Hosting in accordance with Federal Law 152. Which hosting to choose, Russian or foreign, so as not to violate the Personal Data Law? How the service is provided

Since the server is not on your premises, you have no physical access to it and cannot influence the data center's policies in any way, you simply have no means of meeting a number of the law's requirements yourself. The only option left is to find a hosting provider that meets the requirements of the law.

I'm not talking about Beget now; I wrote them a letter about their FSTEC license for the technical protection of confidential information. They answered vaguely, along the lines of "it's not us, it's not our house, we're just ... and in general we shouldn't ...". To summarize, they don't have a license, which means, by and large, a site that collects personal data cannot be hosted there.

License for activities in the development and (or) production of means of protecting confidential information
License No. 0917 dated September 20, 2011

License for activities in the technical protection of confidential information
License No. 1594 dated September 20, 2011
Licensee: Joint Stock Company "Regional Network Information Center"
License validity period: unlimited

On September 1, 2015, amendments to the Federal Law "On Personal Data" (152-FZ) came into force.
According to the law, the data that a client enters on your website must be stored in the Russian Federation.
And that is not all. Read about who this law affects and what to do in our article.

On September 1, 2015, amendments to the Law "On Personal Data" came into force.
Under this law, all data that a client enters on your website and that constitutes personal data (passport details, addresses, including e-mail, payment information, etc.) must be stored on the territory of the Russian Federation.

Here is an excerpt from Law 152-FZ on the protection of personal data:

"When collecting personal data, including via the information and telecommunications network Internet, the operator is obliged to ensure the recording, systematization, accumulation, storage, clarification (updating, changing) and retrieval of personal data of citizens of the Russian Federation using databases located on the territory of the Russian Federation, except for the cases specified in paragraphs 2, 3, 4 and 8 of part 1 of Article 6 of this Federal Law" (part 5 of Article 18 of the Federal Law "On Personal Data").

The term "operator" covers all companies, e-commerce in particular, on whose websites customers provide personal information.

Well, that's not all. In February 2017, further amendments to personal data legislation were adopted. They tighten the obligations of all website owners and online stores (operators) to inform users that, by entering personal data on the website, they consent to its collection, processing and storage, and to obtain that consent.

If you ignore these amendments, you risk a fine of up to 75,000 rubles for a single violation, and if there are several violations the total fine grows accordingly (Article 13.11 of the Code of Administrative Offenses of the Russian Federation, violation of the legislation of the Russian Federation in the field of personal data).


We have already mentioned the considerable fines. This can affect anyone, so don't assume it is not about you :) Look at the court practice and you will see that this is no joke. Take, for example, the widely discussed case of the Tambov law firm (Resolution No. 4A-288/2016 of October 4, 2016 in case No. 4A-288/2016), which was fined for violations in the storage of personal data. The fine in that case was small, but keep in mind that since July 1, 2017 the fines have increased significantly.

In addition to administrative liability there is civil liability: a user whose personal data, for example, fell into the wrong hands can claim compensation for moral harm. In certain cases criminal liability is also possible.
For such violations Roskomnadzor can also block the site and add you to the so-called "black list".
And then be prepared for additional inspections by Roskomnadzor.


  1. The first thing to do is inform users about the processing of their personal data. If you haven't done this yet, now is the time. Draft and publish on the website a document on the processing of personal data, and obtain users' consent to such processing (for example, with a checkbox and an explanatory note under each registration form).
    This can be done in different ways, depending on your goals and the specifics of your business. For example, Ozon publishes a privacy policy on its website and obtains consent to personal data processing when a user registers. You can also include information about the collection of personal data in a public offer, as Lamoda does, and collect consent to processing during registration. Or, like Sberbank, place this information in the agreement.
  2. Prepare internal documents that regulate how this law is implemented in your company: orders, instructions and the appointment of persons responsible for the storage of personal information.
  3. It is very important to make sure that the data is stored in Russia (on Russian servers).
    This is required by the law on the protection of user information (part 5 of Article 18 of the Federal Law "On Personal Data").
    So ask your hosting provider for the physical address of the servers on which your site is hosted and conclude an agreement with the provider in which this address is stated. You will need this address to fill in the notification to Roskomnadzor. If you have your own server, be sure to keep the documents for it; Roskomnadzor may ask for them during an inspection. The same applies to the contract with your hosting provider.

    If your hosting provider keeps its servers in a Russian data center, everything is fine.
    Buying hosting from a domestic provider is the easiest way to satisfy the legal requirements.

    There is another option, cross-border data transfer. It is not prohibited by law: storing personal data abroad is allowed, but with reservations. In any case, in addition to the copy abroad, the company must have the database on the territory of the Russian Federation, and that database must be the most complete and up-to-date one. The scheme is this: all personal data is collected, systematized and stored in a database on the territory of the Russian Federation, and only then may the data be transferred abroad. The key point is that the primary source is the database located in the Russian Federation.

  4. After this, prepare and send a notification to Roskomnadzor.
    This can be done through the electronic form on the Roskomnadzor website:

    You do not need to submit a notification if:

      you process only employee data;

      you conclude an agreement with a specific person and the data specified in the agreement is used only to perform that agreement, i.e. the information is neither published nor transferred to third parties without the consent of the personal data subject (this point is ambiguous, since questions may arise depending on the specifics of the business; it is important to draw up the agreement correctly, taking into account all the nuances required by law, so we recommend consulting a lawyer, and if there is no definite answer, it is better to submit the notification);

      the collected data consists only of users' full names;

      the user has made his personal data publicly available himself.

Note that these are only the cases in which a notification need not be submitted. The data listed above is still personal data, and the user must still be informed about its processing.


There is no need to be afraid of this law. It also protects our rights as individuals. Each of us has at least once bought goods online and left personal data behind. Now you and I have legal grounds to defend our rights if they are violated.

For website owners, the most important thing is to arrange everything correctly. By doing so, you protect yourself from fines and other liability and gain the trust of your clients.
A small note: we advise against copying, say, your competitors' documents verbatim; every business has its own specifics. It is better to spend time developing documentation for your own business than to pay fines later. And if you still have questions, seek help from your lawyer, who will help you do everything as required and specifically for your goals; this article is not a substitute for a specialist.

Read the List of regulatory legal acts establishing mandatory requirements for legal entities and individual entrepreneurs regarding the compliance of personal data processing with the legislation of the Russian Federation on personal data at the link.

Frequently asked questions (FAQ)

1. What is the essence of your Federal Law-152 service?
We have built a secure segment in our data center that has been certified against the security requirements of Federal Law 152-FZ and has received a certificate of compliance for the protection of personal data up to and including security level 1. We help our clients close the compliance question from the technical side. Government institutions may also be interested in the class 1 certificate of compliance for state information systems (under FSTEC Order No. 17) and the certificate for the protection of confidential information in class 1G (under STR-K).

2. Why do we need this?
Since you process personal data, Federal Law No. 152-FZ automatically applies to you. Government agencies that own state information systems are additionally subject to FSTEC Order No. 17.

3. How much does it cost?
The cost is calculated individually for each customer, taking into account the volume, the security level and the duration of placement.

4. Can you help prepare documentation?
Yes, we can (we provide ready-made templates or take on the entire turnkey preparation process).

5. How is the data transmission channel organized?
A channel encrypted with the Russian GOST algorithms is used, terminated on a ViPNet Coordinator.

If you have not found the answer to your question, ask our consultants in the online chat on the website or write a support request.

  • Federal Law "On Personal Data" dated July 27, 2006 N 152-FZ


Since September 2015, the requirement to localize the storage of personal data (Federal Law 242-FZ of July 21, 2014) has been in force in the Russian Federation. This innovation, of course, became one of the main drivers of the Russian hosting and cloud computing market, forcing both personal data operators and hosting providers to think once again about how to make such a seemingly simple thing as a website comply with personal data legislation.

Although Federal Law No. 152-FZ of July 27, 2006 "On Personal Data" was adopted quite a long time ago, not everyone has adapted to it and learned to implement it. This is partly due to the large number of regulatory documents and the regularly issued amendments to them: today they come from four bodies, the Government, Roskomnadzor, FSTEC and the FSB. It is also due to the rather balanced position of the regulator, which, instead of hammering in nails, chose a strategy of gradual but inevitable tightening of the screws.

While large businesses and government bodies, as the most disciplined market participants, have for the most part already brought their personal data information systems (ISPDn) into compliance with the law, small and medium-sized businesses are only now beginning to realize that in order to keep operating and growing they will have to come out of the shadows, including with respect to personal data legislation, especially since that shadow keeps shrinking and is no longer big enough for everyone.

What should the owner of a website that collects and stores users' personal data (for example, in the personal account of an online store) do? Let's try to figure this out together.

If a website collects personal data, then it is a personal data information system and is subject to 152-FZ

Here is what Roskomnadzor itself says about this: "According to clause 9 of Article 3 of the Federal Law 'On Personal Data', a personal data information system is a set of personal data contained in databases together with the information technologies and technical means that ensure their processing. If a website meets these criteria, it is an information system."

We all intuitively know what personal data is, but it is important to understand what it means legally. According to clause 1 of Article 3 of Federal Law No. 152-FZ, personal data is any information relating directly or indirectly to an identified or identifiable individual. In other words, almost anything: from a tax identification number to hair color and shoe size, not to mention a phone number or an address, whether e-mail or postal.

Thus an online store, or simply a website with a personal account or user registration, online ordering, booking, payment, delivery and so on, is, in terms of 152-FZ, a personal data information system (ISPDn), and its owner is a personal data operator.

The law on personal data takes into account trends in cloud computing and outsourcing

A lot has already been said and written about the relevance and prospects of IT outsourcing, especially for small and medium-sized enterprises, so in this article I will not campaign for "the clouds". Besides, we all know very well that most sites on the Internet are hosted on the shared web servers of hosting providers.

There are many reasons for this, but the most important is, of course, the common-sense desire of companies to save money and get an inexpensive web service with high availability. Building your own computing infrastructure with reliability at least comparable to a Tier III data center costs millions of rubles. First, you need a suitable room: not a corridor, not a basement, not an attic, so that it does not flood and strangers cannot get in. You need ventilation and air conditioning, with some redundancy. You need autonomous and backup power, which means installing a diesel generator somewhere. Finally, you need physical security and maintenance staff. On top of that, to guarantee availability you will have to buy a full set of spare parts for the server and network equipment, that is, instead of one server you effectively have to buy two.

Naturally, with the development of cloud computing and virtualization and a clear trend toward outsourcing, more and more SMB companies are seeking to move their information systems from "under-the-desk" boxes to cloud computing resources located in data centers that meet modern industry standards.

The information systems of any enterprise store and process a certain amount of personal data. This can be the personal data of the company's employees as well as data of clients or counterparties. Corporate information systems are quite diverse, both functionally and technologically: an accounting system such as 1C, for example, and a website with a user's personal account and an online store. As a rule, these information systems are interconnected and exchange information, including personal data.

According to clause 3 of Article 3 of 152-FZ, processing of personal data is any action (operation) or set of actions (operations) performed with personal data, with or without the use of automation tools, including collection, recording, systematization, accumulation, storage, clarification (updating, changing), retrieval, use, transfer (distribution, provision, access), depersonalization, blocking, deletion and destruction of personal data.

Thus, placing an ISPDn on a provider's server is nothing other than outsourcing at least such personal data processing functions as recording, storage, retrieval, transfer and deletion.

According to clause 2 of Article 3 of 152-FZ, a (personal data) operator is a legal entity or individual that, independently or jointly with others, organizes and (or) carries out the processing of personal data and determines the purposes of processing, the composition of the personal data to be processed and the actions (operations) performed with them.

Accordingly, the hosting provider, having taken on the functions of storing and transmitting personal data, participates in their processing alongside the site owner (the operator of the information system that processes this data) and is obliged by law to take certain measures to ensure their security. In fact, things are not so bad, and we must give credit to the authors of Law No. 152-FZ "On Personal Data" and Government Resolution No. 1119 of November 1, 2012, which explicitly allow the operator to outsource part of the personal data processing functions to third-party organizations.

Legislative regulation of hosting websites that process personal data on hosting provided by a third party

The personal data operator has the right to entrust the processing of personal data to another person, with the consent of the personal data subject, on the basis of an agreement (instruction) concluded with that person. The person processing personal data on behalf of the operator must comply with the principles and rules of personal data processing provided for by current legislation. The operator's instruction must define the list of actions with personal data to be performed by that person and the purposes of processing, must establish that person's obligation to maintain the confidentiality of the personal data and to ensure its security during processing, and must also state the requirements for the protection of the processed personal data (part 3 of Article 6 of 152-FZ).

Thus the hosting provider, like the site owner, processes the personal data handled on the site and is responsible for its availability, safety and security. The difference is this: the site owner is responsible to the personal data subjects and, in the cases provided by law, must obtain their consent to processing, while the hosting provider, as the person authorized by the owner, is responsible to the site owner, receives personal data from him and stores it, but is not responsible for obtaining the subjects' consent.

In general, the topic of obtaining the consent of subjects for the processing of their personal data is very large and interesting and, of course, deserves a separate article.

Delineation of the areas of responsibility of the hosting provider and the site owner for compliance with personal data protection requirements

Agree, it would be unfair to shift all responsibility for the security of personal data onto the hosting provider. After all, he often has no idea who wrote the site hosted on his server, how, or in what language; what passwords protect access to the personal data; in what form the data is stored; or whether it is used at all.

According to Government Resolution No. 1119 (clauses 13 to 16), the following requirements must be met to ensure the required level of security of personal data processed in information systems. The second column gives the security level at which each requirement first applies (level 1 is the highest; the requirements of a lower level are inherited by every higher one); the third column shows who is responsible when the ISPDn is hosted with a provider:

Requirement of PP 1119 | Required security level | Area of responsibility
Organization of a security regime for the premises in which the information system is located | 4 (all levels) | Hosting provider
Ensuring the safety of personal data carriers | 4 (all levels) | Hosting provider
Approval by the head of the operator of the list of persons with access rights to personal data | 4 (all levels) |
Use of information security tools that have passed conformity assessment against legal requirements | 4 (all levels) | Hosting provider
Appointment of an official responsible for ensuring the security of personal data | 3 and higher | Site owner; hosting provider
Access to the contents of the electronic message log only for persons with the appropriate access rights | 2 and higher | Site owner; hosting provider
Automatic registration in the electronic security journal of changes to the operator's employees' rights of access to personal data | 1 | Site owner; hosting provider
Creation of a structural unit responsible for ensuring the security of personal data | 1 | Site owner; hosting provider

The hosting provider must have a Roskomnadzor license to provide communication services

As you know, a Roskomnadzor license is required to provide communication services. This follows, for example, from item 36 of Article 12 of Federal Law No. 99-FZ of May 4, 2011 "On licensing of certain types of activities".

According to the list of communication services included in licenses for activities in the field of communication services, approved by Decree of the Government of the Russian Federation No. 87 of February 18, 2005, licensed communication services include, among others:

  • telematic communication services (this includes hosting);
  • data transmission communication services, except data transmission services for the purpose of transmitting voice information.

To host sites that process personal data, the hosting provider must have an FSTEC license

The Federal Service for Technical and Export Control (FSTEC of Russia) regulates activities in the technical protection of information, handles state policy, legislation and standardization in this area, licenses such activities and conducts the relevant inspections.

Since the hosting provider, as the person authorized under the instruction agreement, processes personal data, it is obliged to take technical measures to protect them, that is, to provide technical information protection services, which, under the Regulation on licensing activities for the technical protection of confidential information approved by Decree of the Government of the Russian Federation No. 79 of February 3, 2012, are a licensed type of activity.

The organizational and technical measures to ensure the security of personal data, approved by FSTEC Order No. 21 of February 18, 2013, include:

  • identification and authentication of access subjects and access objects;
  • access control of access subjects to access objects;
  • restriction of the software environment;
  • protection of machine-readable storage media;
  • security event logging;
  • antivirus protection;
  • intrusion detection (prevention);
  • control (analysis) of personal data security;
  • ensuring the integrity of the information system and of the personal data;
  • ensuring the availability of personal data;
  • protection of the virtualization environment;
  • protection of technical means;
  • protection of the information system, its communications and data transmission systems;
  • detecting incidents and responding to them;
  • configuration management of the ISPDn and of its personal data protection system (SZPDn).

To carry out work on ensuring the security of personal data, third-party organizations holding a license for activities in the technical protection of confidential information may be engaged on a contractual basis (clause 2, paragraph 2 of FSTEC Order No. 21).

A number of measures to ensure the security of personal data require the hosting provider to have an FSB license

According to FSTEC Order No. 21, the measures to ensure an appropriate level of personal data protection include the following:

  • providing protected remote access of access subjects to access objects via external information and telecommunication networks (UPD.13);
  • protecting personal data from disclosure, modification and imposition (injection of false information) during its transmission (preparation for transmission) over communication channels that extend beyond the controlled area, including wireless channels (ZIS.3);
  • ensuring the authenticity of network connections (interaction sessions), including protection against spoofing of network devices and services (ZIS.11).

From the substance of these measures it is clear that implementing them requires cryptographic information protection facilities (CIPF). As is known, the use of CIPF in the Russian Federation is regulated by the Federal Security Service (FSB of Russia).

According to the Regulation on licensing activities for the development, production and distribution of encryption (cryptographic) tools, approved by Decree of the Government of the Russian Federation No. 313 of April 16, 2012, the list of works constituting licensed activities includes:

  • development of protected information and telecommunication systems using cryptographic tools;
  • installation, mounting and adjustment of cryptographic tools and of information and telecommunication systems protected with them;
  • maintenance of cryptographic tools;
  • transfer of cryptographic tools and of information and telecommunication systems protected with them;
  • provision of information encryption services.

The computing center of the hosting provider must be located on the territory of the Russian Federation

On September 1, 2015, the requirement to localize the storage and certain processing operations of personal data came into force in the Russian Federation. It is defined in Federal Law No. 242-FZ of July 21, 2014 "On amendments to certain legislative acts of the Russian Federation in terms of clarifying the procedure for processing personal data in information and telecommunication networks", according to clause 1 of Article 2 of which, when collecting personal data, including via the information and telecommunications network Internet, the operator is obliged to ensure the recording, systematization, accumulation, storage, clarification (updating, changing) and retrieval of personal data of citizens of the Russian Federation using databases located on the territory of the Russian Federation.

At the same time, note that cross-border transfer of personal data as such is not prohibited; it is regulated by law. You can read more about this in Article 12 of 152-FZ.

Briefly about the main thing

So, let's summarize the above.

A website is a personal data information system if its functionality allows personal data to be entered, stored or viewed. A good example is almost any website with a personal account, online booking, or ordering or purchasing with delivery.

Processing personal data of clients online is not only a necessity of modern e-commerce, but also broad opportunities for marketing, the description of which deserves a separate article.

The owner of a website that is an ISPDn must submit a notification to Roskomnadzor stating which personal data it stores and processes and where the servers on which the ISPDn runs are physically located. You can read about this in my article "How to submit a notification to the RKN and not get into trouble".

The agreement with the hosting provider, in addition to the quantitative and qualitative characteristics of the computing resources, must contain an instruction for the processing of personal data that lists the specific actions to be performed with the data, states the purposes and procedure of processing and the requirements for its protection, and establishes the provider's responsibility for the security of the personal data.

In addition to the usual Roskomnadzor license for the provision of telematic communication services, a hosting provider that protects personal data processed on client sites must have an FSTEC license for activities in the technical protection of confidential information and an FSB license for the provision of services involving encryption (cryptographic) tools.

And finally, the provider's server on which personal data is physically stored must be located on the territory of the Russian Federation.

This article has covered many, but by no means all, aspects of placing an ISPDn on the computing resources of cloud service providers. More detailed information can be found in the following documents:


  • Decree of the Government of the Russian Federation No. 1119 of November 1, 2012 "On approval of requirements for the protection of personal data during their processing in personal data information systems"
  • Order of the FSTEC of Russia No. 21 of February 18, 2013 "On approval of the composition and content of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems"

