A brief overview of changes in personal data protection legislation that came into force on September 1, 2025.

New rules for obtaining consent for the processing of personal data

The obligation to obtain consent for the processing of personal data separately from other information or documents that an individual confirms or signs has been introduced.

This innovation puts an end to the common practice of embedding permission to process personal data in user agreements and similar documents. From September 1, 2025, such embedded wording is considered invalid.

Previously, a similar restriction applied only to consent to the processing of personal data that the subject permits to be made publicly available (distributed). That consent is still drawn up as a separate document, apart from the other consents the same subject gives for the processing of their personal information.

It is important to understand that this does not only apply to paper documents. Consent can be given in any form that allows a person’s will to be confirmed. This can be:

  • A paper document with a signature;
  • An electronic form (e.g., a separate field or button on a website);
  • A checkbox or other technical means, if it is clearly separated from the agreement to the terms of the contract.

At the same time, the consent must contain the mandatory details listed in Part 4 of Article 9 of Law No. 152-FZ:

  • Information about the subject (full name, passport details);
  • Information about the operator (name of the LLC or full name of the individual entrepreneur, address);
  • List of data and the purpose of its processing;
  • Actions planned to be taken with the information (collection, storage, transfer, etc.);
  • Term of consent and procedure for its withdrawal.

Please note: if you plan to transfer data to third parties, you will need another separate consent form specifying the specific recipient and purpose of the transfer.

What you need to do now:

  • check all contract templates, questionnaires, and offers, and remove built-in consent clauses;
  • prepare separate consent forms (paper and electronic);
  • check how consent is collected on the website: checkboxes must be ticked by the user themselves;
  • make sure the form contains all mandatory details;
  • familiarize employees with the new requirements and update the company's internal regulations (LNA).

Depersonalization and transfer of data to government systems

From September 1, all operators (from sole proprietors to large companies) are required to use only certified anonymization methods.

Anonymization (also called depersonalization or de-identification) is a procedure that removes the possibility of identifying a specific person from the stored information. In practice, several methods are used for this: replacing personal data with codes, generalizing attributes (for example, an exact age becomes an age range), and splitting the data into separately stored parts.
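To make the three method classes concrete, here is an added Python example that is not part of the article and does not reproduce any certified method. It runs over a constructed set of records (no real persons): direct identifiers are replaced by a keyed code, the age and postal code are generalized, and the identifier part is kept in a table separate from the anonymized part, with a check that no direct identifier reaches the export. The field names, the key and the generalization rules are assumptions chosen for the illustration.

```python
"""Illustrative anonymization (depersonalization) of a constructed record set.

Added example, not from the article and not a certified method. It shows the
three method classes the text names: replacing identifiers with codes,
generalizing attributes, and splitting data into separately stored parts.
"""
import hashlib
import hmac

# Constructed sample records; the people and numbers are invented.
RECORDS = [
    {"full_name": "Ivanov Ivan", "passport": "4500 123456", "age": 34,
     "postal_code": "101000", "purchase": "subscription"},
    {"full_name": "Petrova Anna", "passport": "4501 654321", "age": 58,
     "postal_code": "190000", "purchase": "hardware"},
    {"full_name": "Sidorov Pyotr", "passport": "4502 111222", "age": 22,
     "postal_code": "101012", "purchase": "subscription"},
]

# Attributes that identify a person directly; these are replaced by codes.
DIRECT_IDENTIFIERS = ("full_name", "passport")


def make_code(record: dict, key: bytes) -> str:
    """Replace the direct identifiers with a keyed code (HMAC-SHA256).

    The key is held outside the anonymized data set. Without it the code can
    neither be reversed nor recomputed from guessed identifiers, which a plain
    unkeyed hash would allow.
    """
    material = "|".join(record[f] for f in DIRECT_IDENTIFIERS).encode("utf-8")
    return hmac.new(key, material, hashlib.sha256).hexdigest()[:16]


def generalize_age(age: int) -> str:
    """Generalize an exact age into a ten-year band, e.g. 34 -> '30-39'."""
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def generalize_postal_code(postal_code: str) -> str:
    """Keep only the leading three digits (the regional part) of a postal code."""
    return postal_code[:3] + "XXX"


def anonymize(records: list, key: bytes) -> tuple:
    """Split each record into an identifier part and an anonymized part.

    Returns (identity_table, anonymized_table). The identity table maps each
    code back to the original identifiers and is meant to be stored apart from
    the anonymized table; the anonymized table carries no direct identifiers.
    """
    identity_table = {}
    anonymized_table = []
    for record in records:
        code = make_code(record, key)
        identity_table[code] = {f: record[f] for f in DIRECT_IDENTIFIERS}
        anonymized_table.append({
            "code": code,
            "age_band": generalize_age(record["age"]),
            "postal_region": generalize_postal_code(record["postal_code"]),
            "purchase": record["purchase"],
        })
    return identity_table, anonymized_table


def contains_direct_identifiers(table: list) -> bool:
    """Pre-export check: True if any row still carries a direct identifier."""
    return any(f in row for row in table for f in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    # Constructed key for the demo; in real use it comes from the operator's key store.
    demo_key = b"constructed-demo-key-do-not-reuse"
    identities, anonymized = anonymize(RECORDS, demo_key)
    assert not contains_direct_identifiers(anonymized)
    for row in anonymized:
        print(row)
```

The generalization rules here are deliberately coarse; whether an age band plus a postal region still singles out a person depends on the size of the population behind each combination, so a real method has to be assessed for re-identification risk on the operator's own data and has to match the certified requirements the article refers to, not just drop the name and passport fields.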

The new requirement stipulates that anonymized data arrays must be transferred upon request to state information systems (GIS) supervised by the Ministry of Digital Development, Communications and Mass Media.

Such data may only be transmitted via secure communication channels. It must not include information about health, political or religious beliefs, or other special categories.

This means that operators must:

  • Be listed in the register of personal data operators;
  • Ensure that the Unified State Register of Legal Entities contains accurate information about them;
  • Implement tools for proper anonymization;
  • Establish a process for storing source and anonymized data separately;
  • Be prepared for requests from the state and be able to quickly export data in the required format;
  • Check that the programs and algorithms used to anonymize personal data actually work, since they may be needed when a request arrives from the Ministry of Digital Development, Communications and Mass Media.

Personal data and supervisory authorities

Until recently, Roskomnadzor remained the main body controlling the processing of personal data. Since September 1, 2025, law enforcement agencies have also joined the system:

  • The Russian Federal Security Service (FSB) can now verify how correctly companies implement technical and organizational measures to protect personal data. This applies to any organization (including commercial ones) that works with data.
  • FSTEC (Federal Service for Technical and Export Control) develops methodologies and certifies security measures. If further amendments are adopted, the Service will also be able to check information systems for compliance with requirements.

Thus, individual entrepreneurs and organizations now have several supervisory centers at once. This means:

  • Increased risk of inspections: whereas previously it was sufficient to put documents and policies in order, now special attention must be paid to IT infrastructure.
  • Stricter software requirements: operators must ensure that their data storage and processing systems comply with certified standards.
  • Greater responsibility: violations identified by the FSB or FSTEC may be interpreted not only as administrative offenses, but also as threats to national security.

The tightening of requirements for working with personal data will continue in 2026

Register of data centers (DC)

A registry of data centers will begin operating on March 1, 2026. Its main purpose is to systematize the infrastructure in which information about citizens is stored and to ensure that it complies with security requirements.

This means that:

  • Personal data operators will only be able to use data centers that are included in the state register.
  • Data centers will be subject to requirements for technical protection, redundancy, and geographical location.
  • The use of foreign cloud services for storing personal data will remain prohibited, and violations of the rules will be punishable by fines.

For companies (sole proprietors), this is primarily a matter of choosing a service provider: before signing a contract for hosting or server rental, it will be necessary to check whether the provider is listed in the official register.

Biometric data for accredited operators

Special attention is paid to biometric data (photos, voice, fingerprints, physical characteristics). Starting in 2026, only companies that have undergone special accreditation by the Ministry of Digital Development, Communications and Mass Media will be able to process such data.

This requirement is particularly important for:

  • Banks and fintech companies;
  • IT companies and remote identification services;
  • Medical organizations that work with digital patient profiles.

For companies without accreditation, storing or processing biometric data will be considered a violation and will result in serious penalties.

New turnover-based fines

Starting in 2026, it is planned to introduce turnover-based fines into the Administrative Offenses Code for repeated or systematic violations in the field of personal data: up to 3% of a company's annual revenue.

Strengthening of automatic control

Roskomnadzor is actively developing a system for monitoring leaks and violations using artificial intelligence.

By 2026, automated checks are planned to be introduced: algorithms will identify websites and services that collect data without consent, use foreign platforms, or do not publish their processing policies.

This means that violations will be recorded automatically.

Penalties for personal data violations continue to increase.

Our specialists will help you develop and review the necessary set of personal data documents in order to minimize the risks of liability.

Author

Anna Reznikova (Konsu)
  • Head of legal practice in Labor & Migration

Please describe your situation and we will find an optimal solution for your business.
info@konsugroup.com