Russian law has recently changed to dramatically increase the penalties for non-compliance with the data localization rules. Since 2014, every operator (controller or processor) of personal data related to Russian individuals is obliged to maintain its database in Russia. This is the so-called “data localization rule”, which applies to foreign personal data operators, including those without a presence in Russia, as well. Now, the legislator has introduced new, significant financial penalties and has also extended the liability to executives of data operators. Administrative penalties for failure to comply with the data localization rules by a data operator range up to approximately EUR 88,000 for an initial violation, and up to approximately EUR 265,000 if repeated. In addition to penalties for a data operator, sanctions for top executives of the violating companies (in practice, most likely the company general director, or CEO) have been introduced, ranging up to approximately EUR 3,000 for an initial violation and approximately EUR 12,000 for repeated violations.
