Skip to main content
T TON Adoption
RU
← Glossary
NODE/03 · Term

152-FZ

Russia's federal law "On Personal Data" of 27 July 2006. Governs collection, storage, processing, and cross-border transfer of personal data of Russian citizens. Conceptually similar to the EU's GDPR, with its own regime.

Aliases: 152-fz, fz 152, russia data protection law, russia pii law

152-FZ is Russia’s main data-protection law. Adopted in 2006 and amended many times (notably after 2014 when localisation of Russian citizens’ data on Russian servers became mandatory), it governs the processing of any data that can identify a specific individual.

What counts as personal data

The 152-FZ definition is broad: surname, given name and patronymic, date of birth, passport data, taxpayer ID, address, phone, email, photo, biometrics, geolocation, IP address in some cases — all qualify.

A crypto wallet by itself is not personal data, but the link between a specific person and a wallet address (e.g. in an exchange’s KYC database) does fall under the law.

Core obligations

Any operator processing Russian citizens’ personal data must:

  1. Register with Roskomnadzor as an operator (with carve-outs for employment relations and notary operations).
  2. Obtain consent from the data subject — explicit, informed, revocable.
  3. Localise the data. Collection, recording, systematisation, and storage must happen on servers physically in Russia (since 2014).
  4. Protect the data through technical and organisational measures.
  5. Notify breaches to Roskomnadzor — mandatory notification was introduced in 2022.
  6. Delete on request when the subject demands processing to stop.

Crypto-wallet relevance

Non-custodial wallets (Tonkeeper, MyTonWallet) generally do not collect personal data — the user is anonymous, no documents are requested. 152-FZ does not apply to them directly.

Custodial services and exchanges serving Russian users do fall under the law if they run KYC. This implies Roskomnadzor registration, data localisation, and user consent. Many international exchanges sidestep the question by restricting service to Russian residents.

Penalties

Fines have grown substantially in 2022-2024:

  • Data leaks — turnover-based fines (up to 3% of revenue for serious breaches).
  • Failure to localise — fines plus service blocking.
  • Lack of consent — administrative liability.

Comparison with GDPR

GDPR (EU) and 152-FZ are conceptually similar — both require consent, processing purposes, and subject rights to access and deletion. Key differences: 152-FZ requires physical server localisation inside Russia, GDPR does not; GDPR has extraterritorial reach (applies to any processing of EU residents’ data anywhere in the world).

This is general information for international compliance and journalist audiences, not legal advice.

Related terms