The President of the Russian Federation has signed a law that establishes the procedure for processing personal data that is allowed by its subject for distribution to the general public.
According to the Law, starting from March 1, 2021, the concept of “publicly available personal data” is excluded and the concept of “personal data allowed by its subject for distribution” is introduced. Such data is considered to be the personal information of an individual (subject of personal data), to which general public can be granted access. Access is granted by giving consent to the processing of personal data (PD) by an individual. Without consent, it is prohibited to publish personal information of an individual, even on the company’s corporate websites.
It is possible to obtain consent to the processing of PD that is allowed for distribution only from the PD subject. However, starting from July 1 of this year, this consent can be obtained using the information system of the Federal Service for Supervision in the Sphere of Telecom, Information Technologies and Mass Communications authorities (abbreviated in Russian as “Roskomnadzor”). Person engaged in the processing of PD (PD operator), within three working days of the receipt of consent from the PD subject, is obliged to publish information on the processing conditions, the presence of restrictions and conditions for the processing of personal information of individual by general public.
When obtaining consent to the processing of PD, the following provisions have to be taken into account:
The distribution of PD has to be stopped within three working days from the date of the PD subject’s request to the PD operator.
Please be reminded that for violation of the requirements of the legislation in the field of personal data, administrative liability is provided for under article 13.11 of the Administrative Code of the Russian Federation. The scope of punishment depends on the type of offense committed. For more information about the scope of liability, see the table below.
|Type of offense||Scope of punishment|
|Processing of PD that is not provided for by the legislation of the Russian Federation or processing of PD that is incompatible with the purposes of collecting such data||Imposition of a fine: for officers – a fine of 5,000 – 10,000 rublesfor legal entities – a fine of 30,000 – 50,000 rubles.|
|Processing of PD without the consent of the PD subject||Imposition of a fine: for officers – a fine of 10,000 – 20,000 rubles;for legal entities – a fine of 15,000 – 70,000 rubles.|
|Failure of the PD operator to provide the PD subject with information about the processing of its PD||Imposition of a fine: for officers – a fine of 4,000 – 6,000 rubles;for legal entities – a fine of 20,000 – 40,000 rubles.|
|Failure by the PD operator in the collection of PD, including through the Internet, to ensure the recording, systematization, accumulation, storage, rectification or extraction of PD of citizens of the Russian Federation using databases located in the Russian Federation||Imposition of a fine: for officers – a fine of 100,000 – 200,000 rubles;for legal entities – a fine of 1,000,000 – 6,000,000 rubles. For repeated violations, the measures of punishment are increased and will be: for officers – a fine of 500,000 – 800,000 rubles;for legal entities – a fine of 6,000,000-18,000,000 rubles.|
In the matters of compliance with the requirements of the legislation in the field of personal data of employees, please contact Acsour specialists.