[Last update: 8 October 2021]
☒ b) other laws that may require the retention and storage of personal data (including, for example, where such data is part of another type of record or dataset) in the local jurisdiction or otherwise prohibit the transfer or disclosure of the personal data outside of the local jurisdiction:
☒ national security laws
☐ anti-investigatory/blocking statutes that restrict any activity on local territory that aids a foreign government investigation
☐ tax or financial record laws
☐ employment laws
☒ export control laws
The Federal Law on Personal Data requires Russian and foreign companies that collect personal data of Russian citizens to use the databases located within the Russian territory for recording, systemization, accumulation, storage, correction (updating, modification) and retrieval of such personal data.
The requirement is very general and applies both to local and foreign data controllers collecting Russian citizens' data. This requirement is subject to several narrowly defined exceptions.
For example, an exception applies if processing personal data is necessary in order to execute an international treaty of the Russian Federation in accordance with Russian legislation. On these grounds, the booking of airline tickets by airlines was previously considered to be exempt from localization.
While the language of the requirements is still unclear, the regulator has published a non-binding opinion that duplication/mirror databases can be located outside Russia, provided the original (or master) databases are located in the Russian Federation and all other conditions for cross-border transfer of personal data are met (e.g., the consent of all data subjects has been obtained, there is a data transfer agreement with the receiving party setting out the scope and purposes of transfer, etc.).