Share via


Russian Personal Data Localization Requirements

As of September 1, 2015, organizations that are considered personal data operators must ensure that, when collecting personal data, Russian citizens' personal data recording, systematization, accumulation, storage, clarification (updating, changing), and extraction are performed through the databases located in Russia ('personal data localization requirement').1

Microsoft services available to organizations (including but not limited to educational institutions) (hereinafter referred to as 'customer'), including those enabling personal data processing such as Microsoft Azure, Microsoft 365, Dynamics 365, and Power Platform, are provided from data processing centers located outside of Russia (for more information visit the Microsoft Trust Center).

Based on the type and content of information processed by customer information systems, such systems, including those using Microsoft cloud products, may be deemed a personal data information system ('PDIS', 'ISPD'). In cases where the customer would like to use Microsoft services in a system that qualifies as PDIS through its architecture and types of information processed, Microsoft invites its customers to consider, amongst other things, available solutions specified below. All the scenarios provided are available for customers as an additional option to standard business offerings.

It should be noted that it is the customer as personal data operator of PDIS who is in charge of compliance and shall analyze and assess applicable legal requirements for personal data localization, and at its own discretion, independently determine sufficient measures to ensure that personal data processing in PDIS complies with the Russian personal data law.2

Subscribing to Microsoft services

Microsoft ID Management

Microsoft invites customers to consider subscribing to Microsoft services; Microsoft Azure, Microsoft 365, Dynamics 365, and Power Platform—via a Microsoft Cloud Solution Provider (CSP) partner. For more information, see this list of CSP partners.

Managing User Identity and Access for Microsoft services

For Microsoft services such as Microsoft Azure, Microsoft 365, Dynamics 365, and Power Platform, user verification and access management are performed through Microsoft Entra ID. In cases where a Microsoft customer uses a local identification management system for Microsoft cloud services (such as the Windows Server Active Directory (AD) or any other ID management system), the customer has an opportunity to swiftly integrate such system with the Microsoft Entra ID through Microsoft Entra Connect. For more information, see the Microsoft Entra Connect. Microsoft customers may also consider using applications and solutions of third-party vendors for managing their users and integrating their local identification system with the Microsoft Entra ID.

Use Microsoft Purview Compliance Manager to assess your risk

Microsoft Purview Compliance Manager is a feature in the Microsoft Purview compliance portal to help you understand your organization's compliance posture and take actions to help reduce risks. Compliance Manager offers a premium template for building an assessment for this regulation. Find the template in the assessment templates page in Compliance Manager. Learn how to build assessments in Compliance Manager.

Questions and support

For technical and billing questions, refer to the Microsoft Support resources below. For additional questions or clarifications, contact the Microsoft privacy team.

Microsoft Azure

Microsoft 365

  • Toll Free: 8 10 800 2548 1044
  • Local Call: 499 922 8623
  • Online support: Submit queries via the Admin Center

Dynamics 365

  • Toll Free: 8 10 800 2548 1044
  • Local Call: 499 922 8623
  • Online support: Submit queries via the Dynamics Support portal

Power Platform

  • Toll Free: 8 10 800 2548 1044
  • Local Call: 499 922 8623
  • Online support: Submit queries via the Power Platform Support

Note

1 Federal Law No. 242-FZ (edition dated 12.31.2014) 'On entering amendments into certain legislative acts of the Russian Federation about clarifying the procedure for personal data processing in information and telecommunication networks' dated 07.21.2014
2 Federal Law No. 152-FZ on Personal data as of 07.27. 2006