A law has been published to toughen liability for violations in the sphere of personal data
Pepeliaev Group advises that, on 24 February 2021, a Federal Law[1] was published to amend the Russian Code of Administrative Offences (the “Administrative Code”), namely: to significantly increase administrative fines for violating legislation in the sphere of personal data (“PD”).
Within the trend of increasing state control in the sphere of PD, almost all fines have been doubled (except for those which were established for violating localisation requirements). Thus, for instance, a company may be fined up to RUB 150,000 for the absence of a written consent. A rather strict new development is that a warning is excluded from article 13.11 of the Administrative Code as a type of administrative sanction.
Moreover, sanctions have been introduced for repeated administrative violations. This applies to the following elements of the offence:
A crucially important new development is that the statute of limitations for holding a person liable in the sphere of PD has been increased from 3 months up to one year.
Please find below a detailed description of the new sanctions:
Within the trend of increasing state control in the sphere of PD, almost all fines have been doubled (except for those which were established for violating localisation requirements). Thus, for instance, a company may be fined up to RUB 150,000 for the absence of a written consent. A rather strict new development is that a warning is excluded from article 13.11 of the Administrative Code as a type of administrative sanction.
Moreover, sanctions have been introduced for repeated administrative violations. This applies to the following elements of the offence:
- processing PD in cases for which Russian legislation provides, or if such processing is incompatible with the purposes for gathering the PD;
- processing PD without a written consent, or when such written consent does not correspond to the statutory requirements;
- untimely fulfilment by a PD operator of the demands of a PD subject, his or her representative or an authorised body responsible for protecting the rights of PD subjects.
A crucially important new development is that the statute of limitations for holding a person liable in the sphere of PD has been increased from 3 months up to one year.
Please find below a detailed description of the new sanctions:
What to think about and what to do
To mitigate the risks of a liability being imposed for violations in the sphere of PD we recommend that companies should check in advance whether they are complying with PD legislation and rectify any violations identified. Among other things, this will allow companies that are affected to prepare well in advance for regulatory activities of the supervisory authority Roskomnadzor, with a view to managing (mitigating or ruling out) the risk of liability being imposed or of other enforcement measures being taken as a result of such regulation.Help from your adviser
Pepeliaev Group’s experts have extensive experience of handling issues relating to compliance with personal data legislation. They are ready to provide comprehensive legal support and technical assistance in checking compliance with the requirements of personal data legislation, and in eliminating any violations identified. They also represent a company and its employees when administrative authorities exercise regulatory control and in disputes with such authorities.[1] Federal Law No. 19-FZ “On amending the Russian Code of Administrative Offences” dated 24 February 2021.