ARTICLE
23 June 2021

Data Protection Law Amended To Increase Personal Data Subjects' Rights

GP
Gorodissky & Partners

Contributor

Gorodissky & Partners is the largest IP practice in Russia which was originally founded by patent/trademark attorneys and lawyers who commenced their professional careers in 1959. It is the only IP law firm in Russia that provides services in accordance with the requirements of the international standard ISO 9001: 2015, which guarantees the high quality of services provided and confirms compliance with international quality management standards. It is a unique and highly professional team of 140 patent/trademark attorneys and IP lawyers with profound knowledge in various fields of science, technology and law and also with considerable experience and practice of successful representation of clients' interests in the Russian and foreign PTOs, courts and administrative bodies.
Russia's legislation evolves rapidly and its personal data laws are no exception. On 27 March 2021 Russia enhanced personal data subjects' rights by changing fines...
Russian Federation Privacy

Russia's legislation evolves rapidly and its personal data laws are no exception. On 27 March 2021 Russia enhanced personal data subjects' rights by changing fines and extending the limitation period for data-related breaches.

No changes to fines for data localisation breaches

The Federal Law on Amendments to the Code of Administrative Offences (19-ФЗ, 24 February 2021) amends the amount of administrative fines prescribed by Article 13(11) of the Code of Administrative Offences for Several Types of Offences Against the Federal Law On Personal Data (152-ФЗ, 27 July 2006). The fines may apply to legal entities and their responsible managers (eg, CEOs and data protection officers) on a case-by-case basis.

However, the amendments do not change the highest fines, which apply to breaches of the so-called 'data localisation' requirement. As before, companies which fail to ensure that the recording, systematisation, accumulation, storage, clarification (ie, updating or changing) and extraction of Russian nationals' personal data is carried out using databases located in Russia (when collecting such personal data in any manner, including via the Internet) may face a fine of between Rb1 million and Rb6 million (approximately $13,000 to $80,000). Responsible managers may face a fine of between Rb100,000 and Rb200,000 (approximately $1,300 to $2,600).

Administrative fines for repeated offences are higher. A 'repeated offence' is an offence that occurs within one year of the date on which the previous liability was completely enforced. A repeated breach of the localisation requirement incurs a fine of between Rb6 million and Rb18 million (approximately $80,000 to $240,000) for companies, while responsible managers may face a fine of between Rb500,000 and Rb800,000 (approximately $6,600 to $10,500) (Articles 13(11)(8) and 13(11)(9) of the code).

New limitation period

The amendments extend the maximum time after an offence within which an administrative fine may be imposed (known as the 'limitation period') from three months to one year. Accordingly, Russia's data protection authority, Roskomnadzor, may extend its regular and extraordinary supervisory checks to prevent offenders from escaping liability for formal reasons. This changes the strategy of passing such inspections and encourages companies to conduct a privacy audit under Russian law as soon as possible.

New fines

The legislative changes double the administrative fines for seven types of offence against Russia's personal data laws. They introduce new fines for repeatedly committing three types of offence.(1)

For example, amended Paragraphs 1 to 7 of Article 13(11) of the code provide that depending on the nature of the offence, non-compliance with the law may incur a fine of between Rb30,000 and Rb500,000 (approximately $400 to $6,500) for a company, while responsible managers may face a fine of between Rb6,000 and 100,000 (approximately $80 to $1,300).

Comment

The amendments improve the protection of data subjects' rights in Russia. At the same time, they notably increase the legal risks for companies which do business in Russia and the managers thereof. Given the extended limitation period, such companies should not put Russian compliance matters on the back burner. To minimise risks, they should establish routine compliance management procedures and monitor the case law and Roskomnadzor's law enforcement activities.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More