On **30 May 2025**, Federal Law No. 420-FZ of 30 November 2024 will come into force, amending the Russian Code of Administrative Offences and toughening liability for violations in personal data processing, including for:
**leaks of personal data** (a fine of up to **RUB 15 million** (approx. USD 175,512 or EUR 159,957) for the first violation, and up to **3% of revenue** for the corresponding year for subsequent violations);
**failure to notify Roskomnadzor of a leak of personal data** (up to **RUB 3 million**, approx. USD 35,102 or EUR 31,991) or of the intention to **process personal data** (up to **RUB 300,000**, approx. USD 3,510 or EUR 3,199).
Read more about these amendments and our corresponding recommendations here.
There is already a practice according to which violations related to data leaks and failure to notify Roskomnadzor **are recognized as continuing violations**. In this regard, we cannot rule out the risk that companies that had data leaks or failed to notify about leaks before 30 May 2025 may be fined for these and other violations after May 30 under the new rules.
We suggest reviewing the **Decision of the Savelovsky District Court of Moscow dated 23 November 2023 in case No. 12-4119/23** to understand when a violation may be recognized as a **continuing violation**.
While monitoring Internet resources, Roskomnadzor (Russian Personal Data Authority) for the Central Federal District discovered that a company’s **database was** openly accessible, exposing the **personal data of its clients**: names, phone numbers, ID numbers, and residential addresses. The company **notified Roskomnadzor** of the leak on 2 and 4 June 2023, noting that the information in the database was **current as of 2006** and had been compromised by unidentified third parties.
Roskomnadzor classified the incident as a **repeated violation** and drew up a protocol under **Part 1.1 of Article 13.11 of the Russian Code of Administrative Offences**, since in February 2023, the company faced liability under Part 1 of Article 13.11 of the same Code for a **leak of personal data**.
A representative of the company posited that there were no signs of such repetition, and the **statute of limitations** for administrative liability had expired since the database had been posted on the Internet back in **2006**. He also stressed that sending a notification on a leak is not an **admission of guilt**, but only the fulfillment of a legal duty.
The court recognized the violation as **a continuing offense**, establishing the date of detection of the offense as 1 June 2023, the day when information about the leak appeared on the Internet, which was confirmed by **notifications and screenshots** from the company.
The court **rejected** the company's argument that notification of a leak was no grounds to launch a case. The court noted that **voluntary reporting** of a leak does not prevent the initiation of proceedings if an offense has been established. Nevertheless, this factor was taken into account as **mitigating** with reference to Paragraph 3 of Part 1 of Article 4.2 of the Russian Code of Administrative Offences (voluntary notification of an administrative offense). As a result, the fine amounted to a minimum of **RUB 100,000** (approx. USD 1,170 or EUR 1,066).