Request of personal data processing notification from Roskomnadzor

By Elena Rybnikova, Head of Internal Audit, Expertise and Methodology Department

Roskomnadzor requires all legal entities and individual entrepreneurs to submit a notice of personal data processing before they begin processing such data. Failure to do so is punishable by fines of up to RUB 75,000 for each violation.

The notification is submitted by completing a form on the Roskomnadzor website, rkn.gov.ru.




Roskomnadzor has set out this requirement to reconcile the databases of taxpayers registered with the Federal Tax Service with Roskomnadzor’s database of personal data operators. 

Please note that all companies processing personal data of individuals must submit a personal data operator notice, which can be filled out on the Roskomnadzor website.

Article 22 of Federal Law N 152-FZ On Personal Data provides that before processing personal data, operators must notify the body authorized to protect the rights of data subjects that they intend to process personal data.

Am I a personal data operator?

If you have requested personal data from an individual at least once and passed it on to third parties, then YES, you are a personal data operator. This occurs, for example, when tickets are bought for an employee sent on a business trip, payroll or corporate bank cards are issued to employees, a business center pass is issued to employees by a third-party security company, or resumes are received from applicants.

Fines

Liability for violations in personal data processing has been significantly tougher since July 01, 2017 (see table).

| Violation | Penalty: company officer | Penalty: legal entity | Penalty: individual entrepreneur |
|---|---|---|---|
| Processing of personal data in cases not provided by Russian law | 5,000 – 10,000 rubles | 30,000 – 50,000 rubles | 5,000 – 10,000 rubles |
| Processing of personal data not compatible with purposes for data collection | 5,000 – 10,000 rubles | 30,000 – 50,000 rubles | 5,000 – 10,000 rubles |
| Processing of personal data with no written consent | 10,000 – 20,000 rubles | 15,000 – 75,000 rubles | 10,000 – 20,000 rubles |
| Non-fulfillment of conditions for personal data safety | 10,000 – 20,000 rubles | 25,000 – 50,000 rubles | 10,000 – 20,000 rubles |
| Failure to fulfill operator obligation for personal data policy | 3,000 – 6,000 rubles | 15,000 – 30,000 rubles | 5,000 – 10,000 rubles |
| Non-fulfillment by operator of obligation to inform data subject about personal data processing | 4,000 – 6,000 rubles | 20,000 – 40,000 rubles | 10,000 – 15,000 rubles |
| Non-fulfillment by operator of obligation to inform data subject about personal data destruction | 4,000 – 10,000 rubles | 25,000 – 45,000 rubles | 10,000 – 20,000 rubles |

No comments are available at the moment on what to do if a company has been processing personal data for a while but has not submitted any notice. Although penalties have not yet been applied (first violations are subject to a warning, and then a maximum of RUB 75,000 per violation is imposed on legal entities and RUB 20,000 on individual entrepreneurs), we recommend submitting the required notices to be on the safe side.

Background information

Definition of operator and personal data processing

Appendix to Roskomnadzor order N 94 dated May 30, 2017:

2.1. An operator is any federal state body, any state authority of the constituent entities of the Russian Federation, other state bodies (further “state authorities”), local authorities, other municipal bodies (further “local authorities”), legal entity or individual managing and/or processing personal data, as well as determining personal data processing purposes and content.

2.4. Personal data processing consists in any action (operation) or series of actions (operations) performed with or without automated equipment on personal data, including collection, recording, classification, accumulation, storage, clarification (updating, modification), retrieval, use, transmission (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data.