152-FZ in 2025: New Fines, Requirements, and a Step-by-Step Compliance Plan
March 20, 2025 · 11 min read · System Networks
Since 2024, fines for violating Russia's personal data law have increased by 10–30x. A single data breach without proper Roskomnadzor notification can now cost a company up to ₽15 million. If your business operates in Russia or processes data of Russian citizens, this concerns you directly.
Who Must Comply with 152-FZ
152-FZ applies to any organisation that processes personal data of Russian citizens — regardless of where the company is incorporated. This includes:
New Fine Schedule (from 2024)
| Violation | First offence | Repeat / aggravated |
|---|---|---|
| Processing without legal basis / consent | ₽100,000 – ₽500,000 | ₽500,000 – ₽1,500,000 |
| Data breach without Roskomnadzor notification (72h) | ₽1,000,000 – ₽3,000,000 | ₽5,000,000 – ₽15,000,000 |
| Illegal cross-border data transfer | ₽1,000,000 – ₽6,000,000 | Up to ₽18,000,000 |
| Failure to respond to data subject requests | Up to ₽300,000 | Up to ₽1,000,000 |
| Storing data without required technical measures | Up to ₽1,000,000 | Up to ₽3,000,000 |
Core Requirements: What You Must Do
Data localisation
Primary databases with personal data of Russian citizens must be stored on servers physically located in Russia. Copies may be kept abroad. Violation can result in website blocking by Roskomnadzor.
Register as a data operator
Most organisations must notify Roskomnadzor that they process personal data. The register is public. Failure to register is a separate violation.
Obtain valid consent
Consent must be specific, informed, and freely given. Pre-ticked boxes are not valid. Consent must be documented and stored for 3 years after data deletion.
Implement technical security measures
Depending on the data category and volume, implement access controls, encryption, logging, and regular security assessments. The specific level depends on the "protection level" (UZ) classification.
Breach notification: 24 hours to notify, 72 hours for the full report
Any personal data breach must be reported to Roskomnadzor within 24 hours of discovery, followed by a full incident report within 72 hours. Missing either deadline is a separate, heavily fined violation.
Respond to data subject requests
Individuals have the right to access, correct, and delete their personal data. Requests must be responded to within 30 days.
Compliance Checklist
Frequently Asked Questions
What is 152-FZ?
Federal Law No. 152-FZ "On Personal Data" is Russia's primary data protection law. It regulates how organisations collect, store, process and transfer personal data of Russian citizens. Any company operating in Russia or processing data of Russian citizens must comply.
What are the fines for violating 152-FZ in 2025?
Since 2024, fines have increased dramatically. Processing without consent: up to ₽500,000. Data breach without notification: up to ₽3,000,000 for a first breach and up to ₽15,000,000 for a repeat offence. Illegal cross-border transfer: up to ₽6,000,000.
Where must personal data of Russian citizens be stored?
Primary databases containing personal data of Russian citizens must be stored on servers physically located in Russia. Companies may maintain copies abroad, but the primary database must be in Russia. Violation can result in website blocking.