A draft law has been submitted to the State Duma on increasing fines for a failure to obtain personal data subjects’ consents and on administrative liability for violations in the processing of biometric data

Pepeliaev Group advises that on 4 May 2023 Draft Law No. 353266-8 “On amending the Russian Code of Administrative Offences” (the “Draft Law”) was submitted to the State Duma. The Draft Law provides for a significant increase of fines for the processing of personal data without the data subject’s written consent in cases when such consent must be obtained under the law, as well as fines for the processing of biometric personal data in violation of statutory requirements.

The Draft Law provides for amending articles 13.11(2) and 13.11(2.1) of the Russian Code of Administrative Offences (“Violating legislation of the Russian Federation on personal data”) as follows:

| Current wording | Wording proposed by the Draft Law |
| --- | --- |
| 2. The processing of personal data without the written consent of the personal data subject to the processing of their personal data in cases when such consent must be obtained under legislation of the Russian Federation on personal data, | 2. The processing of personal data without the written consent of the personal data subject to the processing of their personal data in cases when such consent must be obtained under legislation of the Russian Federation on personal data, as well as the entering of a personal data subject’s biometric personal data in the unified biometric system or other information systems that provide for identification and/or authentication using individuals’ biometric personal data in violation of requirements established by legislation of the Russian Federation on personal data, |
| except for cases specified in article 17.13 of this Code, provided that these acts do not include a criminal offence, or the processing of personal data in violation of requirements established by legislation of the Russian Federation on personal data concerning data which must be included in the written consent of a personal data subject to the processing of their personal data, | except for cases specified in article 17.13 of this Code, provided that these acts do not include a criminal offence, or the processing of personal data in violation of requirements established by legislation of the Russian Federation on personal data concerning data which must be included in the written consent of a personal data subject to the processing of their personal data, |
| entails an administrative fine to be imposed on individuals in an amount from RUB 6,000 to RUB 10,000; | No changes |
| on a company's officers - from RUB 20,000 to RUB 40,000; | on a company's officers - from RUB 100,000 to RUB 300,000; |
| on legal entities - from RUB 30,000 to RUB 150,000. | on legal entities - from RUB 300,000 to RUB 700,000. |
| 2.1. A repeat of the administrative offence specified in clause 2 of this article - | 2.1. A repeat of the administrative offence specified in clause 2 of this article - |
| entails an administrative fine being imposed on individuals in an amount from RUB 10,000 to RUB 20,000; | No changes |
| on a company's officers - from RUB 40,000 to RUB 100,000; | on a company's officers - from RUB 300,000 to RUB 500,000; |
| on individual entrepreneurs - from RUB 100,000 to RUB 300,000; | on individual entrepreneurs - from RUB 500,000 to RUB 1,000,000; |
| on legal entities - from RUB 30,000 to RUB 500,000. | on legal entities - from RUB 1,000,000 to RUB 1,500,000. |

1.   The increase of fines for a failure to obtain a subject’s written consent

Please be reminded that in the cases provided for by federal law, personal data may be processed only with the written consent of the personal data subject (article 9(4) of the law on personal data). Such consents include:

  • a data subject’s consent to the processing of biometric personal data (information that describes a person’s unique physiological and biological features based on which the person’s identity can be determined and which the operator uses to determine the identity of the personal data subject) (article 11(1) of the law on personal data), including an individual’s consent to the processing of their biometric personal data for the purposes of identifying them (article 16(3)(5) of Federal Law No. 572-FZ dated 29 December 2022[1]);

  • a data subject’s consent to the processing of special categories of personal data relating to the racial and national identity, political views, religious or philosophical beliefs, state of health and personal life (article 10(2)(1) of the law on personal data);

  • an employee’s consent to the receipt of their personal data by a third party (article 86(3) of the Russian Labour Code);

  • an employee’s consent to the transfer of their personal data to a third party, including for business purposes (article 88 of the Russian Labour Code);

  • a data subject’s consent to the inclusion of their personal data in publicly available sources of personal data including in directories and address books (article 8(1) of the Law on Personal Data);

  • a data subject’s consent to a decision being made based only on the automatic processing of their personal data, with such decision giving rise to legal consequences for such person or otherwise affecting their rights and lawful interests (article 16(2) of the Law on Personal Data).

As the table above indicates, the Draft Law provides for a significant increase of fines (from 3 to 10 times higher for legal entities) for the processing of personal data without written consent in cases when such consent must be obtained under the law.

Please be reminded that consent in the form of an electronic document signed by an electronic signature according to the federal law is treated as equal to written consent in hard copy containing the data subject’s personal signature (article 9(4) of the Law on Personal Data).

2.   Fines for the processing of biometric personal data in violation of established requirements

Please be reminded that biometric personal data includes information that describes a person’s unique physiological and biological features, based on which the person’s identity can be determined and which the operator uses to determine the identity of the data subject (article 11(1) of the Law on Personal Data).

Biometric personal data includes physiological data (fingerprint data, iris, voice, DNA tests and other data) as well as other physiological or biological qualities of an individual, including the person’s image (photo and video records) (Letter No. 08AP-6782 of the Federal Service for Supervision of Communications, Information Technology and Mass Media (known by the Russian abbreviation “Roskomnadzor”) “On sending information concerning the minutes of a meeting” dated 10 February 2020 together with “Practical recommendations for applying provisions of Federal Law No. 152-FZ “On personal data” dated 27 July 2006 when biometric personal data of minors is processed”).

The possibility of an image of an individual being classified as biometric personal data is a matter of particular importance.

For example, photographic images of visitors of an organisation being stored in the Access Control Management System (“ACMS”) are biometric personal data because they characterise a person’s unique physiological and biological features and make it possible to determine whether this person is the holder of the pass being shown to the ACMS which makes it possible to determine the person’s identity by comparing the photo with the face of the bearer of the pass and comparing the surname, name and patronymic with those stored in the ACMS. Therefore, a photographic image and other information used to ensure a single- or multiple-entry pass to protected premises and determining an individual’s identity is also categorised as biometric personal data (Letter No. 08AP-6782 of Roskomnadzor “On sending information concerning the minutes of a meeting” dated 10 February 2020 (together with “Practical recommendations for applying provisions of Federal Law No. 152-FZ “On personal data” dated 27 July 2006 when biometric personal data of minors is processed”); and Letter No. OP-P24-070-19433 of the Ministry of Digital Development, Communications and the Mass Media “On considering an application” dated 17 July 2020).

Administrative and judicial practice in relation to this issue has been inconsistent.

The following data is not classified as biometric personal data (Letter No. LB-S-074-24059 of the Russian Ministry of Communications “On methodological recommendations” (together with the “Methodological recommendations for comprehensive education providers on matters connected with the processing of personal data”)):

  • data obtained when a personal data operator scans a passport to confirm that a certain person has performed certain acts (for example, concluded a service agreement including banking, medical and other services), in other words, without carrying out procedures for identifying (determining the identity of) a person;

  • data obtained when an ID document is photocopied;

  • a photograph contained in an employee’s personal file;

  • a person’s signature which is required in different contractual relationships and a handwriting sample including handwriting samples which authorised bodies analyse when they conduct a handwriting examination;

  • X-ray or fluorography images which characterise a person’s unique physiological and biological features and are kept in a patient's health record (medical chart), regardless of whether it is in hard copy or electronic form, because the operator (the medical institution) does not use them to determine the patient’s identity;

  • video records taken in public places and secured areas.

3.   The Uniform Biometric System (UBS)

If biometric personal data is checked automatically, without an authorised officer of the organisation being involved, the organisation can be covered by Federal Law No. 572-FZ dated 29 December 2022 which provides that:

  • For the identification and/or authentication of individuals the Uniform Biometric System (UBS) is used;

  • Any processing of biometric personal data outside the UBS is prohibited, except for the cases provided for by the Federal Law;

  • The provision by individuals of their biometric personal data for the purposes provided for by this Federal Law cannot be mandatory;

  • An individual’s rejection of identification and/or authentication using their biometric personal data cannot be a ground for a refusal to provide them with a service, to sell them goods, to perform work for them or for a refusal to accept them for the provision of services;

  • It is prohibited to perform identification and/or authentication of individuals using biometric personal data if a cross-border transfer of biometric personal data is necessary for it;

  • Organisations that perform authentication based on biometric personal data of individuals are organisations that own information systems which provide for authentication based on biometric personal data of individuals and/or that provide services of authentication based on biometric personal data of individuals using vectors of the uniform biometric system and have obtained accreditation according to the procedure established by this Federal Law;

  • One of the requirements for the accreditation of organisations that perform authentication based on biometric personal data of individuals is that the organisation's own funds (capital) may not be less than RUB 500 million.

What to think about and what to do

To all whom it may concern, we recommend as follows:

  • assess whether the organisation processes personal data in cases where written consent is required;

  • draft the appropriate consent forms containing the statutory list of data;

  • ensure that written consents are obtained, including, where necessary, consents in the form of an electronic document signed with an electronic signature;

  • identify whether personal data that the organisation processes is biometric personal data (taking into account that a person’s image is classified as biometric personal data);

  • assess whether provisions of Federal Law No. 572-FZ dated 29 December 2022 apply to the organisation;

  • confirm that the organisation has all necessary documents that regulate the processing of personal data including biometric personal data.

Help from your adviser

Pepeliaev Group’s experts are ready to provide comprehensive legal support to companies in connection with the processing of personal data by organisations including biometric personal data.

Pepeliaev Group provides the following types of services:

1. Preparing a set of necessary consent forms, including:

  • a data subject’s consent to the processing of personal data according to the operator’s separate purposes of personal data processing (consent to the processing of personal data of a candidate for a vacant position, consent to the processing of personal data of an employee’s relative, consent to the processing of personal data of a website visitor and so on);

  • a data subject’s consent to the delegation of the processing of personal data;

  • consent to the processing of personal data of which the data subject has permitted dissemination;

  • a data subject's consent to the processing of personal data for the purposes of promoting goods, work and services on the market by directly contacting a potential consumer using means of communication as well as for the purposes of political agitation;

  • a data subject’s consent to the processing of biometric personal data;

  • a data subject’s consent to the processing of special categories of personal data;

  • an employee’s consent to the receipt of their data from a third party;

  • an employee’s consent to the transfer of their personal data to a third party, including for business purposes;

  • a data subject’s consent to the inclusion of their personal data in publicly available sources of personal data;

  • a data subject’s consent to a decision being made based only on the automatic processing of their personal data, with such decision giving rise to legal consequences for such person or otherwise affecting their rights and lawful interests.

2. Advising on different matters connected with proper forms of consents including using electronic signatures.

3. Providing assistance in organising the process of obtaining consents.

4. Drafting agreements on electronic cooperation.

5. Providing assistance in identifying whether personal data that an organisation processes is biometric personal data.

6. Analysing whether provisions of Federal Law No. 572-FZ dated 29 December 2022 apply to the organisation.

7. Drafting necessary documents that regulate the processing of personal data including biometric personal data.


[1] Federal Law No. 572-FZ “On the identification and/or authentication of individuals using biometric personal data, on amending certain items of legislation of the Russian Federation and on repealing certain provisions of items of legislation of the Russian Federation” dated 29 December 2022.
