IDC Names Securiti a Worldwide Leader in Data Privacy


Russia FLPD

Law N 152-FZ on Personal Data

Last Updated on November 16, 2023

Privacy Center
Fully Functional In Minutes

Elegant Consumer Frontend, Fully Automated Backend, Privacy Regulation Intelligent Everywhere.


Issued on 27 July 2006, the Russian Federal Law on Personal Data (No. 152-FZ) remains one of the oldest data protection laws in effect today. Moreover, it is one of the few laws enacted before the EU's landmark General Data Protection Regulation (GDPR).

Since 2006, various amendments to the law have introduced provisions such as personal data localization requirements and, most critically, data subject rights related to data processing. The recent amendments to the Federal Law on Personal Data require the data subject’s consent for making personal data available to the public and for any subsequent dissemination as well as data localization requirements.

The Russian Federal Law on Personal Data (No. 152-FZ) applies to  federal government bodies, government bodies of the constituent entities of the Russian Federation, other government bodies, local government bodies, and other municipal bodies, legal entities and individuals that use automation tools or if the processing is similar to automated processing. It applies to any legal entity including any foreign entity with a legal presence in Russia that collects personal data in Russia.

The Solution

By offering features that include PI data discovery, DSR automation, documented accountability, and AI-process automation, among others, Securiti offers you seamless compliance with Russian Federal Law N 152-FZ.

Russian Federal Law Compliance Solution

With its state-of-the-art artificial intelligence and machine-learning-based tools, Securiti is a market leader in providing data governance and compliance solutions.

Request a demo today to learn how Securiti can aid you and your organization's compliance efforts.


Automate Consumer Data Access Request Handling

Articles 14, 14(7)

Automation of the data access requests allows you to ensure the entire process is seamlessly compliant with the law while also freeing up critical human resources to be used elsewhere.

Russian Federal Law DSR Workbench
dsr requests

Secure Fulfillment of Data Access Requests

Articles 14, 14(7)

A centralized portal allows you to keep track of all data access requests being made and monitor how efficient your fulfillment of these requests is.

Automate Processing of Rectification Requests

Article 14(1)

All rectification requests received can be processed automatically via the central portal.

data rectify request
data erasure request

Automate Erasure Requests

Article 14(1)

All erasure requests received can be processed automatically via the central portal.

Monitor & Track Consent

Articles 9, 10, 12(1)(4), 15

Using the central portal, you can keep a real-time track of all data subjects' given consent related to various permissions. Additionally, the portal allows you to ensure compliance with all consent requirements and avoid any illegal transfers, sharing, or selling of data not consented by the users.

personal data monitoring tracking
Russian Federal Law Readiness Assessment

Assess Readiness

Articles 7, 19

You can ensure regular assessments of your internal practices to achieve complete compliance with the law. These assessments can highlight any gaps or deficiencies in internal practices. You can then remedy these accordingly.

Assess Third Parties

Article 12

You can extend these readiness assessments to your third parties and vendors and their business practices to ensure they're fully compliant with the law's stipulations as well.

Third Party Internal Assessment Automation
Data Flow Mapping

Map Data Flows

Articles 9, 10, 12(1) (4), 15

Easily track and monitor all incoming and outgoing data transfers in real-time, especially cross-border data transfers, to ensure data processing activities are compliant with the law.

Meet Cookie Compliance

Article 9

Monitor all first-party and third-party cookies your organization uses via the central portal and ensure they are fully compliant with the law.

Cookie Consent Compliance
Vendor Risk Management Dashboard

Manage Vendor Risk

Article 22

Keep track of all your vendors' data processing activities related to your database to ensure their practices are compliant with the law.

Key Rights Under Federal Law N 152-FZ

Like all major data protection laws in effect today, the Russian Federal Law N 152-FZ ensures all users have certain rights, such as the following:

Right of Access of a Personal Data Subject to His Personal Data

All data subjects have the right to request access to all data collected on them by a data controller.

Other information the data subject may receive includes the following:

  • Confirmation of the data processing by the operator;
  • Legal grounds and the purpose behind the data processing by the operator;
  • Methods used in data processing by the operator;
  • Contact information of the operator;
  • Source of the data collected on the data subject;
  • The period of the data processing including the period for which they are kept;
  • The procedure for the exercise of data subject rights;
  • Information on any cross-border data transfers;
  • Contact information of the person carrying out the data processing on behalf of the operator.

Rights to Rectification and Erasure of Personal Data

Data subjects have the right to request an operator to rectify, block or destroy their personal data if the personal data is incomplete, out-of-date, inaccurate, unlawfully obtained, or is not needed for the stated purpose of the processing.

Right of Data Subjects Where Their Personal Data Are Processed for the Purpose of the Market Promotion of Goods

The processing of personal data for direct marketing purposes is allowed under the strict condition that the data subject has given prior consent. Direct marketing may include the processing of data in order to promote goods, works, services on the market by making direct contacts with a potential consumer using communication means, as well as for the purposes of political campaigning.

A data subject has the right to request an operator to cease sending them promotions of this sort, and the operator must comply with such a request immediately.

Right to withdraw consent

In consent-based data processing, the data subject has a right to withdraw consent at any time. In the case of consent withdrawal, controllers must cease the processing of the personal data or arrange for it to be terminated (if the processing is carried out by another person acting on behalf of the controller) and if the storage is no longer required for the purposes of processing data, destroy the data or ensure its destruction within a period not exceeding thirty days from the date of receipt of the said revocation.

Rights in relation to publicly disseminated data

Publicly disseminated data is a category of personal data, access to which an unlimited number of persons is provided by the data subject by giving consent to the processing of personal data for distribution. Data subject’s consent is required to distribute or allow the personal data to be disseminated.

Rights of Data Subjects in Relation to Decision-Taking Solely on the Basis of Automated Processing of Their Personal Data

Data subjects have the right to request to prohibit the use of automated decision-making based on their collected data if it affects their rights or interests.

An operator may only proceed with automated decision-making with the data subject's prior consent and must cease this activity if the data subject requests an end to it.

Facts Related to Federal Law N 152-FZ


The Federal Law 152-FZ requires data operators that collect personal data of Russian citizens to ensure that recording, systematization, accumulation, storage, clarification and extraction of personal data is done using databases located in Russia.


The Federal Service for Supervision of Communications, Information Technology, and Mass Media (Roskomnadzor) is the relevant supervisory body.


Federal Law N 152-FZ requires all data processing organizations to appoint a data protection officer (DPO).


Federal Law 152-FZ provides compensation for moral harm and administrative and regulatory fines. The fine of citizens may be in the amount of four thousand to twelve thousand rubles for any violation of the data protection legislation.

Forrester Names Securiti a Leader in the Privacy Management Wave Q4, 2021

Read the Report
Forrester Wave

Securiti named a Leader in the IDC MarketScape for Data Privacy Compliance Software

Read the Report
IDC MarketScape

At Securiti, our mission is to enable enterprises to safely harness the incredible power of data and the cloud by controlling the complex security, privacy and compliance risks.


Gartner Cool Vendor Award Forrester Badge IAPP Innovation award 2020 IDC Worldwide Leader RSAC Leader CBInsights Forbes Security Forbes Machine Learning G2 Users Most Likely To Recommend