The year 2025 fundamentally changed the rules for handling personal data in Russia. Fines increased tenfold, turnover-based penalties of up to 500 million rubles were introduced for repeat data leaks, and entrusting data to a contractor no longer relieves the operator of responsibility. We analyze the key changes and their implications for businesses.
What Has Changed Since 2025
Over the past year, several sets of amendments have come into force. Since May 2025, fines for data leaks have been tightened and now scale with the number of affected data subjects: for the loss of data of 1 to 10 thousand subjects — 3–5 million rubles; 10 to 100 thousand — 5–10 million rubles; over 100 thousand — 10–15 million rubles. A repeat leak threatens a turnover-based fine of 0.1% to 3% of annual revenue (minimum 15 million, maximum 500 million rubles).
Since July 2025, the requirement for primary recording of Russians' data on servers located in the Russian Federation has been in effect. Since September, consent for data processing must be formalized as a separate document, not hidden within a contract or offer. Pre-checked boxes are prohibited. The fine for incorrect documentation is 300–700 thousand rubles, and up to 1.5 million for a repeat offense.
On January 1, 2026, new FSTEC requirements for state bodies and institutions came into force.
Criminal Liability
Federal Law No. 421-FZ introduced Article 272.1 into the Criminal Code, which provides punishment for the illegal collection, storage, use, and dissemination of personal data. The maximum penalty is imprisonment for up to 10 years with a fine of up to 3 million rubles.
The Supreme Court's Position: The Operator is Responsible for Everything
In January 2026, the Supreme Court issued an important ruling in the case concerning a fine imposed on the Ministry of Labor for the leak of 1,400 records. The Ministry argued that its contractor had been hacked, but the courts at every level took a firm stance:
the operator is obliged to control the contractor; the contract does not shift responsibility but rather imposes a duty to supervise;
failure to provide evidence of taking necessary protective measures is an independent violation;
untimely notification of Roskomnadzor about the leak is an additional violation.
The Supreme Court confirmed: the operator's fault lies in its own inaction, not in the actions of the contractor.
What This Means for Businesses
The position of the highest judicial authority will apply to all companies. This means:
the operator will be responsible for the contractor;
a system for monitoring data processing and tracking incidents is necessary;
the contract with the contractor must contain clear security requirements, but supervising their fulfillment is the operator's responsibility.
Action Plan in Case of a Leak
In the event of an incident, you must act quickly:
Isolate the threat and block access.
Form a working group (InfoSec, IT, legal).
Notify Roskomnadzor within 24 hours.
Conduct an investigation and determine the causes.
Submit a report to Roskomnadzor within 72 hours, including the causes and a remedial action plan.
Acsour Experts Are Ready To:
audit your personal data processing procedures;
review contracts with contractors and establish supervision;
develop policies, consent forms, and local regulations.
Contact us — we will conduct a risk assessment and help you avoid multi-million ruble fines.