Data localization: why old schemes no longer work and how to avoid multimillion fines
Published on 2025-11-27
If your business works with users from Russia, the question of where personal data is stored concerns you directly. Phones, names, email addresses, form submissions, employee data — all of this falls under strict localization requirements.
Many companies have lived for years in a “gray area”: data seemed to be stored both in Russia and abroad, and responsibility was blurred. But as of July 1, 2025 the rules changed so much that many common technical schemes are now considered a direct violation of the law.
Below is a detailed description of what changed, which myths lead to fines, and how to build your infrastructure to avoid blocking and multi-million payouts.
What changed: from soft recommendations to a strict ban
Requirements to localize personal data of RF citizens appeared back in 2015. But for many years the situation remained flexible, and companies commonly:
- used “parallel writing” of data to Russian and foreign servers;
- used a Russian server as a “pipe” (proxying);
- stored temporary data in foreign clouds.
Roskomnadzor often limited itself to orders or warnings. However, practice gradually hardened: the blocking of LinkedIn was the first high-profile case, later Facebook and Twitter were fined.
As of July 1, 2025, regulations came into force that closed these loopholes.
A strict rule now applies:
Personal data of citizens of the Russian Federation must be initially collected, recorded, and stored on a server physically located in Russia. Only after the completion of this process is it permitted to transfer or copy the data abroad.
Simply put, the technical scheme should look like this:
- the user submits a form;
- the data arrives at a server in Russia;
- the data is saved in a Russian database;
- only then may it be transferred to foreign systems (CRM, Helpdesk, ERP, etc.).
No parallel streams, transit, or immediate writing abroad.
Three dangerous myths that make companies lose money
To comply with the law, it’s not enough to have a Russian server. It’s important to correctly understand terms that are interpreted differently than in IT practice.
Myth 1. “A database is a big server in a data center”
In fact a database is any structured storage.
This can be:
- an Excel file;
- Google Sheets;
- an HR manager’s contact list;
- a table in Notion;
- a CRM in a foreign cloud.
If a file with personal data of Russians is stored on a foreign server — it’s a violation, regardless of company size or data volume.
Myth 2. “We collect data, but we don’t store it”
The moment a user clicked “Submit,” data processing begins.
If this data immediately goes to a foreign server via API or form — it’s a violation, even if you say: “we don’t store it.”
The first point of entry must be a server in Russia.
Myth 3. “Parallel collection of data in Russia and abroad is allowed”
Previously many companies used this approach: data was sent simultaneously to a Russian server and to a foreign one.
This is now strictly prohibited. Any scheme of parallel collection is considered an attempt to circumvent the law.
Cost of a mistake: how much improper localization costs
Fines for violating the rules for processing personal data are among the highest.
Fine amounts:
- First violation: from 1 to 6 million rubles.
- Repeat violation: from 6 to 18 million rubles.
And if the regulator deems the actions gross or intentional, sanctions can be even higher.
Practice shows: courts almost always side with Roskomnadzor. Appeals and cassation proceedings are generally useless. The fact of the violation is technically recorded, and it is extremely difficult to refute.
In addition to fines, possible consequences include:
- website blocking;
- prohibition on data processing;
- audits of the entire business.
What to do: technical and legal plan
Data localization is not only a task for DevOps or the system administrator. It’s a process at the intersection of law, infrastructure, and internal regulations.
Below is a complete action plan.
1. Audit infrastructure and processes
Analyze:
- website forms;
- CRM systems;
- e-mail marketing systems;
- cloud services;
- backups;
- logs and monitoring.
Check the entire data flow: from the click on a form to archived backups.
2. Implement a “Russia First” architecture
The technical scheme must guarantee that:
- data first arrives at a Russian server;
- it is written to a Russian database;
- only then does the data go to foreign services.
This can be implemented through:
- a Russian backend/API gateway;
- a Russian message broker (RabbitMQ, Kafka);
- a Russian reverse-proxy that writes to local storage.
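A minimal store-then-forward handler that enforces the ordering above, as an added example (not code from the original article): the request path writes only to the local database, and a separate worker copies already-committed records to the foreign system. The database and the foreign CRM client are constructed stand-ins; the point is that no foreign call can happen before the local write has been committed, and a foreign outage never affects local collection.

```python
import json
import sqlite3

def open_local_store(path=":memory:"):
    """Constructed stand-in for a database on a server in the RF (in-memory
    SQLite keeps the example self-contained). 'forwarded' tracks whether a
    record has already been copied abroad."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE IF NOT EXISTS submissions (id INTEGER PRIMARY KEY, "
                 "payload TEXT NOT NULL, forwarded INTEGER NOT NULL DEFAULT 0)")
    return conn

def handle_form_submission(conn, form: dict) -> int:
    """Request path on the Russian backend: write locally and nothing else.
    No foreign call happens here, so there is no parallel stream or transit;
    the record exists in the local database before any downstream step runs."""
    cur = conn.execute("INSERT INTO submissions (payload) VALUES (?)",
                       (json.dumps(form),))
    conn.commit()
    return cur.lastrowid

def forward_pending(conn, send) -> int:
    """Separate worker (e.g. fed from a local broker): forwards only rows that
    are already committed locally. A failed send leaves the row unforwarded for
    a later retry and never affects the local copy. Returns the number sent."""
    rows = conn.execute("SELECT id, payload FROM submissions WHERE forwarded = 0 "
                        "ORDER BY id").fetchall()
    sent = 0
    for row_id, payload in rows:
        if send(json.loads(payload)):
            conn.execute("UPDATE submissions SET forwarded = 1 WHERE id = ?", (row_id,))
            conn.commit()
            sent += 1
    return sent

class FakeForeignCrm:
    """Constructed stand-in for a CRM hosted abroad; records what it receives."""
    def __init__(self, available=True):
        self.available = available
        self.received = []

    def send(self, payload: dict) -> bool:
        if not self.available:
            return False  # simulated outage: the foreign side receives nothing
        self.received.append(payload)
        return True
```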
3. Document your method for determining citizenship
The law protects citizens of the Russian Federation.
If you do not determine users’ citizenship, the regulator may consider all clients to be Russian citizens.
Approaches:
- a mandatory “Citizenship” field in forms;
- geolocation + Russian phone number + Russian passport service;
- separate rules for B2B and B2C.
Document the chosen methodology.
4. Review and update contracts with partners
If you transfer data to:
- a foreign parent company,
- a CRM abroad,
- a contractor with an office outside Russia,
you need to formalize the transfer in a legally correct way.
It is often safer to transfer data as an independent operator, rather than by assignment. This way you make the partner responsible for their part of the work, and do not bear all the responsibility yourself.
5. Choose hosting that confirms placement in the RF
To comply with the law, the server must be physically located in Russia.
The provider should:
- have a data center in the Russian Federation;
- have documents confirming the servers’ location;
- assume responsibility for the security of the infrastructure.
6. Notify Roskomnadzor
After setting up localization you need to:
- submit a new notification, or
- update an existing one.
The notification must indicate the specific Russian addresses of data storage and processing.
Summary
Data localization is no longer a formality or a “paper” task. It is a basic requirement for everyone who works with Russian users.
Old technical schemes no longer work. Parallel collection is prohibited. Liability is strict and costly.
Rebuilding processes now will be cheaper than fines and blocking in the future.
To receive a compliance checklist, submit an application!