data-localization

Implementing Data Localization Requirements

Overview

Data localization laws require that personal data of a country's residents be stored, processed, or both within the territory of that country. These requirements exist independently of and in addition to transfer mechanism requirements under the GDPR. Organisations operating globally must map their data localization obligations by jurisdiction, design infrastructure architectures that comply with local storage mandates, and implement exemption procedures where cross-border transfer is permitted subject to conditions.

Country-Specific Requirements

Russia — Federal Law No. 242-FZ (Amendments to Federal Law No. 152-FZ)

Effective: 1 September 2015

Key requirements:

• Art. 18(5) of Federal Law 152-FZ (as amended by 242-FZ): When collecting personal data, including via the internet, the data operator must ensure that recording, systematisation, accumulation, storage, modification, extraction, and retrieval of personal data of citizens of the Russian Federation are carried out using databases located in the territory of the Russian Federation.
• The law applies to any organisation collecting personal data of Russian citizens, regardless of the organisation's location.
• Cross-border transfer is permitted after initial localization — the primary database must be in Russia, but copies may be transferred abroad subject to Federal Law 152-FZ cross-border transfer rules.

Enforcement:

• Roskomnadzor (Federal Service for Supervision of Communications) is the enforcement authority.
• Non-compliance can result in website blocking within Russia, fines (up to RUB 18 million for repeated violations under 2023 amendments), and criminal liability for certain violations.
• LinkedIn was blocked in Russia in 2016 for non-compliance with 242-FZ.

Athena Global Logistics implementation:

• Primary HR database for Russian employees hosted on servers in Moscow (OVHcloud Russia data centre, Bolshaya Nikitskaya 22).
• Customer data from Russian-origin shipments stored primarily in Moscow before replication to the Frankfurt analytics platform.
• Cross-border transfers from Moscow to Frankfurt covered by Russia's cross-border transfer rules (adequate countries list per Roskomnadzor Order No. 274 or consent of the data subject).

China — PIPL Art. 40 and CAC Measures

Personal Information Protection Law (PIPL) — Effective 1 November 2021

Key requirements:

• Art. 40: Critical Information Infrastructure Operators (CIIOs) and personal information processors handling personal information reaching the volume threshold specified by the Cyberspace Administration of China (CAC) must store personal information collected and generated within the territory of China domestically. Cross-border transfers require a CAC-administered security assessment.
• CAC Measures on Security Assessment of Outbound Data Transfers (effective 1 September 2022):
  • Security assessment mandatory for: (a) CIIOs; (b) processors handling personal information of over 1 million individuals; (c) processors that have cumulatively transferred personal information of over 100,000 individuals or sensitive personal information of over 10,000 individuals since 1 January of the preceding year.
  • Assessment conducted by the provincial-level CAC and reviewed by the national CAC.
  • Assessment valid for 2 years; must be re-conducted before expiry or upon material change.
• CAC Standard Contract Measures (effective 1 June 2023): Personal information processors not subject to the mandatory security assessment may use the CAC-published Standard Contract for cross-border transfers, filed with the provincial CAC within 10 working days of execution.
• PRC Data Security Law (DSL) Art. 31: Important data collected and generated by CIIOs must be stored domestically.

Athena Global Logistics implementation:

• China operations process personal information of approximately 15,000 individuals (below the 1 million threshold for mandatory security assessment).
• Localization: Chinese customer and employee data stored on Alibaba Cloud servers in the Shanghai region.
• Cross-border transfers: Athena uses the CAC Standard Contract filed with the Shanghai CAC for transfers of logistics data to the Frankfurt headquarters.
• Personal Information Impact Assessment (PIIA) completed before cross-border transfer per PIPL Art. 55.

India — Digital Personal Data Protection Act 2023 (DPDP Act)

Effective: Provisions being brought into force in phases from 2024.

Key requirements:

• Section 16(1): The Central Government may, by notification, restrict the transfer of personal data by a significant data fiduciary to any country or territory outside India.
• Section 16(2): The Central Government may prescribe conditions for cross-border transfer to specific countries.
• Blacklist approach: India adopts a "blacklist" model — transfers are permitted to all countries except those specifically restricted by government notification. As of March 2026, no blacklist notifications have been issued.
• Significant Data Fiduciary (SDF): Designation by the Central Government based on volume of data, sensitivity, risk to data principals, and other factors. SDFs face heightened obligations including mandatory DPO appointment and data protection audit.
• RBI data localization: The Reserve Bank of India mandates that payment system data be stored exclusively in India (RBI Circular DPSS.CO.OD.No.2785, April 2018). This applies to all payment data processed by payment system operators.

Athena Global Logistics implementation:

• Indian operations data stored on AWS Mumbai region (ap-south-1).
• Cross-border transfers permitted (no blacklist notification as of March 2026) but monitored for future restrictions.
• RBI payment localization: Indian payment transaction data processed through local payment gateways with primary storage in India.

Turkey — Law No. 6698 on the Protection of Personal Data (KVKK)

Key requirements:

• Art. 9: Personal data may be transferred abroad only with the explicit consent of the data subject, or if one of the conditions in Art. 5(2) or Art. 6(3) is met and: (a) the destination country provides adequate protection (per KVKK Board list); or (b) the data controllers in Turkey and the destination country provide a written undertaking of adequate protection and the KVKK Board grants permission.
• Data Localization: No explicit data localization mandate in KVKK, but the Board Regulation on Data Transfer Abroad (2024 amendment) introduced a notification-based system requiring data controllers to apply to the Board before transferring data to countries not on the adequate list.
• Practical localization: Many organisations maintain Turkish data in Turkey due to the complexity of the Board approval process for cross-border transfers.

Vietnam — Decree 13/2023/ND-CP on Personal Data Protection

Effective: 1 July 2023

Key requirements:

• Art. 25(4): Data controllers and processors transferring personal data abroad must prepare and maintain a transfer impact assessment dossier.
• Art. 26: The transfer impact assessment dossier must be submitted to the Ministry of Public Security within 60 days of processing.
• No strict localization: Vietnam does not mandate data localization for most personal data, but the Cybersecurity Law (2018) Art. 26(3) requires storage of certain data in Vietnam for companies providing services on telecommunications networks or the internet where the data relates to national security, social order, or cybersecurity.

Indonesia — Government Regulation No. 71/2019 (GR 71)

Key requirements:

• Art. 20: Public electronic system operators must place their electronic systems and data in Indonesia for the purpose of supervision, law enforcement, data access protection, and national security.
• Art. 21: Private electronic system operators may place their systems and data outside Indonesia, provided they grant access for supervision and law enforcement.
• Practical impact: Government and public sector data must be stored in Indonesia; private sector data may be stored abroad with access provisions.

Localization Architecture Design

Pattern 1: Primary Local Storage with Replication

┌───────────────────┐     Replication     ┌──────────────────┐
│ Local Data Centre  │ ─────────────────→  │ Central EU DC    │
│ (Country Required) │    (encrypted,      │ (Frankfurt)      │
│ Primary database   │     compliant       │ Analytics,       │
│ All CRUD operations│     transfer)       │ Reporting        │
└───────────────────┘                      └──────────────────┘

Use case: Russia (242-FZ), China (PIPL Art. 40 for CIIOs) Implementation: All create, read, update, delete operations occur on the local database. Encrypted replication to central EU systems for analytics and group reporting, subject to local cross-border transfer rules.

Pattern 2: Local Processing with Central Analytics

┌───────────────────┐     Aggregated/     ┌──────────────────┐
│ Local Instance     │     Anonymised     │ Central EU DC    │
│ Full processing    │ ─────────────────→ │ Only aggregated  │
│ in-country         │                    │ or anonymised    │
└───────────────────┘                     │ data received    │
                                          └──────────────────┘

Use case: Strict localization without cross-border transfer approval (pre-CAC filing in China) Implementation: All personal data processing occurs locally; only aggregated or anonymised data (not personal data) is transferred centrally.

Pattern 3: Hybrid Cloud with Data Residency Controls

┌───────────────────┐
│ Cloud Provider     │
│ Local Region       │ ← Data residency policy enforced
│ (e.g., AWS Mumbai) │   via cloud service configuration
│ Personal data      │
│ stored here only   │
└───────────────────┘
     │
     │ (API access from EU for administration; no data egress)
     │
┌───────────────────┐
│ Central EU DC      │
│ Application logic  │
│ No local PD stored │
└───────────────────┘

Use case: India (DPDP Act), Indonesia (GR 71 private sector) Implementation: Cloud provider's local region stores personal data; application logic may run centrally but personal data does not leave the local region.

Localization Compliance Checklist

Jurisdiction	Storage Requirement	Transfer Conditions	Filing/Approval	Enforcement Authority
Russia	Primary DB in Russia	Permitted after localization; subject to 152-FZ transfer rules	No filing required for localization	Roskomnadzor
China (CIIO/threshold)	Domestic storage	CAC security assessment or Standard Contract	Security assessment filed with CAC; Standard Contract filed within 10 days	CAC
India	No localization (yet)	Permitted except to blacklisted countries	No filing (monitor for future requirements)	Data Protection Board of India
India (RBI)	Payment data in India	Not permitted for payment data	RBI compliance reporting	Reserve Bank of India
Turkey	No explicit localization	Board approval or adequate country list	Board application for non-adequate countries	KVKK Board
Vietnam	Certain data in Vietnam	Impact assessment required	Dossier to Ministry of Public Security within 60 days	Ministry of Public Security
Indonesia (public)	In Indonesia	Limited exceptions	No specific filing	Ministry of Communication
Indonesia (private)	May be abroad	Access for supervision required	No specific filing	Ministry of Communication