In the European Union (EU), the legal framework for privacy and data protection centers around the General Data Protection Regulation (GDPR) and the Directive on Privacy and Electronic Communications (ePrivacy Directive, also known as the “Cookie Directive”).
Both the GDPR and the ePrivacy Directive (as implemented at national level) apply to the European Economic Area (EEA), which includes all 27 EU Member States, as well as Iceland, Liechtenstein and Norway.
Note that although the GDPR and the ePrivacy Directive do not apply in Switzerland, Swiss law is in the process of being harmonized with the legislative requirements of the GDPR and the ePrivacy Directive.
Following the UK’s departure from the EU, the GDPR has been transposed into UK law (please see ‘UK GDPR’ below). The UK has additionally transposed the Privacy and Electronic Communications Regulations (PECR) into UK law. While the obligations stemming from the GDPR and the UK GDPR are near identical, it remains to be seen whether the UK will eventually deviate from the EU data protection rulebook to pursue its own regulatory path.
The GDPR, namely Regulation (EU) 2016/679, the “General Data Protection Regulation”, sets out the general rules for the collection, use and any other activity (collectively “processing”) performed on “personal data”. The latter is defined as any information relating to an identified or identifiable natural person and includes data such as:
- Telephone numbers;
- Bank account information;
- National identification numbers;
- Online identifiers;
- Location data;
- Personal preferences;
- Shopping behavior;
- Health data; or
- Political opinions.
The GDPR mandates that companies processing personal data, namely ‘data controllers’, map all the personal data they collect and process and record, for each data processing activity, the type of data involved, the purposes of the processing, and the technical and organisational measures that protect the personal data and data transfers. This is referred to as ‘records of processing activities’. The data controller must comply with certain obligations for each processing activity. For example, it must inform the relevant individuals whose data is being processed, and in some cases it must obtain their prior consent. The GDPR grants natural persons (“data subjects”) certain rights with regard to their personal data, such as the right to access one’s personal data, and companies must respond to requests exercising such rights. Failing to meet the requirements of the GDPR can lead to fines of up to €20 million or 4% of an entity’s or group of entities’ global turnover. It can also give rise to claims and class actions by data subjects.
As an EU regulation, the GDPR is directly applicable in all EEA Member States, ensuring harmonisation of the horizontal data protection rules across the EU digital single market. However, the GDPR allows EEA Member States to supplement its rules with specific national rules in certain areas where there is traditionally less EU harmonisation, such as the employment context or the determination of a child’s consent in relation to information society services.
Material Scope: The GDPR applies to all companies, organisations, authorities, agencies etc. processing personal data, except for:
- Law enforcement authorities (for which there is a “Data Protection Law Enforcement Directive”); and
- EU institutions, bodies, offices and agencies (for which there is a specific regulation – Regulation (EU) 2018/1725).
Territorial scope: The GDPR applies to:
- Organisations that are established in the EEA; or
- Organisations that are not established in the EEA:
  - if they are offering services to data subjects in the EEA (this criterion does not require a consideration/payment from the data subject); or
  - if they are monitoring the behaviour of data subjects based in the EEA.
Key obligations on controllers and/or processors
There are two main types of parties involved in the processing of personal data:
- Controllers: who determine the purposes and means of the processing of personal data; and
- Processors: who may process personal data on behalf of the controller.
Both controllers and processors have a number of responsibilities and obligations under the GDPR.
At the heart of the GDPR lie several main principles that apply throughout the lifecycle of data processing; these are:
- Lawfulness. For each processing activity, the controller must be able to demonstrate a proper reason (a legal basis), such as consent, legitimate interest or contract.
- Transparency. Controllers need to provide individuals with a privacy notice at the beginning of the data processing and inform them of any changes.
- Privacy by design & default. Controllers must consider data protection issues upfront and integrate necessary measures into processing activities from the design stage and throughout the lifecycle of the processing.
- Security and data breach notifications. Controllers and processors should implement appropriate technical and organizational measures to protect the security of the data and, in the case of a data breach, report it to the supervisory authorities and inform the affected data subjects.
- DPAs with processors. Controllers may only employ processors who can appropriately protect data subjects’ personal data and meet all the GDPR requirements. Processing by a processor is governed by a data processing agreement (DPA) that sets out the rights and obligations concerning the protection of personal data.
- Data subject rights. The controller must facilitate the exercise of data subject rights, such as the right of access to the data and copies of it, the right to transfer data to another controller (data portability), the right to rectify inaccurate or incomplete data, and the right to restriction of processing or erasure of data.
Restricted transfers outside EEA: Special safeguards must be implemented when an EEA/UK organisation transfers personal data to an organisation that is outside of the EEA/UK. If the recipient organisation is not in a country that benefits from an ‘adequacy decision’ from the EU Commission, then safeguards must be put in place.
The following countries benefit from an adequacy decision, i.e. have been recognised by the EU Commission as providing adequate protection:
- Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, the United Kingdom, and Uruguay.
Following the annulment of the EU-US Privacy Shield by the Court of Justice of the European Union, the Privacy Shield is no longer a valid mechanism for transferring personal data from the EU to the US. As such, transfers to the US, or to any country that does not have an adequacy decision in place, require safeguards to be put in place. Safeguards include, most notably, the EU Standard Contractual Clauses for international transfers (“EU SCCs”) and binding corporate rules (BCRs).
In June 2021, the European Commission adopted its modernized SCCs, giving organizations a three-month transitional period to begin introducing the new SCCs into contractual agreements. This period ended on September 27, 2021. Companies are requested to use the new SCCs for all new agreements and, following December 27, 2022, to incorporate the EU SCCs into existing agreements that were signed prior to September 27, 2021.
Prior to using SCCs or BCRs, it is imperative that the data exporter and data importer conduct a transfer impact assessment. This is an assessment of the privacy laws and practices applicable to the data importer, to check whether such laws or practices prevent the data importer from fulfilling its obligations under the EU SCCs or BCRs.
National and EU regulators
EEA Member States’ supervisory authorities are equipped with investigative, corrective, authorization and advisory powers. They may also impose sanctions, such as administrative fines, on an organization breaching the GDPR.
EDPB
The EDPB is an independent European body which safeguards the consistent application of data protection rules throughout the European Union. The EDPB is composed of the representatives of the national data protection supervisory authorities of the EU/EEA countries and of the European Data Protection Supervisor (EDPS). The EDPB supports consistency in the application of the GDPR by issuing guidelines on the interpretation of the main concepts of the GDPR and various recommendations.
The EDPB can issue opinions on some decisions made by European supervisory authorities, which have cross-border effects. If authorities fail to respect an opinion issued by the EDPB, the EDPB may adopt a binding decision.
ePrivacy Directive
The ePrivacy Directive refers to Directive 2002/58/EC on Privacy and Electronic Communications, as amended by Directive 2009/136/EC.
The ePrivacy Directive complements the GDPR and sets specific rules regarding direct marketing communications, and the placement of cookies and similar identifiers in users’ equipment (computers, laptops, smartphones and other devices). In addition, the ePrivacy Directive sets forth specific rules for electronic communications service providers when they provide electronic communication services (ECS). Since the entry into force of the European Electronic Communications Code at the end of 2021, ECS include not only traditional communication services, such as mobile telephony and access to the Internet, but also: instant messaging applications, Voice over IP (VoIP), web-based email services, or video conferencing (often called Over-the-Top communications services, or OTTs).
As the ePrivacy Directive is not an EU regulation, it is not directly applicable. This means that the EEA Member States must transpose the EU ePrivacy rules into national law, which has resulted in some variations between EEA Member States’ ePrivacy laws.
Main Obligations
- Direct marketing: the ePrivacy Directive sets forth the rules on sending direct marketing communications (email, SMS, marketing calls). The Directive generally prohibits the use of automated calling and communications systems (without human intervention) and email for direct marketing, unless the user (or the subscriber) has given their consent. In practice, the consent of the user tends to be gained through opt-ins. ‘Opt in’ means a person has to take a specific positive step (e.g. tick a box, send an email, or click a button) to say they want marketing. ‘Opt out’ means a person must take a positive step to refuse or unsubscribe from marketing.
As an exception to the opt in rule, the Directive allows companies and organizations to send direct marketing emails to existing customers without their consent, provided that such emails market similar products or services of that company or organization and that the customer has been offered a choice to opt out from such communications.
- Cookies: The ePrivacy Directive requires EEA countries to ensure that users give their consent before any information, such as cookies and similar technologies, is stored on or accessed from their computers, smartphones or other devices connected to the Internet. Some exceptions apply.
- Electronic communication services: The ePrivacy Directive also establishes rules on the confidentiality of electronic communications and the permitted use of traffic data, routing data and location data (electronic communications metadata) by electronic communications service providers.
Competent EEA national authorities and sanctions
- Competent national authorities: The ePrivacy Directive has left it to EEA Member States to designate the authority in charge of enforcing the ePrivacy rules at national level. This has resulted in a lack of harmonization across the EEA. In some countries there are several authorities in charge, each competent for enforcing a different piece of the ePrivacy rules (e.g. a data protection authority competent for enforcing the cookie rules, but a national telecom regulator competent for enforcing the rules relating to electronic communications services). This variety of competent authorities at national level is illustrated by the list published by the EU Commission.
- Sanctions: Contrary to the GDPR, the ePrivacy Directive does not provide for any tier or amount of fines or sanctions, only indicating that these must be effective, proportionate and dissuasive. As a result, the maximum fine varies from one EEA Member State to another, and often also varies depending on which rule has been breached.
Proposal for an ePrivacy Regulation
The ePrivacy Directive was adopted in 2002 and revised in 2009. In 2017, the EU Commission proposed new ePrivacy rules through a draft proposal for a Regulation on Privacy and Electronic Communications (ePrivacy Regulation).
This has since been flowing slowly through the EU legislative process. The EU Parliament adopted its version of the ePrivacy Regulation in October 2017, and the Council did so in February 2021. The EU co-legislators are currently negotiating the final text of the ePrivacy Regulation in ‘trilogues’. The timeframe for the final adoption of the Regulation remains to be seen. However, it is expected that following adoption, companies and organizations will be given a transitory grace period to adapt their practices to the new rules.
Main changes compared to the current ePrivacy rules
Once adopted, the ePrivacy Regulation will replace the current ePrivacy rules. While the text of the Regulation is not final yet, we give a gist of its draft content:
- Cookies: The rules will be updated, providing for more scenarios where certain cookies and similar technologies will be exempt from consent.
- Electronic communications services: It will provide more comprehensive rules for ECS providers with respect to the processing of electronic communications content and metadata, taking into account the specificities of OTTs.
- Enforcement authorities: It remains unclear whether enforcement will be limited to data protection authorities and whether the EDPB will have the same competencies as under the GDPR.
- Sanctions: These will likely be similar to those in the GDPR.
UK GDPR
Following the UK’s departure from the European Union, the UK’s data protection framework is made up of the following key components:
- The GDPR is retained in domestic law as the UK GDPR;
- The ‘UK GDPR’ sits alongside an amended version of the Data Protection Act (DPA) 2018. The DPA 2018 came into effect on 25 May 2018, when the UK was still a member of the EU, and was amended on 1 January 2021 by regulations under the European Union (Withdrawal) Act 2018 to reflect the UK’s status outside the EU. It sets out separate data protection rules for law enforcement authorities, extends data protection to some other areas such as national security and defence, and sets out the functions and powers of the UK’s data protection authority, the Information Commissioner’s Office (ICO); and
- The Privacy and Electronic Communications Regulations (PECR), derived from the EU’s ePrivacy Directive, continue to apply.
As such, the key principles, rights and obligations explained in the EU section (for both the GDPR and the ePrivacy Directive) remain largely the same for the UK. From a practical perspective, this means that certain obligations are often mirrored, and we are increasingly seeing the ‘UK GDPR’ and ‘EU GDPR’ referenced interchangeably, for example in records of processing or privacy notices.
However, there are a few key distinctions that are relevant to the UK.
International Transfers: Post-Brexit, the UK is a ‘third country’ for the purposes of personal data transfers outside the EEA. This means that the provisions of the GDPR governing transfers to a third country are invoked. For the time being, the UK has been granted adequacy by the EU Commission, and vice versa, allowing data flows between the jurisdictions. However, we are starting to see more divergences, and both the EU and the UK have stated that their respective adequacy decisions are subject to review.
The arrival of the EU’s ‘new’ SCCs is one area that has seen divergence, because the new SCCs cannot (at the moment) be used for transfers from the UK. The ICO has launched a public consultation to seek views on the UK’s position and has produced a draft international data transfer agreement (IDTA) and guidance, with the intention that the IDTA would replace the SCCs.
Regulator and Sanctions: The Information Commissioner’s Office (ICO) is the UK’s independent national authority charged with policing and enforcing the data protection and freedom of information regime in the UK. The ICO regulates compliance with the GDPR and PECR and has the power to issue sanctions.
Establishments:
The UK GDPR also applies to controllers and processors not only inside the UK but also outside the UK if their processing activities relate to:
- offering goods or services to individuals in the UK; or
- monitoring the behaviour of individuals taking place in the UK.
There are also implications for UK controllers who do not have a branch, office or other establishment in any other EU or EEA state, but either:
- offer goods or services to individuals in the EEA; or
- monitor the behaviour of individuals in the EEA.
The EU GDPR still applies to this processing. If the UK controller does not have a base inside the EEA, the EU GDPR requires that a representative in the EEA is appointed.
Although we have touched on the key divergences between the EU and UK data protection structures, we continue to monitor this space with much anticipation, especially in light of the UK Government’s publication of a proposed reform of the UK’s data protection framework.
The legal framework for personal data processing is established by the Federal Law of the Russian Federation No. 152-FZ “On Personal Data” dated 27 July 2006 (the “PDL”). In addition, some data privacy provisions are to be found in sectoral pieces of legislation, including Federal Law No. 149-FZ on Information, Information Technologies and Data Protection 2006, the Labour Code of the Russian Federation (the “Labour Code”), the Civil Code of the Russian Federation and others.
The Russian Federal Service for Supervision in the Sphere of Telecom, Information Technologies and Mass Communication (“Roskomnadzor” or the “Regulator”) is the Russian data privacy regulator. It issues guidelines on the interpretation of the data privacy laws, maintains the Register of Personal Data Operators and carries out investigations into operators’ compliance with the data privacy laws. More information about Roskomnadzor can be found on its official website: https://rkn.gov.ru/
Under the PDL, “personal data” means any data relating to a person who is or can be directly or indirectly identified (the “personal data subject” or “data subject”). It can be in either electronic or hard copy format. Existing, prospective and past employees, and other workers, fall within the scope of a data subject.
GENERAL
The PDL contains the following data processing principles:
- personal data must be processed fairly and lawfully;
- personal data must be obtained for specific, lawful and defined purposes (determined in advance). Processing of personal data in a manner incompatible with such purposes is not allowed;
- the content and volume of the processed personal data must fully correspond to the stated purposes of the data processing. Personal data must not be excessive in relation to the purpose(s) for which it is being processed;
- personal data must be accurate, sufficient and, where necessary, kept up to date in relation to the purposes of the data processing. The data operator (e.g. the employer) must take, or procure, all measures necessary for the deletion or updating of incomplete or inaccurate personal data; and
- personal data must be retained in a form that allows the data subject (e.g. the employee) to be identified, but for no longer than is necessary for the purpose(s) of its processing, unless a different retention period is provided by the applicable laws or by agreement with the data subject. The processed personal data must be destroyed or depersonalized as soon as the stated purpose(s) of the data processing are achieved or their achievement is no longer required, unless otherwise provided by the applicable laws.
Unlike the Convention of the Council of Europe for the Protection of Individuals with regard to Automatic Processing of Personal Data dated January 28, 1981 (the “CE Convention”), the PDL does not contain concepts of a “data controller” and a “data processor”, but instead provides for “operator” and “3rd party operator”:
- “operator” means a state or municipal authority, legal entity or individual which organizes and/or performs, individually or together with other persons, the processing of personal data, and determines the purposes of personal data processing, the types of personal data processed, and the actions (operations) to be performed with the personal data (a concept similar to a “data controller” under the EU Data Protection Directive). In most cases an employer will be an “operator”; and
- “3rd party operator” means a third party appointed by the operator on the contractual basis to process personal data (a concept similar to a “data processor” under the EU Data Protection Directive).
LAWFULNESS OF PROCESSING
Personal data can be processed by the operator only subject to the prior consent of the data subject.
As a general rule, consent may be given in any form that makes it possible to confirm that it has been obtained.
It should be emphasized, however, that while the PDL does not explicitly allow consent to be obtained in simple electronic form (by clicking an “I agree/I accept” button), it does not prohibit obtaining consent in such a form either. Therefore, based on common practice, we can consider consent obtained in this manner acceptable and compliant with the PDL until the Regulator advises otherwise or subordinate legislation is adopted to this effect.
Consent must, however, always be given in writing (i.e. it must bear the handwritten or digital signature of the data subject) when:
- special or sensitive data is being processed (i.e. race, ethnic origin, information on state of health or sexual life, political, religious and philosophical beliefs);
- biometric data is being processed (e.g. fingerprints, DNA, physiological data, etc.);
- personal data is processed automatically; and
- personal data is being transferred outside of Russia to countries which are not signatories to the CE Convention or are not included in the list approved by the Regulator.
DATA BREACH NOTIFICATION
- At the moment, there are no statutory requirements to notify (report) the Regulator of a data breach.
- Where unlawful processing of personal data is identified at the request of a personal data subject or upon an inquiry of the Regulator, the operator is required to block access to the wrongfully processed personal data upon receiving such request or inquiry, for the duration of verification.
- In the case of inaccurate personal data, the operator is required to block access to the personal data associated with the relevant personal data subject upon receiving such request or inquiry, for the duration of verification, as long as blocking access to the personal data does not violate the rights and legitimate interests of the personal data subject or third parties.
- If the inaccuracy of the personal data is confirmed, the operator must verify the personal data within seven business days from the date of receipt of such communication and lift the blocking of access to the personal data.
- Where unlawful processing of personal data is discovered, the operator is required to stop the unlawful processing within a period not exceeding three business days.
- Where it is not possible to ensure that the personal data is processed lawfully, the operator must destroy such personal data, or cause it to be destroyed, within a period not exceeding ten business days from the date the unlawful processing was discovered.
- The operator is required to notify the personal data subject or his representative that the violations have been corrected and the personal data has been destroyed; where the request or inquiry was sent by the authorized body responsible for protection of the rights of personal data subjects, that authority must also be notified. No period for such notification has been prescribed.
RETENTION OF DATA
Under the PDL, personal data processed for any purpose must not be stored for longer than is necessary for the purpose for which it was obtained, unless a different retention period is provided by the applicable laws or agreed with the employee. The provisions of the Order of RosArchive No. 236 dated December 20, 2019 (the “Archive Order”), registered with the Ministry of Justice on 6 February 2020, “On approval of the index of administrative archival documents that are produced in the course of the activities of state bodies, local self-government bodies and organizations, indicating the terms of their retention”, must be observed. It should be noted that the Russian statutory retention requirements are quite onerous, and the applicable retention period must be defined on a case-by-case basis.
The index lists hundreds of document types, each with its own specified retention period. For low-significance documents the retention period is typically 3 to 5 years.
Examples:
- Documents and correspondence related to personal data protection – permanently and 3 years after replacement by the new ones;
- Documents, by-laws and instructions on personal data processing – permanently and 3 years after replacement by new ones;
- Consent of a personal data subject to the processing of his/her personal data – 3 years after expiration or revocation.
NOTIFICATION OF REGULATOR (ROSKOMNADZOR) ON PERSONAL DATA PROCESSING
Subject to a few exemptions provided by the PDL (see below), the operator can start personal data processing only upon filing with Roskomnadzor a written notification of its intention to start processing personal data. The notification must be filed before the operator begins to process personal data.
Such notification must be prepared in Russian, based on the approved form (available on the website of Roskomnadzor: https://pd.rkn.gov.ru/operators-registry/notification/form/), and can be filed in written form (by letter) or in electronic form through the website of Roskomnadzor. Depending on the form in which the notification is filed (written or electronic), it can be filed and signed by an authorized officer or authorized representative (acting under a power of attorney) of the operator either by hand or by digital signature.
SECURITY OF PERSONAL DATA
The operator must implement (or procure implementation of) necessary and sufficient security measures to ensure compliance with the data privacy laws, including the following:
- appointment of a data protection officer;
- adoption of the data protection policy, internal regulations on personal data processing, and other internal regulations for the purpose of prevention and detection of data privacy laws breach;
- application of relevant legal, organizational and technical security measures (as described in the below paragraph);
- performance of internal control and/or audit to ensure compliance with the data privacy laws and the internal regulations/policies adopted by the operator;
- evaluation of the damages that may be caused to data subjects in case of data privacy laws breach; and
- familiarization of the operator’s employees with the Russian data privacy laws including the data privacy requirements as well as with the internal regulations/policies adopted by the operator.
In any event, the operator must implement (or procure implementation of) appropriate legal, technical and organizational measures to protect personal data against accidental or unlawful access, destruction, alteration, blocking, copying, transmission, and against all other unlawful forms of processing.
LOCALIZATION REQUIREMENT
Subject to a few exemptions set forth below, the operator, when collecting personal data, including via the information and telecommunication network “Internet”, must ensure that the recording, systematization, accumulation, storage, adjustment (update, alteration) and retrieval of personal data of citizens of the Russian Federation are performed using a database located in the territory of the Russian Federation (the “Localization requirement”).
- Storing in foreign data centers. Operators are allowed to store personal data of Russian citizens in foreign data centers only if such processing is required:
  - to achieve goals prescribed by an international treaty or other Russian laws and necessary for the operators to perform the functions, powers and obligations imposed on them by Russian law;
  - to administer justice or conduct enforcement proceedings;
  - to ensure the provision of public/municipal services by Russian state and municipal authorities, local government authorities and entities; or
  - to carry out a journalist’s professional activity and/or the legitimate activities of the mass media, or scientific, literary and creative activities.
- A website is considered to be targeting Russia if the following criteria are met:
  - use of Russia-related domain names, for example .ru, .su, .moscow; and/or
  - availability of a Russian-language version of the website, with the exception of versions translated into Russian by automatic translation plugins;
  and at least one of the following conditions is present:
  - ability to make payments in Russian Rubles;
  - ability to execute an agreement on the website that will be performed on the territory of Russia (e.g. delivery of goods or services);
  - use of Russian-language advertisements to promote the website; or
  - other circumstances that clearly indicate that the website’s owner intended to include the Russian market in its business strategy.
Consequently, a non-Russian entity operating a website targeting Russia (subject to the above criteria and conditions) is considered an operator of personal data of Russian citizens and is subject to the localization requirement (i.e. the personal data of Russian citizens collected by such entity through the website must be stored in a database located in Russia).
SANCTIONS AND REMEDIES
Failure to comply with the Russian data privacy laws can result in administrative, criminal and civil (for instance, moral damages) penalties.
In certain cases, non-compliance with the legislative requirements with respect to the collection, storage, use and transmission of personal data can be qualified as a violation of the labour legislation, and can therefore lead to fines:
- for officials – RUB 1,000 – 5,000;
- for legal entities – RUB 30,000 – 50,000.
In addition, the Roskomnadzor has the right to block websites and online resources that process personal data of the Russian citizens in violation of the provisions of the Russian data privacy laws.
Individuals also have a right to compensation for moral damages caused by the infringements but, in practice, this is rarely used.
On February 7, 2017, the President of Russia signed Federal Law No. 13-FZ “On the Introduction of Amendments to the Administrative Offenses Code of the Russian Federation” (the “Law”). The Law was officially published on February 7, 2017 and became effective as of July 1, 2017.
Beginning July 1, 2017, the Code introduces new sets of constituent elements of an administrative offense, with varying sanctions applicable to each set (see the list below). The maximum fine under the Law is ₽75,000 (approximately US$1,014):
- Processing of personal data that is incompatible with the purposes of the gathering of personal data – caution or RUB 5,000-10,000 for Public Officers and caution or RUB 30,000-50,000 for the company;
- Processing of personal data without written consent or a violation of the constituent elements of data in any such consent – RUB 10,000-20,000 for Public Officers and RUB 15,000-75,000 for the company;
- Failure by an operator to comply with the duty to provide a personal data owner with information in relation to the processing of his/her personal data – caution or RUB 4,000-6,000 for Public Officers and caution or RUB 20,000-40,000 for the company;
- Failure by an operator to comply with the requirement for updating, blocking or destroying personal data if such personal data is incomplete, outdated, inaccurate, illegally obtained or unnecessary for the alleged purpose of processing – caution or RUB 4,000-10,000 for Public Officers and caution or RUB 25,000-45,000 for the company;
- Failure by an operator, when processing personal data without using automation tools, to comply with the duty to safeguard such personal data while storing tangible media – RUB 4,000-10,000 for Public Officers and RUB 25,000-50,000 for the company.
On December 2, 2019, the President of Russia signed Federal Law No. 405-FZ “On the Introduction of Amendments to the Administrative Offenses Code of the Russian Federation” (the “Amendments”). The Amendments became effective as of December 2, 2019.
Beginning December 2, 2019, the Code introduces a new constituent element of an administrative offense – breach of the localization requirement.
Failure by an operator (e.g. the employer) to comply with the requirement that the recording, systematization, accumulation, storage, adjustment (update, alteration) and retrieval of personal data of citizens of the Russian Federation be performed using a database located in the territory of the Russian Federation leads to fines:
- for officials – up to RUB 200,000 (approximately US$2,707);
- for legal entities – up to RUB 6,000,000 (approximately US$81,081).
For a repeated violation:
- for officials – up to RUB 800,000 (approximately US$10,811);
- for legal entities – up to RUB 18,000,000 (approximately US$243,243).