What are the penalties for noncompliance with any applicable data protection laws?
Noncompliance with data privacy laws and data breaches may lead to sanctions, fines, and penalties. The amounts are usually calculated according to the risk to which personal rights were exposed and the preventive measures taken by the data controllers, processors and sub-processors in relation to their respective roles in the chain of personal data processing.
Employers who violate data protection laws in Russia may be subject to administrative, criminal and civil penalties. Penalties may include:
- fines of up to RUB 75,000 (approx. USD 1,040) on the company for individual personal data processing violations, such as processing without an appropriate legal ground. Separate fines may be imposed for different types of offences. Multiple fines may be imposed for repeat violations (e.g., when multiple administrative proceedings are initiated);
- fines on company officials for personal data processing violations up to RUB 20,000 (approx. USD 270);
- fines on companies of up to RUB 6,000,000 (approx. USD 83,000) for violating the data localization requirement, and up to RUB 18,000,000 (approx. USD 249,000) for repeat offences;
- fines on company officials for violations of the data localization requirement of up to RUB 200,000 (approx. USD 2,730), and up to RUB 800,000 (approx. USD 10,900) for repeat offences;
- being required by Roskomnadzor to terminate unlawful data processing activities;
- imprisonment and criminal fines for unlawfully accessing computer information which resulted in the destruction, blockage, modification or copying of computer information, as well as for illegal disclosure of information about an individual’s private life. Criminal liability may only be imposed on individuals, such as company officials, as Russian laws do not provide for criminal liability for legal entities;
- damages to individuals, including moral damages.