New personal data anonymisation requirements

A number of documents relating to the anonymisation of personal data have been adopted recently; these provide for cases where companies may be obliged to provide the Ministry of Digital Development, Communications and Mass Media of the Russian Federation (“Ministry of Digital Development of Russia”) with anonymised data for government datasets:

• Federal Law FZ-233 dated 8 August 2024 (“Law FZ-233”);
• Resolution of the Government of the Russian Federation No. 966 dated 26 June 2025 (“Resolution 966”);
• Resolution of the Government of the Russian Federation No. 1154 dated 1 August 2025 (“Resolution 1154”); and
• Order of the Federal Service for Supervision of Communications, Information Technology and Mass Media No. 140 dated 19 June 2025 (“Order 140”).

In this review, we address the situations in which you are obliged to provide anonymised data on receiving an official request from the Ministry of Digital Development of Russia.

In which cases may the Ministry of Digital Development of Russia request anonymised data?

The grounds on which the Ministry of Digital Development of Russia may request anonymised personal data are set out in Resolution of the Government of the Russian Federation No. 538 of 24 April 2025. These include:

• the risk of natural and man-made emergencies occurring in a specific area;
• implementation of the government counter-terrorism policy;
• declaration of a state of emergency across the country or in specific regions; and
• introduction of quarantine to prevent the spread of diseases.

The request must be submitted via the controller’s personal account in the information system of the Ministry of Digital Development of Russia, via an integrated portal for government and municipal services (functions) (“Integrated Portal”), provided the controller has a personal account, or by registered mail (paragraph 2 of Resolution 966).

The request must clearly specify the list of anonymised data being requested and the deadline for its provision (article 13.1 of Law No. FZ-152).

What to do when you receive a request?

To anonymise data, it is necessary to use the methods approved by Order 140 and Resolution 1154; the main methods are set out below.

Introduction of identifiers (pseudonymisation): replacing direct identifiers (full names) with a code. The key table is kept separately and is not disclosed to anyone (paragraph 2 of Order 140).
• Changes to the composition or meaning: deletion, generalisation (age “25” → “20–30”) and masking part of the data (paragraph 4 of Order 140).
• Decomposition: the break-down of data into parts and their separate storage (paragraph 11 of Order 140).
• Aggregation (transformation): the presentation of data in a summarised, grouped form (average age by group, percentage) (paragraph 12 of Order 140, paragraph 9 of the Rules set out in Resolution 1154).
The result of anonymisation must preclude the possibility of identifying the data subject without the use of additional information (keys) to which the data recipient does not have access.

How should data be provided?

Before being sent, the anonymised data set must be signed using the controller’s enhanced qualified electronic signature (paragraph 4 of Resolution 966). This confirms the legal validity and source of data.

Data must be submitted within the following timeframes:

• via your personal account or the Integrated Portal, within five working days;
• by other means (mail), within 30 working days (paragraph 3 of Resolution 966).

Data is transferred to the national information system of the Ministry of Digital Development of Russia. If you do not have the requested data, you must send an official reasoned refusal within five working days, explaining the reasons (paragraph 5 of Resolution 966).

If the Ministry of Digital Development of Russia identifies any inaccuracies, omissions or breaches in the anonymisation process, you will be sent a second request (within 15 working days) and you will be obliged to correct and resubmit the data (paragraphs 6 and 7 of Resolution 966).

What else is important?

It is important to verify the legitimacy of the request, especially whether it has indeed been issued by the Ministry of Digital Development of Russia.

It is advisable to check that your IT systems are technically capable of properly anonymising the required data. The Ministry of Digital Development of Russia may provide free software for integration via the Integrated Portal (paragraph 2 of Resolution 966).

It should be also checked whether local regulations describing the anonymisation processes and methods have been prepared. This requirement is set out in paragraphs 16 and 17 of Order 140.

It is important to remember that even anonymised data provided to the state continues to be regarded as personal data (article 6, clause 9.1 of Law FZ-152) and its processing and protection must be carried out in full compliance with the law. Regulatory documents also require that original and anonymised data be stored separately and that information be protected during transmission (paragraph 2 of Resolution 1154, paragraph 1.6 of Order 140).


* * *

Click the link to access the roadmap prepared by the Denuo legal team; it outlines the preferred course of action to take if you receive a request from the Ministry of Digital Development of Russia to provide an anonymised set of personal data.