Personal data protection changes in the year. Federal Law on Personal Data. Notification may not be submitted if

In particular, it expanded the list of grounds for bringing to administrative responsibility for the illegal processing of personal data (PD) and increased fines.

Personal data: fines

| Grounds | Individuals | Officials | Legal entities | Individual entrepreneurs |
| --- | --- | --- | --- | --- |
| Processing of personal data in cases not provided for by the legislation of the Russian Federation; processing of personal data incompatible with the purposes of its collection | warning or fine from 1,000 to 3,000 rubles | warning or fine from 5,000 to 10,000 rubles | warning or fine from 30,000 to 50,000 rubles | – |
| Processing of personal data without the written consent of its subject | fine from 3,000 to 5,000 rubles | fine from 10,000 to 20,000 rubles | fine from 15,000 to 75,000 rubles | – |
| Failure to fulfill the obligation to publish or provide access to a document defining the personal data processing policy, or to information on the protection of personal data | fine from 700 to 1,500 rubles | fine from 3,000 to 6,000 rubles | fine from 15,000 to 30,000 rubles | fine from 5,000 to 10,000 rubles |
| Failure to provide the personal data subject with information on the processing of their data | warning or fine from 1,000 to 2,000 rubles | warning or fine from 4,000 to 6,000 rubles | warning or fine from 20,000 to 40,000 rubles | warning or fine from 10,000 to 15,000 rubles |
| Failure by the operator to comply with a request of the personal data subject or their representative to clarify, block or destroy the data (where it is incomplete, outdated, inaccurate, illegally obtained, or not necessary for the stated purpose of processing) | warning or fine from 1,000 to 2,000 rubles | warning or fine from 4,000 to 10,000 rubles | warning or fine from 25,000 to 45,000 rubles | warning or fine from 10,000 to 20,000 rubles |
| Failure by the operator to ensure the safety of personal data processed without automation means, which led to unauthorized or accidental access to the data and caused its destruction, modification, blocking or copying | fine from 700 to 2,000 rubles | fine from 4,000 to 10,000 rubles | fine from 25,000 to 50,000 rubles | fine from 10,000 to 20,000 rubles |
| Failure of the operator (state or municipal body) to fulfill the obligation to anonymize personal data; non-compliance with the requirements for anonymization of personal data | – | warning or fine from 3,000 to 6,000 rubles | – | – |

Please note: it is precisely this ground, processing personal data without obtaining the consent of its subject, that carries the largest fines for all categories of violators: up to 75,000 rubles.

In this regard, many questions arise; the most frequently asked are:

  • Am I a data controller?
  • Does the Personal Data Law apply to me?
  • How to notify Roskomnadzor about the processing of personal data?
  • What should a website owner do to avoid fines?

Let's deal with all the questions in order.

As of July 1, 2017, changes to Art. 13.11 of the Code of Administrative Offenses of the Russian Federation, on administrative liability for violating the legislation on personal data of individuals, came into force. Since the amendments affect everyone who uses personal data, we will consider these innovations in our article.

Processing of personal data – 2017

Personal data is any information directly or indirectly related to a specific individual (name, residential address, date of birth, passport details, telephone number, photo, email address, etc.). An organization, government agency or individual that collects and processes personal data is called an operator (Law on Personal Data dated July 27, 2006 No. 152-FZ). These include employers, as well as everyone who receives personal data from citizens - medical institutions, educational institutions, online stores, etc.

For the employer, such data is necessary in connection with employment relations. They can only be received personally from the employee himself, and from third parties - with his written consent. The individual gives written consent to the processing of personal data. The form is not approved by law; you can draw it up yourself, taking into account the requirements of paragraph 4 of Art. 9 of Law No. 152-FZ (Clause 3, Part 1, Article 86 of the Labor Code of the Russian Federation, Clause 1, Article 9 of Law 152-FZ).


It is unacceptable to collect and process employee personal data that is not related to his work activity, for example, about participation in public associations, religion, personal life, etc. The same applies to other operators who request data that is not related to the purpose of their processing (for example, indicating passport data in a questionnaire about assessing the site’s performance). The received data should not be disclosed to third parties or distributed without the consent of the individual (Article 7 of Law No. 152-FZ).

The operator is obliged to provide adequate protection to the data, for which it establishes the procedure for their receipt, processing and storage in the Regulations on Personal Data or other internal regulations. The document defines the necessary measures and also assigns a person responsible for processing. Access to such data should be allowed only to authorized persons, and they have the right to receive only the information necessary to perform specific functions (Article 88 of the Labor Code of the Russian Federation, Article 18.1 of Law No. 152-FZ).

The regulations on personal data, or another document setting out the policy for their processing, must be made publicly accessible and presented at the request of authorized bodies; this applies to both employers and other operators (Parts 2 and 4 of Article 18.1 of Law No. 152-FZ).

Personal data – 2017: new in administrative responsibility

Law No. 13-FZ dated 02/07/2017 adopted a new version of Article 13.11 of the Code of Administrative Offenses of the Russian Federation. Where previously the article contained a single offense, violation of the Federal Law on personal data, it now lists seven grounds for administrative liability and, accordingly, different fines. It is likely that if several violations are detected at one operator, it will face several fines rather than one.

Also, Articles 28.3 and 28.4 of the Code of Administrative Offenses of the Russian Federation have undergone changes, simplifying the process of bringing operators to justice: from 07/01/2017, protocols on violations of Law 152-FZ on personal data are drawn up by Roskomnadzor employees, and not by the prosecutor, as before. The period for bringing to justice remained the same - 3 months.

What are they fined for now?

So, here are the grounds on which entrepreneurs and organizations processing personal data can now be held administratively liable:

  • Data is processed in cases not provided for by the Federal Law on personal data, or the processing is incompatible with the purposes of collection (Part 1 of Article 13.11 of the Code of Administrative Offenses of the Russian Federation). Illegal use of personal data, if it does not entail criminal liability, is subject to a warning or a fine: for individuals 1,000-3,000 rubles, for officials 5,000-10,000 rubles, for organizations 30,000-50,000 rubles.
  • Data is processed without the written consent required by law (Clause 2 of Article 13.11 of the Code of Administrative Offenses of the Russian Federation). Consent to processing must contain the information specified in Part 4 of Art. 9 of Law 152-FZ on personal data. The 2017 changes provide, from July 1, the following fines for its absence: for individuals 3,000-5,000 rubles, for officials 10,000-20,000 rubles, for organizations 15,000-75,000 rubles.
  • Unrestricted access to the operator's personal data processing policy is not provided (Clause 3 of Article 13.11 of the Code of Administrative Offenses of the Russian Federation). The obligation to provide access is established in Clause 2 of Art. 18.1 of Law 152-FZ on personal data. If such a document cannot be consulted on paper, or on the website when data is collected via the Internet, operators will pay 700-1,500 rubles (individuals), 3,000-6,000 rubles (officials), 5,000-10,000 rubles (individual entrepreneurs) or 15,000-30,000 rubles (organizations); at best the matter will end with a warning.
  • Failure to provide a person with information regarding the processing of his personal data (Clause 4 of Article 13.11 of the Code of Administrative Offenses of the Russian Federation). The procedure for requesting such information is prescribed in Article 14 of Law 152-FZ. From 07/01/2017 this violation is subject to a warning or a fine of 1,000-2,000 rubles (individuals), 4,000-6,000 rubles (officials), 10,000-15,000 rubles (individual entrepreneurs) or 20,000-40,000 rubles (organizations).
  • Failure to comply within the established time frame with a request to block, change or destroy personal data (Clause 5 of Article 13.11 of the Code of Administrative Offenses of the Russian Federation). An individual or his representative may make such a request if the data is incomplete, inaccurate, obtained in violation of the law or out of date, as established by Article 21 of Law No. 152-FZ on personal data. Violators will receive a warning or a fine: 1,000-2,000 rubles for individuals, 4,000-10,000 rubles for officials, 10,000-20,000 rubles for individual entrepreneurs, 25,000-45,000 rubles for organizations.
  • Failure to comply with the conditions ensuring the safety of personal data during non-automated processing (Clause 6 of Article 13.11 of the Code of Administrative Offenses of the Russian Federation). This applies to “paper” data, unauthorized access to which has caused its destruction, damage, illegal distribution, etc. Failure to ensure personal data protection in 2017 entails a fine of 700-2,000 rubles for citizens, 4,000-10,000 rubles for officials, 10,000-20,000 rubles for individual entrepreneurs and 25,000-50,000 rubles for organizations.

These are the changes in the protection of personal data in 2017, effective from July 1. As we can see, the offenses have become more specific, and the fines for operators have become noticeably tougher.

Don't rush to close the article. You probably mentally asked yourself the question: “What does this have to do with me?” — I answer, this law may affect you, too, and you may not even suspect it. Let's go in order.

Introduction

On February 7, 2017, amendments were made to Article 13.11 of the Code of Administrative Offenses regarding violations of the law on personal data. These amendments will come into force soon - July 1, 2017.

What is personal data?

Personal data can be understood as any information directly or indirectly related to a specific individual (subject of personal data) - paragraph 1 of Article 3 of the Federal Law of July 27, 2006 No. 152-FZ. Examples of such information may be last name, first name, patronymic, date and place of birth, place of residence, etc.

What will change on July 1, 2017?

The new Federal Law No. 13-FZ of 02/07/2017 significantly expanded the list of grounds for bringing persons to administrative responsibility in the field of personal data protection, and also increased the amount of administrative fines.

What’s interesting is that it will not be the prosecutor’s office, as before, but Roskomnadzor that will issue protocols for violations in this area. This means that things will go much faster and fines will be sent out in batches, if not in packages.

What do we have to do with it

Probably most of my readers still don’t understand how all this applies to them. But the line here is very thin; how do you know if you are a personal data operator?

If, with the help of your blog, website, portal or online store, you receive any personal data from a user (which data, see above), then you automatically fall under this law. Put simply: can a user register on your site by entering a name, email or address? Congratulations, you are already covered by the law.

This applies to you if:

Your website allows user registration (even with a minimal set of data such as “name + e-mail”). Examples:

  • forums;
  • social media;
  • many news sites;
  • online stores;
  • blogs;
  • sites with private advertisements;
  • and so on.

Your website allows users to enter personal data into forms that are subsequently published on the website or sent by e-mail. For example, if the site has a “call me back” function, the ability to send a quick order or subscribe to a newsletter, etc.

Your website already contains real personal data of citizens.

Your company (legal entity or individual entrepreneur) processes citizens' personal data on an ongoing basis. This is true for:

  • most law firms;
  • absolutely all registrars (in the sense of companies involved in registration of legal entities and individual entrepreneurs, changes, liquidation, and so on);
  • registrar;
  • accounting companies providing accounting and HR outsourcing services;
  • banks, microfinance organizations and other financial sector companies working with citizens’ data;
  • medical institutions;
  • shops, beauty salons and other similar organizations with personal club cards (this is especially popular among chain cosmetics stores);
  • educational organizations and institutions (including those conducting short-term courses or one-time trainings);
  • Homeowners associations and management companies in the housing and communal services sector;
  • travel agencies;
  • arbitration courts;
  • and so on.

Your company actively works with freelancers (under a civil contract).

Your company uses CRM or similar systems.

What to do?

You need to be able to work correctly with personal data.

At a minimum you need:

  • obtain written consent from each user, client or subscriber for the processing, storage and distribution of personal data;
  • publish publicly available information about everything related to the user’s personal data;
  • request only the data that is needed for a specific purpose. For example, you cannot ask for a home address or passport information to subscribe to an email newsletter;
  • use data only for the purposes specified in the documents and about which the person was warned;
  • inform, upon request of a person, what data you have about him, how and why it is processed and to whom you transferred it;
  • delete, upon request, the data that is used to send information about discounts and promotions;
  • store databases in a safe place, protect them from hacking and leakage;
  • train employees to work with personal data.

Exceptions

This does not concern you in the following cases, since the Federal Law “On Personal Data” does not apply to them:

  1. The processing of personal data is carried out by individuals solely for personal and family needs, provided that the rights of the subjects of personal data are not violated;
  2. Processing of personal data is carried out when working with documents from the Archive Fund of the Russian Federation and similar documents;
  3. Personal data is classified as information constituting a state secret;
  4. Personal data refers to public information about the activities of courts in the Russian Federation.

Unfortunately, I am not a lawyer in this area and I cannot give you exact answers on what exactly you need to do to protect yourself 100%. Well, even the pros themselves cannot give definite answers, since there are a lot of nuances and inaccuracies, not to mention the fact that the law has not come into force. In any case, the purpose of my post was precisely to warn you that such “crap” exists. Well, then, as they say, forewarned is forearmed.

One of the most important changes in legislation that awaits personnel officers in the summer of 2018 is the following: from July 1, fines for personal data will increase. If previously the maximum fine was 10,000 rubles, now it can reach 75,000 rubles. In addition, from July 1, Roskomnadzor will be able to fine employers directly, while previously cases of this category were initiated by the prosecutor’s office. Let’s take a closer look at how fines for personal data will increase from July 1.


Personal data of employees

Before considering penalties for personal data in 2018, let us find out what counts as such data. Personal data of employees is information that relates directly or indirectly to an individual: information about facts, events and circumstances of private life that make it possible to identify a person, with the exception of information that is subject to dissemination in the media (Clause 1, Article 3 of Law No. 152-FZ of July 27, 2006, hereinafter referred to as Law No. 152-FZ; Decree of the President of the Russian Federation of March 6, 1997 No. 188).


There are three types of personal data of employees: general, special and biometric. General data includes:

  • full name, place of residence;
  • passport details;
  • information about education;
  • family status;

General personal data of employees is contained in a passport, diploma, military ID, personal card, work book and other documents.

From July 1, fines for personal data processed in violation of the ban on special data will increase. Special data includes information about (Part 1, Article 10 of Law No. 152-FZ):

  • racial or national affiliation;
  • political views;
  • religious or philosophical beliefs;
  • state of health, and the like.

Special personal data of employees may be in the questionnaire that the employee fills out when hiring, a medical report, etc.

Serious fines for violating the law on personal data threaten if the procedure for working with biometric data is violated. This is information about the physiological and biological characteristics of a person, by which his identity can be established. For example, features such as:

  • fingerprint data;
  • iris of the eyes;
  • DNA tests;
  • height, weight, etc.

Note! A photograph or video recording also constitutes biometric personal data if it can be used to identify a person. The exception is photo and video recordings made at mass and public events (Clause 1 of Article 152.1 of the Civil Code of the Russian Federation).

New fines: personal data

In 2017, from July 1, fines for personal data will increase. Amendments to the Code of Administrative Offenses of the Russian Federation were introduced by Federal Law No. 13-FZ dated 02/07/2017. The changes in the amounts of new fines for personal data are significant. Therefore, personal data operators, which include all employers, need to carefully prepare for the changes.

The current version of Article 13.11 of the Code of Administrative Offenses of the Russian Federation contains only one general basis for bringing an organization to administrative responsibility - for violating the procedure for collecting, storing, using or distributing personal data defined by law. From July 1, fines for personal data will increase and there will be seven types of violations for which you can be punished.

Important: currently the maximum fine is 1,000 rubles (for officials) and 10,000 rubles (for legal entities). From July 1, the maximum will increase to 20,000 and 75,000 rubles respectively.

Along with the increase in fines for personal data from July 1, the procedure for opening cases of administrative offenses in the field of personal data will also change. Currently such cases are initiated by prosecutors (Clause 1 of Article 28.4 of the Code of Administrative Offenses of the Russian Federation). From July 1, 2017, these powers are transferred to officials of Roskomnadzor (Subclause 58, Clause 2, Article 28.3 of the Code of Administrative Offenses of the Russian Federation, as amended). They will be able to impose the new fines for personal data themselves:

  • fine for disclosure of personal data;
  • fines for incorrect processing of personal data;
  • fine for disseminating personal data;
  • fines for violation of work with personal data, and so on.

Transferring the functions of initiating administrative cases to Roskomnadzor will speed up the process of holding employers accountable. Currently, such bodies only collect information about violations and transfer it to the prosecutor's office to decide on the application of administrative punishment.

Personal Data Law: Fines

From July 1, fines for personal data will increase. Let's look at the seven offenses that will be introduced on July 1 (table below). For violation of the law on personal data, fines for organizations will range from 15,000 to 75,000 rubles.

Fines for violation of the law on personal data from July 1, 2017

| Type of offense | Sanction for officials | Sanction for organizations | Legal basis |
| --- | --- | --- | --- |
| Processing of personal data by the employer in cases not established by law, or incompatible with the purposes of collecting the personal data | Warning or fine from 5,000 to 10,000 rubles | Warning or fine from 30,000 to 50,000 rubles | Part 1 of Art. 13.11 of the Code of Administrative Offenses of the Russian Federation |
| Processing of personal data without the written consent of the employee, when it must be obtained, or where the consent lacks the necessary information | Fine from 10,000 to 20,000 rubles | Fine from 15,000 to 75,000 rubles | Part 2 of Art. 13.11 of the Code of Administrative Offenses of the Russian Federation |
| Failure to publish or provide access to a document defining the personal data processing policy | Warning or fine from 3,000 to 6,000 rubles | Warning or fine from 15,000 to 30,000 rubles | Part 3 of Art. 13.11 of the Code of Administrative Offenses of the Russian Federation |
| Failure to provide an employee with information relating to the processing of his personal data | Warning or fine from 4,000 to 6,000 rubles | Warning or fine from 20,000 to 40,000 rubles | Part 4 of Art. 13.11 of the Code of Administrative Offenses of the Russian Federation |
| Failure to comply with a request of an employee or a Roskomnadzor department to clarify, block or destroy personal data where the data is incomplete, outdated, inaccurate, illegally obtained or not required for the stated purpose of processing | Warning or fine from 4,000 to 10,000 rubles | Warning or fine from 20,000 to 45,000 rubles | Part 5 of Art. 13.11 of the Code of Administrative Offenses of the Russian Federation |
| Failure to ensure the safety of personal data when storing physical media of personal data, if this resulted in unlawful or accidental access to the data, its destruction, modification, blocking, copying, provision, distribution or other unlawful actions | Fine from 4,000 to 10,000 rubles | Fine from 20,000 to 50,000 rubles | Part 6 of Art. 13.11 of the Code of Administrative Offenses of the Russian Federation |
| Failure to fulfill the obligation to anonymize personal data, or failure to comply with the established requirements or methods for anonymizing such data (for state and municipal authorities) | Warning or fine from 3,000 to 6,000 rubles | – | Part 7 of Art. 13.11 of the Code of Administrative Offenses of the Russian Federation |

To avoid increased new fines for personal data in 2018, employers need to analyze whether they have correctly organized the system for working with personal data, identify and eliminate shortcomings. In particular, it is important to check whether the employer has obtained written consent from employees for data processing where it is required.

Consent to the processing of personal data in writing must be obtained when (subclause 1, clause 2, article 10, clause 1, article 11, subclause 1, clause 4, article 12 of Law No. 152-FZ):

  • we are talking about their transfer to a state that does not provide the necessary protection of personal data;
  • biometric data is processed to establish identity;
  • special categories of information are processed that relate to race, nationality, political views, religious or philosophical beliefs, health status or intimate life.

The legal information portal contains a document signed by the President of the Russian Federation “On Amendments to the Code of the Russian Federation on Administrative Offenses”, establishing new fines for violating the legislation of the Russian Federation in the field of personal data, which will come into force on July 1, 2017.

The provisions of the Federal Law clarify the grounds for applying administrative liability measures for violation of the legislation of the Russian Federation in the field of personal data, taking into account the amendments made to the Federal Law of July 27, 2006 No. 152-FZ “On Personal Data”. Changes are being made mainly to Article 13.11, as well as Articles 28.3 and 28.4 of the Code of Administrative Offenses of the Russian Federation.

So, what will change in the field of personal data from July 1, 2017? The new version of Article 13.11 now contains seven specific offenses and provides for corresponding fines, the highest of them being 75 thousand rubles (for legal entities). Unlike the previous edition of Article 13.11, the new edition clearly establishes the cases for which a PD operator may be punished. For example, under the old Article 13.11 it was possible to punish violations of Federal Law No. 242; under the new edition this will no longer be possible, just as it will be difficult to punish failure to notify Roskomnadzor.

The texts of Article 13.11 are briefly presented in the figure below. A more detailed description can be downloaded in the form of a table. A clause-by-clause analysis is given in the article.

Let us recall that changes to Article 13.11 have been prepared since December 2014, but work on them was frozen for a long time by legislators. The most significant point of the early version of this bill was the relatively large (up to 300,000 rubles) fine for unlawful processing of personal data of special categories, but in the adopted version this text was removed:

Processing of special categories of personal data relating to race, nationality, political views, religious or philosophical beliefs, health status, intimate life, and also personal data on criminal records, in cases not provided for by the legislation of the Russian Federation on personal data,
- entails the imposition of an administrative fine on citizens from three thousand to five thousand rubles; on officials from ten thousand to twenty-five thousand rubles; on individual entrepreneurs from fifty thousand to one hundred thousand rubles; on legal entities from one hundred fifty thousand to three hundred thousand rubles.

What are the main consequences of the amendments? There are several of them:

  1. Because the wording of Article 13.11 has become more specific, many experts are expressing concern that the scheme for assigning penalties may change fundamentally. Under the current edition there could be a single penalty for “violation of the order established by law...”, no matter how many violations were found; the new wording of Article 13.11 simply lists seven offenses, for each of which a separate protocol can be drawn up and a separate fine assigned. Apparently, we should expect an increase in the total amount of fines upon inspection.
  2. After July 1, protocols on administrative offenses classified under the new wording of Article 13.11 will be drawn up by officials of Roskomnadzor and its territorial departments, and not by prosecutors, as now. The period for bringing to justice remains the same as before, 3 months, but the procedure has been significantly simplified: the chain “territorial department of Roskomnadzor” - “Prosecutor's Office” - “Court” has been shortened, materials will move faster and there will most likely be more fines.
  3. Not all violations previously qualified under Article 13.11 can be held against operators in accordance with the new edition: this article does not provide, for example, liability for failure to comply with Federal Law No. 242 on the localization of personal data bases.