Criminal liability and fines up to 500 million rubles: the main changes in the field of personal data processing and storage
2024-12-23 15:54
On November 30, amendments to the Code of Administrative Offenses and the Criminal Code were adopted. They tighten liability for failure to notify Roskomnadzor about the start of personal data processing, for processing personal data in cases not provided for by law, and for personal data leaks: improper handling of personal data now carries fines of up to 500 million rubles and imprisonment for up to 5 years. Acsour experts reviewed the amendments and outline the main changes.
Failure to notify Roskomnadzor about the start of PD processing and an increase in the fine for PD processing in cases not provided for by law
A separate part has been added to the Administrative Code of the Russian Federation (Part 10 of Article 13.11 of the Administrative Code), establishing a fine for failure to notify Roskomnadzor about the start of personal data processing. Under the amendment, the fine for legal entities is from 100 thousand to 300 thousand rubles.
Moreover, the legislator increased the fine for processing personal data in cases not provided for by law. In respect of legal entities, the fine will be from 150 thousand to 300 thousand rubles, and for repeated violations — from 300 thousand to 500 thousand rubles.
Turnover penalties for personal data leakage
On November 30, 2024, Federal Law No. 420-FZ "On Amendments to the Code of Administrative Offences of the Russian Federation" was adopted. It significantly increases the fines for personal data leaks.
The new fines take effect on May 30, 2025.
The new fine amounts are listed in the table.
| Article | Violation | Fine for citizens | Fine for officials | Fine for legal entities |
|---|---|---|---|---|
| Part 11 of Article 13.11 of the Administrative Code | Not informing Roskomnadzor about the leak | from 50 to 100 thousand rubles | from 400 to 800 thousand rubles | from 1 million to 3 million rubles |
| Part 12 of Article 13.11 of the Administrative Code | Leakage of personal data of 1,000 to 10,000 subjects, and/or 10,000 to 100,000 identifiers | from 100 to 200 thousand rubles | from 200 to 400 thousand rubles | from 3 to 5 million rubles |
| Part 13 of Article 13.11 of the Administrative Code | Leakage of personal data of 10,000 to 100,000 subjects, and/or 100,000 to 1,000,000 identifiers | from 200 to 300 thousand rubles | from 300 to 500 thousand rubles | from 5 to 10 million rubles |
| Part 14 of Article 13.11 of the Administrative Code | Leakage of personal data of more than 100,000 subjects, and/or more than 1,000,000 identifiers | from 300 to 400 thousand rubles | from 400 to 600 thousand rubles | from 10 to 15 million rubles |
| Part 15 of Article 13.11 of the Administrative Code | The operator has already been subjected to administrative punishment under Parts 12-14 and a leak occurs again (under Parts 12-14 and 16-18) | from 400 to 600 thousand rubles | from 800 thousand to 1.2 million rubles | from 1 to 3% of revenue for the calendar year or for part of the current year, but not less than 20 and not more than 500 million rubles |
| Part 16 of Article 13.11 of the Administrative Code | Leakage of special categories of personal data | from 300 to 400 thousand rubles | from 1 to 1.3 million rubles | from 10 to 15 million rubles |
| Part 17 of Article 13.11 of the Administrative Code | Leakage of biometric personal data | from 400 to 500 thousand rubles | from 1.3 to 1.5 million rubles | from 15 to 20 million rubles |
| Part 18 of Article 13.11 of the Administrative Code | The operator has already been subjected to administrative punishment under Parts 12-17 and there is a leak of special categories or biometric personal data | from 500 to 800 thousand rubles | from 1.5 to 2 million rubles | from 1 to 3% of revenue for the calendar year or for part of the current year, but not less than 25 and not more than 500 million rubles |
Criminal liability for illegal transfer of personal data
Another significant change in the field of storage, processing and transfer of personal data is the introduction of Article 272.1 into the Criminal Code of the Russian Federation, which establishes criminal liability for offenses involving computer information that contains personal data.
The changes came into force on December 11, 2024.
The new offenses and the criminal penalties for them are listed below.
1. Illegal use, transfer (distribution, provision, access), collection and storage of computer information containing personal data obtained by unauthorized access to the means of its processing or storage, by other interference in their functioning, or in other illegal ways (with the exception of acts provided for in Part 2 of Article 272.1 of the Criminal Code of the Russian Federation) is punishable by:
• a fine of up to 300,000 rubles or in the amount of the convicted person’s salary or other income for a period of up to 1 year,
• or forced labor for up to 4 years,
• or imprisonment for up to 4 years.
2. Similar acts committed in relation to computer information that contains personal data of minors, special categories of personal data or biometric personal data are punishable (Part 2 of Article 272.1 of the Criminal Code of the Russian Federation) by:
• a fine of up to 700,000 rubles or in the amount of the wages or other income of the convicted person for a period of up to 2 years, with or without deprivation of the right to hold certain positions or engage in certain activities for a period of up to 2 years,
• or forced labor for up to 5 years,
• or imprisonment for up to 5 years.
3. Acts provided for in Part 1 or Part 2 of Article 272.1 of the Criminal Code of the Russian Federation committed out of selfish interest, causing major damage, by a group of persons by prior agreement, using their official position, are punishable (Part 3 of Article 272.1 of the Criminal Code of the Russian Federation) by:
• a fine of up to 1 million rubles or in the amount of the wages or other income of the convicted person for a period of up to 3 years, with or without deprivation of the right to hold certain positions or engage in certain activities for a period of up to 3 years,
• or forced labor for up to 5 years with a fine of up to 1 million rubles or in the amount of the wages or other income of the convicted person for a period of up to 3 years, and with or without deprivation of the right to hold certain positions or engage in certain activities for a period of up to 3 years,
• or imprisonment for up to 6 years with a fine of up to 1 million rubles or in the amount of the wages or other income of the convicted person for a period of up to 3 years, and with or without deprivation of the right to hold certain positions or engage in certain activities for a period of up to 3 years.
4. Acts provided for in Part 1, 2 or 3 of Article 272.1 of the Criminal Code of the Russian Federation that involve the cross-border transfer of computer information containing personal data or the cross-border movement of information carriers containing such data are punishable (Part 4 of Article 272.1 of the Criminal Code of the Russian Federation) by:
• imprisonment for up to 8 years with a fine of up to 2 million rubles or in the amount of the convicted person’s salary or other income for a period of up to 3 years, and with or without deprivation of the right to hold certain positions or engage in certain activities for a period of up to 4 years.
Acsour experts note that the cross-border movement of media containing computer information means the import into and export from Russia of machine-readable media on which such information is stored.
5. Acts provided for in Part 1, 2, 3 or 4 of Article 272.1 of the Criminal Code of the Russian Federation, if they entailed serious consequences or were committed by an organized group, are punishable (Part 5 of Article 272.1 of the Criminal Code of the Russian Federation) by:
• imprisonment for up to 10 years with a fine of up to 3 million rubles or in the amount of the convicted person’s salary or other income for a period of up to 4 years, and with or without deprivation of the right to hold certain positions or engage in certain activities for a period of up to 5 years.
6. The creation and maintenance of a website on the Internet, an information system or a computer program designed for the illegal storage or transmission of computer information containing personal data obtained illegally is punishable (Part 6 of Article 272.1 of the Criminal Code of the Russian Federation) by:
• a fine of up to 700,000 rubles or in the amount of the convicted person’s salary or other income for a period of up to 2 years, with or without deprivation of the right to hold certain positions or engage in certain activities for a period of up to 2 years,
• or forced labor for up to 5 years with a fine of up to 700,000 rubles or in the amount of the wages or other income of the convicted person for a period of up to 2 years, and with or without deprivation of the right to hold certain positions or engage in certain activities for a period of up to 2 years,
• or imprisonment for up to 5 years with a fine of up to 700,000 rubles or in the amount of the wages or other income of the convicted person for a period of up to 2 years, and with or without deprivation of the right to hold certain positions or engage in certain activities for a period of up to 2 years.
Changes in the field of personal data processing both provide a new level of protection and create a number of challenges for operators: now incorrect actions can lead to significant financial and reputational losses. One of the first steps to prevent negative consequences is to audit the personal data processing system in your company.