Page 1

Federal Law of July 27, 2006 N 152-FZ "On Personal Data" (with
changes and additions)
With changes and additions from:
November 25, December 27, 2009, June 28, July 27, November 29, December 23, 2010, June 4, July 25
2011, April 5, July 23, December 21, 2013, June 4, July 21, 2014, July 3, 2016, February 22,
1, 29 July, 31 December 2017, 27 December 2019, 24 April, 8, 30 December 2020

Adopted by the State Duma on July 8, 2006
Approved by the Federation Council on July 14, 2006
GUARANTEE:

See comments to this Federal Law

Chapter 1. General Provisions
Article 1 . Scope of this Federal Law
GUARANTEE:

See comments to Article 1 of this Federal Law
Information about changes:

Federal Law No. 261-FZ of July 25, 2011, part 1 of Article 1 of this
Of the Federal Law is set out in a new edition, which applies to
legal relations arising from July 1, 2011
See the text of the part in the previous edition
1. This Federal Law regulates relations related to
processing of personal data carried out by federal authorities
state authorities, state authorities of the constituent entities of the Russian
Federation, other state bodies (hereinafter - state bodies),
local government bodies, other municipal bodies (hereinafter municipal bodies), legal entities and individuals with
the use of automation tools, including information and
telecommunication networks, or without the use of such means, if the processing
personal data without the use of such means corresponds to the nature
actions (operations) performed with personal data using funds
automation, that is, it allows you to carry out in accordance with a given algorithm
search for personal data recorded on a tangible medium and
contained in card files or other systematized collections of personal
data, and / or access to such personal data.
2. This Federal Law does not apply to relations
arising from:
1) the processing of personal data by individuals solely for
personal and family needs, if this does not violate the rights of subjects of personal
data;
2) the organization of storage, acquisition, accounting and use of containing
personal data of documents of the Archival Fund of the Russian Federation and others
archival documents in accordance with the legislation on archiving in
Russian Federation;
3) became invalid from July 1, 2011;
Information about changes:

Page 2

See text paragraph 3 of part 2
4) the processing of personal data classified in accordance with the established procedure to
information constituting state secrets ;
5) invalidated from August 10, 2017 - Federal Law of July 29, 2017 N 223FZ
Information about changes:

See previous edition
Article 1 is supplemented by part 3 from August 10, 2017 - Federal Law of July 29
2017 N 223-FZ
3. Providing, distributing, transmitting and receiving information about
activities of courts in the Russian Federation containing personal data,
maintenance and use of information systems and information
telecommunication networks in order to create conditions for access to the specified
information are carried out in accordance with the Federal Law of December 22
2008 N 262-FZ "On providing access to information on the activities of courts
In Russian federation".
Article 2 . Purpose of this Federal Law
GUARANTEE:

See comments to Article 2 of this Federal Law
The purpose of this Federal Law is to ensure the protection of the rights and
freedoms of a person and citizen when processing his personal data, including
protection of the rights to privacy, personal and family secrets.
Information about changes:

Federal Law of July 25, 2011 N 261-FZ, Article 3 of this Federal
of the law is set out in a new edition, which applies to legal relations,
arising from July 1, 2011
See the text of the article in the previous edition
Article 3 . Basic concepts used in this Federal Law
GUARANTEE:

See comments to Article 3 of this Federal Law
For the purposes of this Federal Law, the following basic
concepts:
1) personal data - any information relating directly to or
indirectly determined or determined by an individual (subject of personal
data);
Information about changes:

Article 3 is supplemented with clause 1.1 from March 1, 2021 - Federal Law of December 30
2020 N 519-FZ
1.1) personal data permitted by the personal data subject
for distribution, - personal data, access of an unlimited number of persons to
which is provided by the subject of personal data by giving consent to
processing of personal data permitted by the subject of personal data for
spreading in the manner prescribed by this Federal Law;
2) operator - a state body, municipal body, legal or

Page 3

an individual who independently or jointly with other persons organizes and
(or) carrying out the processing of personal data, as well as determining the goals
processing of personal data, the composition of personal data to be processed,
actions (operations) performed with personal data;
3) processing of personal data - any action (operation) or
a set of actions (operations) performed using funds
automation or without using such tools with personal data,
including collection, recording, systematization, accumulation, storage, clarification (updating,
modification), extraction, use, transfer (distribution, provision,
access), depersonalization, blocking, deletion, destruction of personal data;
4) automated processing of personal data - processing
personal data using computer technology;
5) dissemination of personal data - actions aimed at
disclosure of personal data to an indefinite circle of persons;
6) provision of personal data - actions aimed at
disclosure of personal data to a specific person or a specific circle of persons;
7) blocking of personal data - temporary termination of processing
personal data (unless the processing is necessary for
clarification of personal data);
8) destruction of personal data - actions as a result of which
it becomes impossible to restore the content of personal data in
information system of personal data and (or) as a result of which
material carriers of personal data are destroyed;
9) depersonalization of personal data - actions as a result of which
it becomes impossible without using additional information to determine
the ownership of personal data by a specific subject of personal data;
10) personal data information system - a set
contained in the databases of personal data and ensuring their processing
information technology and technical means;
11) cross-border transfer of personal data - transfer of personal
data to the territory of a foreign state to the authority of a foreign
state, foreign individual or foreign legal entity.
Article 4 . The legislation of the Russian Federation in the field of personal
data
GUARANTEE:

See comments to Article 4 of this Federal Law
1. Legislation of the Russian Federation in the field of personal data
based on the Constitution of the Russian Federation and international treaties
Of the Russian Federation and consists of this Federal Law and other
determining the cases and features of the processing of personal data by federal
laws...
GUARANTEE:

See the Council of Europe Convention for the Protection of Natural Persons under Automated
the processing of personal data (Strasbourg, 28 January 1981)
Information about changes:

Federal Law No. 261-FZ of July 25, 2011 Part 2 of Article 4 of this
Of the Federal Law is set out in a new edition, which applies to

Page 4

legal relations arising from July 1, 2011
See the text of the part in the previous edition
2. On the basis of and in pursuance of federal laws, state bodies,
The Bank of Russia, local governments, within the limits of their powers, may
adopt normative legal acts, normative acts, legal acts (hereinafter regulatory legal acts) on specific issues related to processing
personal data. Such acts may not contain provisions limiting
the rights of subjects of personal data that establish not provided
federal laws restrictions on the activities of operators or imposing on
operators not provided for by federal laws obligations, and are subject to
official publication.
3. Features of the processing of personal data, carried out without
use of automation tools may be established by federal
laws and other regulatory legal acts of the Russian Federation, taking into account
provisions of this Federal Law.
4. If an international treaty of the Russian Federation establishes other
rules than those provided for by this Federal Law,
the rules of the international treaty apply.
Information about changes:

Article 4 is supplemented with part 5 from December 8, 2020 - Federal Law of December 8
2020 N 429-FZ
5. Decisions of interstate bodies adopted on the basis of the provisions
international treaties of the Russian Federation in their interpretation, contrary to
Of the Constitution of the Russian Federation, are not subject to execution in the Russian
Federation. Such a contradiction can be established in the orderdefined
federal constitutional law.
Chapter 2. Principles and conditions for the processing of personal data

Information about changes:

Federal Law of July 25, 2011 N 261-FZ, Article 5 of this Federal
of the law is set out in a new edition, which applies to legal relations,
arising from July 1, 2011
See the text of the article in the previous edition
Article 5 . Principles of processing personal data
GUARANTEE:

See comments to Article 5 of this Federal Law
1. The processing of personal data must be carried out on a legal and
fair basis.
2. The processing of personal data should be limited to achieving
specific, predetermined and legitimate purposes. Processing is not allowed
personal data incompatible with the purposes of collecting personal data.
3. It is not allowed to combine databases containing personal data,
the processing of which is carried out for purposes incompatible with each other.
4. Only personal data that meets their goals are subject to processing.
processing.
5. The content and volume of processed personal data must
comply with the stated processing objectives. Processed personal data

Page 5

should not be excessive in relation to the stated purposes of their processing.
6. When processing personal data, accuracy must be ensured
personal data, their sufficiency, and, if necessary, the relevance of
in relation to the purposes of processing personal data. The operator must accept
necessary measures or ensure their adoption to remove or clarify
incomplete or inaccurate data.
7. The storage of personal data should be carried out in a form that allows
identify the subject of personal data, no longer than required by the purpose
processing of personal data, if the period of storage of personal data is not
established by federal law, an agreement, a party to which,
beneficiary or guarantor for which the subject of personal
data. The processed personal data must be destroyed or
depersonalization upon achievement of the processing goals or in case of loss of the need for
achievement of these goals, unless otherwise provided by federal law.
Information about changes:

Federal Law of July 25, 2011 N 261-FZ, Article 6 of this Federal
of the law is set out in a new edition, which applies to legal relations,
arising from July 1, 2011
See the text of the article in the previous edition
Article 6. Conditions for processing personal data
GUARANTEE:

See comments to Article 6 of this Federal Law
1. The processing of personal data must be carried out in compliance with
principles and rules stipulated by this Federal Law. Treatment
personal data is allowed in the following cases:
1) the processing of personal data is carried out with the consent of the subject
personal data for the processing of his personal data;
2) the processing of personal data is necessary to achieve the goals,
provided for by an international treaty of the Russian Federation or by law, for
implementation and implementation of the laws of the Russian Federation
on the operator of functions, powers and duties;
Information about changes:

Clause 3 amended from August 10, 2017 - Federal Law of July 29, 2017 N 223-FZ
See previous edition
3) the processing of personal data is carried out in connection with the participation of the person in
constitutional, civil, administrative, criminal proceedings,
legal proceedings in arbitration courts;
Information about changes:

Part 1 is supplemented with clause 3.1 from August 10, 2017 - Federal Law of July 29
2017 N 223-FZ
3.1) the processing of personal data is necessary for the execution of a judicial act,
act of another body or official, subject to execution in accordance with
the legislation of the Russian Federation on enforcement proceedings (hereinafter execution of a judicial act);
Information about changes:

Federal Law No. 43-FZ of April 5, 2013 to Clause 4 of Part 1 of Article 6
of this Federal Law amended

Page 6

See the text of the paragraph in the previous edition
4) the processing of personal data is necessary for the exercise of powers
federal executive bodies, bodies of state extra-budgetary
funds, executive bodies of state power of the constituent entities of the Russian
Federation, local authorities and functions of organizations participating in
provision of state and municipal services, respectively,
stipulated by the Federal Law of July 27, 2010 N 210-FZ "On
organizing the provision of state and municipal services ", including
registration of the subject of personal data on a single portal of state and
municipal services and (or) regional portals of state and municipal
services;
Information about changes:

Federal Law No. 231-FZ of July 3, 2016 to Clause 5 of Part 1 of Article 6
of this Federal Law, amendments have been made that enter into force on January 1
2017 Nov.
See the text of the paragraph in the previous edition
5) the processing of personal data is necessary for the performance of the contract,
party to which or the beneficiary or guarantor of which is
the subject of personal data, as well as to conclude an agreement on the initiative
the subject of personal data or an agreement, according to which the subject of personal data
will be the beneficiary or guarantor;
6) the processing of personal data is necessary to protect life, health or
other vital interests of the subject of personal data, if obtaining
the consent of the subject of personal data is impossible;
Information about changes:

Federal Law No. 231-FZ of July 3, 2016 to Clause 7 of Part 1 of Article 6
of this Federal Law, amendments have been made that enter into force on January 1
2017 Nov.
See the text of the paragraph in the previous edition
7) the processing of personal data is necessary for the exercise of rights and
the legitimate interests of the operator or third parties, including in cases provided for
Federal Law "On the Protection of the Rights and Legal Interests of Individuals in
carrying out activities for the return of overdue debts and on making
amendments to the Federal Law "On Microfinance Activities and
microfinance organizations ", or to achieve socially significant goals
provided that this does not violate the rights and freedoms of the subject of personal
data;
GUARANTEE:

On the constitutional and legal meaning of the provisions of paragraph 8 of part 1 of Article 6, see Art.
Resolution of the Constitutional Court of the Russian Federation of May 25, 2021 N 22-P
8) the processing of personal data is necessary to carry out
professional activities of a journalist and (or) legal activities of the means
mass media or scientific, literary or other creative activity
provided that this does not violate the rights and legitimate interests of the subject
personal data;
9) the processing of personal data is carried out in statistical or other
research purposes, with the exception of the purposes specified in article 15 of this
Federal law, subject to the mandatory depersonalization of personal data;
Information about changes:

Page 7

Part 1 is supplemented with clause 9.1 from July 1, 2020 - Federal Law of April 24
2020 N 123-FZ
9.1) processing of personal data obtained as a result of anonymization
personal data is carried out in order to improve efficiency
state or municipal administration, as well as for other purposes,
stipulated by the Federal Law "On Conducting an Experiment to Establish
special regulation in order to create the necessary conditions for the development and
introduction of artificial intelligence technologies in the constituent entity of the Russian Federation the city of federal significance Moscow and amendments to Articles 6 and 10
Federal Law "On Personal Data", in the manner and on the terms that
provided for by the specified Federal Law;
10) became invalid from March 1, 2021 - Federal Law of December 30, 2020 N
519-FZ
Information about changes:

See previous edition
11) processing of personal data subject to publication is carried out
or mandatory disclosure in accordance with federal law.
Information about changes:

Federal Law No. 148-FZ of July 1, 2017, Article 6 of this Federal
of the law supplemented with part 1.1
1.1. Processing of personal data of objects of state protection and members
their families is carried out taking into account the specifics provided by the Federal
Law of May 27, 1996 N 57-FZ "On State Protection".
2. Features of processing special categories of personal data, as well as
biometric personal data are established respectively by Articles 10 and
11 of this Federal Law.
3. The operator has the right to entrust the processing of personal data to another person with
consent of the subject of personal data, unless otherwise provided by federal
by law, on the basis of an agreement concluded with this person, including
state or municipal contract, or by adopting a state
or by the municipal authority of the relevant act (hereinafter - the instruction of the operator).
The person who processes personal data on behalf of the operator,
is obliged to comply with the principles and rules for the processing of personal data,
provided for by this Federal Law. The operator's order must
a list of actions (operations) with personal data, which
will be committed by the person processing personal data, and the purpose
processing, the obligation of such person to comply with
confidentiality of personal data and ensure the safety of personal
data during their processing, as well as the requirements for protection
processed personal data in accordance with Article 19 of this
Federal law.
4. The person carrying out the processing of personal data on behalf of
operator is not obliged to obtain the consent of the personal data subject for processing
his personal data.
5. In the event that the operator entrusts the processing of personal data to another
a person, responsibility to the subject of personal data for the actions of the specified
face is borne by the operator. The person who processes personal data on
on behalf of the operator, is responsible to the operator.

Page 8

Information about changes:

Federal Law of July 25, 2011 N 261-FZ, Article 7 of this Federal
of the law is set out in a new edition, which applies to legal relations,
arising from July 1, 2011
See the text of the article in the previous edition
Article 7 . Confidentiality of personal data
GUARANTEE:

See comments to Article 7 of this Federal Law
Operators and other persons who have gained access to personal data are obliged not to
disclose to third parties and not distribute personal data without consent
the subject of personal data, unless otherwise provided by federal law.
Article 8 . Publicly available sources of personal data
GUARANTEE:

See comments to Article 8 of this Federal Law
Information about changes:

Federal Law No. 261-FZ of July 25, 2011 to part 1 of Article 8 of this
Federal Law, amendments have been made that apply to legal relations,
arising from July 1, 2011
See the text of the part in the previous edition
1. For the purpose of information support, publicly available
sources of personal data (including directories, address books). IN
publicly available sources of personal data with the written consent of the subject
personal data may include his last name, first name, patronymic, year and place
birth, address, subscriber number, information about the profession and other personal
data communicated by the subject of personal data.
Information about changes:

Federal Law No. 261-FZ of July 25, 2011 to part 2 of Article 8 of this
Federal Law, amendments have been made that apply to legal relations,
arising from July 1, 2011
See the text of the part in the previous edition
2. Information about the subject of personal data must be available at any time
excluded from publicly available sources of personal data on demand
the subject of personal data or by a court decision or other authorized
government agencies.
Information about changes:

Federal Law of July 25, 2011 N 261-FZ, Article 9 of this Federal
of the law is set out in a new edition, which applies to legal relations,
arising from July 1, 2011
See the text of the article in the previous edition
Article 9 . Consent of the subject of personal data to the processing of it
personal data
GUARANTEE:

See comments to Article 9 of this Federal Law
1. The subject of personal data decides to provide it
personal data and agrees to their processing freely, by his own will and in his

Page 9

interest. Consent to the processing of personal data must be specific,
informed and conscientious. Consent to the processing of personal data may
be given by the subject of personal data or his representative in any
allowing to confirm the fact of its receipt in the form, unless otherwise established
federal law. In case of obtaining consent to the processing of personal data
from the representative of the subject of personal data, the powers of this representative to
consent on behalf of the personal data subject is checked by the operator.
2. Consent to the processing of personal data can be revoked by the subject
personal data. If the subject of personal data withdraws consent to
processing of personal data, the operator has the right to continue processing personal
data without the consent of the subject of personal data if there are grounds specified
in clauses 2 - 11 of part 1 of article 6, part 2 of article 10 and part 2 of article 11 of this
Federal law.
3. Obligation to provide proof of consent of the subject
personal data for the processing of his personal data or evidence
the existence of the grounds specified in clauses 2 - 11 of part 1 of article 6, part 2 of article 10 and
Part 2 of Article 11 of this Federal Law is assigned to the operator.
4. In the cases provided for by federal law, the processing of personal
data is carried out only with the consent in writing of the subject of personal
data. Equivalent to containing the personal signature of the subject of personal
given consent in writing on paper, consent is recognized in
the form of an electronic document signed in accordance with federal law
electronic signature. Consent in writing of the subject of personal data to
the processing of his personal data should include, in particular:
1) last name, first name, patronymic, address of the subject of personal data, number
the main document proving his identity, information on the date of issue
the specified document and the issuing authority;
2) last name, first name, patronymic, address of the representative of the personal data subject,
number of the main document proving his identity, information on the date of issue
of the specified document and the issuing authority, details of the power of attorney or other
document confirming the authority of this representative (upon receipt of consent
from a representative of the subject of personal data);
3) the name or surname, name, patronymic and address of the operator receiving
consent of the subject of personal data;
4) the purpose of the processing of personal data;
5) a list of personal data for the processing of which consent is given
the subject of personal data;
6) the name or surname, name, patronymic and address of the person carrying out
processing of personal data on behalf of the operator, if the processing is
entrusted to such a person;
7) a list of actions with personal data, for the performance of which it is given
consent, a general description of the methods used by the operator for processing personal
data;
8) the period during which the consent of the subject of personal data is valid, and
also the method of its withdrawal, unless otherwise provided by federal law;
9) the signature of the personal data subject.
5. The procedure for obtaining the consent of the subject in the form of an electronic document
personal data for the processing of his personal data in order to provide
state and municipal services, as well as services that are
necessary and obligatory for the provision of state and municipal

Page 10

services established by the Government of the Russian Federation.
6. In case of incapacity of the subject of personal data, consent to
the processing of his personal data is provided by the legal representative of the subject
personal data.
7. In the event of the death of the subject of personal data, consent to the processing of it
personal data are given by the heirs of the personal data subject, if such
consent was not given by the subject of personal data during his lifetime.
8. Personal data can be obtained by the operator from a person who is not
being the subject of personal data, subject to the provision of the operator
confirmation of the existence of the grounds specified in clauses 2 - 11 of part 1 of article 6, part 2
Articles 10 andPart 2 of Article 11 of this Federal Law.
Information about changes:

Article 9 is supplemented with part 9 from March 1, 2021 - Federal Law of December 30
2020 N 519-FZ
9. Requirements for the content of consent to the processing of personal data,
allowed by the subject of personal data for distribution, are established
the authorized body for the protection of the rights of subjects of personal data.
Article 10 . Special categories of personal data
GUARANTEE:

See comments to Article 10 of this Federal Law
Information about changes:

Part 1 modified from July 1, 2020 - Federal Law of April 24, 2020 N 123-FZ
See previous edition
1. Processing of special categories of personal data related to racial,
nationality, political views, religious or philosophical
beliefs, health conditions, intimate life are not allowed, except
cases provided for in parts 2 and 2.1 of this article.
2. Processing of the special categories specified in part 1 of this article
personal data is allowed in cases where:
1) the subject of personal data has given consent in writing to the processing
your personal data;
Information about changes:

Clause 2 amended from March 1, 2021 - Federal Law of December 30, 2020 N 519-FZ
See previous edition
2) processing of personal data permitted by the personal data subject
for distribution, subject to the prohibitions and conditions,
envisaged Article 10.1 of this Federal Law;
Information about changes:

Federal Law No. 266-FZ of November 25, 2009, part 2 of Article 10 of this
Federal Law supplemented with clause 2.1
2.1) the processing of personal data is necessary in connection with the implementation
international agreements of the Russian Federation on readmission;
Information about changes:

Federal Law No. 204-FZ of July 27, 2010, part 2 of Article 10 of this
Federal Law supplemented with clause 2.2
2.2) the processing of personal data is carried out in accordance with
Federal Law of January 25, 2002 N 8-FZ "On the All-Russian Census

Page 11

population ";
Information about changes:

Federal Law No. 216-FZ of July 21, 2014 to Clause 2.3 of Part 2 of Article 10
of this Federal Law, amendments have been made that enter into force on January 1
2015
See the text of the paragraph in the previous edition
2.3) the processing of personal data is carried out in accordance with
legislation on state social assistance, labor
legislation , pension legislation of the Russian Federation;
Information about changes:

Federal Law No. 261-FZ of July 25, 2011, Clause 3 of Part 2 of Article 10
of this Federal Law is set out in a new edition, which applies to
legal relations arising from July 1, 2011
See the text of the paragraph in the previous edition
3) the processing of personal data is necessary to protect life, health or
other vital interests of the subject of personal data or life, health
or other vital interests of others and obtaining the consent of the subject
personal data is impossible;
4) the processing of personal data is carried out in medical and preventive
purposes, in order to establish a medical diagnosis, provide medical and medical
social services, provided that the processing of personal data is carried out
a person who is professionally engaged in medical activities and is obliged to
keep medical confidentiality in accordance with the legislation of the Russian Federation;
5) processing of personal data of members (participants) of the public
association or religious organization is carried out by the appropriate
public association or religious organization operating in
in accordance with the legislation of the Russian Federation, in order to achieve legal
purposes stipulated by their constituent documents, provided that
personal data will not be disseminated without written consent
subjects of personal data;
Information about changes:

Federal Law No. 261-FZ of July 25, 2011, Clause 6 of Part 2 of Article 10
of this Federal Law is set out in a new edition, which applies to
legal relations arising from July 1, 2011
See the text of the paragraph in the previous edition
6) the processing of personal data is necessary to establish or
the exercise of the rights of the subject of personal data or third parties, as well as in connection with
administration of justice;
Information about changes:

Federal Law No. 261-FZ of July 25, 2011, Clause 7 of Part 2 of Article 10
of this Federal Law is set out in a new edition, which applies to
legal relations arising from July 1, 2011
See the text of the paragraph in the previous edition
7) the processing of personal data is carried out in accordance with
the legislation of the Russian Federation on defense , on security , on
countering terrorism , transport security , countering
corruption, on operational-search activities , on enforcement proceedings ,
the criminal-executive legislation of the Russian Federation;

Page 12

Information about changes:

Federal Law No. 205-FZ of July 23, 2013, part 2 of Article 10 of this
Federal Law supplemented with clause 7.1
7.1) processing received in accordance with the legislation of the Russian
Federation of cases of personal data is carried out by the prosecution authorities in
connections with the implementation of prosecutorial supervision by them;
Information about changes:

Federal Law No. 261-FZ of July 25, 2011, Clause 8 of Part 2 of Article 10
of this Federal Law is set out in a new edition, which applies to
legal relations arising from July 1, 2011
See the text of the paragraph in the previous edition

8) the processing of personal data is carried out in accordance with
legislation on compulsory types of insurance, with insurance
legislation ;
Information about changes:

Federal Law No. 261-FZ of July 25, 2011, part 2 of Article 10 of this
Federal Law was supplemented with clause 9, which applies to legal relations,
arising from July 1, 2011
9) the processing of personal data is carried out in the cases provided for
the legislation of the Russian Federation, state bodies,
municipal authorities or organizations for the purpose of placing children left behind
without parental care, to be raised in families of citizens;
Information about changes:

Federal Law No. 142-FZ of June 4, 2014, part 2 of Article 10 of this
Of the Federal Law was supplemented with clause 10, which shall enter into force upon the expiration of
sixty days after the day of the official publication of the said Federal
the law
10) the processing of personal data is carried out in accordance with
the legislation of the Russian Federation on the citizenship of the Russian Federation.
Information about changes:

Article 10 is supplemented with part 2.1 from July 1, 2020 - Federal Law of April 24
2020 N 123-FZ
2.1. The processing of personal data related to health conditions,
obtained as a result of anonymization of personal data is allowed for the purpose
improving the efficiency of state or municipal administration, as well as
for other purposes stipulated by the Federal Law "On Conducting an Experiment on
the establishment of special regulation in order to create the necessary conditions for
development and implementation of artificial intelligence technologies in the subject of the Russian
Federation - a city of federal significance Moscow and amendments to Articles 6 and
10 of the Federal Law "On Personal Data", in the manner and on conditions that
provided by the specified Federal Law.
3. The processing of personal data on criminal records can be carried out
state bodies or municipal bodies within the limits of authority,
provided to them in accordance with the legislation of the Russian Federation, and
also by other persons in cases and in the manner that are determined in accordance with
federal laws.
Information about changes:

Federal Law No. 261-FZ of July 25, 2011 to part 4 of Article 10 of this

Page 13

Federal Law, amendments have been made that apply to legal relations,
arising from July 1, 2011
See the text of the part in the previous edition
4. Processing of special categories of personal data, carried out in
the cases provided for in parts 2 and 3 of this article must be
immediately terminated if the reasons due to which
processing was carried out, unless otherwise provided by federal law.
Information about changes:

Federal law was supplemented with article 10.1 from March 1, 2021 - Federal Law of 30
December 2020 N 519-FZ
Article 10.1. Features of the processing of personal data permitted
the subject of personal data for dissemination
GUARANTEE:

Cm. comments to Article 10.1 of this Federal Law
1. Consent to the processing of personal data permitted by the subject
personal data for distribution, is drawn up separately from other consents
the subject of personal data for the processing of his personal data. The operator is obliged
provide the subject of personal data with the opportunity to determine the list
personal data for each category of personal data specified in the consent
for the processing of personal data permitted by the subject of personal data for
distribution.
2. In case of disclosure of personal data to an indefinite circle of persons themselves
the subject of personal data without providing the operator with consent,
provided for in this article, the obligation to provide evidence
the legality of the subsequent distribution or other processing of such personal
data lies with each person who disseminated or otherwise processed them.
3. In the event that personal data turned out to be disclosed to uncertain
circle of persons due to an offense, crime or circumstances of insuperable
force, the obligation to provide evidence of the legality of the subsequent
distribution or other processing of such personal data lies with each
the person who distributed or otherwise processed them.
4. In the event that from the consent provided by the subject of personal data
for the processing of personal data permitted by the subject of personal data for
distribution, it does not follow that the subject of personal data agreed with
the dissemination of personal data, such personal data is processed
the operator to whom they are provided by the subject of personal data, without the right
distribution.
5. In the event that from the consent provided by the subject of personal data
for the processing of personal data permitted by the subject of personal data for
distribution, it does not follow that the subject of personal data has not established prohibitions and
conditions for the processing of personal data provided for in part 9 of this
article, or if such consent provided by the personal data subject does not
the categories and list of personal data for the processing of which the subject
personal data sets the conditions and prohibitions in accordance with part 9
of this article, such personal data is processed by the operator who
they are provided by the subject of personal data, without transfer (distribution,
provision, access) and the possibility of taking other actions with
personal data to an unlimited number of persons.

Page 14

6. Consent to the processing of personal data permitted by the subject
personal data for distribution can be provided to the operator:
1) directly;
GUARANTEE:

Point 2 comes into force on July 1, 2021.
2) using the information system of the authorized body for protection
rights of subjects of personal data.
7. Rules for the use of the information system of the authorized body
protection of the rights of subjects of personal data, including the procedure for interaction
the subject of personal data with the operator, are determined by the authorized body
to protect the rights of subjects of personal data.
8. Silence or inaction of the personal data subject under any circumstances
circumstances cannot be considered as consent to the processing of personal data,
allowed by the subject of personal data for distribution.
9.In consent to the processing of personal data permitted by the subject
personal data for dissemination, the subject of personal data has the right
establish bans on the transfer (except for providing access) of these personal
data by the operator to an unlimited number of persons, as well as prohibitions on processing or
processing conditions (except for obtaining access) of these personal data
an unlimited circle of persons. The operator's refusal to establish personal
these prohibitions and conditions provided for in this article are not allowed.
10. The operator is obliged no later than three working days from the date of receipt
appropriate consent of the subject of personal data to publish information
on the processing conditions and on the existence of prohibitions and conditions for processing unlimited
circle of persons of personal data permitted by the subject of personal data for
distribution.
11. Prohibitions on transfer established by the subject of personal data (except
granting access), as well as processing or processing conditions (except
access) of personal data permitted by the subject of personal
data for dissemination, do not apply to cases of processing personal
data in the state, public and other public interests, determined
the legislation of the Russian Federation.
12. Transfer (distribution, provision, access) of personal data,
allowed by the subject of personal data for dissemination, must be
terminated at any time at the request of the subject of personal data. This
the requirement must include the last name, first name, patronymic (if any), contact
information (phone number, e-mail or postal address) of the subject
personal data, as well as a list of personal data, the processing of which
is subject to termination. The personal data specified in this requirement may
processed only by the operator to whom it is directed.
13. The effect of the consent of the subject of personal data to the processing of personal
data permitted by the subject of personal data for dissemination,
terminates from the moment the operator receives the request specified in part 12
of this article.
14. The subject of personal data has the right to request to terminate
transfer (distribution, provision, access) of their personal data, previously
allowed by the subject of personal data for distribution, to any person,
processing his personal data, in case of non-compliance with the provisions
of this article or apply to the court with such a request. This person is obliged
stop the transfer (distribution, provision, access) of personal data to

Page 15

within three working days from the receipt of the request of the subject of personal
data or within the time period specified in the court decision that has entered into legal force, and if
such a period is not specified in the court decision, then within three working days from the moment
the entry into force of the court decision.
15. The requirements of this article do not apply in the case of processing
personal data in order to fulfill the requirements imposed by the legislation of the Russian
Federation to federal executive bodies, executive bodies
authorities of the constituent entities of the Russian Federation, local government functions,
powers and responsibilities.
Information about changes:

Federal Law No. 261-FZ of July 25, 2011, Article 11 of this
Of the Federal Law is set out in a new edition, which applies to
legal relations arising from July 1, 2011
See the text of the article in the previous edition
Article 11 . Biometric personal data
GUARANTEE:

See comments to Article 11 of this Federal Law
1. Information that characterizes physiological and biological
characteristics of a person, on the basis of which it is possible to establish his identity
(biometric personal data) and which are used by the operator for
establishing the identity of the subject of personal data, can only be processed
subject to the written consent of the personal data subject, for
except as provided part 2 of this article.
Information about changes:

Part 2 amended from December 29, 2020 - Federal Law of December 27, 2019 N
480-FZ
See previous edition
2. Processing of biometric personal data can be carried out without
consent of the subject of personal data in connection with the implementation of international
readmission agreements of the Russian Federation in connection with the administration of justice
and the execution of judicial acts in connection with the compulsory state
fingerprint registration, as well as in cases provided for
the legislation of the Russian Federation on defense , on security , on
countering terrorism , transport security , countering
corruption , on operational-search activities, about civil service ,
the criminal-executive legislation of the Russian Federation,
the legislation of the Russian Federation on the procedure for leaving the Russian Federation and
and entry into the Russian Federation , on the citizenship of the Russian Federation ,
the legislation of the Russian Federation on notaries.
GUARANTEE:

See the clarifications of Roskomnadzor dated August 30, 2013 on the issues of attribution of photos,
video images, fingerprint data and other information to
biometric personal data and features of their processing

Information about changes:

Federal Law No. 261-FZ of July 25, 2011, Article 12 of this

Page 16

Of the Federal Law is set out in a new edition, which applies to
legal relations arising from July 1, 2011
See the text of the article in the previous edition
Article 12. Cross-border transfer of personal data
GUARANTEE:

See comments to Article 12 of this Federal Law
1. Cross-border transfer of personal data on the territory of foreign
states party to the Council of Europe Convention for the Protection of Natural Persons
in the automated processing of personal data, as well as other foreign
states that provide adequate protection of the rights of subjects of personal data,
carried out in accordance with this Federal Law and may be
prohibited or limited in order to protect the foundations of the constitutional order of the Russian
Federation, morality, health, rights and legitimate interests of citizens,
ensuring the country's defense and state security.
2. The authorized body for the protection of the rights of subjects of personal data
approves the list of foreign states that are not parties to the Convention
Council of Europe on the protection of natural persons with regard to automated processing
personal data and ensuring adequate protection of the rights of subjects
personal data. State not party to the Council of Europe Convention
on the protection of individuals in the automated processing of personal data,
can be included in the list of foreign states that provide adequate
protection of the rights of subjects of personal data, subject to compliance with the provisions
the specified Convention of the rules of law in force in the respective state and
applied security measures of personal data.
3. The operator is obliged to make sure that the foreign country, on
the territory of which the transfer of personal data is carried out is provided
adequate protection of the rights of subjects of personal data, prior to the commencement of the implementation
cross-border transfer of personal data.
4. Cross-border transfer of personal data on the territory of foreign
states that do not provide adequate protection of the rights of subjects of personal
data can be carried out in the following cases:
1) there is a written consent of the personal data subject to
cross-border transfer of his personal data;
2) provided for by international treaties of the Russian Federation;
3) provided for by federal laws, if necessary for the purpose
protection of the foundations of the constitutional system of the Russian Federation, defense
country and state security, as well as ensuring the security of a sustainable and
safe functioning of the transport complex, protecting the interests of the individual,
society and the state in the field of the transport complex from acts of illegal
interference;
4) the performance of a contract to which the subject of personal
data;
5) protection of life, health, other vital interests of the subject
personal data or other persons if it is impossible to obtain consent in
written form of the subject of personal data.
Article 13 . Features of the processing of personal data in state or
municipal information systems of personal data
GUARANTEE:

Page 17

See comments to Article 13 of this Federal Law
1. State bodies, municipal bodies create within their
powers established in accordance with federal laws, state
or municipal personal data information systems.
2. Federal laws may establish accounting features
personal data in state and municipal information systems
personal data, including the use of various means of designation
ownership of personal data contained in the relevant
state or municipal information system of personal data,
specific subject of personal data.
3. Human and civil rights and freedoms cannot be limited for reasons
associated with the use of various methods of processing personal data or
designation of ownership of personal data contained in state
or municipal information systems of personal data, specific
to the subject of personal data. The use of offending feelings is not allowed
citizens or degrading human dignity ways of designating
ownership of personal data contained in state or
municipal information systems of personal data, a specific subject
personal data.
4. In order to ensure the implementation of the rights of subjects of personal data in connection
with the processing of their personal data in state or municipal
information systems of personal data can be created by a state
population register, the legal status of which and the procedure for working with which
are established federal law .
Chapter 3. Rights of the personal data subject

Information about changes:

Federal Law No. 261-FZ of July 25, 2011, Article 14 of this
Of the Federal Law is set out in a new edition, which applies to
legal relations arising from July 1, 2011
See the text of the article in the previous edition
Article 14 . The right of the subject of personal data to access his personal
data
GUARANTEE:

See comments to Article 14 of this Federal Law
1. The subject of personal data has the right to receive information specified in
part 7 of this article, except for the cases provided for in part 8
of this article. The subject of personal data has the right to demand from the operator
clarification of his personal data, their blocking or destruction if
personal data is incomplete, outdated, inaccurate, illegal
received or are not necessary for the stated purpose of the processing, and
take measures provided by law to protect their rights.
2. The information specified in part 7 of this article must be provided
to the subject of personal data by the operator in an accessible form, and they should not
contain personal data relating to other subjects of personal
data, unless there is a legal basis for disclosing
such personal data.

Page 18

3. The information specified in part 7 of this article is provided to the subject
personal data or its representative by the operator when contacting or when
receiving a request from the subject of personal data or his representative. Inquiry
must contain the number of the main identity document of the subject
personal data or his representative, information on the date of issue of the specified
document and the issuing authority, information confirming the participation of the subject
personal data in relations with the operator (contract number, date of conclusion
agreement, conventional verbal designation and (or) other information), or information, other
in a way confirming the fact of processing personal data by the operator, signature
the subject of personal data or his representative. The request can be directed to
form of an electronic document and signed with an electronic signature in accordance with
the legislation of the Russian Federation.
4. If the information specified in part 7 of this article, as well as
the processed personal data were provided for review
to the subject of personal data at his request, the subject of personal data has the right
contact the operator again or send him a repeated request in order to
obtaining the information specified in part 7 of this article, and familiarization with such
personal data no earlier than thirty days after the initial
applying or sending an initial request, if a shorter period is not
established by federal law, adopted in accordance with it by the regulatory
legal act or contract, a party to which is either a beneficiary or
the guarantor of which is the subject of personal data.
5. The subject of personal data has the right to contact the operator again or
send him a second request in order to obtain the information specified in part 7
of this article, as well as in order to get acquainted with the processed personal
data before the expiration of the period specified in part 4 of this article, if
such information and (or) processed personal data were not provided
to him for review in full according to the results of the consideration of the initial
treatment. A repeated request along with the information specified in part 3 of this
articles, should contain the justification for sending a repeated request.
6. The operator has the right to refuse the subject of personal data to fulfill
re-request that does not meet the conditions provided for in parts 4 and 5
of this article. Such a refusal must be motivated. Duty
submission of evidence of the validity of the refusal to fulfill the repeated request
lies with the operator.
7. The subject of personal data has the right to receive information,
concerning the processing of his personal data, including containing:
1) confirmation of the fact of processing of personal data by the operator;
2) legal grounds and purposes of personal data processing;
3) the purposes and methods of processing personal data used by the operator;
4) the name and location of the operator, information about persons (for
excluding operator's employees) who have access to personal data
or to whom personal data may be disclosed on the basis of an agreement with
by the operator or on the basis of federal law;
5) processed personal data related to the relevant
to the subject of personal data, the source of their receipt, if a different procedure
the submission of such data is not provided for by federal law;
6) the terms of processing personal data, including the terms of their storage;
7) the procedure for the exercise by the subject of personal data of rights,
provided for by this Federal Law;

Page 19

8) information on carried out or expected cross-border
data transmission;
9) the name or surname, name, patronymic and address of the person carrying out
processing of personal data on behalf of the operator, if the processing is entrusted or
will be entrusted to such a person;
10) other information provided for by this Federal Law or
other federal laws.
8. The right of the subject of personal data to access his personal data
may be limited in accordance with federal laws, including if:
1) processing of personal data, including personal data obtained in
as a result of operational-search, counterintelligence and intelligence
activities carried out for the purpose of national defense, state security and
law enforcement;
2) the processing of personal data is carried out by the bodies that carried out
detention of the subject of personal data on suspicion of committing a crime,
or who have brought charges against the subject of personal data in a criminal case,
or applied a preventive measure to the subject of personal data prior to presentation
charges, with the exception of those provided for by the criminal procedure
the legislation of the Russian Federation in cases where it is allowed to familiarize
a suspect or accused with such personal data;
3) the processing of personal data is carried out in accordance with
legislation on combating the legalization (laundering) of income received
crime and terrorist financing;
4) the access of the personal data subject to his personal data violates
rights and legitimate interests of third parties;
5) the processing of personal data is carried out in the cases provided for
the legislation of the Russian Federation on transport safety, in order
ensuring the stable and safe functioning of the transport complex,
protecting the interests of the individual, society and the state in the field of the transport complex
from acts of unlawful interference.
Article 15 . Rights of subjects of personal data when processing their personal
data in order to promote goods, works, services on the market, as well as in
political agitation
GUARANTEE:

See comments to Article 15 of this Federal Law
1. Processing of personal data in order to promote goods, works, services on
market by making direct contacts with a potential consumer with
using means of communication, as well as for the purposes of political agitation is allowed only when
subject to the prior consent of the subject of personal data. The specified
processing of personal data is recognized as carried out without prior
consent of the subject of personal data, if the operator does not prove what consent is
was received.
2. The operator is obliged to immediately terminate at the request of the subject
personal data processing of his personal data specified in part 1
of this article.
Article 16 . The rights of subjects of personal data when making decisions on
based solely on automated processing of them
personal data

Page 20

GUARANTEE:

See comments to Article 16 of this Federal Law
1. It is prohibited to accept on the basis of solely automated
processing of personal data of decisions that give rise to legal consequences in
in relation to the subject of personal data or otherwise affecting his rights
and legitimate interests, with the exception of cases provided for in part 2 of this
articles.
2. A decision giving rise to legal consequences in relation to the subject
personal data or otherwise affecting his rights and legitimate interests,
can be taken on the basis of solely automated processing of it
personal data only with the consent in writing of the subject
personal data or in cases provided for by federal laws,
also establishing measures to ensure the observance of rights and legitimate interests
the subject of personal data.
3. The operator is obliged to explain to the subject of personal data the procedure for accepting
decisions based solely on automated processing of his personal
data and possible legal consequences of such a decision, provide
the opportunity to object to such a decision, as well as to clarify the procedure
protection by the subject of personal data of his rights and legitimate interests.
Information about changes:

Federal Law No. 261-FZ of July 25, 2011 to part 4 of Article 16 of this
Federal Law, amendments have been made that apply to legal relations,
arising from July 1, 2011
See the text of the part in the previous edition
4. The operator is obliged to consider the objection specified in part 3 of this
article, within thirty days from the date of its receipt and notify the subject
personal data on the results of considering such an objection.
Article 17 . The right to appeal against actions or omissions of the operator
GUARANTEE:

See comments to Article 17 of this Federal Law
1. If the subject of personal data believes that the operator carries out
processing of his personal data in violation of the requirements of this
Federal law or otherwise violates its rights and freedoms, the subject
personal data has the right to appeal against the actions or inaction of the operator in
the authorized body for the protection of the rights of subjects of personal data or in court
okay.
2. The subject of personal data has the right to protect his rights and legal
interests, including compensation for losses and (or) compensation for moral damage in
judicial procedure.
Chapter 4. Obligations of the operator

Information about changes:

Federal Law No. 261-FZ of July 25, 2011, Article 18 of this
Of the Federal Law is set out in a new edition, which applies to
legal relations arising from July 1, 2011
See the text of the article in the previous edition

Page 21

Article 18 . Obligations of the operator when collecting personal data
GUARANTEE:

See comments to Article 18 of this Federal Law
1. When collecting personal data, the operator is obliged to provide the subject
personal data at his request the information provided for in part 7 of article 14
of this Federal Law.
2. If the provision of personal data is mandatory in
in accordance with federal law, the operator is obliged to explain to the subject
personal data legal consequences of refusal to provide his personal data
data.
3. If the personal data is not received from the subject of personal data,
operator, with the exception of the cases provided for in part 4 of this article, until
the beginning of the processing of such personal data is obliged to provide the subject
personal data the following information:
1) the name or surname, name, patronymic and address of the operator or his
representative;
2) the purpose of the processing of personal data and its legal basis;
3) prospective users of personal data;
4) the rights of the subject of personal
data;
5) the source of receipt of personal data.
4. The operator is released from the obligation to provide the subject with personal
data provided by part 3 of this article, in cases where:
1) the subject of personal data is notified of the processing of his
personal data by the respective operator;
2) personal data was obtained by the operator on the basis of federal law
or in connection with the performance of a contract, a party to which or a beneficiary
or the guarantor of which is the subject of personal data;
Information about changes:

Clause 3 amended from March 1, 2021 - Federal Law of December 30, 2020 N 519-FZ
See previous edition
3) processing of personal data permitted by the personal data subject
for distribution, subject to the prohibitions and conditions,
envisaged Article 10.1 of this Federal Law;
4) the operator processes personal data for statistical
or other research purposes, for the implementation of professional
activities of a journalist or scientific, literary or other creative
activities, if this does not violate the rights and legitimate interests of the subject
personal data;
5) providing the subject of personal data with the information provided for
part 3 of this article, violates the rights and legitimate interests of third parties.
Information about changes:

Federal Law No. 242-FZ of July 21, 2014, Article 18 of this
Federal law supplemented by part 5, effective from September 1, 2015
5. When collecting personal data, including through information and
telecommunication network "Internet", the operator is obliged to provide a record,
systematization, accumulation, storage, clarification (update, change), extraction
personal data of citizens of the Russian Federation using databases,
located on the territory of the Russian Federation, with the exception of cases

Page 22

specified in paragraphs 2 ,3 , 4, 8 of part 1 of article 6 of this Federal Law.
Information about changes:

Federal Law of July 25, 2011 N 261-FZ this Federal Law
supplemented by article 18.1, which applies to legal relations arising from July 1
2011 r.
Article 18.1 . Measures to ensure operator compliance
duties provided for by this Federal Law
GUARANTEE:

See comments to Article 18.1 of this Federal Law
1. The operator is obliged to take measures necessary and sufficient to
ensuring the fulfillment of the obligations provided for by this Federal
the law and the regulatory legal acts adopted in accordance with it. Operator
independently determines the composition and list of measures necessary and sufficient for
ensuring the fulfillment of the obligations provided for by this Federal
the law and the regulatory legal acts adopted in accordance with it, unless otherwise
is not provided for by this Federal Law or other federal
laws. Such measures may include, in particular:
1) the appointment by the operator, which is a legal entity, responsible for
organizing the processing of personal data;
2) the publication by the operator, which is a legal entity, of documents,
defining the operator's policy regarding the processing of personal data,
local acts on the processing of personal data, as well as local
acts establishing procedures aimed at preventing and detecting
violations of the legislation of the Russian Federation, elimination of the consequences of such
violations;
3) the application of legal, organizational and technical measures to ensure
security of personal data in accordance with Article 19 of this
Federal Law;
4) implementation of internal control and (or) audit of processing compliance
personal data to this Federal Law and adopted in accordance with
to them regulatory legal acts, requirements for the protection of personal data,
the operator's policy regarding the processing of personal data, local acts
operator;
5) assessment of the harm that may be caused to the subjects of personal data in
in the event of violation of this Federal Law, the ratio of the specified harm and
measures taken by the operator to ensure the fulfillment of duties,
provided for by this Federal Law;
6) familiarization of the operator's employees directly carrying out
processing of personal data, with the provisions of the legislation of the Russian
Federation on personal data, including requirements for the protection of personal
data, documents defining the operator's policy regarding the processing
personal data, local acts on the processing of personal
data, and (or) training of these workers.
2. The operator is obliged to publish or otherwise provide unlimited
access to the document defining its policy regarding the processing of personal
data, to information about the implemented requirements for the protection of personal data.
The operator collecting personal data using
information and telecommunication networks, must publish in the appropriate
information and telecommunications network document defining its policy in

Page 23

regarding the processing of personal data, and information on the implemented requirements for
protection of personal data, as well as ensure the ability to access the specified
document using the means of the appropriate information and
telecommunication network.
3. The Government of the Russian Federation establishes the list of measures ,
aimed at ensuring the fulfillment of the obligations provided for by this
Federal law and the regulatory legal
acts, operators that are state or municipal bodies.
4. The operator is obliged to submit documents and local acts specified in part
1 of this article, and (or) otherwise confirm the adoption of the measures specified in part
1 of this article, at the request of the authorized body for the protection of the rights of subjects
personal data.
Information about changes:

Federal Law No. 261-FZ of July 25, 2011, Article 19 of this
Of the Federal Law is set out in a new edition, which applies to
legal relations arising from July 1, 2011
See the text of the article in the previous edition
Article 19 . Measures to ensure the security of personal data during their
processing
GUARANTEE:

See comments to Article 19 of this Federal Law
1. When processing personal data, the operator is obliged to take the necessary
legal, organizational and technical measures or ensure their adoption to
protection of personal data from unauthorized or accidental access to them,
destruction, modification, blocking, copying, provision,
distribution of personal data, as well as from other illegal actions in
regarding personal data.
GUARANTEE:

On the approval of the requirements for ensuring the security of personal data in
customs authorities of the Russian Federation, organizations under the jurisdiction of the FCS of Russia, with their
processing in information systems of personal data of customs authorities of the Russian Federation
cm. order of the Federal Customs Service of Russia dated August 11, 2015 N 1611
On the organization and implementation of work to ensure the safety of personal
data when processing personal data in information systems in Rosreestr
cm. Rosreestr order of January 29, 2013 N P / 31
On ensuring the security of personal data during their processing in

automated information systems of tax authorities see order of the Federal Tax Service
Russia of December 21, 2011 N ММВ-7-4 / 959 @
2. Ensuring the security of personal data is achieved, in particular:
1) determination of threats to the security of personal data during their processing in
personal data information systems;
2) the use of organizational and technical measures to ensure
security of personal data during their processing in information systems
personal data necessary to fulfill the requirements for the protection of personal
data, the execution of which is ensured by the established by the Government of the Russian
Federation levels of protection of personal data;
3) the application of the assessment procedure passed in the prescribed manner
compliance of information protection means;

Page 24

4) an assessment of the effectiveness of the measures taken to ensure safety
personal data before the commissioning of the information system of personal
data;
5) taking into account the machine carriers of personal data;
Information about changes:

Clause 6 amended from January 10, 2021 - Federal Law of December 30, 2020 N 515FZ
See previous edition
6) detection of facts of unauthorized access to personal data
and taking measures, including measures to detect, prevent and eliminate
the consequences of computer attacks on personal data information systems and
on responding to computer incidents in them;
7) restoration of personal data, modified or destroyed
due to unauthorized access to them;
8) establishing the rules for access to personal data processed in
information system of personal data, as well as ensuring registration and
accounting for all actions performed with personal data in the information
personal data system;
9) control over the measures taken to ensure safety
personal data and the level of security of information systems of personal
data.
3. The Government of the Russian Federation, taking into account the possible harm to the subject
personal data, the volume and content of the processed personal data,
the type of activity in the implementation of which personal data is processed,
the relevance of threats to the security of personal data is established by:
1) the levels of protection of personal data during their processing in
personal data information systems depending on security threats
this data;
2) requirements for the protection of personal data during their processing in
personal data information systems, the execution of which is ensured
the established levels of protection of personal data;
GUARANTEE:

See the Instructions for organizing the protection of personal data contained in
information systems of the internal affairs bodies of the Russian Federation, approved by order of the Ministry of Internal Affairs
RF dated July 6, 2012 N 678
3) requirements for tangible carriers of biometric personal data and
technologies for storing such data outside of personal data information systems.
4. The composition and content of the necessary for the implementation of the established
By the Government of the Russian Federation in accordance with part 3 of this article
personal data protection requirements for each of the security levels,
organizational and technical measures to ensure the security of personal data
when processing them in personal data information systems,
federal executive body authorized in the field of ensuring
security, and the federal executive body authorized in
the field of countering technical intelligence and technical protection of information, in
within their powers.
5. Federal executive bodies performing functions of
the development of public policy and legal regulation in
the established field of activity, public authorities of the subjects

Page 25

Of the Russian Federation, the Bank of Russia, bodies of state off-budget funds,
other state bodies, within the limits of their powers, adopt regulatory
legal acts that define threats to the security of personal data,
relevant when processing personal data in information systems
personal data used in the implementation of the corresponding types
activities, taking into account the content of personal data, the nature and methods of their
processing.
6. Along with the threats to the security of personal data identified in
regulatory legal acts adopted in accordance with part 5 of this article,
associations, unions and other associations of operators, by their decisions, have the right
identify additional threats to the security of personal data that are relevant when
processing of personal data in personal data information systems,
operated in the implementation of certain types of activities by members of such
associations, unions and other unions of operators, taking into account the content
personal data, the nature and methods of their processing.
7. Draft regulatory legal acts specified in part 5 of this article,
are subject to agreement with the federal executive body,
authorized in the field of security, and the federal body
executive power, authorized in the field of countering technical
intelligence and technical protection of information. Draft decisions referred to in part 6
of this article are subject to agreement with the federal executive body
the security authority and the federal agency
executive power, authorized in the field of countering technical
intelligence and technical protection of information, in the manner prescribed
By the Government of the Russian Federation. Decision of the federal executive body
the security authority and the federal agency
executive power, authorized in the field of countering technical
intelligence and technical protection of information, on refusal to approve projects
decisions specified in part 6 of this article must be motivated.
8. Control and supervision over the implementation of organizational and technical measures for
ensuring the security of personal data established in accordance with
this article, when processing personal data in state
information systems of personal data are carried out by the federal
an executive body authorized in the field of security,
and the federal executive body authorized in the area
countering technical intelligence and technical protection of information, in
within their powers and without the right to familiarize themselves with personal data,
processed in personal data information systems.
9. Federal executive body authorized in the field
security, and the federal executive body,
authorized in the field of countering technical intelligence and technical
information protection, by the decision of the Government of the Russian Federation, taking into account
the significance and content of the processed personal data can be endowed
powers to control the implementation of organizational and technical measures for
ensuring the security of personal data established in accordance with
this article, when they are processed in information systems of personal
data used in the implementation of certain activities and not
which are state information systems of personal data, without
the right to familiarize yourself with personal data processed in information
personal data systems.

Page 26

10. Use and storage of biometric personal data outside
information systems of personal data can only be carried out on such
material carriers of information and using such technology for its storage,
which protect this data from unauthorized or accidental access to
him, their destruction, modification, blocking, copying, provision,
distribution.
11. For the purposes of this article, under threats to the security of personal data
is understood as a set of conditions and factors that create a hazard
unauthorized, including accidental, access to personal data,
which can result in destruction, modification, blocking, copying,
provision, dissemination of personal data, as well as other illegal
actions during their processing in the personal data information system. Under
the level of protection of personal data is understood as a complex indicator,
characterizing the requirements, the fulfillment of which ensures neutralization
certain threats to the security of personal data during their processing in
personal data information systems.
Information about changes:

Federal Law No. 261-FZ of July 25, 2011, Article 20 of this
Of the Federal Law is set out in a new edition, which applies to
legal relations arising from July 1, 2011
See the text of the article in the previous edition
Article 20 . Obligations of the operator when the subject of personal
data either upon receipt of a request from the subject of personal data or
his representative, as well as the authorized body for the protection of rights
subjects of personal data
GUARANTEE:

See comments to Article 20 of this Federal Law
1. The operator is obliged to inform in the manner prescribed by article 14 of this
Federal law, the subject of personal data or his representative
information on the availability of personal data related to the relevant
the subject of personal data, as well as provide an opportunity to get acquainted with
these personal data when the subject of personal data or his
representative or within thirty days from the date of receipt of the subject's request
personal data or his representative.
2. In case of refusal to provide information on the availability of personal data
about the relevant subject of personal data or personal data to the subject
personal data or his representative when contacting them or when receiving
request of the subject of personal data or his representative, the operator is obliged to give in
a written reasoned response containing a reference to the provision of part 8
Article 14 of this Federal Law or other federal law,
which is the basis for such a refusal, within a period not exceeding thirty days from
the day of the appeal of the subject of personal data or his representative, or from the date
receiving a request from the subject of personal data or his representative.
3. The operator is obliged to provide free of charge to the subject of personal data
or his representative the opportunity to get acquainted with personal data,
relating to this personal data subject. Within a period not exceeding seven
working days from the date the subject provides personal data or
a representative of information confirming that personal data is

Page 27

incomplete, inaccurate or irrelevant, the operator is obliged to enter the necessary
changes. Within a period not exceeding seven working days from the date of submission
the subject of personal data or his representative of information confirming
that such personal data is illegally obtained or is not
necessary for the stated purpose of processing, the operator is obliged to destroy such
Personal Information. The operator is obliged to notify the subject of personal data or
his representative on the changes and measures taken and to take reasonable
measures to notify third parties to whom the personal data of this subject were
transferred.
4. The operator is obliged to inform the authorized body for the protection of the rights of subjects
personal data at the request of this body the necessary information within
thirty days from the date of receipt of such a request.
Information about changes:

Federal Law No. 261-FZ of July 25, 2011, Article 21 of this
Of the Federal Law is set out in a new edition, which applies to
legal relations arising from July 1, 2011
See the text of the article in the previous edition
Article 21. Obligations of the operator to eliminate violations of the law,
admitted in the processing of personal data, for clarification,
blocking and destruction of personal data
GUARANTEE:

See comments to Article 21 of this Federal Law
1. In case of unlawful processing of personal data when
application of the subject of personal data or his representative, or upon request
the subject of personal data or his representative or an authorized body for
the operator is obliged to protect the rights of subjects of personal data
blocking of unlawfully processed personal data related to
to this subject of personal data, or to ensure their blocking (if the processing
personal data is carried out by another person acting on behalf of
operator) from the moment of such appeal or receipt of the specified request for a period
checks. In case of revealing inaccurate personal data when contacting the subject
personal data or his representative either at their request or upon request
the authorized body for the protection of the rights of subjects of personal data operator
is obliged to block personal data related to this subject
personal data, or ensure their blocking (if the processing of personal
data is carried out by another person acting on behalf of the operator) with
the moment of such an appeal or receipt of the specified request for the verification period, if
blocking of personal data does not violate the rights and legitimate interests of the subject
personal data or third parties.
2. In case of confirmation of the fact of inaccuracy of personal data, the operator on
on the basis of information provided by the subject of personal data or his
a representative or an authorized body for the protection of the rights of subjects of personal
data, or other necessary documents is obliged to clarify personal data or
ensure their clarification (if the processing of personal data is carried out by another
by a person acting on behalf of the operator) within seven working days from the date
submission of such information and remove the blocking of personal data.
3. In case of unlawful processing of personal data,
carried out by the operator or a person acting on behalf of the operator,

Page 28

the operator, within a period not exceeding three working days from the date of this identification, is obliged
stop unlawful processing of personal data or ensure
termination of unlawful processing of personal data by a person acting on
on behalf of the operator. In the event that the legality of the processing is ensured
personal data is impossible, the operator within a period not exceeding ten working
days from the date of detection of illegal processing of personal data, is obliged
destroy such personal data or ensure their destruction. About elimination
committed violations or the destruction of personal data, the operator is obliged
notify the subject of personal data or his representative, and if
appeal of the subject of personal data or his representative or request
the authorized body for the protection of the rights of subjects of personal data were
sent by the authorized body for the protection of the rights of subjects of personal data,
also said body.
4. If the purpose of processing personal data is achieved, the operator is obliged
stop processing personal data or ensure its termination (if
the processing of personal data is carried out by another person acting on
on behalf of the operator) and destroy personal data or provide them
destruction (if the processing of personal data is carried out by another person,
acting on behalf of the operator) within a period not exceeding thirty days from the date
achieving the purpose of processing personal data, unless otherwise provided
an agreement, the party to which, the beneficiary or the guarantor of which
is the subject of personal data, another agreement between the operator and
the subject of personal data or if the operator is not entitled to process
personal data without the consent of the subject of personal data on the grounds,
provided for by this Federal Law or other federal
laws.
5. If the subject of personal data withdraws consent to the processing of it
personal data, the operator is obliged to stop their processing or ensure
termination of such processing (if the processing of personal data is carried out
by another person acting on behalf of the operator) and in the event that the preservation
personal data is no longer required for the purposes of processing personal data,
destroy personal data or ensure their destruction (if processing
personal data is carried out by another person acting on behalf of
operator) within a period not exceeding thirty days from the date of receipt of the specified
revocation, unless otherwise provided by the contract, the party to which,
beneficiary or guarantor for which the subject of personal
data, another agreement between the operator and the subject of personal data, or
if the operator is not entitled to process personal data without consent
the subject of personal data on the grounds provided for by this
Federal law or other federal laws.
6. In the absence of the possibility of destruction of personal data during
deadline specified in parts 3 - 5 of this article, the operator carries out blocking
such personal data or ensures their blocking (if the processing
personal data is carried out by another person acting on behalf of
operator) and ensures the destruction of personal data within a period not exceeding
six months, unless another period is established by federal laws.
Article 22 . Personal data processing notice
GUARANTEE:

See comments to Article 22 of this Federal Law

Page 29

1. The operator is obliged to notify before the start of the processing of personal data
the authorized body for the protection of the rights of subjects of personal data about their
the intention to process personal data, except in cases where
envisaged part 2 of this article.
GUARANTEE:

See Methodological recommendations for notifying the authorized body about the beginning
processing of personal data and on making changes to previously submitted
information approved by order of Roskomnadzor dated May 30, 2017 N 94
2. The operator has the right to carry out without notifying the authorized body on
protection of the rights of subjects of personal data processing of personal data:
Information about changes:

Federal Law No. 261-FZ of July 25, 2011, Clause 1 of Part 2 of Article 22
of this Federal Law is set out in a new edition, which applies to
legal relations arising from July 1, 2011
See the text of the paragraph in the previous edition
1) processed in accordance with labor legislation;
2) received by the operator in connection with the conclusion of an agreement, a party to which
is the subject of personal data, if the personal data is not
distributed, and also not provided to third parties without the consent of the subject
personal data and are used by the operator solely for the execution
the specified agreement and the conclusion of agreements with the subject of personal data;
Information about changes:

Federal Law No. 261-FZ of July 25, 2011 to clause 3 of part 2 of article 22
hereof amended propagated on
legal relations arising from July 1, 2011
See the text of the paragraph in the previous edition
3) relating to members (participants) of a public association, or
religious organization and processed by the relevant public
association or religious organization acting in accordance with
the legislation of the Russian Federation, in order to achieve legitimate goals,
provided for by their constituent documents, provided that personal
the data will not be disseminated or disclosed to third parties without the consent of the
the written form of the subjects of personal data;
Information about changes:

Clause 4 amended from March 1, 2021 - Federal Law of December 30, 2020 N 519-FZ
See previous edition
4) permitted by the subject of personal data for dissemination when
subject to the operator's compliance with the prohibitions and conditions provided for in article 10.1
this Federal Law;
5) including only the surnames, names and patronymics of the subjects of personal
data;
6) necessary for the purpose of a one-time pass of the subject of personal data to
the territory in which the operator is located, or for other similar purposes;
Information about changes:

Federal Law No. 261-FZ of July 25, 2011 to Clause 7 of Part 2 of Article 22
hereof amended propagated on
legal relations arising from July 1, 2011
See the text of the paragraph in the previous edition

Page 30

7) included in the information systems of personal data, having in
in accordance with federal laws, the status of state automated
information systems, as well as into state information systems
personal data created in order to protect the security of the state and
public order;
8) processed without the use of automation tools in accordance with
federal laws or other regulatory legal acts of the Russian
Federation establishing requirements for ensuring the security of personal
data during their processing and to the observance of the rights of subjects of personal data;
Information about changes:

Federal Law No. 261-FZ of July 25, 2011, part 2 of Article 22 of this
Federal Law was supplemented with clause 9, which applies to legal relations,
arising from July 1, 2011
9) processed in cases stipulated by the legislation of the Russian
Federation on transport security, in order to ensure sustainable and
safe functioning of the transport complex, protecting the interests of the individual,
society and the state in the field of the transport complex from acts of illegal
interference.
Information about changes:

Federal Law No. 261-FZ of July 25, 2011 to part 3 of Article 22 of this
Federal Law, amendments have been made that apply to legal relations,
arising from July 1, 2011
See the text of the part in the previous edition
3. The notification provided for in part 1 of this article shall be sent to
in the form of a document on paper or in the form of an electronic document and
signed by an authorized person. The notice must contain the following
intelligence:
1) name (surname, name, patronymic), address of the operator;
2) the purpose of processing personal data;
3) categories of personal data;
4) the categories of subjects whose personal data are processed;
5) the legal basis for the processing of personal data;
6) a list of actions with personal data, a general description of the used
the operator of the methods of processing personal data;
7) a description of the measures provided for by Articles 18.1 and 19 of this Federal
of the law, including information on the availability of encryption (cryptographic) means and
the names of these funds;
7.1) surname, name, patronymic of an individual or name of a legal entity
persons responsible for organizing the processing of personal data, and their numbers
contact phone numbers, postal addresses and e-mail addresses;
8) the date of the beginning of the processing of personal data;
9) the term or condition for the termination of the processing of personal data;
10) information on the presence or absence of cross-border transfer of personal
data in the course of their processing;
Information about changes:

Federal Law No. 242-FZ of July 21, 2014, part 3 of Article 22 of this
Federal Law supplemented with Clause 10.1, which shall enter into force on September 1, 2015.
10.1) information about the location of the information database containing
personal data of citizens of the Russian Federation;

Page 31

11) information on ensuring the security of personal data in accordance with
the requirements for the protection of personal data established by the Government
Russian Federation.
4. The authorized body for the protection of the rights of subjects of personal data in
within thirty days from the date of receipt of the notification about the processing of personal
data enters the information specified in part 3 of this article, as well as information about
the date of sending the said notification to the register of operators. Intelligence,
contained in the register of operators, with the exception of information about funds
ensuring the security of personal data during their processing, are
publicly available.
5. The operator cannot be charged the costs of considering
notifications about the processing of personal data by the authorized body for protection
rights of subjects of personal data, as well as in connection with entering information into the register
operators.
6. In case of providing incomplete or inaccurate information specified in
part 3 of this article, the authorized body for the protection of the rights of subjects
personal data has the right to require the operator to clarify the provided
information prior to their entry into the register of operators.
Information about changes:

Federal Law No. 261-FZ of July 25, 2011, part 7 of Article 22 of this
Of the Federal Law is set out in a new edition, which applies to
legal relations arising from July 1, 2011
See the text of the part in the previous edition
7. In the event of a change in the information specified in part 3 of this article, as well as in
in case of termination of the processing of personal data, the operator is obliged to notify
this is the authorized body for the protection of the rights of subjects of personal data during
ten working days from the date such changes occur or from the date of termination
processing of personal data.
GUARANTEE:

See Recommended Forms for Notification of Changes to Information
operator in the Register (Information Letter) and termination statements
operator of personal data processing, approved by order of Roskomnadzor
dated May 30, 2017 N 94
Information about changes:

Federal Law of July 25, 2011 N 261-FZ, Chapter 4 of this Federal
of the law was supplemented by Article 22.1, which applies to legal relations arising from
July 1, 2011
Article 22.1. Persons responsible for organizing the processing of personal
data in organizations
GUARANTEE:

See comments to Article 22.1 of this Federal Law
1. The operator, which is a legal entity, appoints a person responsible for
organization of personal data processing.
2. The person responsible for organizing the processing of personal data receives
instructions directly from the executive body of the organization that is
operator, and is accountable to him.
3. The operator is obliged to provide the person responsible for the organization
processing of personal data, the information specified in part 3 of Article 22 of this

Page 32

Federal law.
4. The person responsible for organizing the processing of personal data in
in particular, is obliged:
1) exercise internal control over compliance by the operator and its
employees of the legislation of the Russian Federation on personal data, including
the number of requirements for the protection of personal data;
2) bring to the attention of the operator's employees the provisions of the legislation
Of the Russian Federation on personal data, local acts on processing
personal data, requirements for the protection of personal data;
3) organize the reception and processing of requests and requests from subjects
personal data or their representatives and (or) monitor the reception
and the processing of such appeals and inquiries.
Information about changes:

Federal Law No. 16-FZ of February 22, 2017, the title of Chapter 5
of this Federal Law is set out in a new edition, which shall enter into force from 1
March 2017
See the text of the name in the previous edition
Chapter 5. State control and supervision over the processing of personal data.
Responsibility for violation of the requirements of this Federal Law
Article 23 . The authorized body for the protection of the rights of subjects of personal
data
GUARANTEE:

See comments to Article 23 of this Federal Law
Information about changes:

Federal Law No. 16-FZ of February 22, 2017, part 1 of Article 23 of this
Federal Law is set out in a new version, which comes into force on March 1, 2017.
See the text of the part in the previous edition
1. The authorized body for the protection of the rights of subjects of personal data
is the federal executive body that carries out the functions of
control and supervision over the compliance of the processing of personal data with the requirements
legislation of the Russian Federation in the field of personal data.
GUARANTEE:

See the Administrative Regulations for the Execution by Roskomnadzor of the State
functions of exercising state control (supervision) over compliance
processing of personal data to the requirements of the legislation of the Russian Federation in the field
personal data approved by order of the Ministry of Telecom and Mass Communications of Russia dated November 14
2011 N 312
Information about changes:

Federal Law No. 16-FZ of February 22, 2017, Article 23 of this
Federal Law supplemented with part 1.1, which shall enter into force on March 1, 2017.
1.1. Authorized body for the protection of the rights of subjects of personal data
provides, organizes and exercises state control and supervision over
compliance of the processing of personal data with the requirements of this Federal
of the law and regulatory legal acts adopted in accordance with it (state
control and supervision over the processing of personal data). Organization and
conducting inspections of legal entities and individual entrepreneurs,

Page 33

being operators, an authorized body for the protection of the rights of subjects
personal data, as well as the procedure for organizing and implementing state
control and supervision over the processing of personal data by other persons who are
operators, established by the Government of the Russian Federation.
2. The authorized body for the protection of the rights of subjects of personal data
considers appeals of the subject of personal data on the compliance of the content
personal data and methods of their processing for the purposes of their processing and accepts
appropriate solution.
3. The authorized body for the protection of the rights of subjects of personal data has
right:
1) request from individuals or legal entities the information necessary
to exercise their powers, and receive such information free of charge;
2) check the information contained in the processing notification
personal data, or involve other
state bodies within the limits of their powers;
3) require the operator to clarify, block or destroy
inaccurate or unlawfully obtained personal data;
Information about changes:

Federal Law No. 242-FZ of July 21, 2014, part 3 of Article 23 of this
Federal Law supplemented with clause 3.1, coming into force on September 1, 2015.
3.1) restrict access to information processed in violation
the legislation of the Russian Federation in the field of personal data, in the order ,
established by the legislation of the Russian Federation;
4) take in the manner prescribed by the legislation of the Russian Federation
measures to suspend or terminate the processing of personal data,
carried out in violation of the requirements of this Federal Law;
Information about changes:

Federal Law No. 261-FZ of July 25, 2011 to Clause 5 of Part 3 of Article 23
hereof amended propagated on
legal relations arising from July 1, 2011
See the text of the paragraph in the previous edition
5) apply to the court with statements of claim in defense of the rights of subjects
personal data, including in the protection of the rights of an indefinite circle of persons, and
represent the interests of subjects of personal data in court;
Information about changes:

Federal Law No. 261-FZ of July 25, 2011, part 3 of Article 23 of this
Federal Law was supplemented with clause 5.1, which applies to
legal relations arising from July 1, 2011
5.1) send to the federal executive body authorized in
areas of security, and the federal executive body,
authorized in the field of countering technical intelligence and technical
protection of information, in relation to the scope of their activities, the information specified in
Clause 7 of Part 3 of Article 22 of this Federal Law;
6) send an application to the body that carries out licensing of activities
operator to consider taking action to suspend or
cancellation of the relevant license in accordance with the legislation
The Russian Federation, if the condition of the license for the implementation of such
activity is a ban on the transfer of personal data to third parties without
written consent of the subject of personal data;

Page 34

7) send to the prosecutor's office, other law enforcement agencies
materials for resolving the issue of initiating criminal cases on the basis of
crimes related to the violation of the rights of subjects of personal data, in
according to the jurisdiction;
8) submit proposals to the Government of the Russian Federation on
improving the legal regulation of the protection of the rights of subjects
personal data;
9) bring to administrative responsibility the persons guilty of violating
of this Federal Law.
4. With regard to personal data that has become known to the authorized person
body for the protection of the rights of subjects of personal data in the course of the exercise of his
activities, the confidentiality of personal data must be ensured.
5. The authorized body for the protection of the rights of subjects of personal data is obliged to:
1) organize in accordance with the requirements of this Federal
law and other federal laws protection of the rights of subjects of personal data;
2) consider complaints and appeals of citizens or legal entities on
issues related to the processing of personal data, as well as to accept within
their powers to decide on the results of consideration of these complaints and
appeals;
3) keep a register of operators;
GUARANTEE:

See Methodological recommendations for notifying the authorized body about the beginning
processing of personal data and on making changes to previously submitted
information approved by order of Roskomnadzor dated May 30, 2017 N 94
4) take measures aimed at improving the protection of rights
subjects of personal data;
Information about changes:

Federal Law No. 148-FZ of July 1, 2017 to paragraph 5 of part 5 of Article 23
of this Federal Law amended
See the text of the paragraph in the previous edition
5) take in the manner prescribed by the legislation of the Russian Federation
on the proposal of the federal executive body authorized in
the field of security, the federal executive body in
the area of ​state protection or the federal executive body,
authorized in the field of countering technical intelligence and technical
information protection, measures to suspend or terminate processing
personal data;
6) inform state bodies, as well as subjects of personal
data on their requests or inquiries about the state of affairs in the field of protection of rights
subjects of personal data;
7) comply with other stipulated by the legislation of the Russian Federation
responsibilities.
Information about changes:

Federal Law No. 261-FZ of July 25, 2011, Article 23 of this
Federal law supplemented with part 5.1, extending to legal relations,
arising from July 1, 2011
5.1. Authorized body for the protection of the rights of subjects of personal data
cooperates with bodies authorized to protect the rights of subjects
personal data in foreign countries, in particular international exchange

Page 35

information on the protection of the rights of subjects of personal data, approves the list
foreign states that provide adequate protection of the rights of subjects
personal data.
6. Decisions of the authorized body for the protection of the rights of subjects of personal

6. Decisions of the authorized body for the protection of the rights of subjects of personal
data can be challenged in court.
7. The authorized body for the protection of the rights of subjects of personal data
annually sends a report on its activities to the President of the Russian Federation, in
The Government of the Russian Federation and the Federal Assembly of the Russian
Federation. The specified report is subject to publication in the mass media.
information.
8. Financing of the authorized body for the protection of the rights of subjects
personal data is carried out at the expense of the federal budget.
9. Under the authorized body for the protection of the rights of subjects of personal data
an advisory council is created on a voluntary basis, the procedure for the formation and
the order of activity of which is determined by the authorized body for the protection of rights
subjects of personal data.
Information about changes:

Federal Law No. 261-FZ of July 25, 2011 into Article 24 of this
Federal Law, amendments have been made that apply to legal relations,
arising from July 1, 2011
See the text of the article in the previous edition
Article 24 . Responsibility for violation of the requirements of this Federal
the law
GUARANTEE:

See comments to Article 24 of this Federal Law
1. Persons guilty of violating the requirements of this Federal Law,
bear responsibility stipulated by the legislation of the Russian Federation.
2. Moral harm caused to the subject of personal data due to
violation of his rights, violation of the rules for the processing of personal data established
this Federal Law, as well as requirements for the protection of personal data,
established in accordance with this Federal Law, is subject to
compensation in accordance with the legislation of the Russian Federation. Reimbursement
non-pecuniary damage is carried out regardless of compensation for property damage and
losses incurred by the subject of personal data.
Chapter 6. Final Provisions
Article 25 . Final provisions
GUARANTEE:

See comments to Article 25 of this Federal Law
1. This Federal Law shall enter into force upon the expiration of one hundred and eighty
days after his day official publication .
2. After the date of entry into force of this Federal Law, processing
personal data included in personal data information systems before
the day of its entry into force, is carried out in accordance with this Federal
law.
Information about changes:

Page 36

Federal Law No. 261-FZ of July 25, 2011, Article 25 of this
Federal law supplemented with part 2.1, extending to legal relations,
arising from July 1, 2011
2.1. Operators who processed personal data before July 1
2011, are obliged to submit to the authorized body for the protection of the rights of subjects
personal data the information specified in clauses 5 , 7.1 , 10 and 11 of part 3 of article 22
of this Federal Law, no later than January 1, 2013.
3. Abolished from July 1, 2011.
Information about changes:

See text part 3 of article 25
4. Operators who process personal data until the day
the entry into force of this Federal Law and continue to exercise such
processing after the day of its entry into force, must be sent to the authorized body
to protect the rights of subjects of personal data, except in cases where
provided for in part 2 of article 22 of this Federal Law, notification,
provided for in part 3 of article 22 of this Federal Law, no later than 1
January 2008.
Information about changes:

Federal Law No. 43-FZ of April 5, 2013, Article 25 of this
Federal law supplemented with part 5
5. Relationships associated with the processing of personal data carried out
state bodies, legal entities, individuals at
the provision of state and municipal services, the execution of state and
municipal functions in a constituent entity of the Russian Federation - a city of federal
values ​of Moscow are governed by this Federal Law, unless otherwise
stipulated by the Federal Law "On the Specifics of Regulation of Certain
legal relations in connection with the accession to the subject of the Russian Federation - the city
of federal significance to Moscow territories and on amendments to certain
legislative acts of the Russian Federation ".
President of Russian Federation
Moscow Kremlin
July 27, 2006
N 152-FZ

V. Putin

