Amendments to the law related to those who collect, process and store any personal data will enter into force on July 01, 2017.

What do these amendments entail?

Major changes will be introduced to the checks of personal data processing, in particular:

  • Previously, only the prosecutor’s office could draw up violation reports, and the procedure took a long time. From July 01, 2017, Roskomnadzor will issue these reports, and checks will be conducted more often;
  • Previously, the fine did not depend on the type of violation and was RUB 1,000 maximum for individual entrepreneurs and company directors, and RUB 10,000 for legal entities. From July 01, 2017, if no privacy policy is posted on websites, individual entrepreneurs and company directors could be fined RUB 10,000, and companies RUB 30,000. And if personal data are processed without the consent of website users, individual entrepreneurs or company directors will be required to pay RUB 20,000, and legal entities RUB 75,000.
  • March 15, 2021 Starting from March 27, 2021 fines for violation of laws on personal data are doubled.

If a complaint about the violation of the rules for personal data processing is lodged by a website user, then in addition to the statutory fines, compensation for moral damage could also be recovered from the offending company.

There are already examples of penalties that have been imposed on companies in breach of the rules for personal data processing:

Our company has a website. Are we going to be affected by this law?

If you have a website with feedback forms, registration or mailing subscription, personal account or a call request button, then you or your company is an operator of personal data.

Please note that if your website is serviced by a third-party company, your company will still be held liable if any violations are identified by state authorities.

What needs to be done to comply with the law?

  • Certain public documents should be posted online such as, for example, user agreement, formal notice, privacy policy, and terms of personal data processing. They may be called differently. The main thing is to post them on the website.
  • It is necessary to introduce a solution online that allows clearly establishing that users have agreed to personal data processing upon their submission. For example, ticking a feedback form or a notice when placing an order. Such webpages may be certified by a notary for security purposes.
  • Internal documents setting out the conditions for personal data storage and liability of employees working with personal data must be drawn and available in companies. Please note that it is not necessary to provide public access to these documents.
  • A notification of personal data operator must be sent to Roskomnadzor. After sending such notification, companies are recorded in the register of personal data operators like Accountor, for example. This should be done before data processing begins, and if this is not done then, this should be done as soon as possible.

How can we assist?

Our experts are here to help draw up public documents that should be posted online and all required internal documents, as well as determine whether or not you need to register with Roskomnadzor as a data operator. If so, we also assist in preparing the required notification. Read more about our services for protection of personal data in Russia. We also offer IT infrastructure and security audit.

Feel free to contact us for advice. We look forward to hearing from you.