Personal data protection

This chapter of Doing business in Russia outlines the main data protection provisions and topics relevant in the country.

General approach

Legal and regulatory framework

Federal Law No. 152-FZ “On Personal Data” (the “Data Protection Law”) was adopted in July 2006. A number of its provisions are based on the 1981 Strasbourg Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (the “Strasbourg Convention”) that Russia signed on 7 November 2001. 

The Data Protection Law provides a framework that is complemented by a number of regulations of the Russian Government and governmental authorities as well as certain provisions of Russian labour and administrative law.

Key developments

In 2015, the Data Protection Law was amended with a personal data localisation requirement, according to which personal data of Russian citizens must be stored on servers physically located in Russia. In 2019, significant fines for violation of this requirement were introduced in addition to the previous sanctions which include blocking access to the infringer’s website.

In 2018, Russia signed an Amending Protocol updating the Council of Europe Convention No. 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data. The national data protection law is expected to be amended in order to comply with this Protocol. For example, an obligation on data controllers to notify the data protection authority and data subjects of any personal data breach, as well as the concept of genetic data as a new category of sensitive personal data, should be introduced in Russian law. At this stage, the law ratifying the Amending Protocol has not yet been adopted.

In 2021, new rules regarding the dissemination of personal data and the use of publicly available personal data come into force. In particular, all data controllers will:

  • have to obtain a separate and specific consent to make personal data publicly available; and
  • bear the burden of proof that their processing of publicly available data is lawful.

Supervisory authority

The authority in charge of personal data protection in Russia is the Federal Service for Supervision of Communications, Information Technology and Mass Media (“Roskomnadzor”). 

Scope of the Data Protection Law

The Data Protection Law defines, in particular, personal data and data processing, regulates the rights of data subjects and the obligations of data controllers, consent rules, data localisation and cross-border data transfer. 

Personal data 

The Data Protection Law does not contain an exhaustive list of data that is deemed to be “personal data”. Thus, what constitutes personal data must be assessed on a case-by-case basis. Personal data is defined as any information referring directly or indirectly to an identified or identifiable individual (the “data subject”).

The Data Protection Law also sets forth special categories of personal data. These cover information referring to a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, personal health, sex life and criminal record. In addition, the processing of biometric data is regulated by the Data Protection Law.

Data processing operations 

The Data Protection Law applies to all personal data processing operations performed within Russia. However, in recent years Roskomnadzor has successfully blocked several websites that contained personal data of Russian citizens and were hosted or managed from abroad.

Personal data operations under the Data Protection Law include any processing, such as data collection, storage, recording, deletion and transfer.

The Data Protection Law does not apply to personal data processing performed by individuals for their private needs.

Rights of the data subjects

Under the Data Protection Law, a data subject has the right to:

  • request details of the processing of his/her personal data by a data controller (what data is being processed and why, etc.);
  • revoke his/her consent to the data processing at any time;
  • object to data processing;
  • request, in certain cases, the rectification, blocking or deletion of his/her personal data; and/or
  • be compensated for damages, including for moral harm.

Obtaining consent from the data subjects

Personal data may only be processed (i) based on the prior, voluntary, express and informed consent of the individual (data subject); or (ii) if the law expressly permits processing without the data subject’s consent. 

Consent can be given in any form: orally, in writing, electronically or by implication. The data controller must ensure that it can prove that consent was duly obtained. In certain cases, the law requires written consent as described below.

Qualified consent

Consent must be obtained in written form (“Qualified Consent”) when:

  • special categories of personal data and/or biometric personal data are processed; 
  • personal data is transferred to countries which do not ensure an adequate level of protection of personal data (“Unsafe Countries”);
  • decisions are taken automatically and such a decision could influence the rights and freedoms of a data subject; and
  • employees’ personal data is transferred to a third party, including companies of the same group. 

Qualified Consent must contain the following elements:

  • name, address and passport details of the data subject;
  • name and address of the personal data controller;
  • purpose of the personal data processing;
  • list of the personal data to be processed for which consent is given;
  • list of the operations to be performed with the personal data and a general description of the methods to be used for personal data processing;
  • term during which the personal data will be processed and how consent can be withdrawn; and
  • data subject’s signature.

Cross-border transfer of personal data

The Data Protection Law distinguishes two types of cross-border data transfer:

  • the transfer of data to countries with adequate protection of personal data (“Safe Countries”); and
  • the transfer of data to Unsafe Countries.

Safe Countries comprise signatories to the Strasbourg Convention and countries that are included by Roskomnadzor in the Safe Countries List. Roskomnadzor occasionally amends this list, which now consists of 22 countries.

The cross-border transfer of personal data to Safe Countries may be performed in accordance with the requirements for internal data transfer. The cross-border transfer to Unsafe Countries requires Qualified Consent to be obtained from the data subject, except in cases expressly provided by the law.

Data controllers and data processors

The Data Protection Law defines the data controller as an entity (either a state agency, municipal authority or a legal entity) or individual who organises the processing of and/or processes personal data. The data controller also determines the purposes and scope of processing, the content of the personal data to be processed and the actions performed with the data.

Main obligations for data controllers

The main obligations of the personal data controllers are to:

  • notify Roskomnadzor of their intention to process personal data, except when an exemption applies; 
  • ensure personal data security;
  • adopt a personal data processing policy which includes the list of data, the purposes of data processing, etc.; 
  • appoint a data protection officer responsible for the organisation of data processing within the company;
  • periodically perform internal audits and assessments of the effectiveness of measures applied to protect personal data; 
  • retain control over such measures and the level of protection of personal data (in particular in cases where data processing is outsourced); and
  • ensure that the recording, systemisation, accumulation, storage, clarification (updating, modification) and retrieval of Russian citizens’ personal data is conducted in databases located within Russia.

Exceptions to the requirement to notify Roskomnadzor of the intention to process personal data

Notification is not required, in particular, to process (i) personal data of employees, when such data is processed by their employer for the purposes of employment relations; (ii) personal data received by the data controller to conclude and perform an agreement with the respective data subject; (iii) data made public by the data subject.

Technical requirements

According to the law, personal data must be protected against unauthorised access, alteration, transfer, disclosure by transfer or deletion as well as damage and accidental destruction. In order to ensure the security of personal data, the data controller must, in particular:

  • use technical devices certified by the competent Russian authorities and keep a record of the devices on which the personal data is stored;
  • determine the level of damage which may be caused in the event of unauthorised processing of personal data; and
  • establish rules relating to access to personal data. 

The Data Protection Law does not provide further details on the technical and organisational measures mentioned above, although some detailed requirements are provided in the relevant regulatory orders. 

Localisation requirements

Data controllers who collect personal data of Russian citizens must ensure that the recording, systemisation, accumulation, storage, clarification (updating, modification) and retrieval of Russian citizens’ personal data are conducted only in databases located within Russia. There are a limited number of exceptions to this requirement, which usually do not apply to business.

When notifying Roskomnadzor of the commencement of processing of personal data, data controllers are required to state the location of the database containing Russian citizens’ personal data.

Localisation requirements could apply to foreign data controllers if their activity is aimed at the Russian market (e.g. Russian versions of websites).

Outsourcing

Data controllers may outsource the processing of personal data. To do so they must enter into an agreement with a data processing service provider (a “Technical Processor”). The agreement must contain certain substantial conditions as set out by the Data Protection Law. Data controllers nevertheless remain responsible to data subjects for the fulfilment of their obligations. The Technical Processor must ensure the confidentiality and protection of the personal data. 

Liability

Administrative fines and other sanctions 

If a data controller has violated the requirements of the Data Protection Law, Roskomnadzor and/or the relevant court may:

  • require the data controller to rectify the violation(s); 
  • issue a warning to the data controller; and/or
  • impose fines.

The following fines may be imposed on data controllers:

  • for individuals: RUB 100 - 5,000 (EUR 1 - 56)[1];
  • for company officials: RUB 300 - 20,000 (EUR 3 - 222);
  • for legal entities: RUB 3,000 - 75,000 (EUR 33 - 833).

[1] At the notional exchange rate of RUB 90 = EUR 1, as used for convenience throughout this guide.

The most frequent violations include:

  • failure to file a notification of the commencement of processing of personal data with Roskomnadzor;
  • inconsistency between the details set out in the notification and the actual processing activities; 
  • failure to obtain the Qualified Consent of a data subject and to inform a data subject of the processing of his/her personal data; and
  • processing of personal data without proper legal grounds and failure to provide unrestricted access to its personal data processing policy (e.g. posting on its website).

The Russian Code on Administrative Offences was recently amended to introduce a separate sanction for breach of personal data localisation requirements. In addition to the blocking of websites, the following fines may be imposed: 

  • on individuals: RUB 30,000 - 50,000 (EUR 333 - 556);
  • on company officials: RUB 100,000 - 200,000 (EUR 1,111 - 2,222);
  • on legal entities: RUB 1m - 6m (EUR 11,111 - 66,667).

Repeat violations of the personal data localisation rules may result in higher fines of up to RUB 18m (EUR 200,000) for legal entities.

Judicial remedies

Data subjects can file a court action against a data controller to seek compensation for damages caused by the illegal treatment of personal data. 

Criminal law issues

In serious cases, unlawful data processing may also be deemed as illegal collection and distribution of information on the private life of a person. The Russian Criminal Code provides that such violations are punishable with a fine, compulsory works or imprisonment.

Right to be forgotten

Russian Internet users enjoy the right to demand the removal of online links to information about them. 

Within ten days after the receipt of a relevant request from an individual, a provider must remove relevant link(s) or give reasons if it refuses to do so. This refusal may be appealed by the individual in court.

Key contact

Anton Bankovskiy
Partner
Head of Intellectual Property
Moscow
T +7 495 786 40 63