Federal law on personal data of the Russian Federation

July 27, 2006 No. 152-FZ

Adopted by the State Duma on July 8, 2006

Approved by the Federation Council on July 14, 2006
(ed. Federal laws of 25.11.2009 No. 266-FZ,
of 27.12.2009 No. 363-FZ, of 28.06.2010 No. 123-FZ,
of 27.07.2010 No. 204-FZ, of 27.07.2010 No. 227-FZ,
of 29.11.2010 No. 313-FZ, of 23.12.2010 No. 359-FZ,
of 04.06.2011 No. 123-FZ, of 25.07.2011 No. 261-FZ,
of 05.04.2013 No. 43-FZ, of 23.07.2013 No. 205-FZ,
of 21.12.2013 No. 363-FZ, of 04.06.2014 No. 142-FZ,
of 03.07.2016 No. 231-FZ, of 22.02.2017 No. 16-FZ,
of 01.07.2017 No. 148-FZ, of 29.07.2017 No. 223-FZ,
of 31.12.2017 No. 498-FZ)

Chapter 1. General provisions
Article 1. Scope of this Federal law
1. This Federal law regulates relations connected with the processing of personal data carried out by Federal bodies of state power, bodies of state power of subjects of the Russian Federation, other state bodies (hereinafter - state bodies), local governments, other municipal bodies (hereinafter - municipal authorities), legal entities and individuals using automation tools, including in information and telecommunications networks, or without using such tools, if the processing of personal data without using such tools corresponds to the nature of actions (operations) performed with personal data using automation tools, that is, allows searching, in accordance with a specified algorithm, for personal data recorded on a physical medium and contained in card files or other systematic collections of personal data, and (or) access to such personal data.

(part 1 in ed. Federal law No. 261-FZ of 25.07.2011)

2. This Federal law shall not apply to relations arising from:

1) processing of personal data by individuals exclusively for personal and family needs, if this does not violate the rights of personal data subjects;

2) organization of storage, acquisition, accounting and use of documents containing personal data of the Archive Fund of the Russian Federation and other archival documents in accordance with the legislation on archival business in the Russian Federation;

3) no longer valid. - Federal law No. 261-FZ of 25.07.2011;

4) processing of personal data classified as a state secret in accordance with the established procedure;

5) no longer valid. - Federal law No. 223-FZ of 29.07.2017.

3. Providing, distributing, transmitting and receiving information about the activities of courts in the Russian Federation containing personal data, maintaining and using information systems and information and telecommunications networks in order to create conditions for access to this information shall be carried out in accordance with Federal law No. 262-FZ of December 22, 2008 "On ensuring access to information about the activities of courts in the Russian Federation".

(part 3 was introduced by Federal law No. 223-FZ of 29.07.2017)

Article 2. Purpose of this Federal law
The purpose of this Federal law is to ensure the protection of human and civil rights and freedoms when processing their personal data, including the protection of the rights to privacy, personal and family secrets.

Article 3. Basic concepts used in this Federal law
(ed. Federal law No. 261-FZ of 25.07.2011)

For the purposes of this Federal law, the following basic concepts are used:

1) personal data - any information relating directly or indirectly to a specific or identifiable individual (subject of personal data);

2) operator - a state body, municipal body, legal entity or individual who independently or jointly with other persons organizes and (or) performs the processing of personal data, as well as determines the purposes of processing personal data, the composition of personal data to be processed, actions (operations) performed with personal data;

3) personal data processing - any action (operation) or set of actions (operations) performed with or without the use of automation tools with personal data, including collection, recording, systematization, accumulation, storage, clarification (update, change), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data;

4) automated processing of personal data - processing of personal data using computer technology;

5) dissemination of personal data - actions aimed at disclosure of personal data to an indefinite circle of persons;

6) provision of personal data - actions aimed at disclosure of personal data to a certain person or a certain circle of persons;

7) blocking of personal data - temporary termination of processing of personal data (except for cases when processing is necessary to clarify personal data);

8) destruction of personal data - actions that make it impossible to restore the content of personal data in the personal data information system and (or) as a result of which the material carriers of personal data are destroyed;

9) depersonalization of personal data - actions that make it impossible to determine, without using additional information, whether personal data belongs to a specific personal data subject;

10) personal data information system - a set of personal data contained in databases and information technologies and technical means that ensure their processing;

11) cross-border transfer of personal data - transfer of personal data to the territory of a foreign state to a foreign state authority, a foreign individual or a foreign legal entity.

Article 4. Legislation of the Russian Federation in the field of personal data
1. The legislation of the Russian Federation in the field of personal data is based on the Constitution of the Russian Federation and international agreements of the Russian Federation and consists of this Federal law and other Federal laws defining the cases and features of personal data processing.

2. On the basis of and in pursuance of Federal laws, state bodies, the Bank of Russia, and local self-government bodies may, within their powers, adopt regulatory legal acts, regulations, and legal acts (hereinafter referred to as regulatory legal acts) on specific issues related to the processing of personal data. Such acts may not contain provisions that restrict the rights of personal data subjects, establish restrictions on the activities of operators not provided for by Federal laws, or impose on operators duties not provided for by Federal laws, and are subject to official publication.

(part 2 in ed. Federal law No. 261-FZ of 25.07.2011)

3. The specifics of personal data processing performed without the use of automation tools may be established by Federal laws and other regulatory legal acts of the Russian Federation, taking into account the provisions of this Federal law.

4. If an international agreement of the Russian Federation establishes rules other than those provided for by this Federal law, the rules of the international agreement shall apply.

Chapter 2. Principles and conditions of personal data processing
Article 5. Principles of personal data processing
(as amended by Federal law No. 261-FZ of 25.07.2011)

1. The processing of personal data must be carried out on a legal and fair basis.

2. The processing of personal data must be limited to the achievement of specific, predetermined and legitimate goals. Personal data processing that is incompatible with the purposes of personal data collection is not allowed.

3. It is not allowed to combine databases containing personal data that are processed for purposes incompatible with each other.

4. Only personal data that meets the purposes of its processing shall be processed.

5. The content and scope of the personal data processed must correspond to the declared purpose of processing. The personal data processed must not be excessive in relation to the stated purposes of their processing.

6. When processing personal data, the accuracy of personal data, its sufficiency, and, if necessary, its relevance to the purposes of personal data processing must be ensured. The operator must take the necessary measures or ensure that they are taken to delete or clarify incomplete or inaccurate data.

7. The storage of personal data must be carried out in a form that allows determining the subject of personal data, no longer than the purposes of personal data processing require, unless the period for storing personal data is established by Federal law, an agreement to which the subject of personal data is a party, beneficiary or guarantor. The processed personal data is subject to destruction or depersonalization upon achievement of the processing goals or in case of loss of the need to achieve these goals, unless otherwise provided by Federal law.

Article 6. Terms of personal data processing
(ed. Federal law No. 261-FZ of 25.07.2011)

1. Personal data processing must be carried out in compliance with the principles and rules provided for by this Federal law. Personal data processing is allowed in the following cases:

1) personal data processing is carried out with the consent of the personal data subject to the processing of his personal data;