
Liability for violation of personal data laws. Changes introduced on December 02, 2019

A law regulating liability for violation of laws on personal data and their online dissemination by personal data operators and information hosts was published on December 02, 2019.

Personal data operators

A personal data operator is an individual or legal entity that, on its own or with other entities, coordinates personal data processing and processes personal data. Operators also determine the processing objectives, the composition of the data to be processed as well as the operations with data.

Obligations of personal data operators

When collecting data (including on the internet), operators must record, classify, gather, store, update, modify and retrieve personal data.

Fines imposed on personal data operators for failure to fulfill obligations: 

  • Individuals – RUB 30,000–RUB 50,000
  • Legal entities – RUB 1,000,000–RUB 6,000,000

In case of repeated offense:

  • Individuals – RUB 50,000–RUB 100,000
  • Legal entities – RUB 6,000,000–RUB 18,000,000

Online information hosts

An online information host is an entity operating information systems and software programs used to receive, transfer, deliver and process electronic messages on the internet, i.e. any information that is transferred or received by the user of a network. 

These electronic messages may be transferred in any form (text, audiovisual, etc.) and be available to the public for online dissemination of information.

It is clear that almost all sites providing services online are classified as online information hosts as defined above. Regardless of the activity – whether sales, advertising, news reporting, etc. – if a website has a contact form, a comment section, forum, chat, etc., then it is an information host. Examples of websites that may be online information hosts:

  • Websites used to place orders for goods or services. On these sites, users may enter their personal data and receive an order confirmation or directly receive an online service immediately after orders are placed;
  • Websites with a forum for communication between users. For example, when users can discuss, compare and leave feedback about products;
  • Websites with online operator services (chats, online consultants, chatbots). Many sites give users the opportunity to write to their operator or bot about their problem in a pop-up window. A phone number or email is usually requested for a consultant to contact the user;
  • Websites allowing feedback or subscription to notifications and messages. Functions such as “Order a call”, “Contact us”, “Subscribe to newsletter” may be on these sites, and users could enter their data to be contacted in the future.

Obligation to notify Roskomnadzor

If a company is an online information host, the company must notify Roskomnadzor of activities related to the processing of personal data on the internet. 

If Roskomnadzor requests the submission of such notice or finds out that the information submitted is incomplete or inaccurate, the company must submit a notice within 5 working days of the date of receipt of the request from Roskomnadzor.

Fines for non-submission of notice to Roskomnadzor

  • Individuals – RUB 1,000–RUB 3,000
  • Company officers – RUB 10,000–RUB 30,000
  • Legal entities and individual entrepreneurs – RUB 100,000–RUB 300,000

In case of repeated offense:

  • Individuals – RUB 5,000–RUB 10,000
  • Company officers – RUB 50,000–RUB 100,000
  • Legal entities and individual entrepreneurs – RUB 500,000–RUB 1,000,000

Obligation to store data

Online information hosts must store:

  • Information about website users – for a year after the user’s actions on the site;
  • Content (text messages, voice data, images, sounds, videos and other messages from users) – for 6 months. 

The government has specified the composition of data to be stored, the place and rules for its storage as well as the procedure for its submission to authorized bodies.

Liability for violation of data storage rules 

If online information hosts:

  • Do not store the abovementioned data, or
  • Do not provide it at the request of an authorized body,

they will be held administratively liable, with fines imposed as follows:

  • Individuals – RUB 3,000–RUB 5,000
  • Company officers – RUB 30,000–RUB 50,000
  • Legal entities and individual entrepreneurs – RUB 800,000–RUB 1,000,000

In case of repeated offense:

  • Individuals – RUB 15,000–RUB 30,000
  • Company officers – RUB 100,000–RUB 500,000 
  • Legal entities and individual entrepreneurs – RUB 2,000,000–RUB 6,000,000

Online information hosts must also fulfill requirements for equipment and for software and hardware. The fines for failure to fulfill these requirements are as follows:

  • Individuals – RUB 3,000–RUB 5,000
  • Company officers – RUB 30,000–RUB 50,000
  • Legal entities and individual entrepreneurs – RUB 300,000–RUB 500,000

In case of repeated offense:

  • Individuals – RUB 15,000–RUB 30,000
  • Company officers – RUB 100,000–RUB 500,000
  • Legal entities and individual entrepreneurs – RUB 2,000,000–RUB 6,000,000

How may we help?

Our specialists can help with the documents related to personal data processing:

  • We can determine whether your company needs to register with Roskomnadzor;
  • We can help with the notification to Roskomnadzor;
  • We can draw up the documents that need to be published on your company’s website as well as all internal documents necessary for your company.

If you have any questions, please feel free to contact us.
