Concise and to the point with ALRUD: HR & DIGITAL (№18)

04 March 2025

The authorities have tightened the requirements for businesses to follow when storing personal data (PD)


The President of the Russian Federation signed Federal Law No. 23-FZ dated 28 February 2025 with amendments to several legislative acts, including Federal Law No. 152-FZ dated 27 July 2006 “On Personal Data”. Part 5 of Article 18 of this Federal Law is set out in a new wording: from 01 July 2025, when collecting PD, including via the Internet, any recording, systematization, accumulation, storage, clarification (updating, modification), or extraction of PD of citizens of the Russian Federation using databases located outside the Russian Federation is forbidden. An exception may be made in cases which are usually not applicable to business, for example, when processing is related to the fulfillment of an international agreement to which the Russian Federation is party, the duties or powers of the data controller, participation in legal proceedings, or when necessary for scientific activity, journalistic work (if the rights of the PD subjects are not violated), or the functioning of government agencies.

Previously, the same article stipulated that, when collecting PD, including via the Internet, the data controller was obliged to ensure the recording, systematization, accumulation, storage, clarification (updating, modification), and extraction of the PD of citizens of the Russian Federation using databases located in the Russian Federation (with the same exceptions). In other words, the obligation to use databases in the Russian Federation (which in itself did not exclude the further transfer of PD abroad during its processing) is replaced by a ban on using databases located abroad.

It is worth noting that the database localization requirement has been in effect since September 2015. Administrative fines of up to RUB 6 million, approx. USD 69,258 or EUR 65,977 (up to RUB 18 million, approx. USD 207,775 or EUR 197,931 for repeated violations) are stipulated in the event of a violation.

At present, there is no official indication as to whether the new changes clarify the existing localization requirement or introduce new restrictions or even an absolute ban on the use of foreign databases.

At the same time, the federal law does not change the provisions of the law regarding cross-border transfer of PD, which means that the possibility of cross-border transfer of PD will be preserved.

We are currently developing our position on the interpretation of the amendments and will definitely share our opinion with you.

What exactly will need to be done?

  • Companies that deal with foreign jurisdictions in their business activities will need to evaluate and possibly review their localization schemes for compliance with new requirements.

  • For those processes where there is a risk of violation, it will be necessary to restructure the process of providing PD to foreign databases by 01 July 2025. In most cases, this will involve legal changes, such as the revision of processing agreements and the introduction of new contractual control mechanisms for the data controller over the processing of PD, a change in the status of the recipient abroad from the processor to the data controller, a change in consent to the processing of PD, the purposes of cross-border transfer and the updating of notifications on cross-border transfer.

  • We also recommend monitoring possible clarifications from regulatory authorities, in particular the Ministry of Digital Development, Communications and Mass Media and Roskomnadzor (Russian Personal Data Authority). If such clarifications appear, we will definitely inform you.

The Ministry of Digital Development, Communications and Mass Media has published a draft with amendments to the rules of accreditation for IT companies


According to the agency's draft, organizations that work in the field of information security or companies with preferential state participation will be able to be accredited as an IT company if they receive more than 70% of their income from information security activities.

At the same time, additional restrictions for state accreditation are proposed. Thus, companies should not have more than 50% foreign participation. In addition, large accredited companies will be required to enter into an agreement with an educational organization for joint training of IT specialists.

The website of a company that is accredited or applying for accreditation should now include the name of the organization, legal and actual address, Tax ID, code from the classifier of economic activities (OKVED), contact information, and information about the types of IT activities in accordance with the order of the Ministry of Digital Development, Communications and Mass Media. Compliance with the requirements will be confirmed during the annual scheduled audit, which will begin in May 2025. The requirement for the share of foreign participation will enter into force on 01 September 2025.

We recall that, as a general rule, organizations are entitled to receive state accreditation if:

  • The main type of economic activity is one of the types contained in Attachment 1 to the Regulation on State Accreditation;
  • The average salary of employees is not less than the average for the country or the region in which the organization is registered;
  • Income from IT business activities is more than 30% of total income;
  • The official website of the organization contains information about the IT activities carried out in Russian.

Russian business shows interest in investing in PD protection products


The volume of investments in PD protection products in Russia in 2024 increased by 20%, reaching RUB 23 billion (approx. USD 265,491,300 or EUR 252,912,600). The increase in demand for leak response tools and access control products was particularly significant.

This increase in demand is justified against the background of tougher penalties for violations regarding PD processing, especially after the introduction of fines of up to RUB 500 million (approx. USD 5,771,550 or EUR 5,498,100) for repeated PD leaks. Although the changes in terms of liability will take effect only on 30 May 2025, we recommend that you prepare for them now by analyzing the main PD processes in your company for compliance with the current regulations.

Notably, in the past, companies focused more on the formal fulfillment of Roskomnadzor’s requirements, such as the need to obtain written consent and the establishment of local policies on various aspects of PD processing. Today, businesses are paying more attention to actual protection of PD, taking both organizational and technological measures to prevent leaks.

We hope that the information provided herein will be useful for you.

Note: please be aware that all information provided in this letter is based on an analysis of publicly available information as well as our understanding and interpretation of legislation and law enforcement practices. Neither ALRUD Law Firm nor the authors of this letter bear any liability for the consequences of any decisions made in reliance upon this information.

If you have any questions, please, do not hesitate to contact us.

Sincerely,
ALRUD Law Firm

Lesnaya st., 7, 12th fl., Moscow, Russia, 125196
T: +7 495 234 96 92, T: +7 495 926 16 48, info@alrud.com
alrud.com