Violations of personal data protection rules carry administrative liability. The fines are not high: 5,000-10,000 rubles for the company and 500-1,000 rubles for the company’s chief executive. However, each instance of a violation may be fined separately, so 10,000 rubles can easily grow into 50,000-100,000 rubles in the course of a single inspection.
The agency responsible for regulating this is the Federal Service for Supervision in the Sphere of Communications, Information Technology, and Mass Communications (also known as Roscomnadzor). However, this agency is not entitled to administer or collect fines. Roscomnadzor passes all documentation on the violations it discovers to the Office of the Public Prosecutor. The Public Prosecutor is authorized to decide whether to file charges for administrative violations. The final decision on imposing fines belongs to the courts.
Since November 2007, Roscomnadzor has conducted 3307 inspections.
In 2011, 1743 inspections were conducted; in other words, more than half of the total number of inspections accumulated in the past 4 years. The numbers of planned and off-schedule (based on complaints) inspections were 954 and 789, respectively. The number of complaints received from private persons and organizations is constantly growing, from 465 in 2009 to 3,240 in 2011 (by Dec 26, 2011).
Fines are also growing and, to date, exceed 12.5 billion rubles. That said, the average fine is 3,000-5,000 rubles.
It is worth noting that, according to the law, the regulations apply not only to companies and organizations working with client databases. The requirements must be met by all companies with at least one person on staff. This is because legislators included in the list of personal data all information that a company receives from employees when they are hired. Therefore, this data must be protected in full accordance with the law.
In an inspection, the first thing inspectors will want to see is an administrative order by a chief executive of the company assigning a person to be in charge of personal data and its protection. Another document must confirm a list of personal data used in the course of company activity.
The next stage is to draft and approve a list of persons admitted to work with personal data.
Another document that must be prepared and approved is an Instruction for work with personal data. The Instruction must include all specific requirements for collecting, storing, combining, transferring and any other use of personal data, as well as guarantees for its protection. All employees allowed to work with personal data must be familiar with the Instruction and confirm their acknowledgement of it by signature.
There is another very important aspect: the company must notify Roscomnadzor that it uses personal data in its activities. This is a controversial issue.
At first sight, the law exempts companies that work only with the personal data of their employees from this requirement. In practice, however, Roscomnadzor often demands the notification regardless, taking advantage of the law’s inconsistencies. Under Article 22 of the Law on Personal Data (Personal Information Protection Act), which creates the exemption, transferring this data to a bank in order to pay salaries into bank accounts, or transferring information to state agencies when submitting information about employees, becomes an exception to the exception. Therefore, to avoid unnecessary arguments and fines, we suggest filing the notification.
Copyright © 2005- Enquiry Service of Legal Entities LLC.
All rights reserved.