
Personal data regulation in 2025: key takeaways

Shermet Kurbanov, Senior Associate and Co-head of Intellectual Property and Digital Law at SL LEGAL, commented for the special Pravo.ru Year in Review issue on key developments in privacy regulation in Russia in 2025. These are:

  • Stricter data localisation requirements. Since 1 July 2025, companies have been prohibited from storing the personal data of Russian citizens in foreign databases.

This, Shermet explains, will require many organisations to conduct thorough legal and technical audits of their existing processes – particularly those relying on cloud infrastructure or foreign-based service providers.

  • Further uncertainty arises from a potential revision of the list of “adequate” jurisdictions for cross-border data transfers. A bill currently under review in the State Duma seeks to tighten the criteria for adequacy, reflecting concerns that some listed countries do not, in practice, guarantee sufficient protection for data subjects’ rights.

Shermet warns that if these proposals move forward, businesses with international operations or foreign partners will need to account for this when reviewing existing and assessing new cross-border data transfer procedures.

  • A major legislative shift this year has been the introduction of stricter liability for violations in personal data processing. The amendments have established new administrative offenses – such as failing to notify regulators about processing activities and data breaches – and have also significantly increased fines for existing violations. For example, under the general provision (Art. 13.11(1) of the Administrative Code), the maximum penalty has risen to RUB 300,000 (EUR 3,300).

From a business perspective, the most impactful changes relate to breaches involving special categories of data and biometric information. Unlike other types of personal data, there is no “progressive” penalty scale for these categories. This means even a first-time breach can result in fines ranging from RUB 10 to 20m (EUR 109k – EUR 218k).

According to Shermet, these heightened risks have made data security and internal control a top priority for management – highlighting that merely formal compliance measures are no longer sufficient.

  • Fines for breaches of “ordinary” personal data have also risen sharply. A repeat incident involving 10,000 identifiers or the data of at least 1,000 individuals now carries a turnover-based fine of up to 3% of annual revenue – capped between RUB 20m and RUB 500m (EUR 218k – EUR 5.4m).

Shermet points out that whether a company can benefit from mitigating circumstances depends largely on whether it has documented incident response procedures and robust data protection measures in place.

For the full analysis of these and other developments in personal data regulation, see the special Pravo.ru Year in Review issue (available in Russian).