawful or accidental transfer of (the provision or distribution of, or access to) personal data, and to determine an internal procedure for filing such a notification (article 21(3.1) of 152-FZ);
  • to determine whether the requirements of Order No. 77 of the Russian Federal Security Service “On approving the procedure for operators to interact with the state system for detecting, preventing and eliminating the consequences of computer attacks on information resources of the Russian Federation, including informing the Russian Federal Security Service about computer incidents that have resulted in an illegal transfer of (the provision or distribution of, or access to) personal data” dated 13 February 2023;
  • to ensure that staff are informed of the requirements for the processing of personal data, and that their knowledge is regularly checked.

Help from your adviser

The lawyers of Pepeliaev Group would be happy to provide comprehensive legal support to companies.

Pepeliaev Group provides the following types of services:

  • conducting a full-scale audit (including a technical audit) of the processing of personal data, identifying violations, bringing processes in line with the legislative requirements;
  • drafting and sending a notification of the intention to process personal data, and a notification of the intention to perform cross-border transfers of personal data;
  • drafting legal opinions and providing advice on issues of personal data processing;
  • drafting internal regulations aimed at fulfilling requirements of personal data legislation;
  • providing legal support in liaising with Roskomnadzor and/or a personal data subject;
  • providing training to personnel with regard to the requirements for the processing of personal data; and
  • other services.
