YUST Law Firm
What law(s) specifically govern personal data / information?
National Data Protection Act details:
- Federal Law No. 152-FZ dated July 27, 2006 "On Personal Data" (the “Law”).
Sector-specific legislation containing specific data protection provisions:
- Labor Code of the Russian Federation No. 197-FZ dated December 30, 2001;
- Federal Law No. 149-FZ dated July 27, 2006 "On Information, Information Technologies and Information Protection";
- Decree of the Government of the Russian Federation No. 1119 dated November 01, 2012 "On Approval of Requirements for the Protection of Personal Data during Their Processing in Personal Data Information Systems";
- Federal Service for Supervision of Communications, Information Technology and Mass Media Order No. 178 dated October 27, 2022 "On Approval of Requirements for the assessment of damage that may be caused to data subjects in case of violation of the Federal Law "On Personal Data", etc.
What are the key data protection principles in this jurisdiction?
The Law provides for the following principles of personal data processing:
- Personal data shall be processed on a lawful and fair basis.
- Personal data processing shall be limited to the achievement of specific, pre-determined and lawful purposes. It is not allowed to process personal data for a purpose incompatible with the purpose for which they were collected.
- It is prohibited to combine databases containing personal data that are processed for purposes incompatible with each other.
- Only personal data that meet the purposes of their processing shall be processed.
- The scope and nature of the personal data processed shall correspond to the stated purposes of their processing. Personal data that are not relevant to the declared purposes of their processing shall not be processed.
- In the course of processing, the accuracy and sufficiency of personal data and, where necessary, their relevance to the processing purposes shall be ensured. Operators shall take the required measures, or ensure that such measures are taken, to delete or correct incomplete or inaccurate data.
- Personal data shall be stored in a form that allows identification of the personal data subject for no longer than the processing purposes require, unless the storage period is established by federal law or by an agreement to which the personal data subject is a party, beneficiary or guarantor. Personal data shall be destroyed or de-personalised once the stated purposes are achieved, or when such purposes cease to be relevant, unless otherwise stipulated by federal law.
What is the supervisory authority / regulator in charge of data protection?
Federal Service for Supervision of Communications, Information Technology and Mass Media.
Is there a requirement to register with a supervisory authority / regulator?
No registration is necessary.
Is there a requirement to notify the supervisory authority / regulator?
As a general rule, before starting personal data processing, the controller is obliged to notify the Federal Service for Supervision of Communications, Information Technology and Mass Media of its intention to process personal data (Part 1 of Article 22 of the Law). After that, the Federal Service for Supervision of Communications, Information Technology and Mass Media enters the relevant information into the register of personal data controllers (Part 4 of Article 22 of the Law).
A controller has the right to process personal data without notifying the authorised body in respect of personal data:
- that have been included in state personal data filing systems created for the purpose of protecting state security and public order;
- that are processed solely without the use of automation equipment;
- that are processed in the cases provided for by the transport security legislation of the Russian Federation for the purpose of ensuring the stable and safe operation of the transport complex and protecting the interests of the individual, society and the state in the transport sphere against acts of unlawful interference.
It is important to note that since May 30, 2025, a new version of the Code of the Russian Federation on Administrative Offenses dated December 30, 2001 No. 195-FZ has been in force, according to which failure to comply with the requirement to notify the regulatory authority of the start of personal data processing entails administrative liability in the form of an administrative fine of fifty thousand to one hundred thousand rubles for citizens and of one million to three million rubles for legal entities (Part 11 of Article 13.11 of the Code of the Russian Federation on Administrative Offenses dated December 30, 2001 No. 195-FZ).
Is it possible to register with / notify the supervisory authority / regulator online?
Yes, notification of the processing of personal data can be submitted online (in the form of an electronic document).
What are the key data subject rights under the data protection laws of this jurisdiction?
Right to information
According to Part 7 of Article 14 of the Law, the personal data subject has the right to receive information concerning the processing of their personal data, including:
- confirmation of the fact of processing personal data by the controller;
- legal grounds and purposes of personal data processing;
- purposes and methods of personal data processing used by the controller;
- the period of the processing of the personal data, including the period for which they are kept;
- the name and location of the controller, information about persons (except for employees of the controller) who have access to personal data or to whom personal data may be disclosed on the basis of an agreement with the controller or on the basis of federal law, etc.
Right of access
The personal data subject has the right to receive information about their personal data from the controller in an accessible form (Parts 1 and 2 of Article 14 of the Law).
Right to rectification of errors
The personal data subject has the right to rectification of inaccurate personal data (Part 1 of Article 14 of the Law).
Right to deletion/right to be forgotten
The personal data subject has the right to request that the controller delete their personal data where the personal data are incomplete, out-of-date, inaccurate or unlawfully obtained, or are not needed for the stated purpose of the processing (Part 1 of Article 14 of the Law).
Moreover, internet search engine controllers shall stop providing links to information about users who have contacted them with such a request (Part 1 of Article 3 of Federal Law No. 149-FZ dated July 27, 2006 "On Information, Information Technologies and Information Protection"). In this way, data subjects have the right to be forgotten.
Right to restriction of processing
Personal data subjects have the right to request restriction of the processing of their personal data, which means that the data may only be processed for limited purposes (Part 1 of Article 14 of the Law).
Right to data portability
The data subject decides on the provision of their personal data and consents to their processing freely, of their own will and in their own interest (Part 1 of Article 9 of the Law).
Right to object to processing
The personal data subject has the right to demand that any person processing their personal data stop the transfer (distribution, provision, access) of personal data which the subject previously authorised for distribution, where the provisions of the Law are not complied with, or to apply to a court with such a demand. That person is obliged to stop the transfer (distribution, provision, access) of the personal data within three working days from the date of receipt of the data subject's demand, or within the period specified in a court decision that has entered into force; if the court decision specifies no such period, then within three working days from the date on which the court decision enters into legal force (Part 14 of Article 10.1 of the Law).
Right to withdraw consent
Personal data subjects have the right to withdraw their consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before the withdrawal (Part 2 of Article 9 of the Law).
Right to complain to the relevant data protection authority(ies)
Data subjects have the right to file complaints about the processing of their personal data with the competent data protection authority, as well as with the courts (Part 1 of Article 17 of the Law).
Right not to be subject to automated individual decision-making
It is prohibited to make decisions based solely on automated processing of personal data that produce legal consequences for the data subject or otherwise affect their rights and legitimate interests without the consent of the data subject (Article 16 of the Law).
Is there a requirement to appoint a data protection officer (or equivalent)?
According to Paragraph 5, Part 1, Article 18.1 of the Law, a controller is obliged to evaluate the damage which may be caused to data subjects in the event of a violation of the Law and to correlate that damage with the measures taken by the controller to ensure the fulfillment of the obligations laid down in the Law.
Based on the results of that assessment, the controller determines the degree of damage that may be caused to the data subject in case of a violation of the Law (high, medium or low) and draws up a corresponding act (Federal Service for Supervision of Communications, Information Technology and Mass Media Order No. 178 dated October 27, 2022).
In addition, the controller is obliged to assess the effectiveness of the measures taken to ensure the security of personal data before commissioning the personal data information system (Paragraph 4, Part 2, Article 19 of the Law).
Do data protection/ privacy impact assessments need to be carried out in certain circumstances?
Under Part 3.1 of Article 21 of the Law, where the fact of an unlawful or accidental transfer (provision, dissemination, access) of personal data resulting in a violation of the rights of data subjects is established, the controller is obliged, from the moment such an incident is detected, to notify the Federal Service for Supervision of Communications, Information Technology and Mass Media:
- within 24 hours: of the incident that occurred, the suspected causes that led to the violation of data subjects' rights, the suspected damage caused to data subjects' rights and the measures taken to eliminate the consequences of the incident, and to provide information about the person authorised by the controller to interact with the authorised body for the protection of data subjects' rights on matters relating to the identified incident;
- within 72 hours: of the results of the internal investigation of the identified incident, and to provide information about the persons whose actions caused the identified incident (if any).
Does this jurisdiction have any specific data breach notification requirements?
Under Part 3.1 of Article 21 of the Law, where the fact of an unlawful or accidental transfer (provision, dissemination, access) of personal data resulting in a violation of the rights of data subjects is established, the controller is obliged, from the moment such an incident is detected, to notify the Federal Service for Supervision of Communications, Information Technology and Mass Media:
- within 24 hours: of the incident that occurred, the suspected causes that led to the violation of data subjects' rights, the suspected damage caused to data subjects' rights and the measures taken to eliminate the consequences of the incident, and to provide information about the person authorised by the controller to interact with the authorised body for the protection of data subjects' rights on matters relating to the identified incident;
- within 72 hours: of the results of the internal investigation of the identified incident, and to provide information about the persons whose actions caused the identified incident (if any).
What restrictions apply to the international transfer of personal data / information?
The controller, prior to the start of a cross-border transfer of personal data, is obliged to send a special notification to the Federal Service for Supervision of Communications, Information Technology and Mass Media of its intention to carry out the cross-border transfer of personal data (Part 3 of Article 12 of the Law).
Prior to submitting that notification, the controller is obliged to obtain from the authorities of the foreign state, foreign individuals or foreign legal entities to whom the cross-border transfer of personal data is planned:
- information on the authorities of the foreign state, foreign individuals or foreign legal entities to whom the transfer of personal data is planned;
- information on the legal regulation of personal data protection in the foreign state; and
- information on the measures taken in the foreign state to protect the transferred personal data and on the conditions for termination of their processing (Part 5 of Article 12 of the Law).
Upon notification, the controller has the right to carry out cross-border transfers of personal data to states that are parties to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Strasbourg, January 28, 1981) (the "Convention") or that are included in a special list approved by the Federal Service for Supervision of Communications, Information Technology and Mass Media. If the state is neither a party to the Convention nor included in the list, the controller may not carry out the cross-border transfer of personal data until the Federal Service for Supervision of Communications, Information Technology and Mass Media makes a decision (Parts 9 and 10 of Article 12 of the Law).
Based on the results of its consideration of the notification, the Federal Service for Supervision of Communications, Information Technology and Mass Media may either allow the cross-border transfer of personal data or decide to prohibit or restrict it in order to protect morality, health, and the rights and legitimate interests of citizens (Part 8 of Article 12 of the Law).
Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?
Yes, the provisions of the Law apply to the processing of personal data of citizens of the Russian Federation carried out by foreign legal entities or foreign individuals on the basis of an agreement to which citizens of the Russian Federation are a party, other agreements between foreign legal entities or foreign individuals and citizens of the Russian Federation, or on the basis of the consent of a citizen of the Russian Federation to the processing of their personal data (Part 1.1 of Article 1 of the Law).
What rules specifically deal with marketing?
The processing of personal data for the purpose of the market promotion of goods, work and services by means of making direct contact with a potential consumer with the aid of communications facilities, and for purposes of political campaigning, shall be permitted only on condition of the prior consent of the personal data subject. Such processing of personal data shall be deemed to be carried out without the prior consent of the personal data subject unless the controller is able to prove that such consent was obtained.
The controller shall be obliged, upon the request of a data subject, immediately to terminate the processing of their personal data which is referred to above (Article 15 of the Law).
Do different rules apply to business-to-business and business-to-consumer marketing?
There is no different regulation set by the Law for business-to-business and business-to-consumer marketing.
What rules specifically deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc)?
The same regulation applies as for marketing in general.
The processing of personal data for the purpose of the market promotion of goods, work and services by means of making direct contact with a potential consumer with the aid of communications facilities (including electronic means) shall be permitted only on condition of the prior consent of the personal data subject. Such processing of personal data shall be deemed to be carried out without the prior consent of the personal data subject unless the controller is able to prove that such consent was obtained.
The controller shall be obliged, upon the request of a data subject, immediately to terminate the processing of their personal data which is referred to above (Article 15 of the Law).
What rules specifically deal with cookies?
The Law contains no special regulation regarding cookies; however, case law treats cookies as a kind of personal data.
What are the consequences of non-compliance with data protection laws (including marketing laws)?
Violation by the controller of the requirements of the Law (for example, processing of personal data without the written consent of the data subject, failure by the controller to provide the data subject with information related to the processing of their personal data, or failure by the controller to collect personal data of citizens of the Russian Federation using databases located on the territory of the Russian Federation) may entail prosecution with the imposition of fines (Article 13.11 of the Code of the Russian Federation on Administrative Offenses dated December 30, 2001 No. 195-FZ).
It is important to note that since May 30, 2025, a new version of the Code of the Russian Federation on Administrative Offenses dated December 30, 2001 No. 195-FZ has been in force, under which liability for violations of the requirements for the processing and protection of personal data has increased significantly.
In addition, the data subject has the right to protect their rights and legal interests, including the right to reimbursement of losses and (or) compensation for moral injury through the courts (Part 2 of Article 17 of the Law).
In broad terms, what key factors should multinational organisations be aware of if they process personal data / information of individuals within this jurisdiction without being located there?
If a foreign controller processes personal data of Russian citizens, including by collecting information via the Internet, it shall collect, update and modify such data using databases located on the territory of Russia.
At the same time, there is no such obligation if the processing of personal data is required:
- for achieving the goals provided for by an international treaty of the Russian Federation,
- in connection with the participation of a person in constitutional, civil, administrative or criminal proceedings, or proceedings in arbitration courts,
- for rendering state or municipal services in accordance with Federal Law No. 210-FZ dated July 27, 2010 "On Provision of State and Municipal Services",
- for the purposes of the professional activities of a journalist and (or) the lawful activities of a mass medium, or for the purposes of scientific, literary or other creative activity, provided that this does not violate the rights and freedoms of the personal data subject (Part 5 of Article 18 of the Law).
What upcoming data protection developments should multinational organisations be aware of?
An important event to note is the entry into force on September 1, 2025 of Federal Law No. 233-FZ dated August 08, 2024, which provides that controllers will be required to provide pseudonymised personal data at the request of the Ministry of Digital Development, Communications and Mass Media. On the basis of these personal data, and in accordance with a procedure to be established by the Government of the Russian Federation, the Ministry of Digital Development, Communications and Mass Media will form datasets obtained as a result of the pseudonymisation of personal data and grouped according to a certain attribute, and will then consolidate them in the state information system.