FEDERAL STATUTE
of the Russian Federation
On personal data
Adopted by the State Duma
On 8 July 2006
Approved of by the Council of Federation
On 14 July 2006
Chapter 1. General provisions
Article 1. Competence of the present Federal Act
1. The present Federal Act shall regulate the relations connected with processing of personal data carried out by the federal bodies of state authorities, state authorities of the subjects of the Russian Federation, other state authorities (hereinafter referred to as state authorities), local self-government bodies not included in the system of self-government of municipal authorities (hereinafter referred to as municipal bodies), legal entities, natural persons, using automation devices or without them, if processing of personal data without these devices corresponds to the character of the actions (operations) performed with personal data involving the automation devices.
2. The present Federal Act shall not be applied to the relations arising in the following cases:
1) processing of personal data by natural persons only for personal and family purposes, if this does not breach the rights of the subjects of the personal data;
2) organization of storage, completion, accounting and usage of the document of the Archives Fund of the Russian Federation and other archives documents containing personal data, in accordance with the legislation on the archives business in the Russian Federation;
3) processing of data about natural persons to be included ion the united state registry of sole traders, if this processing is carried out in accordance with the legislation of the Russian Federation in connection with the activity of the natural person as sole trader;
4) processing of persona data referring to the state secret according to the established procedure.
Article 2. Goal of the present Federal Act
The present Federal Act shall be aimed at ensuring of protection of rights and liberties of man and citizen at processing of their personal data, as well as protection of rights to inviolability of their private life, personal and family secret.
Article 3. Basic concepts used in the present Federal Act
The following basic concepts shall be used for purposes of the present Federal Act:
1) personal data - any information referring to a certain natural person of the person identified on the basis of this information (subject of the personal data), including his surname, name, patronymic, year, month, date and place of birth, address, family, social, property status, education, profession, earnings, other information;
2) operator - state or municipal authority, legal entity or natural person organizing and (or) carrying out processing of personal data, as well as determining the goals and content thereof;
3) processing of personal data - actions (operations) with personal data including collection, systematization, accumulation, storage, verification (upgrading, change), usage, distribution (including transfer), depersonalization, blocking, elimination of personal data;
4) distribution of personal data - actions directed to transfer thereof to a certain range of persons (transfer of personal data) or acquaintance therewith of an unlimited range of persons, including publication of the personal data in the mass media, placement thereof in information-telecommunication networks or giving access thereto by any other way;
5) usage of personal data - actions (operations with personal data performed by the operator in order to make decisions or perform other actions generating legal consequences with reference to the subject of the personal data or other persons, or otherwise influencing the rights and liberties of the subject of the personal data or other persons;
6) blocking of personal data - temporary termination of collection, systematization, accumulation, usage, distribution of personal data, as well as transfer thereof;
7) elimination of personal data - actions as a result of which it is impossible to restore the content of the personal data in the information system of personal data, or as a result of which material carriers thereof are eliminated;
8) depersonalization of personal data - actions as a result of which it is impossible to determine reference of the personal data to a certain subject thereof;
9) information system of personal data - information system representing the aggregate of personal data containing in the database, as well as information technologies and technical means ensuring processing of these personal data using automation devices or without them;
10) confidentiality of personal data - an obligatory requirement for the operator or another person having access to personal data not to permit distribution thereof without consent of the subject of the personal data or another legal basis;
11) transboundary transfer of personal data - transfer of personal data by operator across the State Border of the Russian Federation to the state authority of the foreign state, natural person or legal entity of the foreign state;
12) generally accessible personal data - personal data access to which is permitted to an unlimited range of people with the consent of the subject of the personal data or to which the requirement of confidentiality is applied according to the federal acts.
Article 4. Legislation of the Russian Federation in the sphere of personal data
1. Legislation of the Russian Federation in the sphere of personal data is based on the Constitution of the Russian Federation and international treaties of the Russian Federation and consists of the present Federal Act and other federal acts determining the cases and specifics of personal data processing.
2. On the basis and to execution of federal acts the state authorities may adopt, within their competence, normative legal acts on certain questions concerning processing of personal data. Normative legal acts on certain questions concerning processing of personal data may not contain provisions limiting rights of subjects of the personal data.
The above-mentioned normative legal acts should be officially published, except for those or certain provisions of those containing data access to which is restricted by federal acts.
3. Specifics of processing of personal data performed without automation means may be established by federal acts and other normative legal acts of the Russian Federation with the account of the provisions of the present Federal Act.
4. If international treaties of the Russian Federation establish other rules than those provided by the present Federal Act, the rules of the international treaty shall be applied.
Chapter 2. Principles and terms of personal data processing
Article 5. Principles of personal data processing
1. Personal data processing should be carried out on the basis of the following principles:
1) legitimacy of the goals and methods of personal data processing and conscientiousness;
2) compliance of the goals of personal data processing with the goals predetermined and declared during personal data processing, as well as powers of the operator;
3) compliance of the volume and character of personal data under processing, methods of processing with the goals of processing;
4) reliability of personal data, sufficiency for goals of processing, inadmissibility of processing of personal data that are excessive with reference to the goals declared at personal data collection;
5) inadmissibility of combination of data bases of information systems of personal data created for incompatible purposes.
2. Storage of personal data should be ensured in the form making it possible to determine the subject of the personal data not longer than it is necessary for the goals of processing, and they should be eliminated upon achievement of the goals or loss of the necessity of achievement thereof.
Article 6. Terms of personal data processing
1. Processing of personal data may be carried out by the operator with the consent of the subject of the personal data, except for the cases provided by part 2 of the present article.
2. Consent of the subject of the personal data provided by part 1 of the present article shall not be required in the following cases:
1) personal data processing carried out on the basis of the federal act establishing the goal thereof, terms of obtaining of the personal data and the range of subjects whose personal data should be processed, as well as determining the powers of the operator;
2) personal data processing carried out for purposes of performance of a contract where the subject of the personal data is one of the sides;
3) personal data processing carried out for statistical and other scientific purposes subject to obligatory depersonalization of the personal data;
4) personal data processing necessary for protection of the life, health or other vital interests of the subject of the personal data, if it is impossible to obtain consent of the subject of the personal data;
5) personal data processing necessary for delivery of postal mailings by postal organizations, for making by operators of electric communication settlements with users of communication services for the rendered services;
6) personal data processing carried out for purposes of professional activity of journalists or scientific, literature or other creative activities, provided this does not breach the rights and liberties of the subject of the personal data;
7) processing of personal data to be published in accordance with federal acts, including personal data of persons taking state positions, positions of the state civil service, personal data of candidates for elected state or municipal positions.
3. Specifics of processing of special categories of personal data, as well as biometric personal data shall be established in accordance with articles 10 and 11 of the present Federal Act.
4. If on the basis of a contract the operator entrusts processing of personal data to another person, a sufficient term of the contract shall be an obligation to ensure confidentiality of the personal data and safety thereof when processed.
Article 7. Confidentiality of personal data
1. Operators and the third parties having access to personal data should ensure confidentiality of these data, except for the cases provided by part 2 of the present article.
1. Confidentiality of personal data shall not be required:
1) in the case of depersonalization of personal data;
2) with reference to generally accessible personal data.
Article 8. Generally accessible sources of personal data
1. To provide information supply one may create generally accessible sources of personal data (including reference systems and address books). With the written consent of the subject of personal data generally accessible sources of personal data may include his surname, name, patronymic, year and place of birth, address, subscriber’s number, information about profession and other personal data provided by the subject thereof.
2. At any time the data about the subject of personal data may be excluded from the generally accessible sources of personal data at the request of the subject thereof or by the judgement of the court or other empowered state authorities.
Article 9. Consent of the subject of personal data to processing of his personal data
1. The subject of personal data shall make a decision on presentation of his personal data and give consent to processing thereof by his own will and in his interest, except for the cases provided by part 2 of the present article. Consent to processing of the personal data may be recalled by the subject of the personal data.
2. The present Federal Act and other federal acts provide the cases of obligatory presentation of the personal data by the subject thereof for purposes of protection of bases of the constitutional system, morality, health, rights and legal interests of other persons, state defense and security.
3. The obligation of presentation of a proof of getting of a consent of the subject of personal data to processing thereof, and in the case of processing of generally accessible personal data the obligation of proving the fact that the personal data under processing are generally accessible shall be entrusted with the operator.
4. In the cases provided by the present Federal Act processing of personal data shall be carried out only with the written consent of the subject of the personal data. The written consent of the subject of personal data to processing thereof should include:
1) surname, name, patronymic, address of the subject of the personal data, number of the basic identification document, data on the date of issue of this document and the body which issued it;
2) the name (surname, name, patronymic) and address of the operator getting consent of the subject of the personal data;
3) purpose of processing of the personal data;
4) the list of the personal data for processing of which the subject thereof shall give a consent;
5) the list of actions with the personal data the consent is given for, general description of the methods of processing thereof used by the operator;
6) the term during which the consent is valid, as well as the procedure of recall.
5. No additional consent is required for processing of the personal data containing in the written consent of the subject thereof.
6. In the case of incapacity of the subject of personal data the consent to processing thereof shall be given by a legal representative of the subject of the personal data.
7. In the case of death of the subject of personal data the consent to processing thereof shall be given in writing by heirs of the subject of the personal data, if this consent was not given by the subject of the personal data when he was alive.
Article 10. Special categories of personal data
1. Processing of special categories of personal data concerning race, nationality, political, religious or philosophical convictions, health, intimate life shall not be permitted, except for the cases provided by part 2 of this article.
2. Processing of special categories of personal data specified in part 1 of this article shall be permitted in the following cases:
1) the subject of the personal data has given a written consent for performance of his personal data;
2) the personal data are generally accessible;
3) the personal data refer to the state of the health of the subject of the personal data and processing thereof is necessary for protection of his life, health or other vital interests or life, health or other vital interests of other persons, and it is impossible to obtain a consent of the subject of the personal data;
4) processing of the personal data is carried out for medical-preventive purposes, for purposes of establishment of the medical diagnosis, rendering of medical and medical-social services, provided the processing of the personal data is carried out by a person involved in medical activity, who must keep the medical secret in accordance with the legislation of the Russian Federation;
5) processing of the personal data of members (participants) of the public association or religious organization shall be carried out by the corresponding public organization or religious organization acting in accordance with the legislation of the Russian Federation for achieving legal goals provided by their founding documents, provided the personal data will not be distributed without a written consent of the subjects of the personal data;
6) processing of the personal data is necessary to administer justice;
7) processing of the personal data is carried out in accordance with the legislation of the Russian Federation on security, on operative-investigatory activity, as well as in accordance with criminal-executive legislation of the Russian Federation.
3. Processing of personal data on conviction may be carried out by state authorities or municipal bodies within their competence given thereto in accordance with the legislation of the Russian Federation, as well as other persons in the cases and according to the procedure determined according to the federal acts.
4. Processing of special categories of personal data carried out in the cases provided by parts 2 and 3 of this article should be immediately stopped, if the reasons are eliminated as a result of which the processing was carried out.
Article 11. Biometric personal data
1. Data which characterize physiological specifics of man on the basis of which one may establish his personality (biometric personal data) may be processed only with a written consent of the subject of the personal data, except for the cases provided by parts 2 and 3 of this article.
2. Processing of biometric personal data may be carried out without consent of the subject thereof due to administering of justice and in the cases provided by the legislation of the Russian Federation on security, legislation of the Russian Federation on operative-investigatory activity, legislation of the Russian Federation on civil service, criminal-executive legislation of the Russian Federation, legislation of the Russian Federation on the procedure of exit from the Russian Federation and entrance therein.
Article 12. Transboundary transfer of personal data
1. Before starting transboundary transfer of personal data the operator should be sure that the foreign state where the transfer of the personal data is to be carried out ensures adequate protection of rights of the subjects of the personal data.
2. Transboundary transfer of personal data to the territories of foreign states ensuring adequate protection of rights of the subjects of the personal data shall be carried out in accordance with the present Federal Act and may be banned or restricted for purposes of protection of bases of the constitutional system of the Russian Federation, morality, health, rights and legal interests of the citizens, provision of defense and security of the state.
3. Transboundary transfer of personal data to the territories of foreign states which do not ensure adequate protection of rights of the subjects of the personal data may be carried out in the following cases:
1) a written consent of the subject of the personal data;
2) cases provided by international treaties of the Russian Federation on issuance of visas and international treaties of the Russian Federation on rendering legal aid on civil, family and criminal cases;
3) cases provided by federal acts, if it is necessary for purposes of protection of bases of the constitutional system of the Russian Federation, provision of defense and security of the state;
4) performance of a contract where the subject of the personal data is one of the sides;
5) protection of life, health, other vital interests of the subject of the personal data or other persons, if it is impossible to obtain a written consent of the personal data.
Article 13. Specifics of processing of personal data in state or municipal information systems of personal data
1. State authorities, municipal bodies shall create state or municipal information systems of personal data within their competence established by federal acts.
2. Federal Acts may establish specifics of registration of personal data in state or municipal information systems of personal data, including usage of various methods of designation of the subject of personal data the personal data containing in the corresponding state or municipal information systems of personal data belong to.
3. Rights and liberties if man and citizen may not be restricted by the motives connected with usage of various methods of personal data processing or designation of the subject of personal data the personal data containing in the corresponding state or municipal information systems of personal data belong to. It shall not be permitted to use methods of designation of the subject of personal data the personal data containing in the corresponding state or municipal information systems of personal data belong to, which outrage the feelings of the citizens or humiliates human dignity.
4. In order to ensure execution of rights of subjects of personal data in connection with processing thereof in state or municipal information systems of personal data the state registry of the population may be created, the legal status of and procedure of work with which are established by the federal act.
Chapter 3. Rights of the subject of personal data
Article 14. Right of the subject of personal data to access to his personal data
1. The subject of personal data shall have the right to obtain the data about the operator, location thereof, operator’s possessing personal data referring to the corresponding subject of the personal data, to get acquainted with these personal data except the cases provided by part 5 of the present article. The subject of personal data shall have the right to require from the operator verification of his personal data blocking thereof or elimination if the personal data are not full, obsolete, unreliable, illegally obtained or are not necessary for the declared goal of processing, as well as to take legal measures to protect his rights.
2. The data on availability of the personal data should be presented to the subject thereof by the operator in accessible form, and they should not contain personal data referring to other subjects of personal data.
3. Access to the own personal data shall be given to the subject thereof or his legal representative by the operator when the subject of the personal data or his legal representative apply thereto or place his request. The request shall contain the number of the basic identification document of the subject of the personal data or his legal representative, data about the date of issue and the issuing body and the own signature of the subject of the personal data or his legal representative. The request may be sent by e-mail and signed by electronic digital signature in accordance with the legislation of the Russian Federation.
4. The subject of the personal data shall have the right to receive the information concerning processing of his personal data, including the following:
1) confirmation of the fact of processing of personal data by the operator and the purpose of this processing;
2) methods of processing of personal data used by the operator;
3) information about the people who have access to personal data or who may have it;
4) list of the personal data under processing and the source thereof;
5) dates of processing of personal data including the period of storage thereof;
6) data about legal consequences for the subject of the personal data resulting from the processing thereof.
5. The right of the subject of personal data to access to his own personal data shall be restricted in the following cases:
1) processing of the personal data including those obtained as a result of operative-investigatory, counter-intelligence and intelligence activity is carried out for purposes of defense, security of the state and protection of the legal order;
2) processing of the personal data is carried out by the bodies which arrested the subject thereof as suspected of a crime or accused the subject of the personal data of a crime or applied thereto a disciplinary measure before the accusation, except for the cases provided by the criminal-procedural legislation of the Russian Federation, if acquaintance of the suspect or accused with these personal data is permitted;
3) presentation of the personal data breaches the constitutional rights and liberties of other people.
Article 15. Rights of subjects thereof in the case of processing of their own personal data for purposes of promotion of goods, works, services on the market, as well as for purposes of political propaganda
1. Processing of personal data for purposes of promotion of goods, works, services on the market by exercising of direct contacts with potential consumers using communication means, as well as for purposes of political propaganda, shall be permitted only subject to preliminary consent of the subject of the personal data. The above-mentioned processing of the personal data shall be considered as carried out without preliminary consent of the subject of the personal data, if the operator does not prove that this consent was obtained.
2. The operator should promptly stop processing of the personal data specified in part 1 of this article at the request of the subject thereof.
Article 16. Rights of subjects of personal data in the case of making decisions on the basis of exceptionally automated processing of their personal data
1. It shall be prohibited to make decisions generating legal actions with reference to the subject of personal data or otherwise influencing his rights and legal interests on the basis of only automated processing of the personal data, except for the cases provided by part 2 of the present article.
2. The decisions generating legal actions with reference to the subject of personal data or otherwise influencing his rights and legal interests may be made on the basis of only automated processing of the personal data only in the availability of a written consent of the subject of the personal data or in the cases provided by federal acts, establishing also measures for ensuring observance of the rights and legal interests of the subject of the personal data.
3. The operator should explain the subject of personal data the procedure of the decision making on the basis of exclusively automated processing of his personal data and possible legal consequences of this decision, ensure a possibility of claiming against this decision, as well as explain the procedure of defense of the rights and legal interests by the subject of the personal data.
4. The operator should consider the claim specified in part 3 of the present article within 7 working days following the receipt thereof and notify the subject of the personal data on the results of consideration of the claim.
Article 17. Right for protesting against actions or inaction of operator
1. If the subject of personal data thinks that the operator carries out processing of his personal data breaching the requirements of the present Federal Act or otherwise breaches his rights and liberties, the subject of the personal data shall have the right to protest against the operator’s actions or inaction to the authorized body for protection of rights of subjects of personal data or in court.
2. The subject of personal data shall have the right to protection of his rights and legal interests, as well as to reimbursement of the losses and (or) compensation for the moral damage in court.
Chapter 4. Responsibilities of operator
Article 18. Responsibilities of operator in collection of personal data
1. While collecting personal data the operator should supply the information provided by part 4 of article 14 of the present Federal Act to the subject of the personal data, at the request of the latter.
2. If the responsibility of supplying personal data is established by the federal act, the operator should explain the subject of the personal data the legal consequences of the refusal thereof.
3. If the personal data were obtained not from the subject thereof, except for the cases when they were presented to the operator on the basis of a federal act, or if the personal data are generally acceptable, then, before starting processing these personal data, the operator should supply the subject of the personal data with the following information:
1) name (surname, name, patronymic) and address of the operator or his representative;
2) goal of processing of the personal data and its legal grounds;
3) supposed users of the personal data;
4) rights of the subject of the personal data established by the present Federal Act.
Article 19. Measures to provide safety of personal data at processing
1. When processing personal data, the operator should take the necessary organizational and technical measures, as well as use coding (cryptographic) devices to protect the personal data from illegitimate or occasional access thereto, elimination, change, blocking, copying, distribution thereof, as well as other illegitimate actions.
2. The Government of the Russian Federation shall establish the requirements to provision of safety of the personal data processed in the information systems of personal data, requirements to the material carriers of biometric personal data and technologies of storage of these data beyond the information systems of personal data.
3. Control and supervision over performance of the requirements established by the Government of the Russian Federation in accordance with part 2 of the present article shall be carried out by the federal executive authority in charge of provision of security and federal executive authority in charge of counteraction to technical intelligence and technical protection of information within their competence and without the right of acquaintance with the personal data processed in the information systems of data processing.
4. Usage and storage of biometric personal data beyond information systems of personal data may be carried out only on the material carriers of information and using such storage technology, which provide protection of these data from illegitimate or occasional access thereto, elimination, change, blocking, copying, distribution thereof.
Article 20. Responsibilities of the operator in the case of application for or obtaining of requests of subjects of personal data or their legal representatives, as well as of the authorized body for protection of rights of subjects of personal data
1. According to the procedure provided by article 14 of the present Federal Act, the operator should inform the subject of the personal data or his legal representative about the availability of the personal data referring to the corresponding subject thereof, as well as to give an opportunity of acquaintance therewith, if the subject of the personal data or his legal representative apply therefor within ten days following the date of receipt of the request of the subject of the personal data or his legal representative.
2. In the case of rejection of an application of the subject of personal data or his legal representative for the information on the presence of the personal data on the corresponding subject thereof and on the personal data themselves, the operator should give a motivated written reply including the reference to the provision of part 5 of article 14 of the present Federal Act or another federal act, which is the grounds for this rejection, within 7 working days following the date of application of the subject of the personal data or his legal representative or the date of receipt of the request of the subject of the personal data or his legal representative.
3. The operator should give, on a non-paid basis, the subject of the personal data or his legal representative an opportunity of getting acquainted with the personal data referring to the corresponding subject, as well as make the necessary changes therein, eliminate or block certain personal data according to the information provided by the subject thereof or his legal representative, which confirm that the personal data which refer to the corresponding subject and which are processed by the operator are not complete, obsolete, unreliable, illegally obtained or not necessary for the goals of processing. The operator should notify the subject of the personal data or his legal representative and the third parties, whom the personal data of this subject were passed, about the changes made and measures taken.
4. At the request of the authorized body for protection of rights of subjects of personal data the operator should pass there the information necessary for the above-mentioned body to perform his activities within 7 working days following the date of receipt of the request.
Article 21. Responsibilities of the operator for elimination of breaches of the legislation made while processing the personal data and for verification, blocking and elimination thereof
1. In the case of revelation of unreliable personal data or illegitimate actions therewith of the operator at a request of the subject of the personal data or his legal representative or the authorized body for protection of the rights of subjects of personal data, the operator should block the personal data referring to the corresponding subject since the date of the request for the inspection period.
2. In the case of confirmation of the fact of unreliability of personal data the operator should verify them and remove the block on the basis of the documents submitted by the subject of the personal data or his legal representative or the authorized body for protection of the rights of subjects of personal data.
3. In the case of revelation of illegitimate actions with personal data the operator should eliminate the breaches committed within 3 working days following the date of revelation. If the elimination is impossible he should eliminate the personal data within 3 working days following the date of revelation. The operator should notify the subject of the personal data or his legal representative about elimination of the committed breaches or elimination of the personal data, and if the application or request were sent by the authorized body for protection of the rights of subjects of personal data, the mentioned body.
4. As soon ass the goals of processing of the personal data are achieved the operator should immediately stop the processing thereof and eliminated these personal data within 3 working days following the date of achievement, unless otherwise provided by federal acts, and notify the subject of the personal data or his legal representative thereabout, and if the application or request were sent by the authorized body for protection of the rights of subjects of personal data, the mentioned body.
5. If the subject of personal data recalls the consent for processing thereof the operator should stop the processing and eliminate the personal data within 3 working days following the date of arrival of the above-mentioned recall, unless otherwise provided by the agreement between the operator and the subject of the personal data. The operator should notify the subject of the personal data on elimination thereof.
Article 22. Notification of processing of personal data
1. Before starting the processing of the personal data the operator should notify the authorized body for protection of the rights of subjects of personal data on its intention to carry out the processing thereof, except for the cases provided by part 2 of the present article.
2. The operator shall have the right to start processing of the personal data without notification of the authorized body for protection of the rights of subjects of personal data, if they:
1) refer to the subjects of personal data which have labour relations with the operator;
2) are received by the operator on the basis of a contract where the subject of the personal data is one of the sides, if the personal data are not distributed or presented to the third parties without consent of the subject thereof and used by the operator only for performance of this contract and making of contracts with the subject of the personal data;
3) refer to the members (participants) of a public association or religious organization and are processed by the corresponding public association or religious organization acting on the basis of the legislation of the Russian Federation for purposes of achievement of legal interests provided by their founding documents, provided these personal data will not be distributed without a written consent of the subject of the personal data;
4) are generally accessible personal data;
5) include only surnames, names, patronymics of the subjects of the personal data;
6) are necessary for purposes of single entrance of the subject of the personal data into the territory where the operator is located or for other purposes;
7) are included in the information systems of personal data having the status of automated information systems in accordance with the federal acts, as well as in state information systems of personal data created for purposes of security of the state and public order;
8) are processed without usage of the automation devices in accordance with the federal acts or other normative legal acts of the Russian Federation, establishing the requirements to ensuring of safety of personal data at processing and observance of the rights of the subjects of personal data.
3. The notification provided by part 1 should be sent in the written form and signed by a authorized person or by e-mail and signed by electronic digital signature in accordance with the legislation of the Russian Federation. The notification should contain the following data:
1) name (surname, name, patronymic), sender’s address;
2) goal of processing of the personal data;
3) category of the personal data;
4) categories of the subjects of the personal data under processing;
5) legal grounds of processing of the personal data;
6) list of actions with the personal data, general description of the methods of processing of the personal data used by the operator;
7) description of the measures which the operator should take while processing the personal data ro ensure safety thereof;
8) date of beginning of the processing of the personal data;
9) date or term of termination of the processing of the personal data.
4. Within 30 days following the receipt of the notification on processing of personal data the authorized body for protection of the rights of subjects of personal data shall enter the information specified in part 3 of the present article, a swell as the data on the date of sending of this notification into the registry of operators. The information included in the registry of operators, except for the data on the means of ensuring of safety of personal data at processing shall be generally accessible.
5. The operator should not incur losses connected with consideration of the notification on processing of personal data by the authorized body for protection of the rights of subjects of personal data, as well as connected with entering of the information into the registry of operators.
6. In the case of submission of incomplete or unreliable data specified in part 3 of the present article the authorized body for protection of the rights of subjects of personal data shall have the right to require verification of the submitted information before entering in the registry of operators.
7. In the case of change of the information specified in part 3 of the present article the operator should notify the authorized body for protection of the rights of subjects of personal data thereabout within ten working days following the date of making of the changes.
Chapter 5. Control and supervision over processing of personal data.
Responsibility for breach of the requirements of the present Federal Act
Article 23. Authorized body for protection of the rights of subjects of personal data
1. The authorized body for protection of the rights of subjects of personal data entrusted with provision of control and supervision over compliance of processing of personal data with the requirements of the present Federal Act shall be a federal executive authority for control and supervision in the sphere of information technologies and communication.
2. The authorized body for protection of the rights of subjects of personal data shall consider applications of subjects of personal data for compliance of the content and methods of processing thereof with the goals of processing and make corresponding decisions.
3. The authorized body for protection of the rights of subjects of personal data shall have the right:
1) to ask natural persons and legal entities for information necessary for realization of their powers and obtain this information on a non-paid basis;
2) to check the data included in the notification on processing of the personal data or attract other state authorities thereto within their competence;
3) to require from the operator verification, blocking or elimination of unreliable or illegally obtained personal data;
4) to take legally established measures for suspension or termination of processing of the personal data carried out with breach of the requirements of the present Federal Act;
5) to file an action for protection of rights of subjects of personal data and represent interests thereof in court;
6) to send applications to the body carrying out licensing of the operator’s activity for taking measures for suspension of the effect or annulment of a corresponding license according to the procedure established by the legislation of the Russian Federation, if the license provides ban for transfer of the personal data to the third parties without a written consent of the subject thereof;
7) to send materials to the public prosecutor and other law enforcement bodies to make decisions on initiation of criminal procedures following the signs of crimes connected with breach of the rights of subjects of personal data, in accordance with their competence;
8) to make proposals to the Government of the Russian Federation on improvement of normative legal regulation of protection of the rights of subjects of personal data;
9) to call persons guilty of breaching the present Federal Act to administrative responsibility.
4. Confidentiality should be ensured with reference to the personal data, which became known to the authorized body for protection of the rights of subjects of personal data during performance of its activities.
5. The authorized body for protection of the rights of subjects of personal data should:
1) organize protection of subjects of personal data in accordance with the requirements of the present Federal Act and other federal acts;
2) consider complaints and applications of citizens or legal entities referring to processing of personal data and make decisions on the results of consideration of the above complaints and applications within its competence;
3) keep the registry of operators;
4) take measures for improvement of protection of the rights of subjects of personal data;
5) take measures for suspension or termination of processing of personal data at presentation of the federal executive authority for provision of security or the federal executive authority for counteracting technical intelligence and technical protection of information, according to the legally established procedure;
6) inform state authorities and subjects of personal data, at their applications or requests, on the situation with protection of the rights of subjects of personal data;
7) perform other legally provided obligations.
6. The decisions of the authorized body for protection of the rights of subjects of personal data may be protested against in court.
7. The authorized body for protection of the rights of subjects of personal data shall send an annual report on its activity to the President of the Russian Federation, Government of the Russian Federation and Federal Assembly of the Russian Federation. This report should be published in the mass media.
8. The authorized body for protection of the rights of subjects of personal data shall be financed from the federal budget.
9. A consultative committee should be organized at the authorized body for protection of the rights of subjects of personal data on a public basis, whose procedure of formation and activities shall be determined by the authorized body for protection of the rights of subjects of personal data.
Article 24. Responsibility for breach of the requirements of the present Federal Act
Persons guilty of breaching the requirements of the present Federal Act shall bear civil, criminal, administrative, disciplinary and other legally provided responsibility.
Chapter 6. Final provisions
Article 25. Final provisions
1. The present Federal Act shall come into force upon expiration of 80 days after the date of its official publication.
2. After the date of enforcement of the present Federal Act processing of the personal data included in the information systems of personal data before the date of its enforcement shall be carried out in accordance with the present Federal Act.
3. information systems of personal data created before the date of enforcement of the present Federal Act should be brought in line with the requirements of the present Federal Act not later than 1 January 2010.
4. Operators which carry out processing of personal data before the enforcement of the present Federal Act and carry out this processing after the date of its enforcement should send a notification provided by part 3 of article 22 of the present Federal Act to the authorized body for protection of the rights of subjects of personal data not later than 1 January 2008, except for the cases provided by part 2 of article 22 of the present Federal Act.
President of the Russian Federation
V. Putin
Moscow, Kremlin
27 July 2006
N 152-FZ
Translated by the Institute for Information Freedom Development (www.svobodainfo.org)
Page URL: < http://www.svobodainfo.org/info/page/ENG?tid=633200060&nd=6365434 >