It is not uncommon for entrepreneurs to consider using databases of potential customers in their commercial activities. There are many different offers on the market to buy and sell databases of personal data, but when buying them, it is worth considering the legislation on personal data and its application to the buyer of such data. Let us consider the main problems that a buyer of personal data bases may face.

The problem of buyer’s consent to processing of personal data

Any database contains personal data (at least full name and contact details of an individual). If we consider persons who sell databases (hereinafter – DBs), the seller of DBs must collect the relevant consents (and made on a separate document) on the authorization of the subject of personal data to distribute them. At the same time, the legislation in force stipulates that the consent must specify the specific purposes of their processing and, accordingly, the transfer of personal data to third parties (paragraph 1, part 1, Article 6, part 4, Article 9 of the Law on Personal Data).

Since databases for subsequent sale are collected for an indefinite number of persons, the description in the consent of the seller of the database of all purposes properly seems doubtful. In this regard, the purchase of even a legally collected database may become a violation if the consent is not properly executed.

If such a database is purchased (with incorrectly executed consents), the purchaser will be fined for the processing of personal data under part 2 of Article 13.11 of the Code of Administrative Offenses of the Russian Federation. There is no criminal liability for such violations.

If the consent is executed correctly, then on the basis of part 4 of Article 6 of the Law on Personal Data, the processing of personal data will not be a violation of the law, as the buyer of the DB in this case is not obliged to obtain the consent of the subject of personal data for the processing of his personal data (Appellate Determination of the Saratov Regional Court of 11.01.2019 N 33-28/2019, Appellate Determination of the Moscow Regional Court of 23.03.2015 in case N 33-6483/2015).

Nevertheless, it should be taken into account that on the market there are often sellers of databases collected illegally, without formalizing the relevant consents from the subjects of personal data.

Is it legal to buy databases?

To date, no liability for the purchase of databases has yet been introduced. Nevertheless, this issue (the introduction of both administrative and criminal liability) for the sale and purchase of illegal databases has been discussed since 2019 and is likely to be regulated by law in the near future.

Thus, today the purchase of a database itself is not an offense, but one can be held liable for processing personal data without the subject’s consent.

Processing of personal data without the consent in writing of the subject of personal data to the processing of his personal data in cases where such consent must be obtained in accordance with the legislation of the Russian Federation in the field of personal data, if these actions do not contain a criminal offense, shall entail the imposition of an administrative fine (part 2, 3 of article 4.1.2, part 2 of article 13.11 of the CAO of Russia):

  • for citizens in the amount of 6,000 to 10,000 rubles;
  • for officials – from 10,000 to 40,000 rubles;
  • for legal entities – from 30,000 to 150,000 rubles.

The moral damage caused by violation of the rights of the subject of personal data is also subject to compensation in accordance with the legislation of the Russian Federation (Articles 1099 – 1101 of the Civil Code of the Russian Federation, Article 24 of the Law on Personal Data).

Criminal liability for violations in the handling of personal data is established (may occur if the database itself is collected illegally):

  • For unlawful collection or dissemination of information about the private life of a person, constituting his/her personal and family secret, without his/her consent (part 1 of article 137 of the Criminal Code of the Russian Federation);

The problem of obtaining consent to receive advertising

Since the database is acquired for the purpose of attracting new customers, therefore the Law on Advertising applies to these legal relations.

In accordance with Part 1 of Article 18 of the Law on Advertising distribution of advertising over telecommunications networks, including through the use of telephone, facsimile, mobile radio telephony, is allowed only with the prior consent of the subscriber or addressee to receive advertising. At the same time, advertising is recognized as disseminated without the prior consent of the subscriber or addressee, unless the advertiser proves that such consent was obtained. The advertising distributor shall be obliged to immediately stop distributing advertisements to the person who addressed him with such a request.

Consent to receive advertising must be obtained separately from consent to the processing of personal data (Decision of the Thirteenth Arbitration Appeal Court of 29.09.2022 N 13AP-25207/2022 in case N A56-41177/2022).

In case of violation of this requirement on the distributor of advertising may be imposed liability in accordance with Art. 14.3. of the CAO RF:

Violation by an advertiser, advertising producer or advertising distributor of legislation on advertising shall entail the imposition of an administrative fine:

  • for citizens in the amount of 2,000 to 2,500 rubles;
  • for officials – from 4,000 to 20,000 rubles;
  • for legal entities – from 100,000 to 500,000 rubles.

Employee liability for illegal copying of database

Employees who illegally copy the database may be held liable for the following types of liability:

A) The employee will be subject to disciplinary liability in the form of dismissal under subparagraph B, paragraph 6, Article 81 of the Labor Code of the Russian Federation.

B) Criminal liability:

  • unlawful collection or dissemination of information about a person’s private life, which constitutes his/her personal and family secret, without his/her consent (part 1 of article 137 of the Criminal Code of the Russian Federation);
  • Illegal access to computer information, which resulted in the destruction, blocking, modification (change) or copying of information (part 1 of article 272 of the Criminal Code of the Russian Federation, paragraph 3 of the Resolution of the Plenum of the Supreme Court of the Russian Federation of 15.12.2022 N 37) Under this article, the employee who received and unauthorized copying of personal data base is responsible;
  • Illegal disclosure or use of information constituting a commercial, tax or banking secret, without the consent of its owner by a person to whom it was entrusted or became known in the service or work (part 2 of article 183 of the Criminal Code of the Russian Federation);
  • If the database was obtained with the use of software, the employee may be prosecuted under Article 183 of the Criminal Code of the Russian Federation for creation, use and distribution of malicious computer programs;
  • For abuse of official powers under Article 185 of the Criminal Code of the RF.

If the database is collected for a specific buyer, the buyer can also be held criminally liable as a member of a group of persons with prior conspiracy.

Our support

Our experts are ready to support you in aligning your company’s infrastructure, processes and documents with personal data legislation, international standards and best practices:

In Russia

In Kazakhstan

Company risks IT infrastructure IT security Legal Issues Legal risks Personal data Personal data protection