Companies are required to store personal data in Russia as of September 1, 2015.
On September 1, 2015 a requirement to localize the processing of personal data of citizens of Russia takes effect. In this regard, companies that process personal data of citizens of Russia, for example, hotels, internet shops and other organizations, including those using online technologies for payment and reservation of services and goods, will be required to use databases located in Russia for processing the personal data of citizens of Russia. According to the Ministry of Communications, these requirements apply to foreign companies that do not have a presence in Russia, if their activity is aimed at Russia. The requirement on localization also applies to companies that handle a relatively small number of personal data limited to employees and contact persons of their existing and potential customers (e.g., CRM).
Please note that the law provides for a number of exceptions to this requirement when the processing of personal data of Russian citizens abroad can be carried out without data localization in Russia. For example, the requirement to use a server in Russia does not apply to the processing of personal data of Russian citizens if such processing is necessary to fulfill functions, powers and duties imposed on the operator by Russian legislation, or to achieve the goals of an international treaty.
To fulfill the requirement of Russian localization of personal data processed in electronic form, companies can:
- Buy, install and maintain a server in Russia at their premises;
- Buy, install and maintain a server in Russia at the premises of a data center (collocation);
- Rent a physical server at a data center in Russia;
- Rent a virtual server at a data center in Russia;
- Purchase a hosting website from a hosting provider in Russia.
We believe that a server in Russia can be used as a separate and independent server, and as a mirror server, when besides the server in Russia processing personal data of citizens of Russia is also carried out by a second server located abroad, and between these servers there is a constant exchange of data. It is important that the data is located on the foreign server are always available in Russia.
As of the date the law goes into effect, companies that intend to carry out the processing of personal data of citizens of Russia and who have not previously submitted a notification of the processing of personal data to the regulatory authority in the field of personal data protection (Roskomnadzor), are obliged to submit, it specifying the location of the databases used in Russia.
In connection with the entry into force of the law, companies processing personal data of citizens of Russia and which are not currently using a server with a database in Russia are recommended to:
- Study the changes in the legislation;
- By the time of entry into force of the law select one of the options for using a server with a database in Russia;
- Follow the official explanations of the Russian government bodies;
- Submit a notice of the processing of personal data to Roskomnadzor (if not already submitted).
- Conduct an audit of personal data in order to identify those which can be processed abroad, and conduct an audit of databases and IT systems in order to determine the location of personal data processing.
In the event of failure to comply with the law Roskomnadzor, by court decision, may restrict (block) access to the site of the company in Russia, and also enter the company’s website in a special register of violators. The legislation also provides for administrative liability for violation of the legislation on personal data .
We also encourage you to read the frequently asked questions related to the localization of personal data in Russia in our blog.
Specialists at BRICS Consulting will be happy to assist you in complying with the legal requirements, as well as answer any of your questions.
 Federal Law dated 21.07.2014 N 242-FZ “On amendments to certain legislative acts of the Russian Federation with regard to clarification of the processing of personal data in information and telecommunication networks” comes into force on September 1, 2016.
 See full list below.
 Register of violators of rights of subjects of personal data.
 Art. 13.11 Code of Administrative Offenses.