Current changes in personal data legislation

Elvira Danilova

Associate Director
Legal

Please kindly be informed of the latest amendments to the legislation on personal data processing, which are of particular importance and relevance to business operations.

Changes in the liability for certain violations in personal data processing (effective from 30.05.2025)

Enhanced liability for certain violations related to personal data processing

Provision: pt. 1-1.1 of art. 13.11 of the Code of Administrative Offences of the Russian Federation (hereinafter - «CAO of Russia»)

Offense: Processing of personal data in cases not stipulated by law, or processing of personal data incompatible with the purpose of collecting personal data, except for cases stipulated in p. 2, 11-18 of art. 13.11 and 17.13 of the CAO of Russia, if these actions do not contain a criminal offense.

Current liability: administrative fine

  • for officials: 10 000 – 20 000 RUB.
  • for legal entities: 60 000 – 100 000 RUB.

  For repeated violations:

  • for officials: 20 000 – 50 000 RUB.
  • for individual entrepreneurs: 50 000 – 100 000 RUB.
  • for legal entities: 100 000 – 300 000 RUB.

New liability: administrative fine

  • for officials: 50 000 – 100 000 RUB.
  • for legal entities: 150 000 – 300 000 RUB.

  For repeated violations:

  • for officials: 100 000 – 200 000 RUB.
  • for individual entrepreneurs and legal entities: 300 000 – 500 000 RUB.

Provision: pt. 10 of art. 13.11 of the CAO of Russia

Offense: Failure to notify or untimely notification of Roskomnadzor regarding the intention to process personal data.

Current liability: there is no specific liability. In practice, liability under art. 19.7 of the CAO of Russia «Failure to provide information» was applied (administrative fine for officials: 300 – 500 RUB; for legal entities: 3 000 – 5 000 RUB).

New liability: administrative fine

  • for officials: 30 000 – 50 000 RUB.
  • for individual entrepreneurs and legal entities: 100 000 – 300 000 RUB.

New offenses for violations related to personal data breach

Provision: pt. 11 of art. 13.11 of the CAO of Russia

Offense: Failure to notify or untimely notification of Roskomnadzor in the event of establishing the fact of unlawful or accidental transfer (provision, distribution, access) of personal data resulting in a violation of the data subject rights (hereinafter – «data breach»).

Liability: administrative fine

  • for officials: 400 000 – 800 000 RUB.
  • for individual entrepreneurs and legal entities: 1 – 3 million RUB.

Provision: pt. 12 of art. 13.11 of the CAO of Russia

Offense: Actions (inaction) of the data operator that resulted in the data breach of 1 000 to 10 000 data subjects and (or) from 10 000 to 100 000 identifiers, if these actions (inaction) do not contain signs of a criminal offense.

An identifier refers to a unique designation of information about an individual contained in the operator's personal data information system and relating to that individual (note 4 to art. 13.11 of the CAO of Russia).

Liability: administrative fine

  • for officials: 200 000 – 400 000 RUB.
  • for individual entrepreneurs and legal entities: 3 – 5 million RUB.

Provision: pt. 13 of art. 13.11 of the CAO of Russia

Offense: Actions (inaction) of the data operator that resulted in the data breach of 10 000 to 100 000 data subjects and (or) 100 000 to 1 million identifiers, if these actions (inaction) do not contain signs of a criminal offense.

Liability: administrative fine

  • for officials: 300 000 – 500 000 RUB.
  • for individual entrepreneurs and legal entities: 5 – 10 million RUB.

Provision: pt. 14 of art. 13.11 of the CAO of Russia

Offense: Actions (inaction) of the data operator that resulted in the data breach of more than 100 000 data subjects and (or) more than 1 million identifiers, if these actions (inaction) do not contain signs of a criminal offense.

Liability: administrative fine

  • for officials: 400 000 – 600 000 RUB.
  • for individual entrepreneurs and legal entities: 10 – 15 million RUB.

Provision: pt. 15 of art. 13.11 of the CAO of Russia

Offense: Repeated data breach, stipulated by pt. 12-14 of art. 13.11 of the CAO of Russia, committed by a person subjected to administrative punishment under pt. 12-16, 18 of art. 13.11 of the CAO of Russia.

Liability: administrative fine

  • for officials: 800 000 – 1.2 million RUB.
  • for individual entrepreneurs and legal entities: from 1% to 3% of the aggregate amount of revenue received from the sale of all goods (works, services) for the calendar year preceding the year in which the violation was detected, or the amount of the credit organization’s own funds (capital) as of the date of the violation, but not less than 20 million RUB and not more than 500 million RUB.

Provision: pt. 16 of art. 13.11 of the CAO of Russia

Offense: Actions (inaction) of the data operator that caused a breach of special categories of personal data.

Liability: administrative fine

  • for officials: 1 – 1.3 million RUB.
  • for individual entrepreneurs and legal entities: 10 – 15 million RUB.

Provision: pt. 17 of art. 13.11 of the CAO of Russia

Offense: Actions (inaction) of the data operator that resulted in the biometric data breach, except for cases stipulated by art. 13.11.3 of the CAO of Russia.

Liability: administrative fine

  • for officials: 1.3 – 1.5 million RUB.
  • for individual entrepreneurs and legal entities: 15 – 20 million RUB.

Provision: pt. 18 of art. 13.11 of the CAO of Russia

Offense: Repeated breach of special categories of personal data or biometric data, committed by a person subjected to administrative punishment under pt. 12-18 of art. 13.11 of the CAO of Russia.

Liability: administrative fine

  • for officials: 1.5 – 2 million RUB.
  • for individual entrepreneurs and legal entities: from 1% to 3% of the aggregate amount of revenue received from the sale of all goods (works, services) for the calendar year preceding the year in which the violation was detected, or the amount of the credit organization’s own funds (capital) as of the date of the violation, but not less than 25 million RUB and not more than 500 million RUB.

Provision: pt. 2 of art. 13.11.3 of the CAO of Russia

Offense: Violation of the procedure for processing biometric personal data in the unified biometric system (hereinafter – «UBS»), UBS vectors in the information systems of state bodies, the Central Bank of Russia and accredited organizations, which carry out authentication on the basis of individuals’ biometric personal data, or requirements to information technologies and technical means, intended for processing biometric personal data, UBS vectors for the purposes of identification and (or) authentication.

Liability: administrative fine

  • for officials: 100 000 – 300 000 RUB.
  • for officials: 500 000 – 1 million RUB.

Provision: pt. 3 of art. 13.11.3 of the CAO of Russia

Offense: Failure to take organizational and technical measures to ensure the security of biometric personal data during their processing in the UBS, its interaction with other information systems, or failure to take organizational and technical measures to ensure the security of biometric personal data during their processing in other information systems providing authentication using individuals’ biometric personal data, including information systems of accredited state bodies.

Liability: administrative fine

  • for officials: 300 000 – 500 000 RUB.
  • for legal entities: 1 – 1.5 million RUB.

Provision: pt. 4 of art. 13.11.3 of the CAO of Russia

Offense: Processing of biometric personal data, UBS vectors for individuals’ authentication in information systems of state bodies, organizations, information system of the Central Bank of Russia, without accreditation or if accreditation is suspended or terminated.

Liability: administrative fine

  • for officials: 500 000 – 1 million RUB.
  • for legal entities: 1 – 2 million RUB.

Provision: pt. 8 of art. 14.8 of the CAO of Russia

Offense: Refusal to conclude, execute, amend or terminate an agreement with a consumer due to the consumer's refusal to pass identification and (or) authentication using their biometric personal data.

Liability: administrative fine

  • for officials: 50 000 – 100 000 RUB.
  • for legal entities: 200 000 – 500 000 RUB.

Changes in personal data localization requirements for Russian citizens (effective from 01.07.2025)

The personal data localization requirements for Russian citizens are tightened:

  • the localization requirement will be mandatory for compliance not only by personal data operators, but also by persons processing personal data on behalf of the operator – so-called «processors» (prior to the amendments, the localization requirement actually applied to processors due to the legal requirement for operators to include in the personal data processing order provisions stating that the processor is obliged to comply with localization requirements).
  • the provisions on the use of databases located abroad will apply in the form of a prohibition: any use of foreign databases for the collection of personal data will be prohibited, which will have important practical implications for the localization mechanisms currently applied in practice.

Please be reminded that the following administrative liability is provided for violation of the localization requirement (pt. 8-9 of art. 13.11 of the CAO of Russia):

a) For the first violation:

  • for officials – administrative fine from 100 000 to 200 000 RUB.
  • for legal entities – administrative fine from 1 to 6 million RUB.

b) For repeated violations:

  • for officials – administrative fine from 500 000 to 800 000 RUB.
  • for legal entities – administrative fine from 6 to 18 million RUB.

In connection with the above changes in legislation, Marillion specialists recommend the following:

  1. Conduct an audit of business processes involving personal data processing (paying special attention to the processes of collection and localization of Russian citizens’ personal data) for compliance with the legislation on personal data, and correct the processes that do not comply with the legislation.
  2. Review and, if necessary, update company documents confirming compliance with personal data legislation.
  3. Consider filing the necessary notifications with Roskomnadzor.

The Marillion legal advisory team is ready to assist in assessing the company's compliance with the personal data legislation requirements, in providing recommendations on the construction of the company's processes involving personal data and on the execution of the necessary documents and notifications, as well as in the preparation and revision of existing documents.
