At the end of December 2023, a federal law[1] came into force which increases fines for processing personal data in the absence of the written consent of the subject or on the basis of an improperly executed consent.
When is written consent to the processing of personal data required?
As a general rule, consent to the processing of personal data may be given by the subject in any form that allows the receipt of such consent to be confirmed (even verbally). Written consent is required for the processing of special categories of personal data concerning:
- racial and national origin,
- political views,
- religious or philosophical convictions,
- state of health,
- intimate life.
In addition, written consent is required for the processing of biometric personal data, which is information that characterizes the physiological and biological features of a person (e.g., fingerprints, DNA).
Fines for processing personal data without the written consent of the data subject
According to the new rules, a violation committed for the first time will result in a fine for legal entities ranging from three hundred thousand to seven hundred thousand rubles (around EUR 3000 – 7000). Previously, the fines for a similar offense were much smaller, the maximum fine for a legal entity being one hundred and fifty thousand rubles (around EUR 1500).
The fine for the repeated processing of personal data without the required written consent will be from five hundred thousand to one million rubles for individual entrepreneurs (around EUR 5000 – 10 000), while the fine for legal entities will be from one million to one and a half million rubles (around EUR 10 000 – 15 000). Previously, the maximum fine for legal entities for a repeated violation could be up to five hundred thousand rubles (around EUR 5000).
Fines for violations when placing biometrics in the UBS
In addition, the Code of Administrative Offences (CAO) has been supplemented with a new article 13.11.3, which establishes liability for violations in the processing of biometrics.
The placement of biometric data in the Unified Biometric System (UBS) in violation of the legislative requirements will entail an administrative fine for legal entities ranging from five hundred thousand to one million rubles (around EUR 5000 – 10 000). The requirements for placing data in the UBS are set out mainly in Article 4 of Law No. 572[2]: in particular, data shall be placed in the UBS in the presence of the subject, consent to processing shall be given in writing and signed with a “live” or enhanced non-qualified electronic signature, and the consent shall comply with the form established by the Government. In general, the amendments to the CAO primarily concern the processing of biometric personal data and the placement of such data in the UBS. Thus, working with biometric data requires particular attentiveness and strict adherence to the legislation.
[1] Federal Law No. 589-FZ dated 12.12.2023 “On Amendments to the Code of Administrative Offenses of the Russian Federation”.
[2] Federal Law No. 572-FZ dated 29.12.2022 “On the implementation of identification and/or authentication of individuals using biometric personal data…”.