Russia FZ-152

Russia

21 domains

26 controls

Russia Federal Law 152-FZ On Personal Data, including amendments via 266-FZ.

Verified

Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.

Framework Domains (21)

Biometrics

1 controls

Controls in the Biometrics domain of Russia FZ-152 — 1 controls
Code	Title	Description
FZ152-ART11	Biometric Personal Data	Biometric data characterising physiological and biological features and used to establish identity may be processed only...

Consent

2 controls

Controls in the Consent domain of Russia FZ-152 — 2 controls
Code	Title	Description
FZ152-ART9	Consent Requirements	Consent must be specific, informed and conscious. It may be given in any form allowing proof, but written consent is req...
FZ152-PUBLICDISSEM	Consent for Public Dissemination	Personal data may be made publicly available only with separate consent from the subject specifying the conditions and l...

Cross-border

1 controls

Controls in the Cross-border domain of Russia FZ-152 — 1 controls
Code	Title	Description
FZ152-SBORDER	Sanctions and Counter-Sanction Considerations	Operators must observe Russian counter-sanction measures and Presidential decrees restricting transfers to certain juris...

Cross-border transfer

1 controls

Controls in the Cross-border transfer domain of Russia FZ-152 — 1 controls
Code	Title	Description
FZ152-ART12	Cross-Border Data Transfers	Cross-border transfers require prior notification to Roskomnadzor. Transfers to states providing adequate protection (Co...

Data localisation

1 controls

Controls in the Data localisation domain of Russia FZ-152 — 1 controls
Code	Title	Description
FZ152-ART18-5	Data Localisation Requirement	When collecting personal data of Russian citizens, including via the internet, the operator must ensure recording, syste...

Data subject rights

1 controls

Controls in the Data subject rights domain of Russia FZ-152 — 1 controls
Code	Title	Description
FZ152-ART14	Data Subject Rights of Access and Correction	Subjects have the right to information about processing of their data including operator identity, purposes, legal basis...

Enforcement

1 controls

Controls in the Enforcement domain of Russia FZ-152 — 1 controls
Code	Title	Description
FZ152-PENALTIES	Administrative Penalties under CAO Art 13.11	Code of Administrative Offences Art 13.11 sets fines for personal data violations escalated significantly through 2022-2...

Governance

2 controls

Controls in the Governance domain of Russia FZ-152 — 2 controls
Code	Title	Description
FZ152-ART22-1	Data Protection Officer Role	Operators (other than individuals) must appoint a person responsible for organising processing of personal data. The res...
FZ152-ART5	Principles of Personal Data Processing	Processing must be lawful, fair, limited to specific predetermined and legitimate purposes, and consistent with those pu...

HR

1 controls

Controls in the HR domain of Russia FZ-152 — 1 controls
Code	Title	Description
FZ152-EMPLOYEE	Employee Data Processing under Labour Code Chapter 14	Processing of employee personal data is regulated by 152-FZ together with Labour Code Chapter 14 (Articles 85 to 90), wh...

Incident response

3 controls

Controls in the Incident response domain of Russia FZ-152 — 3 controls
Code	Title	Description
FZ152-BREACH-24H	Breach Notification to Roskomnadzor (24 hours)	Following the 2022 FZ-266 amendments effective 2022-09-01, operators must notify Roskomnadzor within 24 hours of an inci...
FZ152-BREACH-72H	Breach Investigation Report (72 hours)	Within 72 hours of an incident the operator must submit the results of internal investigation including identified perso...
FZ152-INCIDENT-REGISTER	Internal Incident Register and GosSOPKA Linkage	Operators must maintain internal records of personal data incidents and, where they operate critical information infrast...

Lawful basis

1 controls

Controls in the Lawful basis domain of Russia FZ-152 — 1 controls
Code	Title	Description
FZ152-ART6	Legal Basis for Processing	Processing is permitted only on one of the grounds listed in Art 6: data subject consent, performance of a contract to w...

Marketing

1 controls

Controls in the Marketing domain of Russia FZ-152 — 1 controls
Code	Title	Description
FZ152-ART15	Direct Marketing and Automated Decisions	Direct marketing including by automated means is permitted only with the subject's prior consent. The operator must ceas...

Programme governance

2 controls

Controls in the Programme governance domain of Russia FZ-152 — 2 controls
Code	Title	Description
FZ152-ART18-1	Operator Obligations and Internal Controls	The operator must adopt measures including appointing a person responsible for personal data processing, internal docume...
FZ152-REPRESENTATIVE	Local Representative for Foreign Operators	Foreign operators processing personal data of Russian citizens via the internet on the basis of contract or consent must...

Regulator interaction

1 controls

Controls in the Regulator interaction domain of Russia FZ-152 — 1 controls
Code	Title	Description
FZ152-ART23	Roskomnadzor Supervisory Powers	Roskomnadzor conducts scheduled and unscheduled inspections, demands documents and access to information systems, issues...

Regulator notification

1 controls

Controls in the Regulator notification domain of Russia FZ-152 — 1 controls
Code	Title	Description
FZ152-ART22	Roskomnadzor Notification of Intent to Process	Before commencing processing, the operator must notify Roskomnadzor, except in limited cases (employment relations, sing...

Retention

1 controls

Controls in the Retention domain of Russia FZ-152 — 1 controls
Code	Title	Description
FZ152-ART21	Destruction and Retention	Personal data must be destroyed within 30 days after achievement of the processing purpose or withdrawal of consent unle...

Security

1 controls

Controls in the Security domain of Russia FZ-152 — 1 controls
Code	Title	Description
FZ152-ART19	Security Measures	Operators must take legal, organisational and technical measures to protect personal data from unlawful access, destruct...

Sensitive data

1 controls

Controls in the Sensitive data domain of Russia FZ-152 — 1 controls
Code	Title	Description
FZ152-ART10	Special Categories of Personal Data	Processing of data on race, nationality, political views, religious or philosophical beliefs, health, intimate life and...

Special categories

1 controls

Controls in the Special categories domain of Russia FZ-152 — 1 controls
Code	Title	Description
FZ152-CHILDREN	Processing of Minors' Data	Processing of personal data of minors requires consent of a parent or legal representative. Operators directing services...

Third-party management

1 controls

Controls in the Third-party management domain of Russia FZ-152 — 1 controls
Code	Title	Description
FZ152-PROCESSOR	Engagement of Data Processors	An operator may entrust processing to another party (processor) with consent of the subject unless otherwise provided by...

Transparency

1 controls

Controls in the Transparency domain of Russia FZ-152 — 1 controls
Code	Title	Description
FZ152-DSAR-NOTICE	Privacy Notice and Transparency	Operators must provide subjects with information including operator name and address, purpose of processing, legal basis...

Frequently Asked Questions

What is Russia FZ-152?

Russia FZ-152 is a compliance framework from Russia with 21 domains and 26 controls. Russia Federal Law 152-FZ On Personal Data, including amendments via 266-FZ. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.

How many controls does Russia FZ-152 have?

Russia FZ-152 has 26 controls organised across 21 domains. The largest domains are Incident response (3 controls), Consent (2 controls), Governance (2 controls). Each control defines specific requirements that organisations must implement to achieve compliance.

What frameworks does Russia FZ-152 map to?

Russia FZ-152 does not currently have cross-framework mappings in our system. Check back as we continuously expand our mapping database.

How do I get started with Russia FZ-152 compliance?

Start your Russia FZ-152 compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about Russia FZ-152 requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 26 controls and track your progress.

Start Your Compliance Journey

Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 769 frameworks.

Get Started Free →

Free forever — no credit card required