On 27 March 2021, Federal Law No. 19-FZ of 24 February 2021 "On Amendments to the Code of Administrative Offenses of the Russian Federation" comes into force, which increased sanctions for violations in the field of personal data.
Major changes in sanctions for violations in the field of personal data:
1. The size of the fines is doubled;
2. Liability for repeated violation is introduced;
3. Warning as a type of administrative sanction is excluded;
4. The limitation period for bringing to responsibility has been increased – from 3 months to 1 year.
You can see the changes in sanctions for violations in the area of personal data in the following table:
|
Offense |
Sanction |
||
|
Earlier |
Now |
||
|
Processing of personal data in cases not provided for by the legislation of the Russian Federation, or processing of personal data incompatible with the purposes of collecting personal data |
First time |
1. Warning 2. Fine: 1) Individual – 1 000 to 3 000 rubles. 2) Public person – 5 000 to 10 000 rubles. 3) Legal entity – 30 000 to 50 000 rubles. |
Fine: 1) Individual – 2 000 to 6 000 rubles. 2) Public person – 10 000 to 20 000 rubles. 3) Legal entity – 60 000 to 100 000 rubles. |
|
Repeated |
- |
Fine: 1) Individuals – 4 000 to 12 000 rubles. 2) Public person – 20 000 to 50 000 rubles. 3) Legal entity – 100 000 to 300 000 rubles. |
|
|
Processing of personal data without written consent, or when the written consent does not meet the legal requirements |
First time |
Fine: 1) Individual – 3 000 to 5 000 rubles. 2) Public person – 10 000 to 20 000 rubles. 3) Legal entity – 15 000 to 75 000 rubles. |
Fine: 1) Individuals – 6 000 to 10 000 rubles 2) Public person – 20 000 to 40 000 rubles 3) Legal entity – 30 000 to 150 000 rubles. |
|
Repeated |
- |
Fine: 1) Individuals – 10 000 to 20 000 rubles. 2) Public person – 40 000 to 100 000 rubles. 3) Individual entrepreneur – 100 000 to 300 000 rubles. 4) Legal entity – 300 000 to 500 000 rubles. |
|
|
Untimely fulfillment by the operator of the requirements of the subject of the personal data, his representative or the authorized body for the protection of the rights of subjects of personal data about their clarification, blocking or destruction |
First time |
1. Warning 2. Fine: 1) Individuals – 1 000 to 2 000 rubles. 2) Public officer– 4 000 to 10 000 rubles. 3) Individual entrepreneurs – 10 000 to 20 000 rubles. 4) Legal entity – 25 000 to 45 000 rubles. |
Fine: 1) Individuals – 2 000 to 4 000 rubles. 2) Public officer – 8 000 to 20 000 rubles. 3) Individual entrepreneurs – 20 000 to 40 000 rubles. 4) Legal entity – 50 000 to 90 000 rubles. |
|
Repeated |
- |
Fine: 1) Individuals – 20 000 to 30 000 rubles. 2) Public officer – 30 000 to 50 000 rubles. 3) Individual entrepreneurs – 50 000 to 100 000 rubles. 4) Legal entity – 300 000 to 500 000 rubles. |
|
|
Failure by the operator to publish the processing PD policy and information on the implemented protection requirements |
1. Warning 2. Fine: 1) Individuals – 700 to 1 500 rubles. 2) Public officer – 3 000 to 6 000 rubles. 3) Individual entrepreneurs – 5 000 to 10 000 rubles. 4) Legal entity – 15 000 to 30 000 rubles. |
Fine: 1) Individuals – 1 500 to 3 000 rubles. 2) Public persons – 6 000 to 12 000 rubles. 3) Individual entrepreneurs – 10 000 to 20 000 rubles. 4) Legal entity – 30 000 to 60 000 rubles. |
|
|
Failure by the operator to provide the subject of PD with information regarding the processing of PD |
1. Warning 2. Fine: 1) Individuals – 1 000 to 2 000 rubles. 2) Public officers – 4 000 to 6 000 rubles. 3) IP – 10 000 to 15 000 rubles. 4) Legal entity – 20 000 to 40 000 rubles. |
Fine: 1) Individuals – 2 000 to 4 000 rubles. 2) Public officers – 8 000 to 12 000 rubles. 3) IP – 20 000 to 30 000 rubles. 4) Legal entity – 40 000 to 80 000 rubles. |
|
|
The operator's failure to comply with the obligation to ensure the safety of PD when storing material carriers of PD and excluding unauthorized access to them, if this entailed illegal or accidental access to PD, their destruction, modification, blocking, copying, provision, distribution or other illegal actions in relation to PD |
Fine: 1) Individuals – 700 to 2 000 rubles. 2) Public officer – 4 000 to 10 000 rubles 3) IP– 10 000 to 20 000 rubles. 4) Legal entity – 25 000 to 50 000 rubles. |
Fine: 1) Individuals – 1 500 to 4 000 rubles. 2) Public officer – 8 000 to 20 000 rubles. 3) IP – 20 000 to 40 000 rubles. 4) Legal entity – 50 000 to 100 000 rubles. |
|
|
Failure by an operator, which is a state or municipal authority, to anonymize PD |
1. Warning 2. Fine for public officers – 3 000 to 6 000 rubles. |
Fine for public officers – 6 000 to 12 000 rubles. |
|