Federal Law No. 19-FZ dated February 24, 2021 amending Article 13.11 of the Code of Administrative Offenses was published on February 24, 2021. Under this new law, fines for violation of personal data laws have been increased twofold, and repeated violations are deemed separate sets of offenses.

The limitation period for offenses related to personal data has been increased from three months to 1 year (Article 4.5(1) Code of Administrative Offenses).

December 04, 2019 What companies need to do to comply with personal data laws in the Russian Federation

More information about the changes introduced by the new law:

Offense Current law New law as amended (effective from March 27, 2021)
Processing of personal data in cases not provided by Russian law, or processing of personal data for purposes other than personal data collection.

First time

 Warning or fines:

  • Fines of RUB 1,000-3,000 for individuals;
  • Fines of RUB 5,000-10,000 for company officers;
  • Fines of RUB 30,000-50,000 for legal entities.
 Fines:

  • Fines of RUB 2,000-6,000 for individuals;
  • Fines of RUB 10,000-20,000 for company officers;
  • Fines of RUB 60,000-100,000 for legal entities.
Repeated violation Are not deemed separate offenses Fines:

  • Fines of RUB 4,000-12,000 for individuals;
  • Fines of RUB 20,000-50,000 for company officers;
  • Fines of RUB 100,000-300,000 for legal entities;
  • Fines of RUB 50,000-100,000 for individual entrepreneurs.
Processing of personal data without the written consent of data subject to process his/her personal data when such consent must be obtained under Russian law, or processing of personal data in violation of the requirements for the information included in such consent.

First time

 Fines:

  • Fines of RUB 3,000-5,000 for individuals;
  • Fines of RUB 10,000-20,000 for company officers;
  • Fines of RUB 15,000-75,000 for legal entities.
 Fines:

  • Fines of RUB 6,000-10,000 for individuals;
  • Fines of RUB 20,000-40,000 for company officers;
  • Fines of RUB 30,000-150,000 for legal entities.
Repeated violation Are not deemed separate offenses Fines:

  • Fines of RUB 10,000-20,000 for individuals;
  • Fines of RUB 40,000-100,000 for company officers;
  • Fines of RUB 300,000-500,000 for legal entities;
  • Fines of RUB 100,000-300,000 for individual entrepreneurs.
Failure by the operator to meet within the deadlines set out under Russian law the requirements provided for data subjects or their representative or authorized body for protection of the rights of data subjects to rectify, block, or destroy their personal data if personal data are incomplete, outdated, inaccurate, illegally obtained or are not necessary for the stated processing purposes.

First time

 Warning or fines:

  • Fines of RUB 1,000-2,000 for individuals;
  • Fines of RUB 4,000-10,000 for company officers;
  • Fines of RUB 25,000-45,000 for legal entities;
  • Fines of RUB 10,000-20,000 for individual entrepreneurs.
 Fines:

  • Fines of RUB 2,000-4,000 for individuals;
  • Fines of RUB 8,000-20,000 for company officers;
  • Fines of RUB 50,000-90,000 for legal entities;
  • Fines of RUB 20,000-40,000 for individual entrepreneurs.
Repeated violation Are not deemed separate offenses Fines:

  • Fines of RUB 20,000-30,000 for individuals;
  • Fines of RUB 30,000-50,000 for company officers;
  • Fines of RUB 300,000-500,000 for legal entities;
  • Fines of RUB 50,000-100,000 for individual entrepreneurs.
Failure by the operator to fulfill the obligation provided by Russian law to publish or otherwise provide unrestricted access to the document defining the operator’s policy on personal data processing or to information on the requirements implemented to protect personal data. Warning or fines:

  • Fines of RUB 700-1,500 for individuals;
  • Fines of RUB 3,000-6,000 for company officers;
  • Fines of RUB 15,000-30,000 for legal entities;
  • Fines of RUB 5,000-10,000 for individual entrepreneurs.
 Fines:

  • Fines of RUB 1,500-3,000 for individuals;
  • Fines of RUB 6,000-12,000 for company officers;
  • Fines of RUB 30,000-60,000 for legal entities;
  • Fines of RUB 10,000-20,000 for individual entrepreneurs.
Failure by the operator to fulfill the obligation provided by Russian law to provide data subjects with information about personal data processing. Warning or fines:

  • Fines of RUB 1,000-2,000 for individuals;
  • Fines of RUB 4,000-6,000 for company officers;
  • Fines of RUB 20,000-40,000 for legal entities;
  • Fines of RUB 10,000-15,000 for individual entrepreneurs.
 Fines:

  • Fines of RUB 2,000-4,000 for individuals;
  • Fines of RUB 8,000-12,000 for company officers;
  • Fines of RUB 40,000-80,000 for legal entities;
  • Fines of RUB 20,000-30,000 for individual entrepreneurs.
Failure by the operator upon processing of personal data without automation tools to comply with the conditions ensuring under Russian law the safety of personal data when stored on physical media and excluding unauthorized access to personal data if this entailed illegal or accidental access to personal data, their destruction, modification, blocking, copying, provision, dissemination, or other unlawful actions. Fines:

  • Fines of RUB 700-2,000 for individuals;
  • Fines of RUB 4,000-10,000 for company officers;
  • Fines of RUB 25,000-50,000 for legal entities;
  • Fines of RUB 10,000-20,000 for individual entrepreneurs.
 Fines:

  • Fines of RUB 1,500-4,000 for individuals;
  • Fines of RUB 8,000-20,000 for company officers;
  • Fines of RUB 50,000-100,000 for legal entities;
  • Fines of RUB 20,000-40,000 for individual entrepreneurs.
Failure by an operator, which is a state or municipal body, to fulfill the obligation provided by Russian law to depersonalize personal data or non-compliance with the set requirements or methods for personal data depersonalization. Warning or fines of RUB 3,000-6,000 for company officers. Fines of RUB 6,000-12,000 for company officers.

Our support

We offer advice on personal data law, help drawing up all necessary documents, and can also conduct audits of IT infrastructure.

152-FZ Company risks Fines GDPR Personal data protection