Tougher personal data localisation requirements from 1 July 2025

Summary of key changes

On 28 February 2025, a federal law amending the Federal Law “On Personal Data” (draft law) was published. The amendments will enter into force on 1 July 2025 and tighten the requirements for the localisation of personal data of citizens of the Russian Federation. In addition, based on the amendments, localisation requirements now apply not only to operators, but also to “processors” (persons processing personal data as instructed).

More details

Ban on the use of foreign databases when collecting personal data

The law now requires operators to use databases located in Russia when collecting personal data.

Effective 1 July 2025, the following changes have been made to this provision:

• this requirement will apply not only to operators, but also to persons processing personal data as instructed (so-called “processors,” which include, for example, HR document management services and cloud HR systems). In general, this amendment continues the changes of 2022, which introduced the so-called “dual localisation,” i.e. the situation where the provisions of the law imposed the localisation obligation only on operators, but operators were obliged to include in the processing order provisions obliging processors to comply with localisation requirements.
• a stricter requirement is formulated that any use of foreign databases for the collection of personal data will be prohibited. In practice, various ways of formally using databases in Russia for the sole purpose of their further transfer abroad are currently often used, but from 1 July 2025, such practices may be deemed illegal.

Cross-border transfer and different interpretations

The amendments have caused a wide discussion in the professional environment. There are different positions: from the conclusion that these amendments almost completely prohibit cross-border transfers to relatively liberal interpretations suggesting that the amendments just eliminate the ambiguity of the previous version and will not affect the ability to transfer personal data abroad.

What does this mean for business?

We can expect the regulator will start paying closer attention to business processes related to the localisation of personal data of Russian citizens, as well as increased attention to foreign and Russian “processors” to whom personal data is transferred or who are involved in the collection of personal data. These issues should also be studied by the companies themselves when conducting personal data audits as part of their compliance activities, as well as when conducting due diligence when acquiring companies.