New penalties for the breach of the Russian personal data and information laws

New penalties for the breach of the Russian personal data and information laws

09 March 2021

On February 24th, 2021, the President has signed the law increasing administrative penalties for the breach of personal data laws and introducing new penalties for the breach of information laws. The law enters into force on March 27th, 2021. Liability terms for communication providers’ failure to en-sure sustainable operation enter into force on February 1st, 2023.

Violations in the area of data processing

Below you can find a material summarizing maximum penalties to be imposed on legal entities and compa-nies’ officials for the violation of Russian laws on per-sonal data (except the data localization requirement).

1. Data processing without an appropriate legal ground or excessive data processing

Fine for legal entities

up to RUB 100,000 (app. EUR 1,115, USD 1,355) for the first offence and RUB 300,000 (appr. EUR 3,345, USD 4,070) for a repeated offence

Fine for company’s officials

up to RUB 20,000 (app. EUR 220, USD 270) for the first offence and RUB 50,000 (app. EUR 560, USD 680) for a repeated offence

2. Data processing without written consent or in breach of the requirements for written consent (when such consent is statutory required)

Fine for legal entities

up to RUB 150,000 (app. EUR 1,670, USD 2,035) for the first offence and RUB 500,000 (app. EUR 5,575, USD 6,775) for a repeated offence

Fine for company’s officials

up to RUB 40,000 (app. EUR 440, USD 540) for the first offence and RUB 100,000 (app. EUR 1,115, USD 1,355) for a repeated offence

3. Failure to provide easy access to the privacy policy, which also includes absence of such policy

Fine for legal entities

up to RUB 60,000 (app. EUR 670, USD 815)

Fine for company’s officials

up to RUB 12,000 (app. EUR 135, USD 160)

4. Failure to handle data subject’s request to access their data

Fine for legal entities

up to RUB 80,000 (app. EUR 890, USD 1,085)

Fine for company’s officials

up to RUB 12,000 (app. EUR 135, USD 160)

5. Failure to comply with the requirements for data specification, blockage, deletion

Fine for legal entities

up to RUB 90,000 (app. EUR 1,000, USD 1,120) for the first offence and RUB 500,000 (app. EUR 5,575, USD 6,775) for a repeated offence

Fine for company’s officials

up to RUB 20,000 (app. EUR 220, USD 270) for the first offence and RUB 50,000 (app. EUR 560, USD 680) for a repeated offence

6. Violation of the requirements for non-automated (manual) data processing triggered unauthorized access or other unlawful data processing

Fine for legal entities

up to RUB 100,000 (app. EUR 1,115, USD 1,355)

Fine for company’s officials

up to RUB 20,000 (app. EUR 220, USD 270)

Click here to learn more.


We hope that the information provided herein will be useful for you. If you or any of your colleagues would like to receive our newsletters via e-mail, please fill in the 'Subscribe' form at the bottom of the page.

Practice: Data protection and cybersecurity

Note: Please be aware that all information provided in this letter was taken from open sources. Neither ALRUD Law Firm, nor the author of this letter bear any liability for consequences of any decisions made in reliance upon this information.

We use cookies to offer better performance of the website and fulfill some other purposes specified in the Privacy Policy. By way of ticking the box you provide your consent to use of cookies. Otherwise, we will only use technical cookies, which are necessary for proper functioning of the website.
Accept