Can breaches of the law on personal data protection lead to administrative sanctions or criminal penalties? How would such violations be prosecuted? The article describes the consequences of non-compliance with the law.
The Constitution of the Russian Federation (Article 24) prohibits the collection, storage and use of information on the private life of any person without his or her consent. This constitutional right is also protected by the Law “On Personal Data”. According to Article 24 of 152-FZ, persons violating the law are subject to civil, administrative or criminal liability.
Liability for violation of 152-FZ
civil – property sanctions are imposed on the violator of the law;
administrative – payment of a fine, suspension of activities, prohibition to hold certain offices;
criminal – imprisonment for a period determined by the legislation for the specific case;
disciplinary – an employee is subject to a reprimand or dismissal.
Civil liability
According to Article 13.11 of the Code of Administrative Offences of the Russian Federation, the data operator or its officials can be charged with several violations in the processing of personal data.
Part 1 of Article 13.11 – processing of personal data in cases not provided for by the legislation of the Russian Federation, or processing of personal data that is incompatible with the purposes for which the PD was collected.
Fines for non-compliance
Companies – up to 50 000 rubles
Officials – up to 10 000 rubles
For example, scans of documents collected via a website can be considered excessive information. It is also a breach if you obtain a subject’s data for the execution of a contract but use this information for other purposes, such as marketing activities.
Part 2 of Article 13.11 – data processing without the subject’s written consent when obtaining such consent is required.
Fines for non-compliance
Companies – up to 75 000 rubles
Officials – up to 20 000 rubles
IP addresses and cookies are classed as PD. If you gather this information on your website without notifying users, you could be fined.
Part 3 of Article 13.11 – failure to publish the policy on data processing on the website.
Fines for non-compliance
Companies – up to 35 000 rubles
Officials – up to 6 000 rubles
Individual entrepreneurs – 10 000 rubles
Part 4 of Article 13.11 – failure of the operator to fulfill the obligation, provided by the legislation of the Russian Federation in the field of personal data, to provide the PD subject with information concerning the processing of their personal data.
Fines for non-compliance
Companies – up to 40 000 rubles
Officials – up to 6 000 rubles
Individual entrepreneurs – up to 15 000 rubles
This applies if you ignore individuals’ requests regarding the processing and protection of their personal data, or provide false information.
Part 5 of Article 13.11 – failure of the operator to fulfill the demand of the personal data subject to clarify, block or destroy the personal data where it is incomplete, outdated, inaccurate, illegally obtained or not necessary for the purpose of processing.
Fines for non-compliance
Companies – up to 45 000 rubles
Officials – up to 10 000 rubles
Individual entrepreneurs – up to 20 000 rubles
Processing of personal data must be terminated upon request of the subject of personal data or Roskomnadzor. If this request is ignored, a fine will be imposed.
Part 6 of Article 13.11 – failure of the operator, when processing PD without the use of automation, to fulfill the obligation to maintain conditions that ensure the safety of personal data stored on physical media and exclude unauthorized access to it, if this has resulted in unlawful or accidental access to the personal data, or in its destruction, alteration, blocking, copying, provision, dissemination or other unlawful actions concerning the personal data, in the absence of signs of criminal activity.
Fines for non-compliance
Companies – up to 50 000 rubles
Officials – up to 10 000 rubles
Individual entrepreneurs – up to 20 000 rubles
To fulfill this requirement you must store separately the personal data (physical media) that is processed for different purposes, and provide a list of persons allowed to process personal data.
Disciplinary liability
Chapter 14 of the Labour Code covers the protection of employees' personal data. Employees have the right to appeal in court against the employer's actions in processing their personal data, and the employees responsible for the violations will receive a reprimand or even be dismissed. The Code also states that disclosure of any legally protected secret, including the personal data of another employee, may result in dismissal at the employer's initiative.
Criminal liability
The Russian Criminal Code ensures the protection of personal or family secrets from the illegal collection or disclosure of information on private life. A fine of 300,000 rubles or more may be imposed as a penalty for the offence. A penalty of up to four years' imprisonment is also established.
How to avoid liability for violation of 152-FZ
The leakage of personal data and the penalties seriously damage the reputation of the business and lead to a loss of customers, especially if the personal information has been used for illegal credit processing or for participation in advertising campaigns.
Summing up, we should note that Roskomnadzor has always paid special attention not to the package of documents but to the principles and conditions of personal data processing.
Cloud4Y strongly recommends complying with the requirements of Russian law and taking the protection and storage of personal data seriously. Our company is ready to take responsibility for organizing a safe and compliant storage system for your personal data. We cooperate with both business and government agencies. Our secure circuit has all the necessary certificates from FSB, FSTEC and other organizations.