New rules for the processing of personal data

LEGAL DIGEST, NEWS \ 25.02.2021

The President of the Russian Federation has signed a law that establishes the procedure for processing personal data that is allowed by its subject for distribution to the general public.

According to the Law, starting from March 1, 2021, the concept of “publicly available personal data” is excluded and the concept of “personal data allowed by its subject for distribution” is introduced. Such data is considered to be the personal information of an individual (subject of personal data), to which general public can be granted access. Access is granted by giving consent to the processing of personal data (PD) by an individual. Without consent, it is prohibited to publish personal information of an individual, even on the company’s corporate websites.

It is possible to obtain consent to the processing of PD that is allowed for distribution only from the PD subject. However, starting from July 1 of this year, this consent can be obtained using the information system of the Federal Service for Supervision in the Sphere of Telecom, Information Technologies and Mass Communications authorities (abbreviated in Russian as “Roskomnadzor”). Person engaged in the processing of PD (PD operator), within three working days of the receipt of consent from the PD subject, is obliged to publish information on the processing conditions, the presence of restrictions and conditions for the processing of personal information of individual by general public.

When obtaining consent to the processing of PD, the following provisions have to be taken into account:

1. Consent to the processing of PD allowed for distribution must be issued separately from the subject’s other consents to the processing of its PD.
2. The subject of the PD should be given the opportunity to determine the list of information that it allows to distribute for each category of PD.
3. If an individual discloses their PD to third parties, but does not provide consent for its processing, then it will be necessary to prove the lawfulness of the distribution of PD by all persons who were engaged in the processing of such information.
4. If it does not follow from the provided consent to the processing of PD that the PD subject gave consent to its distribution, then it is necessary to process such data without further distribution to general public.
5. The silence or inaction of the PD subject can be considered as their consent to the processing of the relevant data allowed for distribution under no circumstances.
6. The PD subject has the right to establish a prohibition on the transfer, processing or conditions for processing PD to general public. The operator’s refusal is not allowed in this case.
7. The transfer of PD that is allowed for distribution must be stopped at any time at the request of the PD subject. The consent is terminated when the operator receives such a request. In the request, it is necessary to specify:

• full name of the PD subject;
• phone number, e-mail address, or postal address of the PD subject;
• PD, the processing of which should be stopped.

The distribution of PD has to be stopped within three working days from the date of the PD subject’s request to the PD operator.

Please be reminded that for violation of the requirements of the legislation in the field of personal data, administrative liability is provided for under article 13.11 of the Administrative Code of the Russian Federation. The scope of punishment depends on the type of offense committed. For more information about the scope of liability, see the table below.

Type of offense	Scope of punishment
Processing of PD that is not provided for by the legislation of the Russian Federation or processing of PD that is incompatible with the purposes of collecting such data	Imposition of a fine: for officers – a fine of 5,000 – 10,000 rublesfor legal entities – a fine of 30,000 – 50,000 rubles.
Processing of PD without the consent of the PD subject	Imposition of a fine: for officers – a fine of 10,000 – 20,000 rubles;for legal entities – a fine of 15,000 – 70,000 rubles.
Failure of the PD operator to provide the PD subject with information about the processing of its PD	Imposition of a fine: for officers – a fine of 4,000 – 6,000 rubles;for legal entities – a fine of 20,000 – 40,000 rubles.
Failure by the PD operator in the collection of PD, including through the Internet, to ensure the recording, systematization, accumulation, storage, rectification or extraction of PD of citizens of the Russian Federation using databases located in the Russian Federation	Imposition of a fine: for officers – a fine of 100,000 – 200,000 rubles;for legal entities – a fine of 1,000,000 – 6,000,000 rubles.   For repeated violations, the measures of punishment are increased and will be: for officers – a fine of 500,000 – 800,000 rubles;for legal entities – a fine of 6,000,000-18,000,000 rubles.

In the matters of compliance with the requirements of the legislation in the field of personal data of employees, please contact Acsour specialists.