Data & Privacy · Russia

Comprehensive law: Federal Law No. 152-FZ 'On Personal Data' (2006, as amended), enforced by Roskomnadzor (Federal Service for Supervision of Communications, Information Technology and Mass Media), supplemented by the data-localization rule introduced by Federal Law No. 242-FZ (2014).

Russia has a comprehensive, GDPR-predating personal-data protection regime centered on Federal Law No. 152-FZ (in force since 2006 and repeatedly amended). It imposes consent-based processing, a strict data-localization mandate requiring personal data of Russian citizens to be stored on servers physically in Russia, controlled cross-border transfers, and—following 2024-2025 reforms—substantially heightened administrative, turnover-based, and criminal liability for breaches. The supervisory authority is Roskomnadzor.

Comprehensive law & regulator

Federal Law No. 152-FZ 'On Personal Data' (enacted 2006) is the primary cross-sectoral statute; Roskomnadzor is the authorized federal body for control and supervision of personal-data processing.

Data localization

Federal Law No. 242-FZ (effective 1 September 2015) requires operators to collect, record, store and process the personal data of Russian citizens using databases located within Russia, and to notify Roskomnadzor of server location.

Consent and data-subject rights

Processing generally requires the data subject's prior consent; since a 2021 amendment, making data publicly available and any subsequent dissemination requires separate express consent. Data subjects have rights of access, correction, and deletion.

Cross-border transfers

Since 1 March 2023, controllers must notify Roskomnadzor before transferring personal data abroad; transfers to 'adequate-protection' jurisdictions may proceed after notification, while others require prior Roskomnadzor approval, and Roskomnadzor may ban or restrict transfers.

Heightened administrative & turnover fines (2025)

Federal Law No. 420-FZ (signed 30 Nov 2024, in force 30 May 2025) introduced tiered fines for data leaks (up to RUB 15 million) and revenue-based fines of 1-3% of prior-year turnover (RUB 20 million–500 million) for repeat leaks, plus a separate fine for failing to notify Roskomnadzor of incidents within 24 hours.

Criminal liability

A new Criminal Code article (in force 11 December 2024) criminalizes the illegal use, transfer, collection or storage of personal data, with the most severe penalty being up to 10 years' imprisonment and a fine of up to RUB 3 million.

Machine-assisted translation · verified 5/23/2026 · orientation, not legal advice.