Russia: The law introducing significant strengthening of liability for the violation of personal data regulations came into force
On July 1st, 2017, several amendments to the Code of Administrative Offences of the Russian Federation (hereafter – the Code) came into force, significantly elaborating on the list of offences in the sphere of personal data (PD) processing and increasing the penalties.
The amendments addressed Article 13.11 of the Code, which previously established liability for one major offence related to the data processing – the breach of legally prescribed procedure of gathering, storing, using and distribution of PD. The sanction stretched from an official warning to administrative fine limited to 10 000 RUB for companies.
The amended Article 13.11 diversifies and strengthens the liability, introducing seven general groups of offences related to PD, which themselves may have internal division between various administrative offences.
Five of seven Paragraphs of Article 13.11 require the special perpetrator – the operator of PD. According to the Federal Law No. 152-FZ of 27.07.2006 “On Personal Data”, the operator includes governmental body, municipal body, a company or a physical person, who, acting on their own, or jointly with other persons, organize and (or) directly perform the PD processing, as well as those who determine the purposes of processing, the amount of PD to be processed, and specific operations involved in PD processing.
Drawing particular attention is that operator of PD is liable for non‑publishing of its policy on data protection, as well as for depriving the third parties in any other way of access to such document, which is now explicitly stipulated in law. The obligation to elaborate and publicize the policy on data protection is established in the Article 18.1 of the Federal Law on personal data.