• about
  • people
  • expertises
  • insights
  • events
    • English
    • Russian
  • career
  • contact
  • sign up
SEAMLESS
12/19/2024
Turnover fines and criminal liability: sanctions toughened for personal data breaches

On 30 November 2024, Laws No. 420* and No. 421* were enacted, tightening administrative liability as well as introducing criminal liability for violations in the field of personal data.

The changes regarding administrative liability will come into force on 30 May 2025, while the new criminal offences have taken effect on 11 December 2024.

Administrative Liability for Businesses

Violation Previous Fines (RUB) New Fines (RUB)
Unauthorised processing or processing of personal data incompatible with the purpose of collection (First violation) 60,000 – 100,000 150,000 – 300,000
Unauthorised processing or processing of personal data incompatible with the purpose of collection (Repeated violation) 100,000 – 300,000 300,000 – 500,000
Failure to notify Roskomnadzor of personal data processing 3,000 – 5,000 100,000 – 300,000
Failure to notify Roskomnadzor of personal data leakage 3,000 – 5,000 1m – 3m
Data leakage (1,000 – 10,000 users; or 10,000 – 100,000 identifiers) 60,000 – 100,000 3m – 5m
Data leakage (10,000 – 100,000 users; or 100,000 – 1m identifiers) 60,000 – 100,000 5m – 10m
Data leakage (more than 100,000 users; or more than 1m identifiers) 60,000 – 100,000 10m – 15m
Repeated leakage of “ordinary” data 100,000 – 300,000 1–3% of last year's revenue (min 20m, max 500m)
Leak of special categories of personal data 60,000 – 100,000 10m – 15m
Leakage of biometric personal data 60,000 – 100,000 15m – 20m
Repeated leakage of special or biometric personal data 100,000 – 300,000 1–3% of last year's revenue (min 25m, max 500m)

Individual entrepreneurs are subject to the same fines as companies for most of the above violations.

Additionally, new fines have been introduced for violations related to the processing of biometrics within the unified biometric system.

Furthermore, the law introduces amendments to various procedural matters, specifically:

  • Administrative cases related to violations in the field of personal data will be handled by commercial courts.
  • Roskomnadzor will be granted the authority to initiate administrative proceedings without conducting supervisory activities in cooperation with the controlled entity for violations under Parts 10-18 of Article 13.11 of the Russian Code of Administrative Offences.
  • Administrative fines for violations in the field of personal data will not be subject to a 50% discount.

Mitigating circumstances for repeated data leakage

Amendments to the Code of Administrative Offences also provide for a reduction of the fine for repeated data leakage for diligent personal data operators if they simultaneously meet the following conditions:

  1. The operator’s annual expenditures on information security measures amounted to at least 0.1% of their annual revenue for the past three years;
  2. The operator complied with personal data protection requirements provided there is documentary evidence to that, covering 12 months prior to the identification of the violation;
  3. There are no aggravating circumstances.

If these conditions are met, the fine will be set at 0.1 of the minimum established fine, but no less than RUB 15m and no more than RUB 50m.

Criminal liability

Law No. 421* introduces new criminal offences for the unlawful processing of personal data, specifically:

Violation Liability
Unlawful use of personal data obtained by illegal means A fine of up to RUB 300,000, compulsory works, or imprisonment for up to 4 years
Unlawful use of minors' data, “special” categories, or biometrics A fine of up to RUB 700,000, compulsory works, or imprisonment for up to 5 years
Unlawful use of data associated with cross-border transfer Imprisonment for up to 8 years, a fine of up to RUB 2m, and a possible ban on certain activities
Creation/provision of resources for unlawful data processing A fine of up to RUB 700,000, compulsory works, or imprisonment for up to 5 years with a ban on certain activities

Thus, as per the new laws, liability for violations in the field of personal data has been significantly toughened. In view of this, to avoid liability, we recommend conducting an audit of the company’s internal processes related to personal data processing and confidentiality and bringing them into compliance with the law.

* In Russian

The publication is also available in Russian.

All Insights Next Publication
Privacy Policy Cookie Policy Terms of Use
mail linkedin telegram youtube
© SEAMLESS LEGAL LIMITED 2026
Our website uses cookies to ensure the best user experience. Please accept cookies for optimal performance. For more information check our Cookie Policy.
ACCEPT COOKIES
REJECT COOKIES
Send your request
Many thanks for your inquiry.
We have received your message and will revert shortly.