New rules for personal data processing

By Elena Rybnikova, Head of Internal Audit, Expertise and Methodology Department

Liability for violations of personal data processing rules has been significantly increased since July 01, 2017. The list of grounds for bringing employers to administrative liability is now longer, the fines are higher, and the first such administrative liability cases have already reached the courts. Below we look at what needs to be done to avoid a warning from Roskomnadzor and how to secure one’s business under these new circumstances.

How it used to be

List of grounds

Previously, there was no list of grounds for penalties as such: the law provided only the following general wording. Penalties were imposed for “violation of the statutory procedure for collection, storage, use or dissemination of information about citizens (personal data).”

Penalties

For company officers: from RUB 500 to RUB 1,000
For legal entities: from RUB 5,000 to RUB 10,000

The highest penalty is set for processing personal data without the data subject’s written consent.

What has changed?

List of grounds introduced on July 01, 2017:

  1. Processing of personal data for “other” purposes;
  2. Processing of personal data without consent;
  3. Access to the personal data processing policy;
  4. Data hiding;
  5. Updating or blocking;
  6. Personal data security;
  7. Depersonalization.

Penalties

Violation                                                                | Company officer         | Legal entity            | Individual entrepreneur
-------------------------------------------------------------------------|-------------------------|-------------------------|------------------------
Processing of personal data in cases not provided for by Russian law     | RUB 5,000 – RUB 10,000  | RUB 30,000 – RUB 50,000 |
Processing of personal data incompatible with the purposes of collection | RUB 5,000 – RUB 10,000  | RUB 30,000 – RUB 50,000 |
Processing of personal data without written consent                      | RUB 10,000 – RUB 20,000 | RUB 15,000 – RUB 75,000 |
Non-fulfillment of conditions ensuring personal data security            | RUB 4,000 – RUB 10,000  | RUB 25,000 – RUB 50,000 | RUB 10,000 – RUB 20,000

Examples

An accountant has not provided a payslip to an employee. Now, Roskomnadzor could qualify such a violation as personal data hiding and impose a fine on both the company and the accountant.

It is also not necessary to keep a second copy of a payslip after it has been issued to the employee. The Ministry of Finance has clarified that organizations are not required to keep second copies of payslips, and under Federal Law N 152-FZ payslips are not subject to storage (Russian Ministry of Finance Letter No. 02-06-05/21573 dated April 14, 2016). Payroll records, i.e. the data in the payroll account, still remain with the company.

A bank has made public someone’s salary/bonus payments without their consent and passed on the “debtor’s” details to a legal entity to draw up a statement of claim. Now, Roskomnadzor could qualify such a violation as disclosure of personal data without written consent or with improperly obtained written consent.

A company has posted a vacancy on its site and invited applicants to fill out a profile form or questionnaire, but its Personal Data Processing Policy is not available or not easy for the user to find. Now, Roskomnadzor could qualify this as a failure by the operator to fulfill its obligation to publish or otherwise provide unrestricted access to its Personal Data Processing Policy or to information about the protection measures it has implemented.

Storage of personal data

Save for employment record books, it is not necessary to store copies of documents submitted by employees upon hiring (passport, insurance individual account number, diplomas, etc.). Information from such personal documents should be recorded in the employment contract or in the company’s accounting system, and the documents then returned to the employee without keeping any copies.

Court case example

North Caucasus District Commercial Court Ruling dated April 21, 2014 Case No. А53-13327/2013. 

The employer kept copies of the birth certificate of an employee’s child and of the employee’s marriage certificate, which contained information about the employee’s nationality, as well as copies of passport pages and pages of the employee’s military service record book. The court ruled that storing copies of these documents exceeds the volume of the employee’s personal data that may be processed, violates civil rights and freedoms, lowers the level of employee rights and guarantees, and is contrary to federal law. The employer was therefore brought to administrative liability.

Recommendation

  • We recommend checking on Roskomnadzor’s site whether your company is on the list of inspections scheduled for 2017.
  • If you have not yet notified Roskomnadzor of your intention to process personal data, you should do so.
  • We recommend checking whether a notice of personal data processing has been filed and whether the data in it is still current. To do so, visit Roskomnadzor’s site and enter your INN to run the check.
  • We recommend strictly observing all principles of personal data processing.
  • Virtually all companies are now affected by the new amendments to the law, including, for example, site owners collecting personal data of visitors in one form or another. We recommend checking whether the Terms of Personal Data Processing and the Personal Data Policy are published online. Even if your company does not sell goods or services and does not post order/request forms, any feedback form or applicant questionnaire is deemed a tool for collecting personal data.

How we can help

  • We can prepare any documentation required by Federal Law N 152-FZ
  • We can analyze your business for compliance with Federal Law N 152-FZ On Personal Data
  • We can provide legal support, including support during Roskomnadzor inspections