On July 1, 2025, a new version of paragraph 5 of Article 18 of Federal Law No. 152 “On Personal Data” will come into force.
On May 30, 2025, the toughening of personal data legislation under Law No. 420-FZ of November 2024 will come into force, increasing fines for violations up to 18 million RUB.
- The changes will affect localization, i.e. the location of databases containing personal data of subjects.
Who will be affected by these changes (if at least one of these conditions applies):
- the company uses foreign business services (e.g., cloud services, Google Forms, Google Analytics);
- the company uses foreign IT solutions to process the personal data of Russians (e.g., where your website is hosted);
- the company collects or transfers personal data across borders in transactions with counterparties (whether such provisions are included in contracts).
Localization, taking into account the amendments to the legislation, means not just the presence of a server in Russia, but the complete physical location of all infrastructure elements involved in the collection, storage and processing of data.
Roskomnadzor actively uses automated monitoring tools, such as the Revizor system, to check the location of servers and analyze traffic.
The new version of the Law introduces an explicit prohibition on the collection of personal data using databases anywhere outside the Russian Federation.
In addition, the amendments specify the obligations of data controllers to process the data of Russian citizens exclusively on the territory of the Russian Federation; this now also applies to processors handling personal data on behalf of the operator. Previously, the legislation allowed data operators to store and process data outside of Russia through processors. This did not allow for reliable protection of personal data and created the conditions for its leakage.
- At the same time, the changes in the law will not affect cross-border transfer; operators will also be able to transfer personal data outside the Russian Federation (by notifying Roskomnadzor of the fact of cross-border transfer).
However, the access of foreign companies to the personal data of Russian citizens will become more complicated, as it will be necessary to store such data exclusively in Russia.
- Although No. 152-FZ does not explicitly refer to cookies, Roskomnadzor interprets the use of cookies as collection of personal data, requiring explicit user consent.
In 2025, the following are now mandatory:
- Consent banners that appear when you first visit the website.
- Ability to clearly opt out of data processing.
- Separation of cookies into categories (analytical, advertising, technical).
- Use of Russian servers to store cookies if they contain identifying data.
To avoid the company being held liable for violating personal data legislation, it is necessary to check whether personal data is collected and stored outside the Russian Federation.
Author
Anna Reznikova
- Head of legal practice in Labor & Migration