A new stage of localization of work with personal data: changes since July 2025

Dear colleagues,

The improvement of legislation in the field of personal data protection continues.

Since July 1, 2025 the amendments to the Article 18 of the Federal Law No. 152-FZ (introduced by the Federal Law No. 23-FZ from 28.02.2025), which impose additional restrictions for operators and processors of personal information, came into force.

The updated provision explicitly prohibits the use of databases located abroad when collecting the data of Russian citizens: 

“When collecting personal data, including through the information and telecommunications network Internet, recording, systematization, accumulation, storage, clarification (update, change), extraction of personal data of citizens of the Russian Federation using databases located outside the territory of the Russian Federation is not allowed, except in cases specified in the paragraphs 2, 3, 4, 8 of the Part 1 of the Article 6 of the present Federal Law.”

Below we will analyze the key changes, consider the risks and offer recommendations for action.

The scope of restrictions

According to the direct interpretation of the article of the law (see above for the complete version), we can conclude that the new rules relate exclusively to the initial collection of personal data. 

Subsequent cross-border data transfer is not prohibited – however, it is important to remember and take into account previously introduced requirements (see our review here and here). 

Expanded range of responsible parties

Previously the requirements applied directly only to personal data controllers, but now all data processors, such as HR providers, cloud storage services and electronic document management platforms are subject to control.

High fines! 

Non-compliance with the rules can lead to serious sanctions:

• Primary violation – a fine of 1-6 million rubles (for legal entities), 100-200 thousand rubles (for company officials).

• Repeated violation – 6-18 million rubles (for legal entities), 500-800 thousand rubles (for company officials).

Recommendations

Definitely, you should start with a process audit. It is necessary to analyze the current company IT infrastructure (including the location of databases and the physical location of servers), making sure that data collection takes place in the territory of the Russian Federation.

It is important not to ignore all data collection channels: for example, the company’s website (often containing forms to fill out or analytical data collection services), mobile applications (if available), etc.

It will be also necessary to check and update internal local regulations and policies, in particular, the regulation on personal data processing.

We will be glad to answer your questions, help you with preparation of the necessary documentation and advise you on this and other issues.