On May 30, 2025, significant amendments to Russia’s Personal Data Law (Federal Law No. 152-FZ) will come into effect. Introduced by Federal Law No. 420-FZ dated November 30, 2024, the changes tighten regulatory oversight and drastically increase penalties for non-compliance. In serious cases — especially data breaches — fines may reach up to RUB 500 million (appr. EUR 5 million).

There’s still time to prepare. Here’s what companies should do before the end of May.

  1. File your notification with Roskomnadzor

Even if your organization has been processing personal data for years but has still not submitted a notification to Roskomnadzor, Russia’s data protection authority, you must do so now. This applies to all companies, including those processing only employee data.

There are three types of notifications:

  • Start of personal data processing
  • Amendments to an existing notification
  • Termination of data processing

Notifications can be submitted online via pd.rkn.gov.ru or in paper form.


  2. Review and update consent documentation

Processing personal data requires documented consent from the data subject. While penalties for missing consent remain unchanged, they are still substantial — up to RUB 700,000 (EUR 7,000) for a first-time offense.

Exceptions: Separate consent is not required when transferring data to government bodies as mandated by law. However, if you outsource HR or accounting functions to a third party, explicit consent is required.

Note: Currently, consent may be included in an employment contract. But this may change — a draft law (No. 679980-8) would require consent to be a standalone document.


  3. Audit and clean up stored personal data

Keep only what is necessary. Dispose of:

  • Outdated or unnecessary document copies
  • Data of former employees
  • Information where consent has expired or been withdrawn

Deletion must be documented in a formal data destruction report, which should be retained for three years.


  4. Prepare for potential data breaches

Companies must take adequate measures to protect personal data. Currently, the maximum fine for a breach is RUB 300,000 (EUR 3,000). From May 30, fines will be scaled based on the severity and volume of leaked data.

In the event of repeated breaches, turnover-based fines will apply — from 1% to 3% of annual revenue, but not less than RUB 20 million (EUR 200,000), and not more than RUB 500 million (EUR 5 million).

If a breach occurs, you must notify Roskomnadzor within 24 hours of detection. A full incident report must follow within 72 hours.

* * *

We recommend reviewing your company’s data handling practices now:

  • Submit your Roskomnadzor notification
  • Update consent procedures
  • Conduct a personal data audit
  • Ensure your breach response plan is in place