What are the penalties for noncompliance with any applicable data protection laws?
Noncompliance with data privacy laws and data breaches may lead to sanctions, fines, and penalties. The amounts are usually calculated according to the risk to which personal rights were exposed and the preventive measures taken by the data controllers, processors and sub-processors in relation to their respective roles in the chain of personal data processing.
Employers who violate data protection laws in Russia may be subject to administrative, criminal and civil penalties. Penalties may include:
- being required by the Roskomnadzor to terminate unlawful data processing activities;
- imprisonment and criminal fines for unlawfully accessing computer information which resulted in the destruction, blockage, modification or copying of computer information, as well as for illegal disclosure of information about an individual’s private life. Criminal liability may only be imposed on individuals, such as company officials, as Russian laws do not provide for criminal liability for legal entities;
- damages to individuals, including moral damages.
Administrative penalties can range from RUB 12,000 to RUB 18,000,000 depending on the violation and whether the violation was a repeat offense.