Acsour
The Ministry for Digital Development, Communications and Mass Media of the Russian Federation has established indicators of the risk of violations of mandatory requirements arising from the processing of personal data of individuals.
Starting from January 25, 2022, the bodies of the Federal Service for Supervision of Communications, Information Technology and Mass Media (Russian acronym – “Roskomnadzor”) have the right to appoint and conduct unscheduled inspections in the field of personal data (PD) in case of detection of one of the following risk indicators in companies:
1. Illegal processing of personal data
This risk of violation may appear if, during a calendar year, Roskomnadzor identifies ten or more facts of discrepancy between the information provided by the company at the request of the authority and the data received from individuals.
2. Providing an unlimited range of persons with access to personal data databases
This indicator is taken into account if there are ten or more facts of providing an unlimited range of persons with access to PD or spreading databases of such data on the Internet that have signs of belonging to the company being checked.
Please be reminded that for violation of the requirements of the legislation in the field of personal data, administrative liability is provided for under article 13.11 of the Administrative Code of the Russian Federation. The scope of punishment depends on the type of offense committed. For more information about the scope of liability, see the table below.
| Type of offense | Scope of punishment |
| Processing of PD that is not provided for by the legislation of the Russian Federation or that is incompatible with the purposes of collecting such data | Imposition of a fine: – for officers – in the amount of 10,000 – 20,000 rubles – for legal entities – in the amount of 60,000 – 100,000 rubles. For repeated violations, the measures of punishment are increased and will be: – for officers – in the amount of 20,000 – 50,000 rubles; – for legal entities – in the amount of 100,000 -300,000 rubles. |
| Processing of PD without the consent of the PD subject | Imposition of a fine: – for officers – in the amount of 20,000 – 40,000 rubles; – for legal entities – in the amount of 30,000 – 150,000 rubles. For repeated violations, the measures of punishment are increased and will be: – for officers – in the amount of 40,000 – 100,000 rubles; – for legal entities – in the amount of 300,000 – 500,000 rubles. |
| Non-fulfilment by the PD operator of the obligation to publish or otherwise provide unlimited access to the document defining the PD processing operator’s policy | Imposition of a fine: – for officers – in the amount of 6,000-12,000 rubles; – for legal entities – in the amount of 30,000 – 60,000 rubles. |
| Failure of the PD operator to provide the PD subject with information about the processing of its PD | Imposition of a fine: – for officers – in the amount of 8,000 – 12,000 rubles; – for legal entities – in the amount of 40,000 – 80,000 rubles. |
| Failure by the PD operator in the collection of PD, including through the Internet, to ensure the recording, systematization, accumulation, storage, rectification or extraction of PD of citizens of the Russian Federation using databases located in the Russian Federation | Imposition of a fine: – for officers – in the amount of 100,000 – 200,000 rubles; – for legal entities – in the amount of 1,000,000 – 6,000,000 rubles. For repeated violations, the measures of punishment are increased and will be: – for officers – in the amount of 500,000-800,000 rubles; – for legal entities – in the amount of 6,000,000 – 18,000,000 rubles. |
In the matters of compliance with the requirements of the legislation in the field of personal data, please contact Acsour specialists.
