Data Protection in Russia

Enforcement in Russia

The Agency is the main organization responsible for the enforcement of data protection rules. The Agency is entitled to:

  • carry out checks;
  • consider complaints from data subjects;
  • demand necessary information about personal data processing by the data operator;
  • order the data operator to undertake certain actions according to the law, including discontinuance of the processing of personal data;
  • file court actions;
  • initiate criminal cases; and
  • impose administrative liability for violations of data privacy rules.

If the Agency becomes aware that a data operator is in violation of the law, an enforcement notice may be issued, requiring the data operator to correct the violation.

A data operator can face civil or administrative penalties for violation of personal data law. Executives of the data operator responsible for violations of data rules may also face personal liability, including, in some cases, criminal liability. Criminal liability is not often applied, but may be imposed for violations, such as:

  • Unlawful collection or dissemination of information about a data subject's private life, personal or family secrets, or public dissemination or leaks of such information to mass media;
  • Violation of data subjects’ rights to secrecy of correspondence, telephone conversations, postal, telegraphic and other communications;
  • Unlawfully accessing legally protected computer information, if this act resulted in the destruction, blocking, modification or copying of computer information, including personal data; or
  • Unlawful use, transfer, collection, or storage of computer information containing personal data, as well as the creation or operation of information resources designed to facilitate its unauthorized storage or dissemination.

Usually, in the case of a violation of data protection law, the Agency will serve an enforcement notice requiring the correction of the violation. In many cases, the Agency may also impose an administrative penalty and, in some cases, may recommend further actions against the individuals responsible for the violation.

Effective 30 May 2025, the penalties will increase substantially.

The default administrative fines for most initial violations of data privacy rules are between ₽60,000 and ₽150,000, and ₽300,000 for repeated violations. However, starting from 30 May 2025, these penalties will increase to ₽150,000–₽300,000 for initial violations and up to ₽500,000 for repeated offenses.

There are some specific rules for a breach of the rules on written consent. In these cases, the fine for initial offences is between ₽300,000 and ₽700,000, and for repeated violations ₽1,000,000–₽1,500,000.

For violation of data localization rules, the maximum administrative penalty is currently ₽18,000,000 for repeated violations; actual penalties are imposed at lower levels.

Beginning 30 May 2025, new fines will be introduced, and several existing penalties will be increased, as follows:

  • Failure to fulfill or untimely fulfillment of the obligation to notify the Agency of the intention to process personal data: from ₽100,000 to ₽300,000;
  • Failure to notify or late notification of the Agency of a leak of personal data: companies will be fined up to ₽3,000,000 for this violation;
  • Actions (or inaction) of the data operator causing a leak of personal data would involve a fine for companies between ₽3,000,000 and ₽15,000,000, depending upon the number of affected data subjects, as well as the number of identifiers relating to affected data subjects. For repeated leaks, the fine ranges from 1% to 3% of the data operator's aggregate revenue (in any case not less than ₽20,000,000 and not more than ₽500,000,000); and
  • Actions (or inaction) of the data operator causing a leak of special category personal data would involve a fine for companies between ₽10,000,000 and ₽15,000,000; a leak of biometric personal data would involve a fine for companies between ₽15,000,000 and ₽20,000,000. For repeated leaks, the fine will be the same as for the leaking of regular personal data (see bullet above).

Fines imposed for personal data breaches may be subject to reduction if specific conditions are met (e.g. company's annual expenditure on information security measures constituting a certain percentage of its revenue, among other criteria).
