Due to amendments to Russian Government Resolution No. 1046 of 29 June 2021 "On the federal state control (supervision) over personal data processing," certain provisions in respect of classifying controlled persons into certain risk categories were revisited.
When determining such a category, two parameters are to be taken into account:
- the estimated severity of the likely damage; and
- the likelihood of its occurrence.
Depending on the assigned risk category (high, significant, medium, moderate and low risk), the frequency of mandatory preventive visits and the frequency of scheduled control (supervisory) efforts are established. To help you determine the frequency of such efforts for your company, you may also use the chart available at the link.
You may independently assess such likelihood based on these charts and, if necessary, prepare for Roskomnadzor visits.
We comment on the principal changes and the regulator’s toughened approach below.
Special emphasis should be on the analysis of the proportionality of factors that result in the situation being classified into the highest zone in terms of the level of potential adverse consequences.
- Severity group “A” (the most severe) still includes the processing of special and biometric categories of personal data. In addition, this group now includes the processing of personal data in personal data information systems (“PDIS”) containing data of more than 100,000 personal data subjects.
Such changes demonstrate the regulator’s attempts to follow a consistent risk-based approach to determining the level of damage and the protection of personal data correlating with such level of damage, since these parameters are used to establish the level of PDIS protection, which hinges on the list of requirements imposable on personal data operators. As a reminder, depending on the type of immediate threats and the number (more or less than 100,000) and the categories of personal data subjects, the processing of special and biometric data could lead to the imposition of the 1st, 2nd or 3rd level of protection (“LSP”) (Russian Government Resolution No. 119 of 1 November 2012 "On approval of personal data protection requirements during processing in personal data information systems").
- The high-risk zone also includes the processing of personal data carried out based on the consent of the personal data subject (“consent”), except in cases where obtaining such consent is expressly provided by laws of the Russian Federation.
This approach is a tool for limiting the excessive use of consent (we addressed the trend of minimising consent earlier), since classifying processing into class “A” may serve as an incentive for the operator to choose another legal framework for processing personal data, for example, an agreement with the personal data subject or the use of legitimate interest.
- In addition, the legislator classifies the use of foreign information systems and software in the collection of personal data as a high-risk level, which has now been moved from group “B” to group “A” (the most severe). Even if the operator complies with the requirements for localising databases containing personal data of Russian citizens on Russian territory and/or ensures their subsequent lawful cross-border transfer, as in the case of using Telegram bots, such use is moved to the “red” zone, which may lead to operators abandoning foreign software and switching to domestically produced alternatives.
- Group “A” still includes cross-border transfers of personal data to countries that do not provide an adequate level of protection, as well as the transfer of anonymised personal data to third parties.
- As in the previous version of Russian Government Resolution No. 1046, severity group “B” (the second most severe) includes the processing of personal data of minors. However, the legislator has reduced the threshold for the number of subjects starting from which this category is applied — from 20,000 to 10,000 personal data subjects.
- In addition, group “B” includes the collection of personal data using databases located outside the Russian Federation on such grounds as compliance with the requirements of the law of the Russian Federation, the involvement of the personal data subject in litigation, the provision of state and municipal services, the professional activities of a journalist and/or the lawful activities of the media, and scientific, literary or other creative activities.
This category includes the cross-border transfer of personal data carried out without notifying Roskomnadzor of the intention to transfer data abroad, as well as operations to depersonalise personal data that was moved from group “B” higher in the category.
- Group “B” was supplemented by the dissemination of personal data based on the special consent of the personal data subject. As noted earlier, such an addition is consistent with the assignment of the 3rd LSP.
- Failure to notify Roskomnadzor of the intention to process and/or the processing of personal data and their cross-border transfer to countries that are parties to the Council of Europe Convention for the Protection of Individuals with Regard to the Automatic Processing of Personal Data were excluded from Group “D.”
The list of offences for Group 1 included new administrative liability offences that came into force on 30 May 2025, with the exception of breaches of the requirements for failing to notify Roskomnadzor of the intention to process personal data and failing to notify of a personal data leak, which were attributed to likelihood Group 2. In addition, parts 8 and 9 of Article 13.11 of the Administrative Offences Code of the Russian Federation regulating liability for breaching the requirements for the localisation of personal data, as well as Article 13.11.3 of the Administrative Offences Code of the Russian Federation establishing liability for breaching the requirements for the processing of biometric personal data in the GIS or other information systems that provide authentication based on biometric data, have been added to Group 1.
The 2nd likelihood group also includes the administrative offence related to the illegal use of information systems and/or software belonging to foreign persons (Article 13.11.2 of the Administrative Offences Code of the Russian Federation).