Federal Law No. 242-FZ of July 21, 2014 on Amending Some Legislative Acts of the Russian Federation in as Much as It Concerns Updating the Procedure for Personal Data Processing in Information-Telecommunication Networks (with Amendments and Additions

RUSSIAN FEDERATION

FEDERAL LAW

ON AMENDMENTS
TO CERTAIN LEGISLATIVE ACTS OF THE RUSSIAN FEDERATION
TO CLARIFY THE PROCEDURE OF PERSONAL DATA PROCESSING
IN INFORMATION AND TELECOMMUNICATION NETWORKS

Adopted
by the State Duma
on July 4, 2014

Approved
by the Federation Council
on July 9, 2014

Article 1

The following amendments shall be made to Federal Law dated July 27, 2006 No. 149-FZ On Information, Information Technology and Information Security (Code of Laws of the Russian Federation 2006, No. 31, Article 3448; 2010, No. 31, Article 4196; 2011, No. 15, Article 2038; No. 30, Article 4600; 2012, No. 31, Article 4328; 2013, No. 14, Article 1658; No. 23, Article 2870; No. 27, Article 3479; No. 52, Article 6961, 6963; 2014, No. 19, Article 2302):
1) Article 15.5 shall be supplemented to read as follows:

"Article 15.5. Restriction of access to information processed in breach of personal data laws of the Russian Federation

1. To restrict access to information on the Internet, which is processed in breach of personal data laws of the Russian Federation, The Register of Infringers of the Rights of Personal Data Subjects (hereinafter referred to as "the Register of Infringers"), an automated IT system, is being introduced.
2. The Register of Infringers shall include:
1) domain names and/or links to web-pages of Internet sites containing information processed in breach of personal data laws of the Russian Federation;
2) network addresses identifying Internet sites containing information processed in breach of personal data laws of the Russian Federation;
3) a reference to an effective judicial act;
4) information about rectification of the breaches of personal data laws of the Russian Federation;
5) the date when the communication operator submitted information about the relevant information resource to restrict access to the given resource.
3. The Register of Infringers shall be established, created and maintained by the federal executive authority that exercises control and supervision in the field of mass media, mass communications, information technology and telecommunications in accordance with the procedure stipulated by the Government of the Russian Federation.
4. Subject to the criteria set by the Government of the Russian Federation, the federal executive authority that exercises control and supervision in the field of mass media, mass communications, information technology and telecommunications may engage a register operator, i.e. an organization registered in the Russian Federation, to create and maintain the Register of Infringers.
5. The information set forth in part 2 of this Article may be included in the Register of Infringers, provided that there is a relevant effective judicial decision.
6. A personal data subject may apply to the federal executive authority that exercises control and supervision in the field of mass media, mass communications, information technology and telecommunications with a request to take measures to restrict access to information processed in breach of personal data laws of the Russian Federation, provided that there is a relevant effective judicial act. The form of such application shall be approved by the federal executive authority that exercises control and supervision in the field of mass media, mass communications, information technology and telecommunications.
7. Within three days after receipt of such effective judicial act, the federal executive authority that exercises control and supervision in the field of mass media, mass communications, information technology and telecommunications, guided by such decision, shall:
1) identify the hosting provider or another person that processes information in any information and telecommunication network, including the Internet, in breach of personal data laws of the Russian Federation;
2) send to the hosting provider or other person referred to in clause 1 of this part an electronic notice, in Russian and in English, about breach of personal data laws of the Russian Federation and with details about the relevant effective judicial decision, domain name and network address identifying the Internet site where information is processed in breach of personal data laws of the Russian Federation, as well as with links to the web-pages of the Internet site which make it possible to identify such information, and such notice shall request to take measures to rectify the breaches of personal data laws of the Russian Federation, which breaches are specified in the judicial decision;
3) record, in the Register of Infringers, the date and time of such notice to the hosting provider or other person referred to in clause 1 of this part.
8. Within one working day following a notice referred to in clause 2 of part 7 of this Article, the hosting provider or other person referred to in clause 1 of part 7 of this Article shall notify the owner of the information resource, to which they provide services, and inform the owner that it must take prompt measures to rectify the breach of personal data laws of the Russian Federation, which is specified in the notice, or restrict access to the information processed in breach of personal data laws of the Russian Federation.
9. Within one working day after receipt of a notice from the hosting provider or other person referred to in clause 1 of part 7 of this Article that the breach of personal data laws of the Russian Federation must be rectified, the information resource owner shall take measures to rectify the breach set out in the notice. In case of refusal or failure by the information resource owner to take such measures, the hosting provider or other person referred to in clause 1 of part 7 of this Article shall restrict access to the relevant information within three working days after receipt of the notice referred to in clause 2 of part 7 of this Article.
10. In case the hosting provider or other person referred to in clause 1 of part 7 of this Article and/or information resource owner fails to take measures set out in parts 8 and 9 of this Article, the domain name of the relevant Internet site, its network address and links to the web-pages of the Internet site, which make it possible to identify information processed in breach of personal data laws of the Russian Federation, as well as other data about such site and information shall be sent through the automated IT system to the communication operators to restrict access to the given information resource, including the network address, domain name, and links to web-pages of the relevant Internet site.
11. The federal executive authority that exercises control and supervision in the field of mass media, mass communications, information technology and telecommunications or the operator of the Register of Infringers engaged by such federal executive authority in accordance with part 4 of this Article shall delete the domain name, link to the web-page of the Internet site or network address, which make it possible to locate the site on the Internet, from the register upon application of the Internet site owner, hosting provider or communication operator within three days after such application, provided that measures have been taken to rectify the breach of personal data laws of the Russian Federation or if there is an effective judicial act cancelling the previous judicial decision.
12. The procedure for interaction between the operator of the Register of Infringers and the hosting provider and for obtaining access to information in such register by the communication operator shall be determined by the federal executive authority empowered by the Government of the Russian Federation."

2) clause 7 shall be added to part 4 of Article 16 to read as follows:
"7) location, within the Russian Federation, of databases used to collect, record, systematize, accumulate, store, clarify (update or modify), and retrieve personal data of citizens of the Russian Federation.".

Article 2

The following amendments shall be made to Federal Law dated July 27, 2006 No. 152-FZ On Personal Data (Code of Laws of the Russian Federation, 2006, No. 31, Article 3451; 2011, No. 31, Article 4701):
1) part 5 shall be added to Article 18 to read as follows:
"5. During personal data collection, inter alia, through the Internet, the operator shall ensure that databases located within the Russian Federation are used to record, systematize, accumulate, store, clarify (update or modify) and retrieve personal data of citizens of the Russian Federation, except for cases specified in clauses 2, 3, 4, 8 of part 1 of Article 6 of this Federal Law."
2) clause 10.1 shall be added to part 3 of Article 22 to read as follows:
"10.1) information about the location of database containing personal data of citizens of the Russian Federation;";
3) clause 3.1 shall be added to part 3 of Article 23 to read as follows:
"3.1) restrict access to information processed in breach of personal data laws of the Russian Federation, in accordance with the procedure stipulated by legislation of the Russian Federation;".

Article 3

Clauses 19 and 20 shall be added to part 3.1 of Article 1 of Federal Law dated December 26, 2008 No. 294-FZ On the Protection of Rights of Legal Entities and Individual Entrepreneurs During Governmental Control (Supervision) and Municipal Control (Code of Laws of the Russian Federation, 2008, No. 52, Article 6249; 2009, No. 18, Article 2140; No. 29, Article 3601; No. 52, Article 6441; 2010, No. 17, Article 1988; No. 31, Article 4160, 4193; 2011, No. 17, Article 2310; No. 30, Article 4590; No. 48, Article 6728; 2012, No. 26, Article 3446; 2013, No. 27, Article 3477; No. 30, Article 4041; No. 52, Article 6961, 6979, 6981; Rossiyskaya Gazeta, June 25, 2014):
"19) control of compliance with requirements arising out of distribution of information on the Internet;
20) control and supervision over personal data processing.".

Article 4

This Federal Law shall enter into force on September 1, 2016.

President
of the Russian Federation
V. PUTIN


Moscow, The Kremlin
July 21, 2014
No. 242-FZ

 

Federal Law No. 242-FZ of July 21, 2014 on Amending Some Legislative Acts of the Russian Federation in as Much as It Concerns Updating the Procedure for Personal Data Processing in Information-Telecommunication Networks (with Amendments and Additions) (English version) (Федеральный закон от 21 июля 2014 г. N 242-ФЗ "О внесении изменений в отдельные законодательные акты Российской Федерации в части уточнения порядка обработки персональных данных в информационно-телекоммуникационных сетях" Англ. версия)

 

Время публикации: 23.05.2016 12:17
Последнее изменение: 23.05.2016 12:24

Портал персональныеданные.дети