Adopted by the State Duma on July 8, 2006
Approved by the Federation Council on July 14, 2006

Chapter 1. General provisions

Article 1 Scope of this Federal Law

1. This Federal Law regulates relations related to the processing of personal data carried out by federal government bodies, government bodies of subjects Russian Federation, other state bodies (hereinafter referred to as state bodies), local authorities, municipal bodies (hereinafter referred to as municipal bodies) that are not part of the system of local self-government bodies, legal entities, individuals using automation tools or without using such tools, if the processing of personal data without the use of such means corresponds to the nature of the actions (operations) performed with personal data using automation tools.

2. This Federal Law does not apply to relations arising from:

1) processing of personal data by individuals solely for personal and family needs, if the rights of personal data subjects are not violated;

2) organization of storage, acquisition, accounting and use of documents containing personal data of the Archival Fund of the Russian Federation and other archival documents in accordance with the legislation on archiving in the Russian Federation;

3) processing to be included in a single State Register individual entrepreneurs of information about individuals, if such processing is carried out in accordance with the legislation of the Russian Federation in connection with the activities of an individual as an individual entrepreneur;

4) processing of personal data classified in accordance with the established procedure as information constituting a state secret.

Article 2 Purpose of this Federal Law

The purpose of this Federal Law is to ensure the protection of the rights and freedoms of a person and citizen in the processing of his personal data, including the protection of the rights to privacy, personal and family secrets.

Article 3 Basic concepts used in this Federal Law

For the purposes of this Federal Law, the following basic concepts are used:

1) personal data - any information relating to an individual identified or determined on the basis of such information (subject of personal data), including his last name, first name, patronymic, year, month, date and place of birth, address, family, social, property status, education, profession, income, other information;

2) operator - a state body, municipal body, legal or natural person organizing and (or) carrying out the processing of personal data, as well as determining the purposes and content of the processing of personal data;

3) processing of personal data - actions (operations) with personal data, including collection, systematization, accumulation, storage, clarification (updating, changing), use, distribution (including transfer), depersonalization, blocking, destruction of personal data;

4) dissemination of personal data - actions aimed at the transfer of personal data to a certain circle of persons (transfer of personal data) or to familiarization with personal data of an unlimited number of persons, including the disclosure of personal data in the media, placement in information and telecommunication networks or provision access to personal data in any other way;

5) use of personal data - actions (operations) with personal data performed by the operator in order to make decisions or perform other actions that give rise to legal consequences in relation to the subject of personal data or other persons or otherwise affect the rights and freedoms of the subject of personal data or other persons;

6) blocking of personal data - temporary suspension of the collection, systematization, accumulation, use, distribution of personal data, including their transfer;

7) destruction of personal data - actions as a result of which it is impossible to restore the content of personal data in the information system of personal data or as a result of which material carriers of personal data are destroyed;

8) depersonalization of personal data - actions as a result of which it is impossible to determine the ownership of personal data by a specific subject of personal data;

9) personal data information system - an information system, which is a collection of personal data contained in a database, as well as information technologies and technical means allowing the processing of such personal data with or without the use of automation tools;

10) confidentiality of personal data - a mandatory requirement for an operator or other person who has gained access to personal data to prevent their distribution without the consent of the subject of personal data or other legal grounds;

11) cross-border transfer of personal data - transfer of personal data by an operator across the State Border of the Russian Federation to an authority of a foreign state, an individual or legal entity of a foreign state;

12) publicly available personal data - personal data, access to which is granted to an unlimited number of persons with the consent of the subject of personal data or which, in accordance with federal laws, is not subject to the requirement of confidentiality.

Article 4 Legislation of the Russian Federation in the field of personal data

1. The legislation of the Russian Federation in the field of personal data is based on the Constitution of the Russian Federation and international treaties of the Russian Federation and consists of this Federal Law and other federal laws that determine the cases and features of the processing of personal data.

2. On the basis of and in pursuance of federal laws, state bodies, within their powers, may adopt regulatory legal acts on certain issues relating to the processing of personal data. Normative legal acts on certain issues related to the processing of personal data cannot contain provisions restricting the rights of subjects of personal data.

The specified regulatory legal acts are subject to official publication, with the exception of regulatory legal acts or certain provisions of such regulatory legal acts containing information, access to which is limited by federal laws.

3. Features of the processing of personal data carried out without the use of automation tools may be established by federal laws and other regulatory legal acts of the Russian Federation, subject to the provisions of this Federal Law.

4. If an international treaty of the Russian Federation establishes rules other than those provided for by this Federal Law, the rules of the international treaty shall apply.

Chapter 2 Principles and conditions for the processing of personal data

Article 5 Principles of personal data processing s

1. The processing of personal data should be carried out on the basis of the principles:

1) lawfulness of the purposes and methods of processing personal data and good faith;

2) compliance of the purposes of processing personal data with the purposes predetermined and declared during the collection of personal data, as well as the authority of the operator;

3) compliance of the volume and nature of the processed personal data, methods of processing personal data with the purposes of processing personal data;

4) the reliability of personal data, their sufficiency for the purposes of processing, the inadmissibility of processing personal data that is excessive in relation to the purposes stated when collecting personal data;

5) the inadmissibility of combining databases of personal data information systems created for mutually incompatible purposes.

2. The storage of personal data should be carried out in a form that allows to determine the subject of personal data, no longer than required by the purposes of their processing, and they are subject to destruction upon achievement of the purposes of processing or in case of loss of the need to achieve them.

Article 6 Conditions for the processing of personal data

1. The processing of personal data may be carried out by the operator with the consent of the subjects of personal data, with the exception of cases provided for in paragraph 2 of this article.

2. The consent of the subject of personal data, provided for in paragraph 1 of this article, is not required in the following cases:

1) the processing of personal data is carried out on the basis of a federal law that establishes its purpose, the conditions for obtaining personal data and the circle of subjects whose personal data is subject to processing, as well as determining the powers of the operator;

2) the processing of personal data is carried out in order to fulfill the contract, one of the parties to which is the subject of personal data;

3) the processing of personal data is carried out for statistical or other scientific purposes, subject to the mandatory depersonalization of personal data;

4) the processing of personal data is necessary to protect the life, health or other vital interests of the subject of personal data, if obtaining the consent of the subject of personal data is impossible;

5) the processing of personal data is necessary for the delivery postal items organizations postal service, for the implementation by telecommunication operators of settlements with users of communication services for the rendered communication services, as well as for consideration of claims of users of communication services;

6) the processing of personal data is carried out for the purposes of professional activity a journalist or for the purposes of scientific, literary or other creative activity, provided that this does not violate the rights and freedoms of the subject of personal data;

7) processing of personal data subject to publication in accordance with federal laws, including personal data of persons holding public positions, positions of the state civil service, personal data of candidates for elected state or municipal positions.

3. Features of the processing of special categories of personal data, as well as biometric personal data, are established respectively by Articles 10 and 11 of this Federal Law.

4. If the operator, on the basis of the contract, entrusts the processing of personal data to another person, the essential condition of the contract is the obligation of the said person to ensure the confidentiality of personal data and the security of personal data during their processing.

Article 7 Confidentiality of personal data

1. Operators and third parties gaining access to personal data must ensure the confidentiality of such data, except as provided for in paragraph 2 of this article.

2. Ensuring the confidentiality of personal data is not required:

1) in case of depersonalization of personal data;

2) in relation to publicly available personal data.

Article 8 Public sources of personal data

1. In order information support publicly available sources of personal data may be created (including directories, address books). Publicly available sources of personal data, with the written consent of the subject of personal data, may include his last name, first name, patronymic, year and place of birth, address, subscriber number, information about the profession and other personal data provided by the subject of personal data.

2. Information about the subject of personal data may be excluded from public sources of personal data at any time at the request of the subject of personal data or by decision of a court or other authorized state bodies.

Article 9 Consent of the subject of personal data to the processing of their personal data

1. The subject of personal data decides to provide his personal data and agrees to their processing by his own will and in his own interest, except for the cases provided for in paragraph 2 of this article. Consent to the processing of personal data may be withdrawn by the subject of personal data.

2. This Federal Law and other federal laws provide for cases of mandatory provision by the subject of personal data of their personal data in order to protect the foundations of the constitutional order, morality, health, rights and legitimate interests of others, to ensure the defense of the country and the security of the state.

3. The obligation to provide proof of obtaining the consent of the subject of personal data to the processing of his personal data, and in the case of processing publicly available personal data, the obligation to prove that the personal data being processed is publicly available, rests with the operator.

4. In the cases provided for by this Federal Law, the processing of personal data is carried out only with the consent in writing of the subject of personal data. The written consent of the subject of personal data to the processing of their personal data must include:

1) last name, first name, patronymic, address of the subject of personal data, number of the main document proving his identity, information about the date of issue of the specified document and the body that issued it;

2) name (last name, first name, patronymic) and address of the operator receiving the consent of the subject of personal data;

3) the purpose of processing personal data;

4) a list of personal data, for the processing of which the consent of the subject of personal data is given;

5) a list of actions with personal data for which consent is given, general description methods used by the operator for processing personal data;

6) the period during which the consent is valid, as well as the procedure for its withdrawal.

5. For the processing of personal data contained in the consent in writing of the subject to the processing of his personal data, additional consent is not required.

6. In case of incapacity of the subject of personal data, consent to the processing of his personal data is given in writing by the legal representative of the subject of personal data.

7. In the event of the death of the subject of personal data, consent to the processing of his personal data is given in writing by the heirs of the subject of personal data, if such consent was not given by the subject of personal data during his lifetime.

Article 10 Special categories of personal data

1. Processing of special categories of personal data relating to race, nationality, political views, religious or philosophical beliefs, health status, intimate life is not allowed, except as provided for in paragraph 2 of this article.

2. Processing of the special categories of personal data specified in paragraph 1 of this article is allowed in cases where:

1) the subject of personal data has given his consent in writing to the processing of his personal data;

2) personal data are publicly available;

3) personal data relate to the state of health of the subject of personal data and their processing is necessary to protect his life, health or other vital interests or the life, health or other vital interests of other persons, and obtaining the consent of the subject of personal data is impossible;

4) the processing of personal data is carried out for medical and preventive purposes, in order to establish a medical diagnosis, provide medical and medical and social services, provided that the processing of personal data is carried out by a person professionally engaged in medical activities and is obliged, in accordance with the legislation of the Russian Federation, to maintain medical secrecy ;

5) the processing of personal data of members (participants) of a public association or religious organization is carried out by the relevant public association or religious organization, acting in accordance with the legislation of the Russian Federation, in order to achieve the legitimate goals provided for by their constituent documents, provided that personal data will not be disseminated without written consent of personal data subjects;

6) the processing of personal data is necessary in connection with the administration of justice;

7) the processing of personal data is carried out in accordance with the legislation of the Russian Federation on security, on operational-search activities, as well as in accordance with the penitentiary legislation of the Russian Federation.

3. The processing of personal data on a criminal record may be carried out by state bodies or municipal bodies within the powers granted to them in accordance with the legislation of the Russian Federation, as well as by other persons in cases and in the manner determined in accordance with federal laws.

4. The processing of special categories of personal data, carried out in the cases provided for in parts 2 and 3 of this article, must be immediately terminated if the reasons for which the processing was carried out are eliminated.

Article 11 Biometric personal data

1. Information that characterizes the physiological characteristics of a person and on the basis of which his identity can be established (biometric personal data) can be processed only if there is a written consent of the subject of personal data, except for the cases provided for in paragraph 2 of this article.

2. The processing of biometric personal data may be carried out without the consent of the subject of personal data in connection with the administration of justice, as well as in cases provided for by the legislation of the Russian Federation on security, the legislation of the Russian Federation on operational-investigative activities, the legislation of the Russian Federation on public service, penitentiary the legislation of the Russian Federation, the legislation of the Russian Federation on the procedure for exit from the Russian Federation and entry into the Russian Federation.

Article 12 Cross-border transfer of personal data

1. Prior to the commencement of cross-border transfer of personal data, the operator is obliged to make sure that the foreign state, to whose territory the transfer of personal data is carried out, provides adequate protection of the rights of subjects of personal data.

2. Cross-border transfer of personal data on the territory of foreign states that provide adequate protection of the rights of subjects of personal data is carried out in accordance with this Federal Law and may be prohibited or limited in order to protect the foundations of the constitutional order of the Russian Federation, morality, health, rights and legitimate interests of citizens , ensuring the defense of the country and the security of the state.

3. Cross-border transfer of personal data on the territory of foreign states that do not provide adequate protection of the rights of subjects of personal data may be carried out in the following cases:

1) the consent in writing of the subject of personal data;

2) provided for by international treaties of the Russian Federation on the issuance of visas, as well as international treaties of the Russian Federation on the provision of legal assistance in civil, family and criminal cases;

3) provided for by federal laws, if this is necessary in order to protect the foundations of the constitutional order of the Russian Federation, to ensure the defense of the country and the security of the state;

4) execution of an agreement to which the subject of personal data is a party;

5) protection of life, health, other vital interests of the subject of personal data or other persons if it is impossible to obtain consent in writing from the subject of personal data.

Article 13. Features of the processing of personal data in state or municipal information systems of personal data

1. State bodies, municipal bodies create, within their powers established in accordance with federal laws, state or municipal information systems of personal data.

2. Federal laws may establish the specifics of accounting for personal data in state and municipal information systems of personal data, including the use various ways designation of the belonging of personal data contained in the relevant state or municipal information system of personal data to a specific subject of personal data.

3. The rights and freedoms of a person and a citizen cannot be limited for reasons related to the use of various methods of processing personal data or to designate the ownership of personal data contained in state or municipal information systems of personal data to a specific subject of personal data. It is not allowed to use methods that offend the feelings of citizens or degrade human dignity to indicate the ownership of personal data contained in state or municipal information systems of personal data to a specific subject of personal data.

4. In order to ensure the exercise of the rights of subjects of personal data in connection with the processing of their personal data in state or municipal information systems of personal data, a state register of the population may be created, the legal status of which and the procedure for working with which are established by federal law.

Chapter 3 Rights of the subject of personal data

Article 14 The right of the subject of personal data to access their personal data

1. The subject of personal data has the right to receive information about the operator, his location, whether the operator has personal data relating to the relevant subject of personal data, as well as to get acquainted with such personal data, except for the cases provided for by paragraph 5 of this article . The subject of personal data has the right to demand from the operator the clarification of his personal data, their blocking or destruction if the personal data is incomplete, outdated, unreliable, illegally obtained or not necessary for the stated purpose of processing, as well as take measures provided by law to protect their rights .

2. Information about the availability of personal data must be provided to the subject of personal data by the operator in an accessible form, and they should not contain personal data related to other subjects of personal data.

3. Access to your personal data is provided to the subject of personal data or his legal representative by the operator when applying or upon receiving a request from the subject of personal data or his legal representative. The request must contain the number of the main document proving the identity of the subject of personal data or his legal representative, information about the date of issue of the specified document and the authority that issued it, and a handwritten signature of the subject of personal data or his legal representative. The request can be submitted electronically and signed electronically. digital signature in accordance with the legislation of the Russian Federation.

4. The subject of personal data has the right to receive, upon application or upon receipt of a request, information regarding the processing of his personal data, including containing:

1) confirmation of the fact of processing personal data by the operator, as well as the purpose of such processing;

2) methods of processing personal data used by the operator;

3) information about persons who have access to personal data or who may be granted such access;

4) a list of processed personal data and the source of their receipt;

5) terms of personal data processing, including terms of their storage;

6) information about what legal consequences for the subject of personal data may entail the processing of his personal data.

5. The right of the subject of personal data to access their personal data is limited if:

1) the processing of personal data, including personal data obtained as a result of operational-search, counterintelligence and intelligence activities, is carried out for the purposes of national defense, state security and law enforcement;

2) the processing of personal data is carried out by bodies that detained the subject of personal data on suspicion of committing a crime, or charged the subject of personal data in a criminal case, or applied a measure of restraint to the subject of personal data before bringing charges, with the exception of those provided for by the criminal procedure legislation of the Russian Federation cases where it is allowed to familiarize the suspect or the accused with such personal data;

3) the provision of personal data violates the constitutional rights and freedoms of other persons.

Article 15

1. The processing of personal data in order to promote goods, works, services on the market by making direct contacts with a potential consumer using means of communication, as well as for the purposes of political campaigning, is allowed only with the prior consent of the subject of personal data. The specified processing of personal data is recognized as being carried out without the prior consent of the subject of personal data, unless the operator proves that such consent has been obtained.

2. The operator is obliged to immediately stop, at the request of the subject of personal data, the processing of his personal data, specified in part 1 of this article.

Article 16. Rights of personal data subjects when making decisions based solely on automated processing their personal data

1. It is prohibited to make decisions on the basis of exclusively automated processing of personal data that give rise to legal consequences in relation to the subject of personal data or otherwise affect his rights and legitimate interests, except for the cases provided for in paragraph 2 of this article.

2. A decision that gives rise to legal consequences in relation to the subject of personal data or otherwise affects his rights and legitimate interests can be made on the basis of exclusively automated processing of his personal data only with the consent in writing of the subject of personal data or in cases provided for by federal laws that also establish measures to ensure the observance of the rights and legitimate interests of the subject of personal data.

3. The operator is obliged to explain to the subject of personal data the procedure for making a decision on the basis of exclusively automated processing of his personal data and the possible legal consequences of such a decision, to provide an opportunity to object to such a decision, and also to explain the procedure for protecting the personal data subject of his rights and legitimate interests.

4. The operator is obliged to consider the objection specified in paragraph 3 of this article within seven working days from the date of its receipt and notify the subject of personal data of the results of consideration of such an objection.

Article 17 The right to appeal against the actions or omissions of the operator

1. If the subject of personal data believes that the operator processes his personal data in violation of the requirements of this Federal Law or otherwise violates his rights and freedoms, the subject of personal data has the right to appeal against the actions or inaction of the operator to the authorized body for the protection of the rights of subjects of personal data or to judicial order.

2. The subject of personal data has the right to protect his rights and legitimate interests, including compensation for losses and (or) compensation for moral damage in court.

Chapter 4 Operator Responsibilities

Article 18 Obligations of the operator when collecting personal data

1. When collecting personal data, the operator is obliged to provide the subject of personal data, at his request, with the information provided for by Part 4 of Article 14 of this Federal Law.

2. If the obligation to provide personal data is established by federal law, the operator is obliged to explain to the subject of personal data the legal consequences of a refusal to provide their personal data.

3. If personal data was not received from the subject of personal data, except in cases where personal data was provided to the operator on the basis of federal law or if personal data is publicly available, the operator, prior to the processing of such personal data, is obliged to provide the subject of personal data with the following information:

1) name (surname, name, patronymic) and address of the operator or his representative;

2) the purpose of processing personal data and its legal basis;

3) intended users of personal data;

4) the rights of the subject of personal data established by this Federal Law.

Article 19 Measures to ensure the security of personal data during their processing

1. When processing personal data, the operator is obliged to take the necessary organizational and technical measures, including the use of encryption (cryptographic) means, to protect personal data from unauthorized or accidental access to them, destruction, modification, blocking, copying, distribution of personal data, and also from other illegal actions.

2. The Government of the Russian Federation establishes requirements for ensuring the security of personal data during their processing in personal data information systems, requirements for material carriers of biometric personal data and technologies for storing such data outside personal data information systems.

3. Control and supervision over the fulfillment of the requirements established by the Government of the Russian Federation in accordance with part 2 of this article shall be carried out by the federal executive body authorized in the field of security and the federal executive body authorized in the field of countering technical intelligence and technical protection of information, within their powers and without the right to get acquainted with personal data processed in personal data information systems.

4. The use and storage of biometric personal data outside personal data information systems can be carried out only on such material media and using such storage technology that ensures the protection of these data from unauthorized or accidental access to them, destruction, modification, blocking, copying, distribution.

Article 20

1. The operator is obliged, in accordance with the procedure provided for in Article 14 of this Federal Law, to inform the subject of personal data or his legal representative of information about the availability of personal data relating to the relevant subject of personal data, as well as to provide an opportunity to familiarize themselves with them when contacting the subject of personal data or his legal representative. representative or within ten working days from the date of receipt of the request of the subject of personal data or his legal representative.

2. In case of refusal to provide the subject of personal data or his legal representative, upon contacting or upon receipt of a request from the subject of personal data or his legal representative, information about the availability of personal data about the relevant subject of personal data, as well as such personal data, the operator is obliged to give in writing a reasoned a response containing a reference to the provision of Part 5 of Article 14 of this Federal Law or another federal law, which is the basis for such a refusal, within a period not exceeding seven business days from the date of the request of the subject of personal data or his legal representative, or from the date of receipt of the request of the subject of personal data or his legal representative.

3. The operator is obliged to provide the subject of personal data or his legal representative free of charge with the opportunity to familiarize himself with the personal data relating to the relevant subject of personal data, as well as to make the necessary changes to them, destroy or block the relevant personal data upon the provision by the subject of personal data or his legal representative of the information confirming that the personal data related to the respective subject and processed by the operator are incomplete, outdated, unreliable, illegally obtained or not necessary for the stated purpose of processing. The operator is obliged to notify the subject of personal data or his legal representative and third parties to whom the personal data of this subject were transferred about the changes made and the measures taken.

4. The operator is obliged to inform the authorized body for the protection of the rights of subjects of personal data, at its request, the information necessary for the implementation of the activities of the said body, within seven working days from the date of receipt of such a request.

Article 21

1. In the event that inaccurate personal data or illegal actions with them by the operator are detected at the request or at the request of the subject of personal data or his legal representative or the authorized body for the protection of the rights of subjects of personal data, the operator is obliged to block personal data relating to the relevant subject of personal data, with the moment of such request or receipt of such request for the period of verification.

2. In case of confirmation of the fact of inaccuracy of personal data, the operator, on the basis of documents submitted by the subject of personal data or his legal representative or an authorized body for the protection of the rights of subjects of personal data, or other necessary documents, is obliged to clarify personal data and remove their blocking.

3. In case of detection of illegal actions with personal data, the operator, within a period not exceeding three working days from the date of such detection, is obliged to eliminate the violations committed. If it is impossible to eliminate the committed violations, the operator, within a period not exceeding three working days from the date of detection of illegal actions with personal data, is obliged to destroy personal data. The operator is obliged to notify the subject of personal data or his legal representative about the elimination of the violations committed or the destruction of personal data, and if the appeal or request was sent by the authorized body for the protection of the rights of subjects of personal data, also the specified body.

4. If the goal of processing personal data is achieved, the operator is obliged to immediately stop processing personal data and destroy the relevant personal data within a period not exceeding three working days from the date the goal of processing personal data is achieved, unless otherwise provided by federal laws, and notify the subject of personal data about this. data or his legal representative, and if the appeal or request was sent by the authorized body for the protection of the rights of subjects of personal data, also the specified body.

5. In the event that the subject of personal data withdraws consent to the processing of his personal data, the operator is obliged to stop processing personal data and destroy personal data within a period not exceeding three working days from the date of receipt of the said withdrawal, unless otherwise provided by an agreement between the operator and the subject of personal data. The operator is obliged to notify the subject of personal data about the destruction of personal data.

Article 22 Notice of personal data processing

1. Before the processing of personal data, the operator is obliged to notify the authorized body for the protection of the rights of subjects of personal data of his intention to process personal data, except for the cases provided for in part 2 of this article.

2. The operator has the right to carry out, without notifying the authorized body for the protection of the rights of subjects of personal data, the processing of personal data:

1) relating to personal data subjects who are associated with the operator by labor relations;

2) received by the operator in connection with the conclusion of an agreement to which the subject of personal data is a party, if personal data is not distributed, and is not provided to third parties without the consent of the subject of personal data and is used by the operator solely for the execution of the said agreement and the conclusion of contracts with the subject of personal data;

3) relating to members (participants) of a public association or religious organization and processed by the relevant public association or religious organization acting in accordance with the legislation of the Russian Federation to achieve the legitimate goals provided for by their constituent documents, provided that personal data will not be disseminated without written consent of personal data subjects;

4) being publicly available personal data;

5) including only last names, first names and patronymics of personal data subjects;

6) necessary for the purpose of a single pass of the subject of personal data to the territory where the operator is located, or for other similar purposes;

7) included in personal data information systems that, in accordance with federal laws, have the status of federal automated information systems, as well as in state personal data information systems created in order to protect state security and public order;

8) processed without the use of automation tools in accordance with federal laws or other regulatory legal acts of the Russian Federation that establish requirements for ensuring the security of personal data during their processing and for observing the rights of personal data subjects.

3. The notification provided for by paragraph 1 of this article must be sent in writing and signed by an authorized person or sent in electronic form and signed with an electronic digital signature in accordance with the legislation of the Russian Federation. The notice must contain the following information:

1) name (surname, name, patronymic), address of the operator;

2) the purpose of processing personal data;

5) legal basis for the processing of personal data;

6) a list of actions with personal data, a general description of the methods used by the operator to process personal data;

7) a description of the measures that the operator undertakes to take when processing personal data, to ensure the security of personal data during their processing;

8) date of commencement of personal data processing;

9) the term or condition for terminating the processing of personal data.

4. The authorized body for the protection of the rights of subjects of personal data, within thirty days from the date of receipt of the notification on the processing of personal data, enters the information specified in paragraph 3 of this article, as well as information on the date of sending the said notification to the register of operators. The information contained in the register of operators, with the exception of information about the means of ensuring the security of personal data during their processing, is publicly available.

5. The operator cannot be charged expenses in connection with the consideration of the notification of the processing of personal data by the authorized body for the protection of the rights of subjects of personal data, as well as in connection with the entry of information into the register of operators.

6. In case of provision of incomplete or unreliable information specified in paragraph 3 of this article, the authorized body for the protection of the rights of subjects of personal data has the right to require the operator to clarify the information provided before they are entered in the register of operators.

7. In case of changes in the information specified in part 3 of this article, the operator is obliged to notify the authorized body for the protection of the rights of personal data subjects of the changes within ten working days from the date of occurrence of such changes.

Chapter 5. Control and supervision of the processing of personal data. Responsibility for violation of the requirements of this Federal Law

Article 23 Authorized body for the protection of the rights of subjects of personal data

1. The authorized body for the protection of the rights of subjects of personal data, which is entrusted with ensuring control and supervision over the compliance of the processing of personal data with the requirements of this Federal Law, is the federal executive body exercising the functions of control and supervision in the field of information technology and communications.

2. The authorized body for the protection of the rights of subjects of personal data considers the appeals of the subject of personal data on the compliance of the content of personal data and methods of their processing with the purposes of their processing and makes an appropriate decision.

3. The authorized body for the protection of the rights of subjects of personal data has the right:

1) request from individuals or legal entities information necessary for the exercise of their powers, and receive such information free of charge;

2) verify the information contained in the notification on the processing of personal data, or involve other state bodies within their powers to carry out such verification;

3) require the operator to clarify, block or destroy false or illegally obtained personal data;

4) take measures in accordance with the procedure established by the legislation of the Russian Federation to suspend or terminate the processing of personal data carried out in violation of the requirements of this Federal Law;

5) apply to the court with statements of claim in defense of the rights of personal data subjects and represent the interests of personal data subjects in court;

6) send an application to the body licensing the activities of the operator to consider the issue of taking measures to suspend or cancel the relevant license in accordance with the procedure established by the legislation of the Russian Federation, if the condition of the license to carry out such activities is a prohibition on the transfer of personal data to third parties without the consent of the written form of the subject of personal data;

7) send materials to the prosecutor's office, other law enforcement agencies to resolve the issue of initiating criminal cases on the grounds of crimes related to violation of the rights of subjects of personal data, in accordance with jurisdiction;

8) submit proposals to the Government of the Russian Federation on improving the legal regulation of the protection of the rights of subjects of personal data;

9) bring to administrative responsibility persons guilty of violating this Federal Law.

4. With regard to personal data that became known to the authorized body for the protection of the rights of subjects of personal data in the course of its activities, the confidentiality of personal data must be ensured.

5. The authorized body for the protection of the rights of subjects of personal data is obliged to:

1) organize, in accordance with the requirements of this Federal Law and other federal laws, the protection of the rights of subjects of personal data;

2) consider complaints and appeals of citizens or legal entities on issues related to the processing of personal data, as well as make decisions within their powers based on the results of consideration of these complaints and appeals;

3) maintain a register of operators;

4) take measures aimed at improving the protection of the rights of subjects of personal data;

5) take, in accordance with the procedure established by the legislation of the Russian Federation, on the proposal of the federal executive body authorized in the field of security, or the federal executive body authorized in the field of countering technical intelligence and technical protection of information, measures to suspend or terminate the processing of personal data;

6) inform state bodies, as well as subjects of personal data on their requests or requests about the state of affairs in the field of protection of the rights of subjects of personal data;

7) perform other duties provided for by the legislation of the Russian Federation.

6. Decisions of the authorized body for the protection of the rights of subjects of personal data may be appealed in court.

7. The authorized body for the protection of the rights of subjects of personal data annually sends a report on its activities to the President of the Russian Federation, the Government of the Russian Federation and the Federal Assembly of the Russian Federation. The specified report is subject to publication in mass media.

8. Financing of the authorized body for the protection of the rights of subjects of personal data is carried out at the expense of the federal budget.

9. Under the authorized body for the protection of the rights of subjects of personal data, an advisory council is created on a voluntary basis, the procedure for the formation and operation of which are determined by the authorized body for the protection of the rights of subjects of personal data.

Article 24 Responsibility for violation of the requirements of this Federal Law

Persons guilty of violating the requirements of this Federal Law shall bear civil, criminal, administrative, disciplinary and other liability provided for by the legislation of the Russian Federation.

Chapter 6 Final provisions

Article 25 Final provisions

1. This Federal Law shall enter into force one hundred and eighty days after the day of its official publication.

2. After the day this Federal Law comes into force, the processing of personal data included in personal data information systems until the day it comes into force is carried out in accordance with this Federal Law.

3. Personal data information systems created prior to the effective date of this Federal Law must be brought into line with the requirements of this Federal Law no later than January 1, 2010.

4. Operators that process personal data before the date of entry into force of this Federal Law and continue to carry out such processing after the date of its entry into force are required to send to the authorized body for the protection of the rights of subjects of personal data, except for the cases provided for by Part 2 of Article 22 of this Federal Law, the notification provided for by Part 3 of Article 22 of this Federal Law, no later than January 1, 2008.

The president
Russian Federation
V. Putin

By posting information about themselves on social networks, not all of our citizens understand that it can be used to build their profile. The National Bureau of Credit Histories JSC (“NBKI”) was actively involved in the collection and processing of such information.

In May 2017, the Moscow Arbitration Court considered case No. A40-5250/17, in which the court had to assess the legality of processing such personal data.

The essence of the dispute

In August 2016, the Roskomnadzor Office for the Central Federal District conducted a scheduled on-site inspection of JSC National Bureau of Credit Histories (NBKI) in terms of compliance of personal data processing activities with legal requirements.

Based on the results of the audit, an audit report was drawn up and an order was issued to eliminate the identified violation.

Having assessed the prescription regarding the need to include in the notification of the authorized body the data of individuals (clients or potential clients of a financial organization) from open sources of information transmitted to a financial organization, obtained using the Double Data Social Link service - web link, search result about a client or potential client , and the Double Data Social Attributes service - processing the profile of the desired individual in open sources information (clause 1), as well as in terms of indicating a violation of the requirements of the law in the form of a lack of consent to the processing of personal data contained in open sources (social networks: VKontakte, Odnoklassniki, MoiMir, Instragram, Twitter; Internet portals Avito and Avto.ru) personal data a client or a potential client of a financial institution, as part of the provision of a service based on the “big data” service ( those. "big data") - illegal and violating the rights and legitimate interests of society in the field of entrepreneurial and other economic activities, the latter filed a claim with the arbitration court.

The position of the Arbitration Court of the city of Moscow

With regard to the present case, the court noted that the processing of personal data is allowed in particular in the following cases:

• PD processing is carried out with the consent of the PD subject to the processing of his personal data (clause 1 part 1);
• Processing of personal data is carried out, access of an unlimited number of persons to which is provided by the PD subject or at his request (personal data made public by the PD subject) (clause 10, part 1);

Thus, speaking about personal data made public by the PD subject, two conditions are necessary:

• Personal data is available to an indefinite circle of persons;
• Personal data provided directly by the subject.

Without the written consent of the PD subject, it is not possible to assert that they were provided to them.

According to the court, personal data made public by a PD subject can only be contained in publicly available PD sources.

The court concluded that information about the subject (including personal data) contained in social networks (on the Internet) cannot be classified as PD made public by the subject, since social networks are not a source of publicly available PD in relation to the provision of Article 8 of the Law.

The court also noted that the information posted by its owners on the Internet in a format that allows automated processing without prior modification by a person in order to reuse it is public information posted in the form of open data (Article 7 of the Federal Law of July 27, 2006 No. 149-FZ "On Information, Information Technologies and Information Protection").

My comment: Well, here the court is slightly "bent"; open data is a completely different story!

The court concluded that the personal data processed by JSC "NBKI" in social networks were not made publicly available by the PD subject, and therefore violations of part 3 of article 22 and paragraph 1 of part 1 of article 6 of the Federal Law of July 27, 2006 No. 152-FZ "On Personal Data".

The Arbitration Court refused in full to satisfy the application of NBKI JSC to invalidate paragraphs 1 and 4 of the instructions of the Roskomnadzor Office for the Central Federal District.

Position of the Ninth Arbitration Court of Appeal

The Ninth Arbitration Court of Appeal noted in July 2017 that the company was included in the register of operators processing personal data under the number 08-0031682.

As part of this type of activity, the company processes personal data of customers, potential customers of financial organizations contained in open sources (social networks: VKontakte, Odnoklassniki, MoiMir, Instragram, Twitter; Avito and Avto.ru Internet portals). The company does not have the consent of customers to the processing of such data.

The Company believes that it has the right to process personal data about persons without their consent. According to the court, the society did not take into account the following.

According to the Court of Appeal, personal data processed by the company contained in open sources (social networks: VKontakte, Odnoklassniki, MoiMir, Instragram, Twitter; Internet portals Avito and Avto.ru) are not publicly available. Within the meaning of the Law on Personal Data, the placement of personal data in these open sources does not automatically make them publicly available. Therefore, the processing of such data without the consent of the subject is not allowed.

The Ninth Arbitration Court of Appeal upheld the decision of the Moscow Arbitration Court and left the appeal unsatisfied.

Arbitration Court of the Moscow District in November 2017, left unchanged the decision of the Arbitration Court of the city of Moscow and the decision of the Ninth Arbitration Court of Appeal, and the cassation appeal was not satisfied.

Position of the Supreme Court of the Russian Federation

In January 2018, a judge of the Supreme Court of the Russian Federation (determination No. 305-KG17-21291) refused to transfer the cassation appeal to JSC National Bureau of Credit Histories for consideration in a judicial session of the Judicial Collegium for Economic Disputes of the Supreme Court of the Russian Federation.

My comment: Processing information from social networks- a widespread method of collecting and analyzing information about people and organizations, and now only lazy people are not engaged in collecting such information about their customers and counterparties. The harsh truth of life is that those who do not check their potential employees, clients and contractors in this way are not really exercising due business prudence. Those who are more cunning try to talk less about it in public, and, if possible, not pronounce the word “personal data”.

The collection of information about citizens inevitably entails the problem of the legality of such actions, since any information about citizens is their personal data.

I note that no matter what instructions Roskomnadzor issues, if obtaining such information allows commercial organizations to seriously reduce the risks of financial losses, its processing will still continue. Well, except that lawyers who come up with a legal “cover” for this activity will earn some extra money :)

Article 8. Publicly available sources of personal data

Commentary on Article 8

1. The commented article is devoted to the so-called public sources of personal data that are available to an indefinite circle of persons. Such sources include, in particular, directories (for example, persons living in an apartment building; employees of the operator, etc.) or address books. At the same time, the norms of this article apply only to those public sources that are created on the initiative of the operator, and not as part of the fulfillment by him of the requirements of the legislation on the disclosure or publication of certain information (clause 11, part 1, article 6 of the Personal Data Law). Thus, it does not apply to information contained in the Unified State Register of Legal Entities, as well as in other registers formed in accordance with the legislation of the Russian Federation (Decree of the Presidium of the Nizhny Novgorod Regional Court dated July 6, 2016 in case N 44g-49 / 2016; Appeal ruling of the Tambov Regional Court February 15, 2016 in case No. 33-500/2016). The mode of using and changing the information contained in this information is determined by the requirements of the legislation and is based on the principle of openness and reliability of data stored in state information systems. So, in accordance with part 9 of Art. 14 of the Law on Information, state bodies are obliged to ensure the reliability and relevance of the information contained in the state information system, access to this information in cases and in the manner prescribed by law, as well as protection of this information from unauthorized access, destruction, modification, blocking, copying, provision, distribution and other illegal actions.
2. The provisions contained in the commented article should be distinguished from the norms of paragraph 10 of part 1 of Art. 6 and paragraph 2, part 2 of Art. 10 of the Law on Personal Data, establishing the grounds for the processing of personal data in the absence of the consent of the subject. In the first case, we are talking about the conditions for the legitimacy of the initial distribution of personal data by the operator and giving them the status of publicly available, in the second case, about the processing by interested parties of personal data that already are publicly available, including by users of such publicly available sources.
3. The format and composition of data included in public sources of personal data are determined by the operator. At the same time, such personal data as last name, first name, patronymic, year and place of birth, address, subscriber number, information about the profession can be included in public sources based on the data available to the operator, and only the subject himself can act as a source of other types of personal data. , which is unambiguously indicated by the word "reported".
4. The main condition for the creation and use by the operator of a public source of personal data is to obtain consent to this from each subject whose personal data is included in such a source. At the same time, the Law does not make any exceptions from these provisions, in connection with which the inclusion by the operator of personal data that has already been made publicly available with the consent of their subject earlier in the source of public data created by such an operator still requires the consent of the subject. This is largely due to the fact that the creation of databases containing personal data in itself carries certain risks for their subjects, and therefore must be authorized by them. Such consent must meet the requirements set out in Art. 9 of the Law on Personal Data.
5. In accordance with part 2 of the commented article, the operator of a publicly available source of personal data is obliged to exclude information about the subject based on the application of such a subject, a court decision or the request of an authorized body (for example, the prosecutor's office or Roskomnadzor). The norm under consideration does not establish a period during which the operator must delete information that is personal data, in connection with which it is thought that the provisions of Part 1 of Art. 21 of the Law on Personal Data, by virtue of which the operator must block access to such data from the moment the subject requests it, i.e. immediately. As a result of these actions, the data ceases to be available to third parties and loses the status of public data, including for the purposes of applying the provisions of paragraph 10 of part 1 of Art. 6 of the Law on Personal Data on the admissibility of processing such data without the consent of the subject. The refusal of the operator to satisfy the requirements of the subject of personal data to exclude his data from a public source in the manner of Part 2 of Art. 8 of the Law on Personal Data gives the subject the right to appeal this refusal or inaction of the operator to Roskomnadzor or in court (see commentary to article 17 of this Law).
6. European legislation contains provisions governing subscriber directories (directories of subscribers). In accordance with Art. 12 Directive 2002/58/EC on the protection of privacy in telecommunications establishes the following requirements:
- subjects of personal data should be notified free of charge about the planned inclusion of their data in such directories with a description of the search mechanism in these directories;
- the subjects of personal data should be given the opportunity to make corrections to the information about them contained in such directories;
- in the case of using such directories for purposes other than searching for ordinary contact information, it is necessary to obtain the consent of the subject of personal data.
National legislation may impose more stringent requirements for operators to create such directories.

Not all information about a person and his life can be distributed and published in open sources. From the very beginning of Internet expansion, borders are erased and data that should be transmitted only with the permission of a person is literally “stealed” from him. Let us consider in more detail what personal data is, what this concept includes, how data marked “PD” is stored, what threatens for violating the law and unauthorized dissemination of personal information?

Normative base

List of personal data laws:

• Federal Law of the Russian Federation of July 27, 2006 N 149-FZ On Information, Information Technologies and Information Protection;
• Decree of the President of the Russian Federation of April 03, 1995 N 334;
• Decree of the President of the Russian Federation of March 17, 2008 N 351;
• Decree of the Government of the Russian Federation of 26.06.1995 On the certification of information security tools N 608;
• Decree of the Government of the Russian Federation of August 15, 2006 N 504 On licensing activities for the technical protection of confidential information;
• Decree of the Government of the Russian Federation of August 31, 2006 N 532 On licensing activities for the development and (or) production of means of protecting confidential information;
• Order of the Federal Security Service of the Russian Federation of February 9, 2005 N 66 “On approval of the Regulation on the development, production, sale and operation of encryption (cryptographic) information protection tools (Regulation PKZ-2005)”;
• Decree of the Government of the Russian Federation of November 17, 2007 N 781 Moscow “On approval of the Regulations on ensuring the security of personal data during their processing in information structures personal data;
• GOSTs according to information security and information protection;
• GOST R 34.10-2001 Information technology. Cryptographic protection of information;
• GOST R ISO 7498-2-99 Information technology. Information security architecture;
• GOST R 50739-95 Computer facilities. Protection against unauthorized access to information. General technical requirements;
• GOST R 50922-96 Information security. Basic terms and definitions;
• GOST R 52069.0-2003 Information security. The system of standards. Basic provisions.;
• GOST 28147-89 Information processing systems.

The Federal Law “On Personal Data” can be downloaded here:

Classification of personal data

According to the Federal Law “On Personal Data”, this is any information that directly or indirectly relates to the life of the subject. As regards personal data:

1. surname and passport data;
2. place and date of birth;
3. address of registration or residence;
4. marital status;
5. information about income and debts;
6. specialty, profession,
7. employment information;
8. income.

This may also include information about social connections, contacts, personal life, purchases of a citizen or members of his family.

According to part 1, article 85 of the Civil Code of the Russian Federation, the personal information of an employee of an enterprise includes all the information necessary for a manager to regulate all labor processes associated with a particular employee.

The phone number is personal information in the Russian Federation, as it is tied to passport data.

General PD

General data include those that are “on the surface”. Publicly available personal data is the name that can be seen on the badge of an employee of the company, his phone number in the questionnaire on the site, specialty and position. If a person himself distributes data that does not belong to the “General” section, this does not give citizens the right to dispose of it or publish it in open sources.

Biometric PD

This includes weight, height, hair and eye color, fingerprints, nationality, special signs. This data is used by intelligence officers to create orientations and search for criminals in databases.

Police and law enforcement agencies do not have the right to fingerprint citizens without a good reason and enter their information into the database.

Special PD

This includes race and nationality, political views, religious or philosophical beliefs, health status, intimate life. Distribution of this information is not allowed, with the exception of cases provided for by Part 2 of Federal Law-152.

No circumstances oblige a citizen to disclose this data to police officers or publicly. This request may be denied under legitimate circumstances.

Anonymized PD

This is the data whose ownership cannot be established. Anonymization is the process of "alienation" of data, which makes personal information public.

Example: An organization has 2 employees - a man and a woman. The man follows the dress code, and the woman wears a veil. If the employer submits statistics on the number of believers and / or religious people, and specifically - one atheist, one believer, it will be easy to figure out who is who.

Such a clumsy example is not a direct violation of the law, however, it transfers personal data (and, in addition, special) to third parties.

Processing of personal data

Protection personal information can be provided by several sources of law:

• The first source of protection is the Labor Code of the Russian Federation, which sets out guarantees, norms, rules for regulating the exchange and open publication of employee materials;
• The second source is the system of organizational and legal relations, the charter of the enterprise, the privacy policy generally accepted in this labor area;
• The third factor is the right to protection of personal information, guaranteed by the Constitution of the Russian Federation to each of its citizens.

The exchange of information and the use of personal data occur throughout the entire work process, between the employer and the employee, between employees, as well as third parties. The Labor Code of the Russian Federation has the highest priority in resolving conflict situations, followed by the statutory and legal norms of the organization, and then the right to protection guaranteed by the Constitution of the Russian Federation. An employer cannot simply require an employee to provide information. Only the information that is necessary for concluding an employment contract, drawing up regulatory documents, possible settlement of conflicts and disputes, a collective or corporate agreement with third parties is subject to disclosure (according to the text of Article 22 of the Labor Code of the Russian Federation).

Ways to protect personal information and precautions

Organizational:

• Limited access to repositories and archives of materials;
• Verification of the requester before providing information;
• Introductory format for providing information;
• Sanctions and penalties for breaking the rules.

Technical:

• Cryptography and data encryption;
• Creation of separate servers and communication channels;
• Destruction of irrelevant materials;
• Screening of premises and devices to protect against burglary.

An employee can exercise the right to protection of personal information through:

• Free access to documents containing his personal data (may require a copy of any regulatory document).
• The requirement in relation to the employer, which consists in the deletion or change of personal data, or part of it.
• By appealing the procedure for submitting, processing and publishing information by the organization.

Step-by-step instructions for protecting data in an organization:

• Development of a draft algorithm for processing personal information;
• Development of a system of consent and refusal to process personal materials;
• Development of a draft notification message on the inclusion of personal materials in the general stream;
• Designing a structure that undertakes to store information with limited access;
• Publishing house of the order on the introduction of materials of employees of the enterprise into the database, determining the procedure and method for processing and transmitting information, appointing those responsible, designating sanctions and fines for violation of the charter;
• Making changes or additions to the labor and job descriptions of employees who are responsible for the storage, provision and processing of personal information.

On the Internet, as well as other open sources, user data is also stored and processed. Since 2017, sites that use cookie technology are required to notify users of this. This technology will allow you to display relevant ads, optimize the work process, and speed up technical algorithms. However, they collect data about citizens:

• visit history;
• links and transitions (the site sees from which page the user got to it);
• which accounts are linked to account(if you log in to the site using a profile in a social network);
• search queries (not only on a specific resource. Google, Yandex and other tech giants collect all the information from users).

The collection, storage and processing of data is mandatory. If the user is against it, you need to leave the resource that collects information. By continuing to use the site, the user consents to the collection of data.

What to do if data is used without your consent

First of all, check whether they are special PD and whether their distribution is prohibited. If the law is violated, you must urgently contact the police with a statement, where you clearly indicate the circumstances and time of the theft. Refer to Article 137 of the Criminal Code of the Russian Federation. Depending on the classification and elements of the crime, you can count on compensation in the form of a payment in the amount of 1,000 - 50,000 rubles. For officials, the penalty is much higher. Criminal liability provides for imprisonment for up to 2 years (maximum preventive measure).

We hope that our article has helped the reader to understand the issues of PD. Remember that laws and human rights in the Russian Federation are violated daily, and only a few turn to law enforcement agencies for help. If the reader has become a victim or witness of the theft of personal information, one cannot remain silent. Today it is someone else's rights, tomorrow it is yours.

Commentary on the Federal Law of July 27, 2006 No. N 152-FZ "On personal data" Petrov Mikhail Igorevich

Article 8. Publicly available sources of personal data

Public sources of personal data

Commentary on Article 8

1. Within the meaning of the commented Law, sources of personal data are recognized as publicly available, access to which is not limited and does not require the prior consent of personal data subjects. Publicly available sources of personal data can be used by any person at their discretion, subject to the restrictions established by federal laws regarding the dissemination of such information.

The creation of publicly available sources of personal data is due to the need for information support. An analysis of the current legislation allows us to note that currently public sources of personal data include: directories, address books, encyclopedias, documents accumulated in open funds of libraries and archives, information systems of public authorities, local governments, public associations, organizations, representing the public interest or necessary for the realization of the rights, freedoms and duties of citizens. At the same time, modern science and practice have not yet been able to develop effective criteria by which it would be possible to clearly distinguish between public and confidential segments of information.

The creation of public sources of personal data, which should include the last name, first name, patronymic, year and place of birth, address, subscriber number, information about the profession and other personal data provided by the subject of personal data, is carried out with the obligatory consent of the latter. In addition, the subject of personal data has the right to require persons distributing such information to indicate themselves as the source of such information.

The use of personal data from public sources implies, in turn, the exclusion of the possibility of making a profit.

In the case of processing publicly available personal data, the obligation to prove that the personal data being processed is publicly available lies with the operator.

2. In order to protect the rights and legitimate interests of the subject of personal data, the legislator provides for the possibility of revoking personal data used in public sources. Their exclusion can be carried out both at the request of the subject of personal data, and by decision of the court or a specially authorized state body.

Article 74-1. Processing of personal data in violation of the legislation on the protection of personal data

Article 85. The concept of personal data of an employee. Processing of personal data of an employee Personal data of an employee is information required by the employer in connection with labor relations and relating to a particular employee. Processing of personal data of an employee

Article 88. Transfer of personal data of an employee When transferring personal data of an employee, the employer must comply with the following requirements: not to disclose the personal data of an employee to a third party without the written consent of the employee, except in cases

Article 5. Principles of processing personal data legal grounds. Latest

Article 6. Conditions for the processing of personal data

Article 7. Confidentiality of personal data

Article 9. Consent of the subject of personal data to the processing of their personal data The legislator emphasizes that

Article 10. Special categories of personal data Commentary on Article 101. The commented article identifies special categories of personal data and establishes a general prohibition on their processing. A special category of personal data includes information that discloses

Article 12. Cross-border transfer of personal data Comment to Article 121. The draft law defines the principles of cross-border transfer of personal data. These principles are harmonized with the main international legal acts in the field of personal data, which

Article 15

Article 16. Rights of personal data subjects when making decisions based solely on automated processing of their personal data

Article 20

Article 21. Obligations of the operator to eliminate violations of the law committed during the processing of personal data, as well as to clarify, block and destroy personal data

Article 22. Notification on the processing of personal data