On February 24, 2021, the President of the Russian Federation signed a law¹ increasing liability for violations in the field of personal data. The changes will take effect on March 27, 2021. Operators who process large volumes of personal data should pay special attention to these changes.
Article 13.11 of the Code of Administrative Offences was amended to increase fines twofold compared to the previous version and to establish increased liability for repeated offenses.
In particular, fines for processing personal data in cases not provided for by the legislation of the Russian Federation in the field of personal data, or processing personal data that is incompatible with the purposes of collecting personal data, can amount to up to RUB 100,000 for companies, and for repeated offenses – up to RUB 300,000.
The penalty for companies processing personal data without the written consent of the data subject, when such consent is required, or for violations of the requirements for the content of such consent, will range from RUB 30,000 to 150,000, and for repeated offenses – RUB 300,000 – 500,000.
For the non-publication of the operator's policy regarding the processing of personal data or information about the implemented requirements for the protection of personal data, the company may be fined in the amount of RUB 30,000 – 60,000.
Failure by the operator to rectify the personal data, or failure to block or destroy it if the personal data is incomplete, outdated, inaccurate, illegally obtained or is not necessary for the stated purpose of processing, threatens the company with a fine in the amount of RUB 50,000 – 90,000, and for repeated offenses – RUB 300,000 – 500,000.
Increased fines are also established for officials of operators who have committed violations in the field of personal data processing.
Also, if the operator violates the rights of several data subjects, there is a risk of a multiple increase in the total amount of fines.
- Evaluate the current processes and solutions used in the processing of personal data in relation to their compliance with the requirements of the legislation of the Russian Federation in the field of personal data and, if necessary, adjust them.
- Monitor recommendations of regulatory authorities and law enforcement practice.
Authors: Counsel Elena Agaeva, Associate Elena Kvartnikova
¹ Federal Law No. 19-FZ dated February 24, 2021