Text taken from the official website of ROSKOMNADZOR
Please note that the text of the Federal Law is updated only up to 25.07.2011
Federal Law of 27 July 2006 N 152-FZ ON PERSONAL DATA
2.1 Operators which carried out the processing of personal data prior to 1 July 2011 shall be obliged to present the information referred to in clauses 5, 7.1, 10 and 11 of part 3 of Article 22 of this Federal Law to the authorized body for the protection of the personal data subjects’ rights not later than 1 January 2013.
Adopted by the State Duma on 8 July 2006
Approved by the Federation Council on 14 July 2006
(as amended by Federal Laws of 25.11.2009 N 266-FZ, of 27.12.2009 N 363-FZ, of 28.06.2010 N 123-FZ, of 27.07.2010 N 204-FZ, of 27.07.2010 N 227-FZ, of 29.11.2010 N 313-FZ, of 23.12.2010 N 359-FZ, of 04.06.2011 N 123-FZ, of 25.07.2011 N 261-FZ)
Chapter 1. General Provisions
Article 1. Scope of Application of the Federal Law
1. This Federal Law regulates activities related to the processing of personal data by federal state government bodies, state government bodies of constituent entities of the Russian Federation and other state bodies (hereinafter referred to as "state bodies"), by local government bodies (hereinafter referred to as "municipal bodies"), by legal entities and physical persons, both automatically, including in data telecommunications networks, and manually, provided that manual data processing is by its nature similar to automatic data processing, i.e. allows users to search personal data recorded in tangible medium or contained in card-catalogues or other systematized collections of personal data in accordance with the specified algorithm and (or) to have access to such personal data.
2. This Federal Law does not apply to activities related to:
1) personal data processing by individuals exclusively for personal or family needs, provided that such processing does not infringe upon the rights of individuals whose data are being processed;
2) storage, arrangement, registration and use of personal data contained in the files kept by the State Archives of the Russian Federation and in other archive files as envisaged by the Russian laws on the archive system;
3) ceased to be in force on 1 July, 2011;
4) processing of personal data which are referred to state secrecy according to the established procedure;
5) provision by authorised bodies of information on the activities of courts in the Russian Federation in accordance with the Federal law of 22 December, 2008 N 262-FZ “About provision of access to the information on courts’ activities in the Russian Federation”.
Article 2. Purpose of the Federal Law
The purpose of this Federal Law is to procure the protection of a person's rights and liberties while processing his/her personal data, including the right to privacy, personal and family secrecy.
Article 3. Basic Terms of the Federal Law
In this Federal Law the following main terms are used:
1) personal data – any information referring directly or indirectly to a particular or identified individual (hereinafter referred to as "personal data subject");
2) operator – state agency, municipal authority, legal entity or individual who independently or in cooperation with other entities organizes and/or processes personal data as well as determines the purposes and scope of personal data processing;
3) personal data processing – any action (operation) or a combination of actions (operations) performed both automatically and manually with personal data, including collection, recording, arrangement, accumulation, storage, specification (updating, changing), extraction, use, distribution (including transfer), anonymizing, blocking and destruction of personal data;
4) automated personal data processing – personal data processing by means of computer technology;
5) distribution of personal data – actions related to making the data available to an indefinite range of persons;
6) provision of personal data – actions related to making the data available to a definite person or a definite range of persons;
7) blocking of personal data – the temporary cessation of personal data processing (except for the cases when the processing is needed for personal data specification);
8) destruction of personal data – actions performed on personal data contained in the respective database that prevent such data from being restored and (or) actions aimed at the physical destruction of the tangible medium of personal data;
9) anonymization of personal data – actions performed on personal data that do not permit the identity of the individual concerned to be verified solely from such anonymized data;
10) personal data information system – a database that contains personal data as well as information technologies and hardware used for data processing;
11) cross-border transfer of personal data – cross-border transfer of personal data to a foreign state agency, foreign legal entity or individual located in a foreign state.
Article 4. Legislative Grounds for Protection of Personal Data in the Russian Federation
1. The Russian legislation on data protection is based on the Constitution of the Russian Federation and international treaties entered into by the Russian Federation and comprises this Federal Law and other federal laws which regulate particular issues related to personal data processing.
See the Council of Europe Convention on the Protection of Individuals with Regard to Automatic Processing of Personal Data (Strasbourg, 28 January 1981).
2. On the grounds of and pursuant to the federal laws, state agencies, the Bank of Russia, local authorities may, within the scope of their competence, adopt regulatory legal acts, normative acts, legislative acts (hereinafter referred to as regulations) with respect to particular issues related to personal data processing. Such regulations shall not include provisions that would restrict personal data subjects’ rights, place limitations, which are not provided by federal laws, on operators’ activities or impose responsibilities, which are not provided by federal laws, on operators, and shall be subject to official publishing.
3. The specific features of personal data manual processing may be prescribed by federal laws and other regulations of the Russian Federation with account of the provisions of this Federal Law.
4. If international treaties entered into by the Russian Federation establish regulations different from those provided by this Federal Law, the regulations of such international treaties shall be applied.
Chapter 2. Principles and Conditions of Personal Data Processing
Article 5. Principles of Personal Data Processing
1. Personal data shall be processed on a legal and equitable basis.
2. Personal data processing shall be limited to achieving specific, pre-determined and legal purposes. It is not allowed to process personal data for a purpose incompatible with that of personal data collection.
3. It is not allowed to combine the data bases containing personal data to be processed for incompatible purposes.
4. Only personal data that comply with the purposes of their processing shall be processed.
5. The scope and character of personal data to be processed shall comply with the intended purposes of such data processing. The personal data to be processed shall not be irrelevant to the declared purposes of their processing.
6. In the course of personal data processing it shall be necessary to ensure the personal data accuracy, their sufficiency and in case of need their adequacy for processing purposes. Operators shall take the required measures or ensure their adoption to delete or specify incomplete or inaccurate data.
7. Personal data shall be stored in a form that allows verification of the identity of personal data subjects only to the extent necessary for processing purposes unless the personal data storage time is not established by federal laws, agreements concluded with personal data subjects as a beneficiary or guarantor party. Personal data shall be destroyed or depersonalized upon achieving the set goals as well as when such goals cease to be relevant unless otherwise stipulated by federal laws.
Article 6. Conditions of Personal Data Processing
1. Personal data processing shall be subject to compliance with the principles and rules stipulated by the Federal law. Personal data processing shall be allowed in the following cases:
1) processing of personal data is carried out with the consent of the data subject to the processing of his personal data;
2) personal data processing is required for achieving the purposes stipulated by an international agreement of the Russian Federation or by a law, or for exercise and fulfillment of functions, powers and obligations imposed on operators by the Russian Federation law;
3) personal data processing is required for administration of justice or enforcement of a judicial act or an act of another body or official which are enforceable in accordance with the legislation of the Russian Federation concerning enforcement proceedings (hereinafter referred to as “enforcement of a judicial act”);
4) personal data processing is required for rendering state or municipal services in accordance with the Federal law of 27 July 2010 N 210-FZ “About provision of state and municipal services”, for ensuring the provision of this service or for registration of personal data subjects on the uniform portal of state and municipal services;
5) personal data processing is required for performance of an agreement to which a personal data subject is a party or under which the data subject is a beneficiary or surety, or for conclusion of an agreement on the initiative of a personal data subject or an agreement under which a personal data subject shall be a beneficiary or surety;
6) personal data processing is required for protection of life, health or other vital interests of the personal data subject in case it is not possible to obtain his/her consent;
7) processing of personal data is required for realization of the rights and legitimate interests of an operator or third parties or for the attainment of socially significant objectives, provided that this does not cause the rights and freedoms of the personal data subject to be violated;
8) processing of personal data is required for the purposes of professional activities of a journalist and (or) the legitimate activities of a mass medium or for the purposes of scientific, literary or other creative activity, provided that this does not cause the rights and freedoms of the personal data subject to be violated;
9) processing of personal data is carried out for statistical or other research purposes, with the exception of the purposes specified in Article 15 of this Federal Law, on the condition of compulsory depersonalization of the personal data;
10) public access to the personal data being processed has been granted by or at the request of the personal data subject (hereinafter referred to as “personal data made public by the personal data subject”);
11) the personal data being processed are subject to publication or compulsory disclosure in accordance with federal laws.
2. Particular considerations relating to the processing of special categories of personal data and the processing of biometric personal data are established by Articles 10 and 11 of this Federal Law respectively.
3. An operator shall have the right to assign the processing of personal data to another person with the consent of a personal data subject, except as otherwise provided by federal laws, on the basis of a contract concluded with that person, including a state or municipal contract, or by means of adoption of an appropriate act by a state or municipal body (hereinafter referred to as “instruction of an operator”). A person carrying out the processing of personal data on the instruction of an operator shall be obliged to comply with the principles and rules for the processing of personal data which are stipulated by this Federal Law. The operator’s instruction shall set out a list of actions (operations) to be performed with personal data by the person carrying out the processing of personal data and the purposes of the processing, shall establish the obligation of that person to observe the confidentiality of personal data and to ensure that the personal data remain secure while being processed, and shall specify the requirements relating to protection of processed personal data in accordance with Article 19 of this Federal Law.
4. A person carrying out the processing of personal data on the instruction of an operator shall not be obliged to obtain the consent of the data subject to the processing of his personal data.
5. Where an operator assigns the processing of personal data to another person, liability to the personal data subject for the actions of that person shall be borne by the operator. A person carrying out the processing of personal data on the instruction of an operator shall be liable to the operator.
Article 7. Confidentiality of Personal Data
Operators and other persons who have obtained an access to personal data shall be obliged to refrain from disclosing to third parties or disseminating those personal data without the consent of the personal data subject, except as otherwise provided by federal laws.
Article 8. Publicly Accessible Sources of Personal Data
1. Publicly accessible sources of personal data (including directories and address books) may be created for the purposes of information provision. Subject to the written consent of a personal data subject, the surname, first name and patronymic, year and place of birth, address, subscriber number, occupation details of that data subject and other personal data communicated by the personal data subject may be included in publicly accessible sources of personal data.
2. Details of a personal data subject shall at any time be excluded from publicly accessible sources of personal data at the request of the personal data subject or by decision of a court or other authorized state bodies.
Article 9. Consent of a Personal Data Subject to the Processing of His Personal Data
1. A personal data subject shall decide whether or not to provide his personal data and shall give consent to the processing thereof freely, of his own will and in his own interest. Consent to the processing of personal data shall be specific, informed and conscious. Consent to the processing of personal data may be given by the personal data subject or his representative in any form which provides evidence of its receipt, except as otherwise established by federal laws. Where consent to the processing of personal data is received from a representative of the personal data subject, the authority of that representative to give consent on behalf of the personal data subject shall be verified by the operator.
2. Consent to the processing of personal data may be withdrawn by the personal data subject. In the event that a personal data subject withdraws his consent to the processing of personal data, the operator shall have the right to continue the processing of personal data without the consent of the personal data subject if any of the grounds set out in clauses 2 to 11 of part 1 of Article 6, part 2 of Article 10 and part 2 of Article 11 of this Federal Law exist.
3. The obligation to provide a proof of the receipt of the consent of a personal data subject to the processing of his personal data or a proof of the existence of grounds specified in clauses 2 to 11 of part 1 of Article 6, part 2 of Article 10 and part 2 of Article 11 of this Federal Law shall be assigned to the operator.
4. In cases provided for in federal laws, the processing of personal data shall be carried out only with the written consent of the personal data subject. A consent in the form of an electronic document signed with an electronic signature in accordance with a federal law shall be deemed equivalent to a written consent on paper containing the handwritten signature of the personal data subject. The written consent of a personal data subject to the processing of his personal data shall contain, in particular:
1) surname, first name and patronymic and the address of the personal data subject, the number of his principal identification document and information as to the date of issue of that document and the body which issued it;
2) surname, first name and patronymic and the address of the representative of the personal data subject, the number of his principal identification document, information as to the date of issue of that document and the body which issued it and details of the power of attorney or other document confirming the representative’s authority (where consent is received from a representative of a data subject);
3) name or surname, first name and patronymic and the address of the operator which is receiving the consent of the personal data subject;
4) the purpose of personal data processing;
5) a list of personal data to the processing of which the consent of the personal data subject is given;
6) name or surname, first name and patronymic and the address of the person who is to carry out the processing of the personal data on the instruction of the operator, if the processing is to be assigned to such a person;
7) a list of actions involving personal data to the performance of which consent is given, and a general description of the methods of personal data processing which are to be used by the operator;
8) the period for which the consent of a personal data subject is given, and the procedure for withdrawal of that consent, except as otherwise established by federal laws;
9) the signature of the personal data subject.
5. The procedure for the receipt in the form of an electronic document of the consent of a personal data subject to the processing of his personal data for the purpose of the provision of state and municipal services and services which are necessary and essential for the provision of state and municipal services shall be determined by the Government of the Russian Federation.
6. Where a personal data subject is legally incapable, the consent to the processing of his personal data shall be given by a legal representative of the personal data subject.
7. Where a personal data subject has died, the consent to the processing of his personal data shall be given by the heirs of the personal data subject, unless the personal data subject gave such consent while he was alive.
8. The personal data may be obtained by an operator from a person who is not the personal data subject on condition of the provision to the operator of a confirmation of the existence of grounds specified in clauses 2 to 11 of part 1 of Article 6, part 2 of Article 10 and part 2 of Article 11 of this Federal Law.
Article 10. Special Categories of Personal Data
1. The processing of special categories of personal data concerning racial or ethnic origin, political opinions, religious or philosophical beliefs, health or sexual life shall not be permitted except in the instances envisaged by part 2 of this Article.
2. The processing of the special categories of personal data referred to in part 1 of this Article shall be permitted in instances where:
1) the subject of the personal data has given his written consent to the processing of his personal data;
2) the personal data have been made public by the personal data subject;
2.1) the processing of personal data is necessary in connection with the implementation of international agreements of the Russian Federation on readmission;
2.2) the processing of personal data is carried out in accordance with Federal Law No. 8-FZ of 25 January 2002 “Concerning the Russian Census”;
2.3) the processing of personal data is carried out in accordance with the legislation concerning state social assistance, labour legislation or the legislation of the Russian Federation concerning state-provided pensions and retirement pensions;
3) the processing of personal data is necessary to protect the life, health or other vital interests of the personal data subject or the life, health or other vital interests of other persons and it is impossible to obtain the consent of the personal data subject;
4) the processing of personal data is carried out for the purposes of preventative medicine, medical diagnosis or the provision of medical and social care services, provided that the processing of personal data is carried out by a person who is professionally involved in medical activities and has a duty in accordance with the legislation of the Russian Federation to maintain medical confidentiality;
5) the processing of personal data of members (participants) of a social association or a religious organization is carried out by the social association or religious organization in question acting in accordance with the legislation of the Russian Federation for the purpose of the achievement of legitimate goals which are provided for by their foundation documents, provided that the personal data are not disseminated without the written consent of the personal data subjects;
6) the processing of personal data is necessary in order to enable the rights of the personal data subject or of third parties to be established or exercised, and in connection with the administration of justice;
7) the processing of personal data is carried out in accordance with the legislation of the Russian Federation concerning defence, security, counter-terrorism, transport safety, anti-corruption measures, investigative activities and enforcement proceedings and the penal legislation of the Russian Federation;
8) the processing of personal data is carried out in accordance with legislation concerning compulsory types of insurance and insurance legislation;
9) the processing of personal data is carried out in cases provided for in the legislation of the Russian Federation by state bodies, municipal bodies or organizations for the purpose of placing children deprived of parental care in the care of families of citizens.
3. The processing of personal data concerning criminal convictions may be carried out by state bodies or municipal bodies within the limits of the powers conferred on them in accordance with the legislation of the Russian Federation, and by other persons in instances and according to procedures to be determined in accordance with federal laws.
4. The processing of special categories of personal data which has been carried out in the instances envisaged by parts 2 and 3 of this Article shall be immediately terminated if the circumstances by reason of which that processing was carried out have been eliminated, except as otherwise established by federal laws.
Article 11. Biometric Personal Data
1. Information concerning a person’s physiological and biological characteristics from which he/she may be identified (biometric personal data) and which is used by an operator to establish the identity of a personal data subject may be processed only subject to the written consent of the personal data subject, except in the cases provided for in part 2 of this Article.
2. The processing of biometric personal data may be carried out without the consent of the personal data subject in connection with the implementation of international agreements of the Russian Federation on readmission, in connection with the administration of justice and the enforcement of judicial acts and in cases provided for in the legislation of the Russian Federation concerning defence, security, counter-terrorism, transport safety, anti-corruption measures, investigative activities and state service, the penal legislation of the Russian Federation and the legislation of the Russian Federation concerning the procedure for exit from the Russian Federation and entry into the Russian Federation.
Article 12. Cross-Border Transfer of Personal Data
1. The cross-border transfer of personal data into the territories of foreign states which are the parties to the Council of Europe Convention on the Protection of Individuals with Regard to Automatic Processing of Personal Data, as well as other foreign states providing adequate protection of the data subjects’ rights shall be carried out in accordance with this Federal Law and may be prohibited or restricted for the purposes of protecting the foundations of the constitutional order of the Russian Federation, public morality and health, rights and legitimate interests of citizens and providing for national defence and state security.
2. The authorized body for the protection of the personal data subjects’ rights shall approve a list of foreign states which are not the parties to the Council of Europe Convention on the Protection of Individuals with Regard to Automatic Processing of Personal Data and ensure adequate protection of the data subjects’ rights. A state which is not a party to the Council of Europe Convention on the Protection of Individuals with Regard to Automatic Processing of Personal Data may be included in the list of foreign states which provide adequate protection of the personal data subjects’ rights if the current legal rules of the relevant state and measures taken for the security of personal data conform to the provisions of the above-mentioned Convention.
3. An operator shall be obliged to satisfy itself that the foreign state into whose territory personal data are to be transferred provides adequate protection of the personal data subjects’ rights before commencing the cross-border transfer of personal data.
4. The cross-border transfer of personal data into the territories of foreign states which do not provide an adequate protection of the personal data subjects’ rights may be carried out in the following cases:
1) where the personal data subject has given his/her consent to the cross-border transfer of his/her personal data;
2) in cases provided for in agreements of the Russian Federation;
3) in cases provided for in federal laws where this is necessary to protect the foundations of the constitutional order of the Russian Federation, to provide for national defence and state security, to secure the stable and safe operation of the transport complex and to protect the interests of the individual, society and the state in the transport sphere against acts of unlawful interference;
4) for the purpose of the performance of a contract to which the personal data subject is a party;
5) for the purpose of protecting life, health and other vital interests of a personal data subject or of other persons where it is impossible to obtain the written consent of the personal data subject.
Article 13. Special Provisions Relating to the Processing of Personal Data in State or Municipal Personal Data Filing Systems
1. State bodies and municipal bodies shall, within the limits of their powers as established in accordance with federal laws, create state or municipal personal data filing systems.
2. Federal laws may establish special provisions relating to the recording of personal data in state and municipal personal data filing systems, including the use of various methods of designating personal data contained in a particular state or municipal filing system as relating to a particular data subject.
3. Human and civil rights and freedoms may not be limited for reasons relating to the use of various methods of processing of personal data and of designating personal data contained in state or municipal personal data filing systems as relating to a particular data subject. It shall not be permissible to use methods of designating personal data contained in state or municipal personal data filing systems as relating to a particular data subject which injure the feelings of individual citizens or degrade human dignity.
4. For the purpose of providing for the exercise of the personal data subjects’ rights in connection with the processing of their personal data in state or municipal personal data filing systems, there may be created a state public register, the legal status of which and procedure for the use of which shall be established by a federal law.
CHAPTER 3. RIGHTS OF A PERSONAL DATA SUBJECT
Article
14 Right of Access of
a Personal Data Subject to His Personal Data
1. A personal data subject shall
have the right to
receive information referred to in
part 7 of this Article except
in cases
provided for in part 8 of this Article.
A personal data subject shall have the right
to request an operator to rectify, block or destroy
his personal data in the event that the personal data are incomplete, out-of-date, inaccurate
or unlawfully obtained or are not
needed for the
stated purpose of
the processing,
and shall have the right
to take measures provided for by law to protect his
rights.
2. The information referred to in
part 7 of this Article shall
be provided to a personal data
subject by an operator in an accessible
form, and shall not
contain personal data relating to
other
data subjects,
except
where there are lawful grounds
for the disclosure of such personal
data.
3. The information referred
to in part 7 of this Article
shall be provided to a personal data subject or his representative by an operator upon application
or upon receipt
of a request from the
personal data subject or his representative.
A request shall contain
the number of the principal identification
document of the personal data subject or
of his legal representative,
information as to the date of issue of
that document and the body which issued it,
information evidencing the
personal data subject’s relationship
with the operator (number of
contract,
date of conclusion
of contract, reference designation and
(or) other information) or
information which otherwise confirms the processing of
the personal data
by the operator, and the signature of the personal data subject or of his representative.
A request may be sent
in the form of an electronic
document and
signed with an electronic signature in
accordance with the legislation of the Russian Federation.
4. Where the information referred to in part 7 of this Article and processed personal data have been provided to a personal data subject for inspection upon the personal data subject’s request, the personal data subject may make a further application or present a further request to the operator for the purpose of receiving information referred to in part 7 of this Article and inspecting such personal data not earlier than thirty days after the initial application or the sending of the initial request, unless a shorter time period is established by a federal law, a normative legal act adopted in accordance with a federal law or a contract to which the personal data subject is a party or under which he is a beneficiary or surety.
5. A personal data subject shall also have the right to make a further application or present a further request to the operator for the purpose of receiving information referred to in part 7 of this Article and for the purpose of inspecting processed personal data before the time period specified in part 4 of this Article has elapsed in the event that such information and (or) processed personal data were not provided to him for inspection in full following the consideration of the initial application. A repeat request shall contain, in addition to the information referred to in part 3 of this Article, an explanation for the sending of the repeat request.
6. An operator shall have the right to refuse to satisfy a repeat request from a personal data subject if that request does not meet the conditions set forth in parts 4 and 5 of this Article. Such a refusal shall be reasoned. The obligation to provide evidence of the legitimacy of a refusal to satisfy a repeat request shall lie with the operator.
7. A personal data subject shall have the right to receive information concerning the processing of his personal data, including information containing:
1) confirmation of the processing of personal data by the operator;
2) the legal grounds for and purposes of the processing of the personal data;
3) the purposes and methods used by the operator for the processing of personal data;
4) the name and location of the operator and information on persons (other than employees of the operator) who have access to personal data or to whom personal data may be disclosed on the basis of a contract with the operator or on the basis of a federal law;
5) the processed personal data relating to the personal data subject in question and the source from which they were obtained, unless a different procedure for the presentation of such data is prescribed by a federal law;
6) the period of the processing of the personal data, including the period for which they are kept;
7) the procedure for the exercise by the personal data subject of the rights provided for in this Federal Law;
8) information on any actual or planned cross-border transfer of personal data;
9) name or surname, first name and patronymic and the address of the person carrying out the processing of personal data on the instruction of the operator, if the processing has been or is intended to be assigned to such a person;
10) other information provided for in this Federal Law or other federal laws.
8. The right of access of a personal data subject to his personal data may be restricted in accordance with federal laws, including where:
1) the processing of personal data, including personal data obtained as a result of investigative, counter-intelligence and intelligence activities, is carried out for the purposes of national defence, state security and the maintenance of public order;
2) the processing of personal data is carried out by the bodies which have detained the personal data subject on suspicion of committing a crime, or have brought a criminal charge against the personal data subject, or have imposed a measure of restraint against the personal data subject prior to bringing charges, except in cases provided for in the criminal procedure legislation of the Russian Federation where a suspect or accused person is permitted to inspect such personal data;
3) the processing of personal data is carried out in accordance with the legislation concerning the countering of the legitimization (laundering) of proceeds of crime and the financing of terrorism;
4) the access of a personal data subject to his personal data would violate the rights and legitimate interests of other persons;
5) the processing of personal data is carried out in cases provided for by the legislation of the Russian Federation concerning transport safety for the purpose of ensuring the stable and safe operation of the transport complex and protecting the interests of the individual, society and the state in the transport sphere against acts of unlawful interference.
Article 15. Rights of Data Subjects Where Their Personal Data Are Processed for the Purpose of the Market Promotion of Goods, Work and Services or for Purposes of Political Campaigning
1. The processing of personal data for the purpose of the market promotion of goods, work and services by means of making direct contact with a potential consumer with the aid of communications facilities, and for purposes of political campaigning, shall be permitted only on condition of the prior consent of the subject of the personal data. Such processing of personal data shall be deemed to be carried out without the prior consent of the personal data subject unless the operator is able to prove that such consent was obtained.
2. An operator shall be obliged, upon the request of a data subject, immediately to terminate the processing of his personal data which is referred to in part 1 of this Article.
Article 16. Rights of Data Subjects in Relation to Decision-Taking Solely on the Basis of Automated Processing of Their Personal Data
1. It shall be prohibited for decisions which give rise to legal consequences for a personal data subject or otherwise affect his rights and legitimate interests to be taken solely on the basis of the automated processing of personal data, except in the instances envisaged by part 2 of this Article.
2. A decision which gives rise to legal consequences for a personal data subject or otherwise affects his rights and legitimate interests may be taken solely on the basis of the automated processing of his personal data only if the subject of the personal data has given his written consent or in instances envisaged by federal laws which also establish measures to safeguard the rights and legitimate interests of the subject of the personal data.
3. An operator shall be obliged to make clear to a personal data subject the procedure whereby a decision is taken solely on the basis of the automated processing of his personal data and the possible legal consequences of such a decision, to allow him the opportunity to present an objection against such a decision, and to explain the means by which the personal data subject may protect his rights and legitimate interests.
4. An operator shall be obliged to consider an objection such as is referred to in part 3 of this Article within thirty days from the day of receiving it, and to notify the personal data subject of the results of the consideration of that objection.
Article 17. Right to Appeal Against Actions or Inaction of an Operator
1. Where a personal data subject believes that an operator is processing his personal data not in compliance with the requirements of this Federal Law or is otherwise violating his rights and freedoms, the personal data subject shall have the right to appeal against the actions or inaction of the operator to the authorized body for the protection of the personal data subjects’ rights or through the courts.
2. A personal data subject shall have the right to protection of his rights and legal interests, including the right to reimbursement for losses and (or) compensation for moral injury through the courts.
Chapter 4. Obligations of an Operator
Article 18. Obligations of an Operator in Collecting Personal Data
1. When collecting personal data, an operator shall be obliged to provide to the personal data subject, upon his request, the information which is provided for in part 7 of Article 14 of this Federal Law.
2. Where the provision of personal data is compulsory in accordance with federal laws, the operator shall be obliged to explain to the personal data subject the legal consequences of refusing to provide his personal data.
3. Where personal data have been obtained other than from the personal data subject, the operator shall be obliged, except in cases provided for in part 4 of this Article, to provide the following information to the personal data subject before beginning to process the personal data:
1) name or surname, first name and patronymic and the address of the operator or its representative;
2) the purpose and legal basis of the processing of the personal data;
3) the expected users of the personal data;
4) the rights of the personal data subject as established by this Federal Law;
5) the source from which the personal data were obtained.
4. An operator shall be exempt from the obligation to provide the information specified in part 3 of this Article to a personal data subject where:
1) the personal data subject has been notified of the processing of his personal data by the operator in question;
2) the personal data have been received by the operator on the basis of a federal law or in connection with the performance of a contract to which the personal data subject is a party or under which he is a beneficiary or surety;
3) the personal data have been made public by the personal data subject or have been obtained from a public source;
4) the operator is processing the data for statistical or other research purposes, for the purposes of the professional activities of a journalist or for the purposes of scientific, literary or other creative activities, provided that this does not cause the rights and legitimate interests of the personal data subject to be violated;
5) the provision of the information provided for in part 3 of this Article to the personal data subject would violate the rights and legitimate interests of third parties.
Article 18.1. Measures to Ensure the Fulfillment by an Operator of the Obligations Laid Down in This Federal Law
1. An operator shall be obliged to take such measures as are necessary and sufficient to ensure the fulfillment of the obligations laid down in this Federal Law and normative legal acts adopted in accordance with this Federal Law. An operator shall independently determine the composition and range of measures which are necessary and sufficient to ensure the fulfillment of the obligations laid down in this Federal Law and normative legal acts adopted in accordance with this Federal Law, except as otherwise provided by this Federal Law or other federal laws. Such measures shall include, in particular:
1) the appointment by an operator which is a legal entity of a person responsible for organizing the processing of personal data;
2) the issuance by an operator which is a legal entity of documents setting out the operator’s policies in regard to the processing of personal data, by-laws on the processing of personal data and by-laws establishing procedures aimed at the prevention and detection of violations of the legislation of the Russian Federation and the remediation of the consequences of such violations;
3) the application of legal, organizational and technical measures to ensure the security of personal data in accordance with Article 19 of this Federal Law;
4) the conduct of internal control and (or) auditing of the conformity of the processing of personal data to this Federal Law and normative legal acts adopted in accordance with this Federal Law, requirements relating to the protection of personal data, the operator’s policies in relation to the processing of personal data and the operator’s by-laws;
5) evaluating damage which may be caused to data subjects in the event of the violation of this Federal Law and correlating that damage with measures taken by the operator to ensure the fulfillment of the obligations laid down in this Federal Law;
6) ensuring that employees of the operator who are directly involved in the processing of personal data are made aware of the provisions of the legislation of the Russian Federation concerning personal data, including requirements relating to the protection of personal data, documents setting out the operator’s policies in relation to the processing of personal data and by-laws on the processing of personal data, and (or) providing training to those employees.
2. An operator shall be obliged to publish or otherwise provide unlimited access to the document setting out its policies in relation to the processing of personal data and to information concerning requirements to be fulfilled with respect to the protection of personal data. An operator which collects personal data using data networks shall be obliged to publish in the appropriate data network a document setting out its policies in relation to the processing of personal data and information concerning requirements to be fulfilled with respect to the protection of personal data, and to make that document available through the appropriate data network.
3. The Government of the Russian Federation shall establish a range of measures aimed at ensuring that obligations laid down in this Federal Law and normative legal acts adopted in accordance with this Federal Law are fulfilled by operators which are state or municipal bodies.
4. An operator shall be obliged to present documents and by-laws such as are referred to in part 1 of this Article and (or) to provide other evidence of the taking of the measures referred to in part 1 of this Article upon the request of the authorized body for the protection of the personal data subjects’ rights.
Article 19. Measures to Ensure the Security of Personal Data While They Are Being Processed
1. An operator shall be obliged, when processing data, to take or arrange for the taking of such legal, organizational and technical measures as are necessary to protect personal data against unlawful or accidental access to and destruction, alteration, blocking, copying, provision or dissemination of personal data and against other unlawful actions in relation to personal data.
See Decree N ММВ-7-4/959@ of the Federal Tax Service of the Russian Federation of 21 December 2011 concerning protection of personal data when they are processed in automated data systems of tax authorities.
See the Regulation on Methods and Ways of Information Protection in Personal Data Systems, which was approved by Decree N 58 issued by the Federal Service for Technical and Export Control of Russia on 5 February 2010.
2. The security of personal data shall be achieved, in particular:
1) by identifying threats to the security of personal data while they are being processed in personal data filing systems;
2) by applying such organizational and technical measures for ensuring the security of personal data while they are being processed in personal data filing systems as are necessary to meet the requirements relating to the protection of personal data which shall be fulfilled in order to ensure the levels of protection of personal data which are established by the Government of the Russian Federation;
3) by applying means of data protection which have duly undergone conformity assessment procedures;
4) by assessing the effectiveness of measures taken to ensure the security of personal data prior to the commissioning of a personal data filing system;
5) by keeping records of media containing personal data;
6) by detecting instances of unauthorized access to personal data and taking measures;
7) by restoring personal data which have been modified or destroyed as a result of unauthorized access;
8) by establishing rules for access to personal data being processed in a personal data filing system and providing for the registration and recording of all actions performed on personal data in a personal data filing system;
9) by monitoring measures taken to ensure the security of personal data and the level of protection of personal data filing systems.
3. The Government of the Russian Federation shall, taking into account potential damage to a data subject, the extent and content of personal data being processed, the type of activity in the context of which personal data are processed and the presence of threats to the security of personal data, establish:
1) levels of protection for personal data while they are being processed in personal data filing systems based on threats to the security of those data;
2) requirements relating to the protection of personal data while they are being processed in personal data filing systems which shall be met in order for the established levels of protection for personal data to be provided;
See the Instruction on organizing the protection of personal data contained in information systems of internal affairs bodies of the Russian Federation, which was approved by the Decree N 678 issued by the Ministry of Internal Affairs of the Russian Federation on 6 July 2012.
See the Standard requirements on organizing and providing the functioning of cryptographic facilities intended for protection of information not containing the data classified as state secret in case of their usage for providing protection of personal data when they are processed in personal data systems, which were approved by the Decree N 149/6/6-622 issued by the Federal Security Service of the Russian Federation on 21 February 2008.
See the Guidelines on providing protection for personal data when they are automatically processed in personal data systems with the help of cryptographic facilities, which were approved by the Decree N 149/54-144 issued by the Federal Security Service of the Russian Federation on 21 February 2008.
3) requirements relating to physical media for the storage of biometric personal data and relating to technologies for the storage of such data outside personal data filing systems.
4. The composition and content of organizational and technical measures for ensuring the security of personal data while they are being processed in personal data filing systems which are necessary in order to fulfill the personal data protection requirements established by the Government of the Russian Federation in accordance with part 3 of this Article for each level of protection shall be established by the federal executive body in charge of security and the federal executive body in charge of technical counter-intelligence and technical protection of information within the limits of their powers.
5. Federal executive bodies which carry out functions involving the formulation of state policy and normative legal regulation in the designated sphere of activity, state government bodies of constituent entities of the Russian Federation, the Bank of Russia, bodies of state non-budgetary funds and other state bodies shall, within the limits of their powers, adopt normative legal acts in which they identify what threats to the security of personal data are present in connection with the processing of personal data in personal data filing systems used in particular types of activity, taking into account the content of personal data and the nature and methods of the processing of personal data.
6. In addition to the threats to the security of personal data which are identified in normative legal acts adopted in accordance with part 5 of this Article, associations, unions and other amalgamations of operators may issue decisions identifying further threats to the security of personal data which are present in connection with the processing of personal data in personal data filing systems used in particular types of activity by members of those associations, unions and other amalgamations of operators, taking into account the content of personal data and the nature and methods of the processing of personal data.
7. Drafts of normative legal acts such as are referred to in part 5 of this Article shall be agreed with the federal executive body in charge of security and the federal executive body in charge of technical counter-intelligence and technical protection of information. Drafts of decisions such as are referred to in part 6 of this Article shall be agreed with the federal executive body in charge of security and the federal executive body in charge of technical counter-intelligence and technical protection of information in accordance with the procedure established by the Government of the Russian Federation. A decision of the federal executive body in charge of security and the federal executive body in charge of technical counter-intelligence and technical protection of information not to approve drafts of decisions such as are referred to in part 6 of this Article shall be reasoned.
8. Control and supervision over the performance of organizational and technical measures for ensuring the security of personal data which have been established in accordance with this Article in regard to the processing of personal data in state personal data filing systems shall be exercised by the federal executive body in charge of security and the federal executive body in charge of technical counter-intelligence and technical protection of information within the limits of their powers and without the right to inspect personal data which are processed in the personal data filing systems.
9. The federal executive body in charge of security and the federal executive body in charge of technical counter-intelligence and technical protection of information may, in consideration of the importance and content of personal data being processed, be vested by a decision of the Government of the Russian Federation with powers to monitor the performance of organizational and technical measures for ensuring the security of personal data which have been established in accordance with this Article in regard to the processing of personal data in personal data filing systems which are used in the context of particular activities and which are not state personal data filing systems, without the right to inspect personal data which are processed in the personal data filing systems.
10. Biometric personal data may be used and stored outside personal data filing systems only on such physical data storage media and with the use of such storage technology as ensure the protection of those data against unlawful or accidental access, destruction, alteration, blocking, copying, provision and dissemination.
11. For the purposes of this Article, threats to the security of personal data shall be understood to mean the aggregate of conditions and factors which create a danger of unauthorized, including accidental, access to personal data, which may result in the destruction, alteration, blocking, copying, provision or dissemination of personal data or in other unlawful actions in connection with the processing of those personal data in a personal data filing system. The level of protection for personal data shall be understood to mean an aggregate indicator reflecting the requirements which shall be met in order to neutralize identified threats to the security of personal data while they are being processed in personal data information systems.
Article 20. Obligations of an Operator Upon the Application of or Upon Receipt of a Request from a Personal Data Subject or His Representative, or from the Authorized Body for the Protection of the Personal Data Subjects’ Rights
1. An operator shall be obliged to communicate to a personal data subject or his representative in the manner laid down in Article 14 of this Federal Law information on the possession of personal data relating to that data subject, and to make those personal data available for inspection upon application of the personal data subject or his representative or within thirty days from the date of receipt of a request from the personal data subject or his representative.
2. In the event of a refusal to provide information on the possession of personal data relating to a particular data subject or to provide such personal data to that data subject or his representative upon their application or upon receipt of a request from the personal data subject or his representative, the operator shall be obliged to give a reasoned reply in writing, containing a reference to the provision of part 8 of Article 14 of this Federal Law or of another federal law which is the basis for that refusal, within a period not exceeding thirty days from the day of the application of the personal data subject or his representative or from the date of receipt of the request from the personal data subject or his representative.
3. An operator shall be obliged to make personal data relating to a particular data subject available for inspection by that data subject or his representative free of charge. Within a period not exceeding seven working days from the day on which a subject of personal data or his representative presents evidence that the personal data are incomplete, inaccurate or out-of-date, the operator shall be obliged to make necessary amendments to those personal data. Within a period not exceeding seven working days from the day on which a subject of personal data or his representative presents evidence that the personal data were unlawfully obtained or are not needed for the stated purpose of the processing, the operator shall be obliged to destroy those personal data. The operator shall be obliged to notify the personal data subject or his representative of amendments made and measures taken and to take reasonable measures to notify third parties to whom personal data of that data subject have been transferred.
4. An operator shall be obliged, upon the request of the authorized body for the protection of the personal data subjects’ rights, to supply necessary information to that body within thirty days from the date of receipt of that request.
Article 21. Obligations of an Operator to Remedy Violations of Legislation Committed in the Processing of Personal Data, and to Rectify, Block and Destroy Personal Data
1. In the event that personal data are found to be unlawfully processed, upon the application of the personal data subject or his representative or upon the request of the personal data subject or his representative or of the authorized body for the protection of the personal data subjects’ rights the operator shall be obliged to block unlawfully processed personal data relating to that data subject or to arrange for them to be blocked (if the processing of personal data is carried out by another person acting on the operator’s instructions) from the moment of such application or the moment of the receipt of such request for the period needed for an inspection. In the event that personal data are found to be inaccurate, upon the application of the personal data subject or his representative or upon their request or a request of the authorized body for the protection of the personal data subjects’ rights the operator shall be obliged to block personal data relating to that data subject or to arrange for them to be blocked (if the processing of personal data is carried out by another person acting on the operator’s instructions) from the moment of such application or from the moment of the receipt of such request for the period needed for an inspection, provided that the blocking of personal data does not violate the rights and legitimate interests of the personal data subject or of third parties.
2. In the event that personal data are confirmed as inaccurate, the operator shall be obliged, on the basis of information presented by the personal data subject or his representative or the authorized body for the protection of the personal data subjects’ rights or other necessary documents, to rectify the personal data or to arrange for them to be rectified (if the processing of personal data is carried out by another person acting on the operator’s instructions) within seven working days from the date of presentation of that information, and to remove the block on the personal data.
3. In the event that it is discovered that personal data are being unlawfully processed by an operator or a person acting on the instructions of an operator, the operator shall be obliged, within a period not exceeding three working days from the date of that discovery, to cease the unlawful processing of the personal data or to arrange for the unlawful processing of the personal data to be terminated by the person acting on the operator’s instructions. In the event that it is impossible for the processing of personal data to be made lawful, the operator shall be obliged, within a period not exceeding ten working days from the date of discovery of the unlawful processing of personal data, to destroy those personal data or to arrange for them to be destroyed. The operator shall be obliged to notify the personal data subject or his representative of the remedying of the violations committed or of the destruction of the personal data and, if the application of the personal data subject or his representative or the request of the authorized body for the protection of the personal data subjects’ rights was sent by the authorized body for the protection of the personal data subjects’ rights, to notify that body as well.
4. Where the purpose of the processing of personal data has been achieved, the operator shall be obliged to cease the processing of personal data or arrange for it to be terminated (if the processing of personal data is carried out by another person acting on the operator’s instructions) and to destroy the personal data or arrange for them to be destroyed (if the processing of personal data is carried out by another person acting on the operator’s instructions) within a period not exceeding thirty days from the date of the achievement of the purpose for which the personal data were processed, unless otherwise provided by a contract to which the personal data subject is a party or under which he is a beneficiary or surety or by another agreement between the operator and the personal data subject or unless the operator has the right to process the personal data without the consent of the personal data subject on grounds provided for in this Federal Law or other federal laws.
5. In the event that a personal data subject withdraws his consent to the processing of his personal data, the operator shall be obliged to cease the processing of the personal data or arrange for it to be terminated (if the processing of personal data is carried out by another person acting on the operator’s instructions) and, if the personal data no longer need to be kept for the purposes of the processing of the personal data, to destroy the personal data or arrange for them to be destroyed (if the processing of personal data is carried out by another person acting on the operator’s instructions) within a period not exceeding thirty days from the date of receipt of the above-mentioned withdrawal, unless otherwise provided by a contract to which the personal data subject is a party or under which he is a beneficiary or surety or by another agreement between the operator and the personal data subject or unless the operator has the right to process the personal data without the consent of the personal data subject on grounds provided for in this Federal Law or other federal laws.
6. Where it is impossible for personal data to be destroyed within the time period specified in parts 3 to 5 of this Article, the operator shall block the personal data or arrange for them to be blocked (if the processing of personal data is carried out by another person acting on the operator’s instructions) and ensure that the personal data are destroyed within a period not exceeding six months, unless a different time period is established by federal laws.
Article 22. Notification of the Processing of Personal Data
1. Prior to commencing the processing of personal data, an operator shall be obliged to notify the authorized body for the protection of data subjects of its intention to carry out the processing of personal data, except in the instances envisaged by part 2 of this Article.
2. An operator shall have the right to carry out without notifying the authorized body for the protection of data subjects the processing of personal data:
1) which are processed in accordance with labour legislation;
2) which were obtained by the operator in connection with the conclusion of an agreement to which the subject of the personal data is party, if the personal data are not disseminated, are not supplied to third parties without the consent of the subject of the personal data and are used by the operator solely for the purpose of the performance of that agreement and the conclusion of agreements with the subject of the personal data;
3) which relate to members (participants) of a social association or a religious organization and are processed by the social association or religious organization in question acting in accordance with the legislation of the Russian Federation for the purpose of the achievement of lawful objectives which are provided for by their foundation documents, provided that the personal data are not disseminated or disclosed to third parties without the written consent of the subjects of the personal data;
4) which have been made public by the personal data subject;
5) which include only surnames, first names and patronymics of the subjects of the personal data;
6) which are needed for the one-off admission of a personal data subject onto premises where the operator is situated, or for other similar purposes;
7) which have been included in personal data filing systems which have the status of state automated filing systems in accordance with federal laws, and in state personal data filing systems which were created for the purpose of protecting the security of the state and public order;
8) which are processed without the use of automated equipment in accordance with federal laws or other normative legal acts of the Russian Federation which establish requirements for ensuring the security of personal data when they are being processed and for safeguarding the personal data subjects’ rights;
9) which are processed in cases
provided for in transport safety legislation
of the Russian Federation for
the
purpose of ensuring the stable
and safe operation of the transport complex and protecting the
interests of the individual,
society and the state in the transport sphere against acts
of unlawful interference.
3. The notification provided for in part 1 of this Article shall be sent in the form of a paper document or in the form of an electronic document and shall be signed by an authorized person. The notification shall contain the following information:
1) the name (surname, first name and patronymic) and address of the operator;
2) the purpose of the processing of personal data;
3) the categories of personal data;
4) the categories of data subjects whose personal data are to be processed;
5) the legal basis of the processing of personal data;
6) a list of actions to be performed in relation to personal data and a general description of the methods of processing personal data which are to be used by the operator;
7) a description of the measures provided for in Articles 18.1 and 19 of this Federal Law, including information on the availability of encoding (encryption) tools and the names of those tools;
7.1) the surname, first name and patronymic of the physical person or the name of the organization responsible for organizing the processing of personal data, and their contact telephone numbers, postal addresses and electronic mail addresses;
8) the date on which the processing of personal data is to begin;
9) the period or condition of termination of the processing of personal data;
10) information on whether or not the cross-border transfer of personal data occurs in the course of the processing of personal data;
11) information on measures taken to ensure the security of personal data in accordance with requirements established by the Government of the Russian Federation for the protection of personal data.
4. The authorized body for the protection of the personal data subjects’ rights shall, within thirty days from the date of receipt of a notification of the processing of personal data, enter the details referred to in part 3 of this Article and details of the date on which the notification was sent in the register of operators. Information contained in the register of operators, with the exception of information concerning means of ensuring the security of personal data when they are being processed, shall be publicly available.
5. An operator may not be charged for expenses incurred in connection with the examination of a notification of the processing of personal data by the authorized body for the protection of the personal data subjects’ rights or in connection with the entry of details in the register of operators.
6. In the event that details supplied according to part 3 of this Article are found to be incomplete or inaccurate, the authorized body for the protection of the personal data subjects’ rights shall have the right to require the operator to rectify the details supplied before they are entered in the register of operators.
7. In the event that changes occur in information which is referred to in part 3 of this Article or the processing of personal data is terminated, the operator shall be obliged to notify the authorized body for the protection of the personal data subjects’ rights of this within ten working days from the date on which those changes arise or from the date on which the processing of personal data ceases.
Article 22.1. Persons Responsible for Organizing the Processing of Personal Data at Organizations
1. An operator which is a legal entity shall appoint a person responsible for organizing the processing of personal data.
2. The person responsible for organizing the processing of personal data shall receive instructions directly from the executive body of the organization which is the operator and shall be accountable to that body.
3. An operator shall be obliged to give the person responsible for organizing the processing of personal data the information referred to in part 3 of Article 22 of this Federal Law.
4. A person responsible for organizing the processing of personal data shall be obliged, in particular:
1) to exercise internal control over compliance by the operator and its employees with the legislation of the Russian Federation concerning personal data, including requirements relating to the protection of personal data;
2) to make employees of the operator aware of the provisions of the legislation of the Russian Federation concerning personal data, of by-laws on the processing of personal data and of requirements relating to the protection of personal data;
3) to organize the acceptance and processing of applications and requests from data subjects or their representatives and (or) to exercise control over the acceptance and processing of such applications and requests.
CHAPTER 5. CONTROL AND SUPERVISION OVER THE PROCESSING OF PERSONAL DATA. LIABILITY FOR VIOLATION OF REQUIREMENTS OF THIS FEDERAL LAW
Article 23. The Authorized Body for the Protection of the Personal Data Subjects’ Rights
1. The authorized body for the protection of the personal data subjects’ rights, which shall be charged with providing for control and supervision over the conformity of the processing of personal data to the requirements of this Federal Law, shall be the federal executive body which carries out control and supervision functions in the sphere of information technology and communications.
See the Administrative Order of Roscomnadzor on providing the state function regarding performance of the state supervision over compliance of personal data processing to the requirements of the legislation of the Russian Federation in the field of personal data, which was approved by Decree N 312 issued by Ministry of Telecom & Mass Communications on 14 November 2011.
2. The authorized body for the protection of the personal data subjects’ rights shall examine claims brought by a personal data subject concerning the compatibility of the content of personal data and the methods of processing thereof with the purposes for which they are processed, and shall adopt an appropriate decision.
3. The authorized body for the protection of the personal data subjects’ rights shall have the right:
1) to request from physical persons or legal entities information which is needed in order to exercise its powers, and to receive such information free of charge;
2) to check information contained in a notification of the processing of personal data, or to engage other state bodies to perform such checks within the limits of their powers;
3) to require an operator to rectify, block or destroy inaccurate or unlawfully obtained personal data;
4) to take measures in accordance with the procedure established by the legislation of the Russian Federation to suspend or terminate any processing of personal data which is carried out not in compliance with the requirements of this Federal Law;
5) to file statements of claim with a court in defence of the personal data subjects’ rights, including in defence of the rights of the general public, and to represent the interests of data subjects in court;
5.1) to send the information referred to in clause 7 of part 3 of Article 22 of this Federal Law to the federal executive body in charge of security and the federal executive body in charge of technical counter-intelligence and technical protection of information in line with their sphere of activity;
6) to send a petition to the body which licenses the activities of an operator to consider the possibility of taking measures to suspend or annul the relevant license in accordance with the procedure which is established by the legislation of the Russian Federation if one of the conditions of the license to carry out such activities is a prohibition on the transfer of personal data to third parties without the written consent of the personal data subject;
7) to send materials to public prosecution bodies and other law enforcement bodies in order for a decision to be taken on whether to institute criminal proceedings based on the elements of crimes associated with the violation of the personal data subjects’ rights, according to the authority which is appropriate for a particular case;
8) to submit to the Government of the Russian Federation proposals for improving normative legal regulation of the protection of rights of data subjects;
9) to take administrative action against persons guilty of violating this Federal Law.
4. The confidentiality of personal data shall be ensured in relation to personal data which have become known to the authorized body for the protection of the personal data subjects’ rights in the course of its activities.
5. The authorized body for the protection of the personal data subjects’ rights shall be obliged:
1) to organize protection of the personal data subjects’ rights in accordance with the requirements of this Federal Law and other federal laws;
2) to consider appeals and claims from citizens and legal entities on matters relating to the processing of personal data, and to take decisions based on the consideration of those appeals and claims within the limits of its powers;
3) to maintain a register of operators;
See the Administrative Order of Roscomnadzor on providing the state service “Maintenance of a Register of Operators Processing Personal Data”, which was approved by Decree N 346 issued by Ministry of Telecom & Mass Communications on 21 December 2011.
4) to carry out other measures aimed at improving protection of the personal data subjects’ rights;
5) to take measures in accordance with the procedure established by the legislation of the Russian Federation, on a submission from the federal executive body in charge of ensuring security or the federal executive body in charge of technical counterintelligence and technical protection of information, to bring about the suspension or termination of the processing of personal data;
6) to keep state bodies and data subjects informed, in response to their applications and requests, of the state of affairs with respect to the protection of the personal data subjects’ rights;
7) to perform other duties envisaged by the legislation of the Russian Federation.
5.1 The authorized body for the protection of the personal data subjects’ rights shall co-operate with authorized bodies for the protection of the personal data subjects’ rights in foreign states, and in particular shall engage in the international exchange of information relating to the protection of the personal data subjects’ rights and approve a list of foreign states which provide adequate protection for the personal data subjects’ rights.
6. Decisions of the authorized body for the protection of the personal data subjects’ rights may be appealed against through the courts.
7. The authorized body for the protection of the personal data subjects’ rights shall send a report on its activities on an annual basis to the President of the Russian Federation, the Government of the Russian Federation and the Federal Assembly of the Russian Federation. That report shall be published in mass media.
8. The authorized body for the protection of the personal data subjects’ rights shall be financed from federal budget resources.
9. There shall be created under the authorized body for the protection of the personal data subjects’ rights a voluntary advisory board, the procedure for the formation of which and procedures for the activities of which shall be determined by the authorized body for the protection of the personal data subjects’ rights.
Article 24. Liability for Violation of the Requirements of This Federal Law
1. Persons guilty of violating the requirements of this Federal Law shall bear the liability provided for by the legislation of the Russian Federation.
2. Moral damage caused to a personal data subject as a result of the violation of his rights or the violation of rules for the processing of personal data which are established by this Federal Law and requirements relating to the protection of personal data which have been established in accordance with this Federal Law shall be compensated in accordance with the legislation of the Russian Federation. Compensation for moral damage shall be provided irrespective of whether compensation is provided for material damage and losses suffered by the personal data subject.
CHAPTER 6. FINAL PROVISIONS
Article 25. Final Provisions
1. This Federal Law shall enter into force upon the expiration of one hundred and eighty days after the day of its official publication.
2. After the day of the entry into force of this Federal Law, the processing of personal data which were included in personal data filing systems prior to the day of its entry into force shall be carried out in accordance with this Federal Law.
2.1 Operators which carried out the processing of personal data prior to 1 July 2011 shall be obliged to present the information referred to in clauses 5, 7.1, 10 and 11 of part 3 of Article 22 of this Federal Law to the authorized body for the protection of the personal data subjects’ rights not later than 1 January 2013.
3. Ceased to be in force on 1 July, 2011.
4. Operators which carry out the processing of personal data prior to the entry into force of this Federal Law and continue to carry out such processing after its entry into force shall be obliged, except in the instances envisaged by part 2 of Article 22 of this Federal Law, to send the notification which is envisaged by part 3 of Article 22 of this Federal Law to the authorized body for the protection of the personal data subjects’ rights no later than 1 January 2008.
President of the Russian Federation
V.Putin
Moscow, Kremlin
27 July, 2006
№ 152-FZ