Website compliance with 152-FZ (Russian personal data law)

Our company is engaged in the development, support and maintenance of sites of any complexity. From simple one-page sites to large-scale cluster systems built on micro services. Experience of developers is confirmed by certificates from vendors.
8+Years of work900+Completed projects100+In house employees19+Partners
Development and maintenance of all types of websites:
Informational websites or web applications
Business card websites, landing pages, corporate websites, online catalogs, quizzes, promo websites, blogs, news resources, informational portals, forums, aggregators
E-commerce websites or web applications
Online stores, B2B portals, marketplaces, online exchanges, cashback websites, exchanges, dropshipping platforms, product parsers
Business process management web applications
CRM systems, ERP systems, corporate portals, production management systems, information parsers
Electronic service websites or web applications
Classified ads platforms, online schools, online cinemas, website builders, portals for electronic services, video hosting platforms, thematic portals

These are just some of the technical types of websites we work with, and each of them can have its own specific features and functionality, as well as be customized to meet the specific needs and goals of the client.

Offered services
Showing 1 of 1 servicesAll 2065 services
Website compliance with 152-FZ (Russian personal data law)
Medium
~3-5 business days
FAQ
Our competencies:
Development stages
Latest works
  • image_web-applications_feedme_466_0.webp
    Development of a web application for FEEDME
    1161
  • image_ecommerce_furnoro_435_0.webp
    Development of an online store for the company FURNORO
    1041
  • image_crm_enviok_479_0.webp
    Development of a web application for Enviok
    822
  • image_crm_chasseurs_493_0.webp
    CRM development for Chasseurs
    847
  • image_website-sbh_0.png
    Website development for SBH Partners
    999
  • image_website-_0.png
    Website development for Red Pear
    451
Show more works

Ensuring website compliance with 152-FZ requirements

Federal Law "On Personal Data" No. 152-FZ obligates personal data operators to perform a set of organizational and technical measures. For most commercial websites collecting user names, emails, and phone numbers, specific technical requirements arise.

What is personal data under 152-FZ

Personal data is any information directly or indirectly identifying a natural person. In practice: full name, phone, email, address, IP address (debatable, but case law tends toward yes), cookies with identifier.

Technical requirements for basic level (УЗ-4)

Data localization (Art. 18.1): Personal data of Russian citizens must be collected and stored on servers in RF. Replication abroad is permitted, but primary storage must be in RF.

Encryption in transit:

  • HTTPS mandatory on all pages where personal data is collected
  • TLS 1.2 minimum, TLS 1.3 recommended

Access control: Access to personal data only for employees who need it for job duties.

class PersonalDataPolicy
{
    public function view(User $authUser, User $targetUser): bool
    {
        return $authUser->hasPermissionTo('view-personal-data')
            && $authUser->department === 'support';
    }
}

Mandatory website elements

Privacy Policy: Must contain: processing purposes, legal basis, data list, retention period, third-party transfer info, data subject rights.

Consent to processing: Explicit, informed, specific. Checkbox "I agree with policy" without unchecking option doesn't meet requirements.

Breach notification: Upon data breach discovery — notify Roskomnadzor within 24 hours, data subjects within 72 hours.

class DataBreachNotificationService
{
    public function notifyRkn(DataBreach $breach): void
    {
        // Submit to RKN via pd.rkn.gov.ru (API or email)
        // Deadline: 24 hours from discovery
    }

    public function notifyAffectedUsers(DataBreach $breach): void
    {
        $affectedUsers = $this->getAffectedUsers($breach);
        // Mass mailing with breach description
        // Deadline: 72 hours
    }
}

Personal Data Processing Registry

Operators processing personal data must maintain internal registry:

class ProcessingActivityRegistry
{
    private array $activities = [
        [
            'name'          => 'User registration',
            'purpose'       => 'Service access provision',
            'legal_basis'   => 'Consent (Art. 6.1 152-FZ)',
            'data_types'    => ['Full name', 'email', 'phone'],
            'storage_period'=> '5 years after account deletion',
            'third_parties' => ['Sendgrid (email, DPA signed)'],
            'server_location'=> 'RF (Selectel, Moscow)',
        ],
    ];
}

Roskomnadzor notification

Before personal data processing begins, operator must notify RKN. Submit via pd.rkn.gov.ru.

Exceptions (no notification required): employee data, one-time contract data, publicly disclosed data.

Technical measures by FStek Order No. 21

For УЗ-4 (most commercial websites):

  • User identification and authentication
  • Access management (role-based model)
  • Security event logging
  • Antivirus protection
  • Intrusion detection (IDS/WAF)
  • Software updates

DPA agreements with contractors

When transferring personal data to third parties (cloud services, email providers, analytics), DPA (Data Processing Agreement) must be signed.

Implementation Timeline

  • Audit of current state + gap analysis: 2–3 days
  • Privacy Policy + consents: 3–5 days
  • Technical measures (encryption, logging, access): 5–10 days
  • RKN notification + registry: 1–2 days