
Increasing fines for handling personal data

2023-12-20 18:44 Legal Digest News
The President of the Russian Federation signed a law increasing the amount of penalties for incorrect processing of personal data of individuals.

Since December 12, 2023, a new version of Article 13.11 of the Code of Administrative Offenses of the Russian Federation has been in effect. It sets new fines for processing the personal data (PD) of individuals without their signed consent:

  • for officials – in the amount of 100,000 – 300,000 rubles (previously 20,000 – 40,000 rubles);
  • for legal entities – in the amount of 300,000 – 700,000 rubles (previously 30,000 – 150,000 rubles).

For repeated violation of this requirement the amount of fines increases:

  • for officials – in the amount of 300,000 – 500,000 rubles (previously 40,000 – 100,000 rubles);
  • for legal entities – in the amount of 1,000,000 – 1,500,000 rubles (previously 300,000 – 500,000 rubles).

Please note that a bill to increase the penalties for personal data leaks was put forward for discussion in the State Duma of the Russian Federation. If the document is adopted by the State Duma in the third reading and signed by the President of the Russian Federation, a fine will be established for actions (or inaction) of a company acting as a personal data operator that result in the unlawful transfer of information. The size of the fine will depend on the number of personal data subjects whose data was leaked:

  • 3 – 5 million rubles, if the leak contained data of 1,000 – 10,000 personal data subjects;
  • 5 – 7 million rubles, if the leak contained data of 10,000 – 100,000 personal data subjects;
  • 10 – 15 million rubles, if the leak contained data of more than 100,000 personal data subjects.

For this violation, a fine is provided for officials in the amount of:

  • 800,000 – 1 million rubles, in case of data leakage of 1,000 – 10,000 personal data subjects;
  • 1 – 1.5 million rubles, in case of data leakage of 10,000 – 100,000 personal data subjects;
  • 1.5 – 2 million rubles, in case of data leakage of more than 100,000 personal data subjects.

For failure to comply with the requirements for notifying Roskomnadzor authorities about personal data leaks, the company may also face a fine of up to 3 million rubles. For officials, the fine will be 800,000 rubles.

If you have any questions regarding the application of legislation in the field of personal data, please contact the Acsour Legal Department.