• about
  • people
  • expertises
  • insights
  • events
    • English
    • Russian
  • career
  • contact
  • sign up
SEAMLESS
03/27/2025
Toughening the requirement for localisation of personal data

On 28 February 2025, Law No. 23* was adopted, amending the regulation of personal data. These changes will come into force on 1 July 2025.

The amendments significantly transform the requirement for localizing personal data of Russian citizens. From now on, when collecting personal data of Russian citizens, it will be prohibited:

  • to record,
  • systematise,
  • accumulate,
  • store,
  • clarify (update, change), and
  • extract such data

using foreign databases.

Previously, the Law on Personal Data stipulated that when collecting personal data, operators were required to perform the initial processing using databases located in the Russian Federation. However, it was not prohibited to transfer or duplicate the data to foreign databases during subsequent processing.

In essence, the provision has shifted from a prescription to a strict prohibition.

These changes have sparked widespread discussion in the professional community, with differing interpretations, including some suggesting a complete prohibition on cross-border data transfer. However, such an interpretation does not appear to follow from a literal reading of the law, and the legal provisions on cross-border data transfer have been left untouched.

The amendments appear to refer only to the primary processing of Russian citizens' data at the point of data collection — that is, when personal data is directly received from the individual (for example, via a registration form). Therefore, based on a literal interpretation, the storage or further processing of this data for other purposes not related to the initial collection, or the processing of generated data, should not be subject to this prohibition.

In particular, the amendments do not exclude the possibility of subsequent cross-border data transfers, provided that the relevant requirements of the Personal Data Law are met.

Importantly, the localisation obligation now applies not only to operators but also to “processors”.

In addition to the amendments mentioned above, Law No. 23* introduces provisions concerning the processing of civil servants' data, along with additional measures to enhance the security of such data.

These amendments are part of a broader trend towards tighter regulations and increased responsibilities in the field of personal data protection.

Given the supervisory authority's close scrutiny of data localisation issues, we recommend that companies conduct audits of their internal processes, data localisation schemes, and partnerships with “processors” to ensure compliance with the law and avoid liability.

* In Russian

Publication is also available in Chinese, Japanese, and Russian.

Authors:

Alisa Mikheeva, Associate

Shermet Kurbanov, Associate

Elizaveta Isaeva, Associate

All Insights Next Publication
Privacy Policy Cookie Policy Terms of Use
mail linkedin telegram youtube
© SEAMLESS LEGAL LIMITED 2026
Our website uses cookies to ensure the best user experience. Please accept cookies for optimal performance. For more information check our Cookie Policy.
ACCEPT COOKIES
REJECT COOKIES
Send your request
Many thanks for your inquiry.
We have received your message and will revert shortly.