
Russia introduces tougher fines for violations related to personal data processing

legal updates
19 / 12 / 2023
On 12 December 2023, the Russian President signed Federal Law No. 589-FZ of 12 December 2023 “On Amending the Administrative Offences Code of the Russian Federation” (the “AOC” and the “Law”, respectively), which will take effect as early as 23 December 2023.

Increased fine

The most significant changes introduced by the Law are the following:

Increased fines for processing of personal data without the subject’s consent

Under the adopted amendments, the fines are significantly increased for processing personal data without the data subject's consent in cases where the law requires that consent to be given in writing (for example, when processing biometric personal data or special categories of personal data, when processing employees' personal data, or when the data must be disclosed to a third party), and for processing on the basis of a written consent that does not meet the requirements as to the scope of information such a consent must contain.

Under the Law as amended, the fines for this violation will range: for citizens, from RUB10,000 to RUB15,000; for officials, from RUB100,000 to RUB300,000; for legal entities, from RUB300,000 to RUB700,000.

For a repeated violation the fines are higher still: for citizens, from RUB15,000 to RUB30,000; for officials, from RUB300,000 to RUB500,000; for individual entrepreneurs, from RUB500,000 to RUB1,000,000; for legal entities, from RUB1,000,000 to RUB1,500,000.

Compared with the current version of parts 2 and 2.1 of Art. 13.11 of the Russian AOC, the fines for these violations are thus more than tripled.

New fines for violation of the requirements regulating the uploading of biometric personal data

(Biometric personal data: information that characterises the physiological and biological features of a person, on the basis of which his/her identity can be established.)

The Russian AOC is also supplemented with a new article 13.11.3, under which the uploading and updating, by banks, multifunctional public and municipal services centres and other organisations in the cases determined by federal laws, of a data subject's biometric personal data into the Unified Biometric System (the “UBS”, i.e. the state information system “Unified System of Identification and Authentication of Individuals Using Biometric Personal Data”) in violation of the requirements established by law entails an administrative fine on:

  • officials in an amount ranging from RUB100,000 to RUB300,000;
  • legal entities in an amount ranging from RUB500,000 to RUB1,000,000.

We would like to remind you that biometric personal data uploaded or intended to be uploaded into the UBS are now subject to a special legal regime established by a dedicated law (Federal Law No. 572-FZ of 29 December 2022 “On Identification and (or) Authentication of Individuals Using Biometric Personal Data, on Amending Certain Regulations of the Russian Federation and Invalidation of Certain Provisions of Regulations of the Russian Federation”) and several bylaws adopted thereunder.

It should also be noted that, under anti-money laundering laws, certain persons have had special obligations since 2020 to upload and update citizens' data into the UBS.

Practical recommendations

Today, state policy is moving towards tougher liability for violations of personal data processing rules. A study by Kaspersky Lab experts shows that in 2023 the number of data protection tickets in large companies increased 1.5 times, and that more than half of the leaked data became public within a month of the leak.

The increased fines, together with the “turnover-based” fines (we covered the draft law introducing them earlier), are designed to combat leaks and other personal data breaches.

It is important to note that in some cases the total fine may be higher than the amounts provided by the Law. For example, representatives of Roskomnadzor have repeatedly stated in public appearances that where several complaints are filed by several data subjects, each violation is considered separately, so that Roskomnadzor could theoretically impose a separate fine for each of them. On that logic, if five data subjects complain about the absence of written consent, the fine for a legal entity could reach RUB3,500,000 (five times the RUB700,000 maximum for a first violation).

Entities should keep in mind that, in the ordinary course of business, an employer, as a personal data controller, almost always needs to obtain employees' written consent: in most cases the employer transfers employees' data to third parties (banks, insurance organisations, counterparties, etc.), and that transfer often requires the employee's written consent. At the same time, Roskomnadzor's position on the requirements for employees' written consent should not be forgotten (for example, that each separate purpose of processing should be set out in a separate consent). With the increase in administrative fines, this issue will require more attention.

From a practical point of view, consideration could also be given to obtaining employees' written consents through an HR electronic document management system, so that the fact that each employee has given consent can be recorded and tracked, and so that the consent form can be drafted to meet Roskomnadzor's requirements regarding the scope of information it must contain.

In summary, given the trend in state policy towards tougher sanctions for breaches related to personal data processing, and especially in anticipation of the introduction of “turnover-based” fines (which we have covered separately), it is advisable to audit your own personal data processing procedures in advance, identify bottlenecks (a form of gap analysis) and draw up a plan to address them.

Our team has extensive experience in dealing with the requirements of Russian personal data regulation and will be happy to help you to adapt to the new Russian regulation realities.