Consent to transfer of personal data

PRINCIPLES AND TERMS OF PERSONAL DATA PROCESSING

Federal Law of 27 July 2006 N 152-FZ ON PERSONAL DATA

Adopted by the State Duma on 8 July 2006
Approved by the Federation Council on 14 July 2006

(as amended by Federal Laws of 25.11.2009 N 266-FZ,
of 27.12.2009 N 363-FZ, of 28.06.2010 N 123-FZ,
of 27.07.2010 N 204-FZ, of 27.07.2010 N 227-FZ,
of 29.11.2010 N 313-FZ, of 23.12.2010 N 359-FZ,
of 04.06.2011 N 123-FZ, of 25.07.2011 N 261-FZ).


CHAPTER 1. GENERAL PROVISIONS


Article 1. Scope of Application of the Federal Law

1. This Federal Law regulates activities related to the processing of personal data by federal state government bodies, state government bodies of constituent entities of the Russian Federation and other state bodies (hereinafter referred to as "state bodies"), by local government bodies (hereinafter referred to as "municipal bodies"), by legal entities and physical persons, both automatically, including in data telecommunications networks, and manually, provided that manual data processing is by its nature similar to automatic data processing, i.e. allows users to search personal data recorded in tangible medium or contained in card-catalogues or other systematized collections of personal data in accordance with the specified algorithm and (or) to have access to such personal data.


2. This Federal Law does not apply to activities related to: 
1) personal data processing by individuals exclusively for personal or family needs, provided that such processing does not infringe upon the rights of individuals whose data are being processed;
2) storage, arrangement, registration and use of personal data contained in the files kept by the State Archives of the Russian Federation and in other archive files as envisaged by the Russian laws on the archive system;
3) ceased to be in force on 1 July, 2011;
4) processing of personal data which are referred to state secrecy according to the established procedure;
5) provision by authorised bodies of information on the activities of courts in the Russian Federation in accordance with the Federal law of 22 December, 2008 N 262-FZ “About provision of access to the information on courts’ activities in the Russian Federation”.

Article 2. Purpose of the Federal Law

The purpose of this Federal Law is to procure the protection of a person's rights and liberties while processing his/her personal data, including the right to privacy, personal and family secrecy.

Article 3. Basic Terms of the Federal Law

In this Federal Law the following main terms are used:
1) personal data – any information referring directly or indirectly to a particular or identified individual (hereinafter referred to as "personal data subject"); 
2) operator – state agency, municipal authority, legal entity or individual who independently or in cooperation with other entities organizes and/or processes personal data as well as determines the purposes and scope of personal data processing;
3) personal data processing – any action (operation) or a combination of actions (operations) performed both automatically and manually with personal data, including collection, recording, arrangement, accumulation, storage, specification (updating, changing), extraction, use, distribution (including transfer), anonymizing, blocking and destruction of personal data;
4) automated personal data processing - personal data processing by means of computer technology;
5) distribution of personal data – actions related to making the data available to indefinite range of persons;
6) provision of personal data – actions related to making the data available to a definite person or a definite range of persons;
7) blocking of personal data – the temporary cessation of personal data processing (except for the cases when the processing is needed for personal data specification);
8) destruction of personal data – actions performed on personal data contained in the respective database that prevent such data from being restored and (or) actions aimed at the physical destruction of the tangible medium of personal data;
9) anonymization of personal data – actions performed on personal data that do not permit the identity of the individual concerned to be verified solely from such anonymized data; 
10) personal data information system – a database that contains personal data as well as information technologies and hardware used for data processing;
11) cross-border transfer of personal data – cross-border transfer of personal data to a foreign state agency, foreign legal entity or individual located in a foreign state.

Article 4. Legislative Grounds for Protection of Personal Data in the Russian Federation

1. The Russian legislation on data protection is based on the Constitution of the Russian Federation and international treaties entered into by the Russian Federation and comprises this Federal Law and other federal laws which regulate particular issues related to personal data processing.
See the Convention of European Council on protection of individuals whose data are being processed automatically (Strasbourg, 28 January 1981).


2. On the grounds of and pursuant to the federal laws, state agencies, the Bank of Russia and local authorities may, within the scope of their competence, adopt regulatory legal acts, normative acts, legislative acts (hereinafter referred to as regulations) with respect to particular issues related to personal data processing. Such regulations shall not include provisions that would restrict personal data subjects’ rights, place limitations on operators’ activities which are not provided by federal laws, or impose responsibilities on operators which are not provided by federal laws, and shall be subject to official publishing.


3. The specific features of personal data manual processing may be prescribed by federal laws and other regulations of the Russian Federation with account of the provisions of this Federal Law.


4. If international treaties entered into by the Russian Federation establish regulations different from those provided by this Federal Law, the regulations of such international treaties shall be applied.

CHAPTER 2. PRINCIPLES AND CONDITIONS OF PERSONAL DATA PROCESSING


Article 5. Principles of processing personal data

1. The processing of personal data must be carried out in a lawful and fair manner.

2. Processing of personal data must be limited to the achievement of specific, pre-determined and legitimate purposes. It is not allowed to process personal data incompatible with the purposes of collecting personal data.

3. It is not allowed to combine databases containing personal data, processing of which is carried out for purposes incompatible with each other.

4. Only personal data that meet the objectives of their processing are subject to processing.

5. The content and volume of processed personal data must correspond to the stated processing objectives. Processed personal data should not be redundant in relation to the stated purposes of their processing.

6. When processing personal data, the accuracy of personal data, their sufficiency, and, if necessary, the relevance to the purposes of processing personal data must be ensured. The operator must take the necessary measures or ensure their acceptance for the removal or refinement of incomplete or inaccurate data.

7. Personal data must be stored in a form that allows the subject of personal data to be identified for no longer than the purpose of processing personal data requires, unless the period of storage of personal data is established by a federal law or by a contract under which the subject of personal data is a beneficiary or guarantor. The processed personal data shall be destroyed or depersonalized upon the achievement of the processing objectives or in the event of the loss of the need to achieve these goals, unless otherwise provided by federal law.

Article 6. Conditions for processing personal data

1. The processing of personal data must be carried out in compliance with the principles and rules provided for by this Federal Law. Processing of personal data is allowed in the following cases:
1) the processing of personal data is carried out with the consent of the subject of personal data to the processing of his personal data;
2) the processing of personal data is necessary to achieve the objectives stipulated by the international treaty of the Russian Federation or the law for the implementation and performance of functions, powers and duties imposed by the legislation of the Russian Federation on the operator;
3) the processing of personal data is necessary for the administration of justice, the enforcement of a judicial act, an act of another body or official subject to enforcement in accordance with the law of the Russian Federation on enforcement proceedings (hereinafter - the execution of a judicial act);
4) the processing of personal data is necessary for the exercise of the powers of federal executive bodies, bodies of state extra-budgetary funds, executive bodies of state power of the subjects of the Russian Federation, local self-government bodies and the functions of organizations participating in the provision of state and municipal services, respectively, provided for by the Federal Law of the Russian Federation of 27 July 2010 № 210-FZ "On the organization of the provision of state and municipal services", including single registration of the subject of personal data on a single portal of public and municipal services and (or) regional portals of state and municipal services;
5) the processing of personal data is necessary for the performance of a contract to which the subject of personal data or a beneficiary or guarantor is a party, as well as for the conclusion of a contract on the initiative of a personal data subject or a contract whereby the personal data subject will be a beneficiary or a guarantor;
6) processing of personal data is necessary to protect the life, health or other vital interests of the subject of personal data, if obtaining the consent of the subject of personal data is impossible;
7) the processing of personal data is necessary for the exercise of the rights and legitimate interests of the operator or third parties, including in the cases provided for by the Federal Law "On the Protection of Rights and Legal Interests of Individuals in the Activities of Return of Overdue Indebtedness and on Amending the Federal Law 'On Microfinance Activities and Microfinance Organizations'", or to achieve socially significant goals, provided that this does not violate the rights and freedoms of the subject of personal data;
8) the processing of personal data is necessary to carry out the professional activities of a journalist and (or) lawful activity of a mass media or scientific, literary or other creative activity, provided that the rights and lawful interests of the subject of personal data are not thereby violated;
9) processing of personal data is carried out for statistical or other research purposes, with the exception of the purposes specified in Article 15 of this Federal Law, subject to obligatory depersonalization of personal data;
10) processing of personal data to which access of an unlimited circle of persons is provided by the subject of personal data or at his request (hereinafter - personal data made publicly available by the subject of personal data);
11) processing of personal data subject to publication or mandatory disclosure in accordance with federal law.

2. The peculiarities of processing special categories of personal data, as well as biometric personal data, are established in accordance with Articles 10 and 11 of this Federal Law.

3. The operator has the right to entrust the processing of personal data to another person with the consent of the personal data subject, unless otherwise stipulated by federal law, on the basis of a contract concluded with this person, including a state or municipal contract, or by the adoption of a relevant act by the state or municipal body (hereinafter - the instruction of the operator). A person carrying out the processing of personal data on behalf of the operator is obliged to comply with the principles and rules for the processing of personal data provided for by this Federal Law. The instruction of the operator must determine the list of actions (operations) with personal data that will be performed by the person processing personal data and the purpose of processing, must establish that such a person must respect the confidentiality of personal data and ensure the safety of personal data when processing them, and must specify the requirements for the protection of personal data processed in accordance with Article 19 of this Federal Law.

4. A person carrying out the processing of personal data on behalf of the operator is not obliged to obtain the consent of the personal data subject to processing his personal data.

5. In the event that the operator instructs the processing of personal data to another person, the operator is liable to the personal data subject for the actions of the specified person. The person carrying out the processing of personal data on behalf of the operator is responsible to the operator.

Article 7. Confidentiality of personal data

Operators and other persons who have access to personal data must not disclose to third parties or disseminate personal data without the consent of the personal data subject, unless otherwise provided by federal law.


Article 8. Public sources of personal data

1. For the purposes of information support, public sources of personal data (including directories, address books) can be created. With the written consent of the personal data subject, public sources of personal data may include his surname, first name, patronymic, year and place of birth, address, subscriber number, information about the profession and other personal data reported by the subject of personal data.

2. Information on the subject of personal data must be deleted at any time from publicly available personal data sources at the request of the personal data subject or by a court or other authorized government agency.

Article 9. Consent of the subject of personal data to the processing of his personal data

1. The subject of personal data makes a decision to provide his personal data and agrees to their processing freely, by his own will and in his interest. Consent to the processing of personal data must be specific, informed and conscious. Consent to the processing of personal data may be given by the subject of personal data or his representative in any form that allows to confirm the fact of its receipt, unless otherwise provided by federal law. In case of consent to the processing of personal data from the representative of the personal data subject, the authority of this representative to consent in the name of the subject of personal data is checked by the operator.

2. Consent to the processing of personal data may be withdrawn by the subject of personal data. In the event that the subject of personal data withdraws consent to the processing of personal data, the operator is entitled to continue processing personal data without the consent of the personal data subject in the presence of grounds specified in clauses 2 to 11 of Part 1 of Article 6, part 2 of Article 10 and part 2 of Article 11 of this Federal Law.

3. The obligation to provide evidence of the consent of the subject of personal data to the processing of his personal data or evidence of the grounds specified in clauses 2 to 11 of part 1 of Article 6, part 2 of Article 10 and part 2 of Article 11 of this Federal Law is vested in the operator.

4. In cases provided for by federal law, the processing of personal data is carried out only with the consent of the subject of personal data in writing. Consent in the form of an electronic document signed in accordance with federal law by an electronic signature is recognized as equivalent to consent in writing on paper containing the personal signature of the subject of personal data. The written consent of the subject of personal data to the processing of his personal data must include, in particular:
1) the surname, first name, patronymic, address of the personal data subject, the number of the main document certifying his identity, information on the date of issue of the said document and the issuing body;
2) the surname, name, patronymic, address of the representative of the personal data subject, the number of the main document certifying his identity, information on the date of issue of the said document and the issuing body, requisites of the power of attorney or other document confirming the authority of that representative (upon obtaining consent from the representative of the subject of personal data);
3) the name or surname, name, patronymic and address of the operator receiving the consent of the personal data subject;
4) the purpose of processing personal data;
5) the list of personal data, for the processing of which the consent of the subject of personal data is given;
6) the name or surname, name, patronymic and address of the person carrying out the processing of personal data on behalf of the operator, if processing is entrusted to such person;
7) a list of actions with personal data, on the fulfillment of which consent is given, a general description of the methods used by the operator for processing personal data;
8) the period during which the consent of the subject of personal data is in force, as well as the manner of its withdrawal, unless otherwise provided by federal law;
9) signature of the subject of personal data.

5. The procedure for obtaining the consent of the subject of personal data in the form of an electronic document for the processing of his personal data for the purpose of providing state and municipal services, as well as services that are necessary and mandatory for the provision of state and municipal services, is established by the Government of the Russian Federation.

6. In the case of the incapacity of the subject of personal data, consent to the processing of his personal data is given by the legal representative of the subject of personal data.

7. In the event of the death of a personal data subject, the heirs of the personal data subject shall consent to the processing of his personal data, unless such consent was given by the subject of personal data during his life.

8. Personal data may be received by the operator from a person who is not a subject of personal data, provided that the operator is provided with evidence of the grounds specified in clauses 2-11 of part 1 of Article 6, part 2 of Article 10 and part 2 of Article 11 of this Federal Law.

Article 10. Special categories of personal data

1. Processing of special categories of personal data relating to race, nationality, political views, religious or philosophical beliefs, health status, intimate life is not allowed, except as provided for in part 2 of this article.

2. Processing of special categories of personal data specified in subsection (1) of this section shall be permitted in cases where:
1) the subject of personal data has given his consent in writing to the processing of his personal data;
2) personal data is made publicly available by the subject of personal data;
2.1) processing of personal data is necessary in connection with the implementation of international treaties of the Russian Federation on readmission;
2.2) processing of personal data is carried out in accordance with the Federal Law of the Russian Federation of January 25, 2002 No. 8-FZ "On the All-Russian Population Census";
2.3) processing of personal data is carried out in accordance with the legislation on state social assistance, labor legislation, pension legislation of the Russian Federation;
3) the processing of personal data is necessary to protect the life, health or other vital interests of the subject of personal data or the life, health or other vital interests of others and obtaining the consent of the personal data subject is impossible;
4) the processing of personal data is carried out for medical and preventive purposes, with a view to establishing a medical diagnosis, the provision of medical and medico-social services, provided that the processing of personal data is carried out by a person professionally engaged in medical activities and obliged in accordance with the legislation of the Russian Federation to keep medical secrecy;
5) the processing of personal data of members (participants) of a public association or religious organization is carried out by the relevant public association or religious organization acting in accordance with the legislation of the Russian Federation to achieve legitimate aims stipulated in their constituent documents, provided that personal data will not be distributed without the written consent of the subjects of personal data;
6) the processing of personal data is necessary to establish or implement the rights of the subject of personal data or third parties, as well as in connection with the implementation of justice;
7) the processing of personal data is carried out in accordance with the legislation of the Russian Federation on defense, on security, on countering terrorism, on transport security, on countering corruption, on operational search activities, on enforcement proceedings, and on penal enforcement legislation of the Russian Federation;
7.1) the processing of personal data obtained in the cases established by the legislation of the Russian Federation is carried out by the prosecutor's office in connection with the exercise of the prosecutor's supervision by them;
8) processing of personal data is carried out in accordance with the legislation on compulsory types of insurance, with insurance legislation;
9) the processing of personal data is carried out in cases provided for by the legislation of the Russian Federation, state bodies, municipal bodies or organizations with a view to the placement of children left without parental care, for the education of citizens in families;
10) the processing of personal data is carried out in accordance with the legislation of the Russian Federation on the citizenship of the Russian Federation.

3. Processing of personal data on a criminal record can be carried out by state bodies or municipal authorities within the limits of the powers granted to them in accordance with the legislation of the Russian Federation, as well as by other persons in cases and in the manner determined in accordance with federal laws.

4. Processing of special categories of personal data, carried out in the cases provided for in subsections (2) and (3) of this section, shall be immediately terminated if the reasons for the processing are eliminated, unless otherwise provided for by federal law.

Article 11. Biometric personal data

1. Information that characterizes the physiological and biological characteristics of a person on the basis of which it is possible to establish his identity (biometric personal data) and which is used by the operator to establish the identity of the subject of personal data can be processed only with the written consent of the subject of personal data, except in cases provided for by Part 2 of this Article.

2. Processing of biometric personal data may be carried out without the consent of the subject of personal data in connection with the implementation of international treaties of the Russian Federation on readmission, in connection with the implementation of justice and the execution of judicial acts, as well as in cases provided for by the legislation of the Russian Federation on defense, on counteracting terrorism, on transport security, on countering corruption, on operational search activities, on public service, by the penal enforcement legislation of the Russian Federation, and by the legislation of the Russian Federation on the procedure of exit from the Russian Federation and entry into the Russian Federation and on citizenship of the Russian Federation.

Article 12. Transboundary transfer of personal data

1. The cross-border transfer of personal data to the territory of foreign states that are parties to the Council of Europe Convention on the Protection of Individuals with regard to Automatic Processing of Personal Data and other foreign countries that provide adequate protection for the rights of subjects of personal data is carried out in accordance with this Federal Law and may be prohibited or restricted in order to protect the foundations of the constitutional order of the Russian Federation, morality, health, rights and legitimate interests of citizens, national defense and state security.

2. The authorized body for the protection of the rights of personal data subjects approves the list of foreign states that are not parties to the Council of Europe Convention on the Protection of Individuals with regard to Automatic Processing of Personal Data and which provide adequate protection for the rights of subjects of personal data. A State that is not a party to the Council of Europe Convention on the Protection of Individuals with regard to Automatic Processing of Personal Data may be included in the list of foreign States that adequately protect the rights of subjects of personal data, provided that the applicable law and the applicable personal data security measures comply with the provisions of this Convention.

3. Prior to the commencement of cross-border transfer of personal data, the operator must make sure that the foreign state to which the personal data is transferred provides adequate protection of the rights of personal data subjects.

4. Transboundary transfer of personal data to the territory of foreign states that do not provide adequate protection of the rights of subjects of personal data can be carried out in the following cases:
1) the consent in writing of the subject of personal data to the transboundary transfer of his personal data;
2) stipulated by international treaties of the Russian Federation;
3) provided for by federal laws, if necessary in order to protect the foundations of the constitutional system of the Russian Federation, ensure the country's defense and state security, and ensure the safety of the stable and safe functioning of the transport complex, protect the interests of the individual, society and the state in the transport complex from acts of unlawful interference;
4) performance of the contract to which the subject of personal data is a party;
5) protection of life, health, other vital interests of the subject of personal data or other persons when it is impossible to obtain the written consent of the subject of personal data.

Article 13. Features of personal data processing in state or municipal information systems of personal data

1. State bodies and municipal bodies shall create, within the limits of their powers, established in accordance with federal laws, state or municipal information systems of personal data.

2. Federal laws may establish the features of accounting for personal data in state and municipal information systems of personal data, including the use of different ways to indicate the belonging of personal data contained in the relevant state or municipal information system of personal data to a specific subject of personal data.

3. Rights and freedoms of a person and a citizen cannot be limited for reasons related to the use of various methods of processing personal data or of indicating the belonging of personal data contained in the state or municipal information systems of personal data to a specific personal data subject. It is not allowed to use methods of indicating the belonging of personal data contained in the state or municipal information systems of personal data to a specific subject of personal data that insult the feelings of citizens or are humiliating.

4. In order to ensure the realization of the rights of subjects of personal data in connection with the processing of their personal data in the state or municipal information systems of personal data, a state register of the population may be created, the legal status of which and the procedure for working with which are established by federal law.

CHAPTER 3. RIGHTS OF A PERSONAL DATA SUBJECT


Article 14. The right of the subject of personal data to access his personal data

1. The subject of personal data has the right to receive the information specified in part 7 of this article, with the exception of cases provided for in part 8 of this article. The subject of personal data has the right to demand from the operator the specification of his personal data, their blocking or destruction in the event that personal data are incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing, and also to take legal measures to protect his rights.

2. The information specified in subsection (7) of this section shall be provided to the personal data subject by the operator in an accessible form and shall not contain personal data relating to other personal data subjects, unless there are legitimate reasons for disclosing such personal data.

3. The information specified in subsection (7) of this section shall be provided to the personal data subject or his representative by the operator upon request or upon receipt of a request from the personal data subject or his representative. The request must contain the number of the main document certifying the identity of the personal data subject or his representative, information on the date of issue of the specified document and the issuing body, information confirming the participation of the personal data subject in the relations with the operator (contract number, contract date, conditional verbal designation and (or) other information), or information that otherwise confirms the fact of the processing of personal data by the operator, and the signature of the subject of personal data or his representative. The request can be sent in the form of an electronic document and signed by an electronic signature in accordance with the legislation of the Russian Federation.

4. In the event that the information specified in subsection (7) of this section, as well as the personal data being processed, have been provided to the personal data subject at the request of the subject, the personal data subject may reapply to the operator or send him a second request in order to obtain the information specified in part 7 of this article and to become acquainted with such personal data not earlier than thirty days after the initial request or the sending of the initial request, unless a shorter period is established by a federal law, a normative legal act adopted in accordance with it, or a contract to which the subject of personal data is either a beneficiary or a guarantor.

5. The subject of personal data has the right to apply again to the operator or send him a second request in order to obtain the information specified in part 7 of this article, and also for the purpose of acquaintance with the processed personal data, before the expiration of the period specified in subsection (4) of this section, if such information and (or) processed personal data were not provided to him for examination in full following consideration of the initial request. A repeated request, along with the information specified in subsection (3) of this section, shall contain justification for sending the repeated request.

6. The operator has the right to refuse to the subject of personal data in the execution of a repeated request that does not meet the conditions stipulated in parts 4 and 5 of this article. Such refusal should be motivated. The obligation to provide evidence of the reasonableness of the refusal to perform a second request lies with the operator.

7. The subject of personal data has the right to receive information concerning the processing of his personal data, including:
1) confirmation of the fact of personal data processing by the operator;
2) legal grounds and purposes for processing personal data;
3) the purposes and methods of processing personal data used by the operator;
4) the name and location of the operator, information on persons (with the exception of the operator's employees) who have access to personal data or who can disclose personal data on the basis of a contract with the operator or on the basis of a federal law;
5) the processed personal data relating to the relevant personal data subject, the source of their receipt, unless another procedure for the submission of such data is provided for by federal law;
6) the terms of processing of personal data, including the terms of their storage;
7) the procedure for the subject of personal data to exercise the rights provided for by this Federal Law;
8) information on the carried out or expected transboundary data transfer;
9) the name or surname, name, patronymic and address of the person carrying out the processing of personal data on behalf of the operator, if the processing is entrusted or will be entrusted to such person;
10) other information provided for by this Federal Law or other federal laws.

8. The right of the subject of personal data to access his personal data may be restricted in accordance with federal laws, including if:
1) the processing of personal data, including personal data obtained as a result of operational search, counterintelligence and intelligence activities, is carried out for the purposes of national defense, state security and law and order protection;
2) the processing of personal data is carried out by the bodies that detained the personal data subject on suspicion of committing a crime, or brought criminal charges against the subject of personal data, or applied a preventive measure to the subject of personal data before charges were brought, with the exception of cases provided for by the criminal procedural legislation of the Russian Federation in which the suspect or accused is acquainted with such personal data;
3) the processing of personal data is carried out in accordance with the legislation on combating the legalization (laundering) of proceeds from crime and the financing of terrorism;
4) the access of the personal data subject to his personal data violates the rights and legitimate interests of third parties;
5) the processing of personal data is carried out in cases provided for by the legislation of the Russian Federation on transport security in order to ensure the stable and safe operation of the transport complex, protect the interests of the individual, society and the state in the transport complex from acts of unlawful interference.

Article 15. Rights of subjects of personal data when processing their personal data in order to promote goods, works, services on the market, and also for the purposes of political agitation

1. Processing of personal data for the purpose of promoting goods, works, services on the market by making direct contacts with a potential consumer through communication means, and also for the purposes of political agitation is allowed only with the prior consent of the subject of personal data. This processing of personal data is considered to be carried out without the prior consent of the subject of personal data, unless the operator proves that such consent was obtained.

2. The operator must immediately stop, at the request of the subject of personal data, the processing of his personal data specified in part 1 of this article.

Article 16. Rights of subjects of personal data in making decisions based on the exclusively automated processing of their personal data

1. It shall be prohibited for decisions which give rise to legal consequences for a personal data subject or otherwise affect his rights and legitimate interests to be taken solely on the basis of the automated processing of personal data, except in the instances envisaged by part 2 of this Article.

2. A decision which gives rise to legal consequences for a personal data subject or otherwise affects his rights and legitimate interests may be taken solely on the basis of the automated processing of his personal data only if the subject of the personal data has given his written consent or in instances envisaged by federal laws which also establish measures to safeguard the rights and legitimate interests of the subject of the personal data.

3. An operator shall be obliged to make clear to a personal data subject the procedure whereby a decision is taken solely on the basis of the automated processing of his personal data and the possible legal consequences of such a decision, to allow him the opportunity to present an objection against such a decision, and to explain the means by which the personal data subject may protect his rights and legitimate interests.

4. An operator shall be obliged to consider an objection such as is referred to in part 3 of this Article within thirty days from the day of receiving it, and to notify the personal data subject of the results of the consideration of that objection.


Article 17. Right to appeal against actions or omissions of the operator

1. Where a personal data subject believes that an operator is processing his personal data not in compliance with the requirements of this Federal Law or is otherwise violating his rights and freedoms, the personal data subject shall have the right to appeal against the actions or inaction of the operator to the authorized body for the protection of the personal data subjects’ rights or through the courts.

2. A personal data subject shall have the right to protection of his rights and legal interests, including the right to reimbursement for losses and (or) compensation for moral injury through the courts.


Chapter 4. OBLIGATIONS OF THE OPERATOR


Article 18. Obligations of the operator when collecting personal data

1. When collecting personal data, the operator is obliged to provide the subject of personal data at his request with information provided for in part 7 of article 14 of this Federal Law.

2. If the provision of personal data is mandatory in accordance with federal law, the operator is required to explain to the subject of personal data the legal consequences of refusing to provide his personal data.

3. If the personal data is not received from the personal data subject, the operator, except for the cases provided for in subsection (4) of this section, shall, before processing such personal data, provide the personal data subject with the following information:
1) the name or surname, name, patronymic and address of the operator or his representative;
2) the purpose of processing personal data and its legal basis;
3) prospective users of personal data;
4) the rights of the subject of personal data established by this Federal Law;
5) the source of receipt of personal data.

4. The operator is relieved from the duty to provide the subject of personal data with the information specified in part 3 of this article, in cases where:
1) the subject of personal data is notified of the processing of his personal data by the relevant operator;
2) the personal data was received by the operator on the basis of a federal law or in connection with the performance of a contract to which the subject of personal data is a party, beneficiary or guarantor;
3) personal data is made publicly available to the subject of personal data or obtained from a public source;
4) the operator carries out the processing of personal data for statistical or other research purposes, for the professional activities of a journalist or for scientific, literary or other creative activity, provided that the rights and lawful interests of the personal data subject are not violated;
5) the provision to the subject of personal data of the information specified in part 3 of this article, violates the rights and legitimate interests of third parties.

5. When collecting personal data, including through the information and telecommunication network "Internet", the operator must ensure the recording, systematization, accumulation, storage, updating (updating, modification), extraction of personal data of citizens of the Russian Federation using databases located on the territory of the Russian Federation, except for the cases specified in clauses 2, 3, 4, 8 of part 1 of Article 6 of this Federal Law.

Article 18.1. Measures aimed at ensuring that the operator fulfills the obligations provided for by this Federal Law

1. The operator is obliged to take measures that are necessary and sufficient to ensure the fulfillment of the duties provided for by this Federal Law and the normative legal acts adopted in accordance therewith. The operator independently determines the composition and the list of measures necessary and sufficient to ensure the fulfillment of the obligations provided for by this Federal Law and regulatory legal acts adopted in accordance with it, unless otherwise provided by this Federal Law or other federal laws. Such measures may include, in particular:
1) appointment by the operator, being a legal entity, of a person responsible for organizing the processing of personal data;
2) the issuance by the operator, being a legal entity, of documents defining the operator's policy regarding the processing of personal data, local acts on the processing of personal data, and local acts establishing procedures aimed at preventing and detecting violations of the legislation of the Russian Federation, eliminating the consequences of such violations;
3) application of legal, organizational and technical measures to ensure the security of personal data in accordance with Article 19 of this Federal Law;
4) implementation of internal control and (or) audit of compliance of personal data processing with this Federal Law and regulatory legal acts adopted in accordance with it, requirements for the protection of personal data, operator's policy regarding the processing of personal data, local acts of the operator;
5) an assessment of the harm that may be caused to the subjects of personal data in the event of a violation of this Federal Law, the ratio of this harm and measures taken by the operator aimed at ensuring the fulfillment of the obligations provided for by this Federal Law;
6) familiarization of employees of the operator directly processing personal data with the provisions of the legislation of the Russian Federation on personal data, including requirements for the protection of personal data, documents defining the operator's policy regarding the processing of personal data, local acts on the processing of personal data, and (or) training of these workers.

2. The operator is obliged to publish or otherwise provide unrestricted access to the document determining his policy regarding the processing of personal data and to information on the requirements for the protection of personal data. An operator collecting personal data using information and telecommunications networks is required to publish in the relevant information and telecommunications network a document defining its policy regarding the processing of personal data and information on the current requirements for the protection of personal data, as well as to provide access to the specified document using the means of the relevant information and telecommunications network.

3. The Government of the Russian Federation shall establish a list of measures aimed at ensuring the fulfillment of the duties provided for by this Federal Law and regulatory acts adopted in accordance with it, by operators that are state or municipal bodies.

4. The operator is obliged to submit the documents and local acts specified in subsection (1) of this section and (or) otherwise confirm the adoption of the measures specified in subsection (1) of this section upon the request of the authorized body for the protection of the rights of subjects of personal data.

Article 19. Measures to ensure the safety of personal data during processing

1. The operator, when processing personal data, must take the necessary legal, organizational and technical measures, or ensure that they are taken, to protect personal data from unauthorized or accidental access to them, destruction, modification, blocking, copying, provision, dissemination of personal data, as well as from other illegal actions against personal data.

2. Ensuring the security of personal data is achieved, in particular, by:
1) the definition of threats to the security of personal data when processing them in information systems of personal data;
2) use of organizational and technical measures to ensure the safety of personal data when processing them in personal data information systems required to meet the requirements for the protection of personal data, the fulfillment of which is ensured by the levels of protection of personal data established by the Government of the Russian Federation;
3) the use of information protection means that have passed the conformity assessment procedure in the established manner;
4) evaluation of the effectiveness of measures taken to ensure the security of personal data prior to commissioning of the personal data information system;
5) accounting for computer carriers of personal data;
6) detection of unauthorized access to personal data and taking measures;
7) restoration of personal data, modified or destroyed due to unauthorized access to them;
8) establishing rules for access to personal data processed in the personal data information system, as well as ensuring registration and recording of all actions performed with personal data in the personal data information system;
9) control over the measures taken to ensure the security of personal data and the level of security of information systems of personal data.

3. The Government of the Russian Federation, taking into account the possible harm to the subject of personal data, the scope and content of the personal data being processed, the type of activity in which personal data are processed, and the urgency of threats to the security of personal data, shall establish:
1) the levels of protection of personal data when processing them in information systems of personal data, depending on the threats to the security of these data;
2) the requirements for the protection of personal data when processing them in information systems of personal data, the implementation of which provides established levels of protection of personal data;
3) requirements for material carriers of biometric personal data and technologies for storing such data outside of personal data information systems.

4. The composition and content of the requirements for the protection of personal data established by the Government of the Russian Federation in accordance with Part 3 of this Article for each of the levels of protection, organizational and technical measures to ensure the safety of personal data when processed in personal data information systems are established by the federal executive authority authorized in the field of security and the federal executive authority authorized in the field of countering technical intelligence and technical protection of information, within their authority.

5. Federal bodies of executive power that carry out functions to develop state policy and regulatory and legal regulation in the established sphere of activity, state authorities of the constituent entities of the Russian Federation, the Bank of Russia, state extra-budgetary funds and other state bodies, within their authority, adopt normative legal acts in which the threats to the security of personal data are determined that are relevant for the processing of personal data in personal data information systems used in the implementation of the relevant activities, taking into account the content of personal data, the nature and methods of processing them.

6. Along with threats to the security of personal data defined in regulatory legal acts adopted in accordance with Part 5 of this article, associations, unions and other associations of operators have the right, by their decisions, to determine additional threats to the security of personal data relevant to the processing of personal data in personal data information systems maintained in the performance of certain activities by members of such associations, unions and other operators' associations, taking into account the content of the personal data, the nature and methods of their processing.

7. The drafts of normative legal acts specified in part 5 of this article shall be subject to agreement with the federal executive authority authorized in the field of ensuring security and by the federal executive authority authorized in the field of countering technical intelligence and technical protection of information. The draft decisions specified in part 6 of this article are subject to agreement with the federal executive authority authorized in the field of security and the federal executive body authorized to counter technical intelligence and technical protection of information in accordance with the procedure established by the Government of the Russian Federation. The decision of the federal executive body authorized in the field of security and the federal executive body authorized in the field of countering technical intelligence and technical protection of information, on refusal to agree on draft decisions specified in part 6 of this article, should be motivated.

8. The control and supervision of the implementation of organizational and technical measures to ensure the security of personal data established in accordance with this article, when processing personal data in the state information systems of personal data, are carried out by the federal executive body authorized in the field of security and the federal executive body authorized in the field of countering technical intelligence and technical protection of information, within their powers and without the right to get acquainted with the personal data processed in the information systems of personal data.

9. The federal body of executive power authorized in the field of security and the federal executive body authorized to counter technical intelligence and technical protection of information may, by decision of the Government of the Russian Federation, taking into account the significance and content of the processed personal data, be vested with the authority to monitor compliance with the organizational and technical measures to ensure the security of personal data established in accordance with this article during their processing in information systems of personal data operated in the performance of certain types of activities and not being state information systems of personal data, without the right to familiarize themselves with personal data processed in personal data information systems.

10. The use and storage of biometric personal data outside the personal data information systems can only be carried out on such material carriers of information and with the use of such storage technology that protects these data from unauthorized or accidental access to them, their destruction, modification, blocking, copying, provision, distribution.

11. For the purposes of this article, threats to the security of personal data are understood to mean a set of conditions and factors that create the danger of unauthorized, including accidental, access to personal data, which can result in the destruction, modification, blocking, copying, provision, dissemination of personal data, and also other illegal actions when processing them in the personal data information system. The level of protection of personal data is understood to mean a complex indicator that characterizes the requirements, the implementation of which ensures the neutralization of certain threats to the security of personal data when processing them in information systems of personal data.

Article 20. Obligations of an operator Upon the Application of or Upon Receipt of a Request from a personal data subject or His Representative, or from the Authorized Body for the Protection of the personal data subjects’ rights

1. An operator shall be obliged to communicate to a personal data subject or his representative in the manner laid down in Article 14 of this Federal Law information on the possession of personal data relating to that data subject, and to make those personal data available for inspection upon application of the personal data subject or his representative or within thirty days from the date of receipt of a request from the personal data subject or his representative.

2. In the event of a refusal to provide information on the possession of personal data relating to a particular data subject or to provide such personal data to that data subject or his representative upon their application or upon receipt of a request from the personal data subject or his representative, the operator shall be obliged to give a reasoned reply in writing, containing a reference to the provision of part 8 of Article 14 of this Federal Law or of another federal law which is the basis for that refusal, within a period not exceeding thirty days from the day of the application of the personal data subject or his representative or from the date of receipt of the request from the personal data subject or his representative.

3. An operator shall be obliged to make personal data relating to a particular data subject available for inspection by that data subject or his representative free of charge. Within a period not exceeding seven working days from the day on which a subject of personal data or his representative presents evidence that the personal data are incomplete, inaccurate or out-of-date, the operator shall be obliged to make necessary amendments to those personal data. Within a period not exceeding seven working days from the day on which a subject of personal data or his representative presents evidence that the personal data were unlawfully obtained or are not needed for the stated purpose of the processing, the operator shall be obliged to destroy those personal data. The operator shall be obliged to notify the personal data subject or his representative of amendments made and measures taken and to take reasonable measures to notify third parties to whom personal data of that data subject have been transferred.

4. An operator shall be obliged, upon the request of the authorized body for the protection of the personal data subjects’ rights, to supply necessary information to that body within thirty days from the date of receipt of that request.

Article 21. Obligations of an operator to Remedy Violations of Legislation Committed in the Processing of Personal Data, and to Rectify, Block and Destroy Personal Data

 1. In the event that personal data are found to be unlawfully processed, upon the application of the personal data subject or his representative or upon the request of the personal data subject or his representative or of the authorized body for the protection of the personal data subjects’ rights the operator shall be obliged to block unlawfully processed personal data relating to that data subject or to arrange for them to be blocked (if the processing of personal data is carried out by another person acting on the operator’s instructions) from the moment of such application or the moment of the receipt of such request for the period needed for an inspection. In the event that personal data are found to be inaccurate, upon the application of the personal data subject or his representative or upon their request or a request of the authorized body for the protection of the personal data subjects’ rights the operator shall be obliged to block personal data relating to that data subject or to arrange for them to be blocked (if the processing of personal data is carried out by another person acting on the operator’s instructions) from the moment of such application or from the moment of the receipt of such request for the period needed for an inspection, provided that the blocking of personal data does not violate the rights and legitimate interests of the personal data subject or of third parties.

2. In the event that personal data are confirmed as inaccurate, the operator shall be obliged, on the basis of information presented by the personal data subject or his representative or the authorized body for the protection of the personal data subjects’ rights or other necessary documents, to rectify the personal data or to arrange for them to be rectified (if the processing of personal data is carried out by another person acting on the operator’s instructions) within seven working days from the date of presentation of that information, and to remove the block on the personal data.

3. In the event that it is discovered that personal data are being unlawfully processed by an operator or a person acting on the instructions of an operator, the operator shall be obliged, within a period not exceeding three working days from the date of that discovery, to cease the unlawful processing of the personal data or to arrange for the unlawful processing of the personal data to be terminated by the person acting on the operator’s instructions. In the event that it is impossible for the processing of personal data to be made lawful, the operator shall be obliged, within a period not exceeding ten working days from the date of discovery of the unlawful processing of personal data, to destroy those personal data or to arrange for them to be destroyed. The operator shall be obliged to notify the remedying of the violations committed or the destruction of the personal data to the personal data subject or his representative and, if the application of the personal data subject or his representative or the request of the authorized body for the protection of the personal data subjects’ rights were sent by the authorized body for the protection of the personal data subjects’ rights, to that body.

4. Where the purpose of the processing of personal data has been achieved, the operator shall be obliged to cease the processing of personal data or arrange for it to be terminated (if the processing of personal data is carried out by another person acting on the operator’s instructions) and to destroy the personal data or arrange for them to be destroyed (if the processing of personal data is carried out by another person acting on the operator’s instructions) within a period not exceeding thirty days from the date of the achievement of the purpose for which the personal data were processed, unless otherwise provided by a contract to which the personal data subject is a party or under which it is a beneficiary or surety or by another agreement between the operator and the personal data subject or unless the operator has the right to process the personal data without the consent of the personal data subject on grounds provided for in this Federal Law or other federal laws.

5. In the event that a personal data subject withdraws its consent to the processing of his personal data, the operator shall be obliged to cease the processing of the personal data or arrange for it to be terminated (if the processing of personal data is carried out by another person acting on the operator’s instructions) and, if the personal data no longer need to be kept for the purposes of the processing of the personal data, to destroy the personal data or arrange for them to be destroyed (if the processing of personal data is carried out by another person acting on the operator’s instructions) within a period not exceeding thirty days from the date of receipt of the above-mentioned withdrawal, unless otherwise provided by a contract to which the personal data subject is a party or under which it is a beneficiary or surety or by another agreement between the operator and the personal data subject or unless the operator has the right to process the personal data without the consent of the personal data subject on grounds provided for in this Federal Law or other federal laws.

6. Where it is impossible for personal data to be destroyed within the time period specified in parts 3 to 5 of this Article, the operator shall block the personal data or arrange for them to be blocked (if the processing of personal data is carried out by another person acting on the operator’s instructions) and ensure that the personal data are destroyed within a period not exceeding six months, unless a different time period is established by federal laws.

Article 22. Notification of the Processing of Personal Data

1. Prior to commencing the processing of personal data, an operator shall be obliged to notify the authorized body for the protection of data subjects of its intention to carry out the processing of personal data, except in the instances envisaged by part 2 of this Article.

2. An operator shall have the right to carry out without notifying the authorized body for the protection of data subjects the processing of personal data: 
1) which are processed in accordance with labour legislation; 
2) which were obtained by the operator in connection with the conclusion of an agreement to which the subject of the personal data is party, if the personal data are not disseminated, are not supplied to third parties without the consent of the subject of the personal data and are used by the operator solely for the purpose of the performance of that agreement and the conclusion of agreements with the subject of the personal data; 
3) which relate to members (participants) of a social association or a religious organization and are processed by the social association or religious organization in question acting in accordance with the legislation of the Russian Federation for the purpose of the achievement of lawful objectives which are provided for by their foundation documents, provided that the personal data are not disseminated or disclosed to third parties without the written consent of the subjects of the personal data; 
4) which have been made public by the personal data subject; 
5) which include only surnames, first names and patronymics of the subjects of the personal data; 
6) which are needed for the one-off admission of a personal data subject onto premises where the operator is situated, or for other similar purposes; 
7) which have been included in personal data filing systems which have the status of state automated filing systems in accordance with federal laws, and in state personal data filing systems which were created for the purpose of protecting the security of the state and public order; 
8) which are processed without the use of automated equipment in accordance with federal laws or other normative legal acts of the Russian Federation which establish requirements for ensuring the security of personal data when they are being processed and for safeguarding the personal data subjects’ rights;
9) which are processed in cases provided for in transport safety legislation of the Russian Federation for the purpose of ensuring the stable and safe operation of the transport complex and protecting the interests of the individual, society and the state in the transport sphere against acts of unlawful interference.

3. The notification provided for in part 1 of this Article shall be sent in the form of a paper document or in the form of an electronic document and shall be signed by an authorized person. The notification shall contain the following information: 
1) the name (surname, first name and patronymic) and address of the operator; 
2) the purpose of the processing of personal data; 
3) the categories of personal data; 
4) the categories of data subjects whose personal data are to be processed; 
5) the legal basis of the processing of personal data; 
6) a list of actions to be performed in relation to personal data and a general description of the methods of processing personal data which are to be used by the operator; 
7) a description of the measures provided for in Articles 18.1 and 19 of this Federal Law, including information on the availability of encoding (encryption) tools and the names of those tools; 
7.1) the surname, first name and patronymic of the physical person or the name of the organization responsible for organizing the processing of personal data, and their contact telephone numbers, postal addresses and electronic mail addresses; 
8) the date on which the processing of personal data is to begin; 
9) the period or condition of termination of the processing of personal data; 
10) information on whether or not the cross-border transfer of personal data occurs in the course of the processing of personal data; 
11) information on measures taken to ensure the security of personal data in accordance with requirements established by the Government of the Russian Federation for the protection of personal data.

4. The authorized body for the protection of the personal data subjects’ rights shall, within thirty days from the date of receipt of a notification of the processing of personal data, enter the details referred to in part 3 of this Article and details of the date on which the notification was sent in the register of operators. Information contained in the register of operators, with the exception of information concerning means of ensuring the security of personal data when they are being processed, shall be publicly available.

5. An operator may not be charged for expenses incurred in connection with the examination of a notification of the processing of personal data by the authorized body for the protection of the personal data subjects’ rights or in connection with the entry of details in the register of operators.

6. In the event that details supplied according to part 3 of this Article are found to be incomplete or inaccurate, the authorized body for the protection of the personal data subjects’ rights shall have the right to require the operator to rectify the details supplied before they are entered in the register of operators.

7. In the event that changes occur in information which is referred to in part 3 of this Article or the processing of personal data is terminated, the operator shall be obliged to notify the authorized body for the protection of the personal data subjects’ rights of this within ten working days from the date on which those changes arise or from the date on which the processing of personal data ceases.

Article 22.1 Persons Responsible for Organizing the Processing of Personal Data at Organizations

1. An operator which is a legal entity shall appoint a person responsible for organizing the processing of personal data.

2. The person responsible for organizing the processing of personal data shall receive instructions directly from the executive body of the organization which is the operator and shall be accountable to that body.

3. An operator shall be obliged to give the person responsible for organizing the processing of personal data the information referred to in part 3 of Article 22 of this Federal Law.

4. A person responsible for organizing the processing of personal data shall be obliged, in particular:
1) to exercise internal control over compliance by the operator and its employees with the legislation of the Russian Federation concerning personal data, including requirements relating to the protection of personal data; 
2) to make employees of the operator aware of the provisions of the legislation of the Russian Federation concerning personal data, of by-laws on the processing of personal data and of requirements relating to the protection of personal data;
3) to organize the acceptance and processing of applications and requests from data subjects or their representatives and (or) to exercise control over the acceptance and processing of such applications and requests.

CHAPTER 5. CONTROL AND SUPERVISION OVER THE PROCESSING OF PERSONAL DATA. LIABILITY FOR VIOLATION OF REQUIREMENTS OF THIS FEDERAL LAW


Article 23 The Authorized Body for the Protection of the Personal Data Subjects’ Rights

1. The authorized body for the protection of the personal data subjects’ rights, which shall be charged with providing for control and supervision over the conformity of the processing of personal data to the requirements of this Federal Law, shall be the federal executive body which carries out control and supervision functions in the sphere of information technology and communications.

See the Administrative Order of Roscomnadzor on providing the state function of performing state supervision over the compliance of personal data processing with the requirements of the legislation of the Russian Federation in the field of personal data, which was approved by Decree N 312 issued by the Ministry of Telecom & Mass Communications on 14 November 2011.

2. The authorized body for the protection of the personal data subjects’ rights shall examine claims brought by a personal data subject concerning the compatibility of the content of personal data and the methods of processing thereof with the purposes for which they are processed, and shall adopt an appropriate decision.

3. The authorized body for the protection of the personal data subjects’ rights shall have the right: 
1) to request from physical persons or legal entities information which is needed in order to exercise its powers, and to receive such information free of charge; 
2) to check information contained in a notification of the processing of personal data, or to engage other state bodies to perform such checks within the limits of their powers; 
3) to require an operator to rectify, block or destroy inaccurate or unlawfully obtained personal data; 
4) to take measures in accordance with the procedure established by the legislation of the Russian Federation to suspend or terminate any processing of personal data which is carried out not in compliance with the requirements of this Federal Law; 
5) to file statements of claim with a court in defence of the personal data subjects’ rights, including in defence of the rights of the general public, and to represent the interests of data subjects in court; 
5.1) to send the information referred to in clause 7 of part 3 of Article 22 of this Federal Law to the federal executive body in charge of security and the federal executive body in charge of technical counter-intelligence and technical protection of information in line with their sphere of activity; 
6) to send a petition to the body which licenses the activities of an operator to consider the possibility of taking measures to suspend or annul the relevant license in accordance with the procedure which is established by the legislation of the Russian Federation if one of the conditions of the license to carry out such activities is a prohibition on the transfer of personal data to third parties without the written consent of the personal data subject;
7) to send materials to public prosecution bodies and other law enforcement bodies in order for a decision to be taken on whether to institute criminal proceedings based on the elements of crimes associated with the violation of the personal data subjects’ rights, according to the authority which is appropriate for a particular case; 
8) to submit to the Government of the Russian Federation proposals for improving normative legal regulation of the protection of rights of data subjects;
9) to take administrative action against persons guilty of violating this Federal Law.

4. The confidentiality of personal data shall be ensured in relation to personal data which have become known to the authorized body for the protection of the personal data subjects’ rights in the course of its activities.

5. The authorized body for the protection of the personal data subjects’ rights shall be obliged: 
1) to organize protection of the personal data subjects’ rights in accordance with the requirements of this Federal Law and other federal laws; 
2) to consider appeals and claims from citizens and legal entities on matters relating to the processing of personal data, and to take decisions based on the consideration of those appeals and claims within the limits of its powers; 
3) to maintain a register of operators;
4) to carry out other measures aimed at improving protection of the personal data subjects’ rights; 
5) to take measures in accordance with the procedure established by the legislation of the Russian Federation, on a submission from the federal executive body in charge of ensuring security or the federal executive body in charge of technical counterintelligence and technical protection of information, to bring about the suspension or termination of the processing of personal data; 
6) to keep state bodies and data subjects informed, in response to their applications and requests, of the state of affairs with respect to the protection of the personal data subjects’ rights; 
7) to perform other duties envisaged by the legislation of the Russian Federation.

5.1 The authorized body for the protection of the personal data subjects’ rights shall co-operate with authorized bodies for the protection of the personal data subjects’ rights in foreign states, and in particular shall engage in the international exchange of information relating to the protection of the personal data subjects’ rights and approve a list of foreign states which provide adequate protection for the personal data subjects’ rights.

6. Decisions of the authorized body for the protection of the personal data subjects’ rights may be appealed against through the courts.

7. The authorized body for the protection of the personal data subjects’ rights shall send a report on its activities on an annual basis to the President of the Russian Federation, the Government of the Russian Federation and the Federal Assembly of the Russian Federation. That report shall be published in mass media.

8. The authorized body for the protection of the personal data subjects’ rights shall be financed from federal budget resources.

9. There shall be created under the authorized body for the protection of the personal data subjects’ rights a voluntary advisory board, the procedure for the formation of which and procedures for the activities of which shall be determined by the authorized body for the protection of the personal data subjects’ rights.

Article 24 Liability for Violation of the Requirements of This Federal Law

1. Persons guilty of violating the requirements of this Federal Law shall bear the liability provided for by the legislation of the Russian Federation.

2. Moral damage caused to a personal data subject as a result of the violation of his rights or the violation of rules for the processing of personal data which are established by this Federal Law and requirements relating to the protection of personal data which have been established in accordance with this Federal Law shall be compensated in accordance with the legislation of the Russian Federation. Compensation for moral damage shall be provided irrespective of whether compensation is provided for material damage and losses suffered by the personal data subject.

CHAPTER 6. FINAL PROVISIONS


Article 25 Final Provisions 

1. This Federal Law shall enter into force upon the expiration of one hundred and eighty days after the day of its official publication.

2. After the day of the entry into force of this Federal Law, the processing of personal data which were included in personal data filing systems prior to the day of its entry into force shall be carried out in accordance with this Federal Law.

2.1 Operators which carried out the processing of personal data prior to 1 July 2011 shall be obliged to present the information referred to in clauses 5, 7.1, 10 and 11 of part 3 of Article 22 of this Federal Law to the authorized body for the protection of the personal data subjects’ rights not later than 1 January 2013.

3. Ceased to be in force on 1 July, 2011.

4. Operators which carry out the processing of personal data prior to the entry into force of this Federal Law and continue to carry out such processing after its entry into force shall be obliged, except in the instances envisaged by part 2 of Article 22 of this Federal Law, to send the notification which is envisaged by part 3 of Article 22 of this Federal Law to the authorized body for the protection of the personal data subjects’ rights no later than 1 January 2008.


President of the Russian Federation V.Putin
Moscow, Kremlin
27 July, 2006
№ 152-FZ