Register of violators of the rights of subjects of personal data. Register of violators of the rights of personal data subjects in action

Decree of the Government of the Russian Federation of August 19, 2015 N 857
"On the automated information system "Register of Violators of the Rights of Personal Data Subjects"

In accordance with parts 3 and 4 of Article 15.5 of the Federal Law "On Information, Information Technologies and Information Protection" the Government Russian Federation decides:

1. Approve the attached:

Rules for the creation, formation and maintenance of automated information system"Register of violators of the rights of subjects of personal data";

criteria for determining the operator of the automated information system "Register of Violators of the Rights of Personal Data Subjects" - an organization registered on the territory of the Russian Federation, in order to involve in the formation and maintenance of such a register.

Rules
creation, formation and maintenance of the automated information system "Register of violators of the rights of subjects of personal data"
(approved by resolution

With changes and additions from:

1. The automated information system "Register of violators of the rights of subjects of personal data" (hereinafter - the register) is created in order to restrict access to information in the information and telecommunication network "Internet" (hereinafter - the "Internet" network), processed in violation of the legislation of the Russian Federation in the field personal data (hereinafter referred to as information processed in violation of the law).

2. The creation, formation and maintenance of the register is carried out by the Federal Service for Supervision in the Sphere of Communications, information technologies and mass communications.

3. federal Service for Supervision in the Sphere of Communications, Information Technology and Mass Communications may involve in the formation and maintenance of the register an organization registered in the territory of the Russian Federation that meets the criteria for determining the operator of the automated information system "Register of Violators of the Rights of Personal Data Subjects" - an organization registered in the territory of the Russian Federation, in order to involve in the formation and maintenance of such a register, approved by Decree of the Government of the Russian Federation of August 19, 2015 N 857 "On the automated information system" Register of Violators of the Rights of Personal Data Subjects ".

4. The register includes:

a) domain names and (or) indexes of pages of sites on the Internet containing information processed in violation of the law (hereinafter referred to as domain names);

b) network addresses that allow identifying sites on the Internet that contain information processed in violation of the law (hereinafter, respectively - sites, network addresses);

c) an indication of a judicial act that has entered into force on taking measures to restrict access to information processed in violation of the law (hereinafter referred to as the act on restricting access), including the name of the court, the case number, the content of the violation of the legislation of the Russian Federation in the field of personal data, set forth in the operative part of the judicial act, the date of the issuance of the judicial act and the date of its entry into force;

d) the date and time when the Federal Service for Supervision in the Sphere of Communications, Information Technologies and Mass Media sends to telecom operators the information specified in subparagraphs "a" - "c" of this paragraph, for the implementation of measures restricting access to information processed in violation of the law;

5. Information on the elimination of violations of the legislation of the Russian Federation in the field of personal data includes:

a) the date and time of receipt by the Federal Service for Supervision in the Sphere of Communications, Information Technologies and Mass Media of the act on access restriction;

b) information about the hosting provider or other person providing the processing of information on the Internet in violation of the legislation of the Russian Federation in the field of personal data (hereinafter referred to as providers), including their names and email addresses;

c) the date and time of sending the provider a notification of a violation of the legislation of the Russian Federation in the field of personal data;

d) the date and time of entering the domain name into the registry;

e) date and time of entry network address to the register;

f) information about a judicial act that has entered into force on the annulment of a previously adopted judicial act on restriction of access (hereinafter referred to as the act on the abolition of an act on restriction of access), including the name of the court, the number of the case, the date of issuance of the judicial act and the date of its entry into force;

g) information about the decision of the Federal Service for Supervision in the Sphere of Communications, Information Technology and Mass Communications to exclude the domain name and network address from the register;

h) the date and time of entry into the registry of information about the exclusion of the domain name from the registry;

i) the date and time of entry into the register of information about the exclusion of the network address from the register.

7. The Federal Service for Supervision in the Sphere of Communications, Information Technology and Mass Communications, within 3 working days from the date of receipt of the act on restricting access, shall:

b) provider definition;

c) referral to the provider in Russian and English v in electronic format notifications of a violation of the legislation of the Russian Federation in the field of personal data with information regarding the act of restricting access, a domain name, a network address, as well as a requirement to take measures to eliminate violations of the legislation of the Russian Federation in the field of personal data specified in the act of restricting access;

8. The basis for inclusion in the register of the information specified in subparagraphs "h" and "i" of paragraph 5 of these Rules is the act on the abolition of the act on restricting access that has entered into force or the decision of the Federal Service for Supervision in the Sphere of Communications, Information Technology and Mass Media communications on the exclusion of a domain name and network address from the registry.

9. After 3 working days from the date of sending the notification to the provider, the Federal Service for Supervision in the Sphere of Communications, Information Technologies and Mass Communications checks the elimination of the violations specified in the access restriction act.

If there is no access to information processed in violation of the law, or if the violation specified in the access restriction act is eliminated, the Federal Service for Supervision of Communications, Information Technology and Mass Media makes a decision to exclude the domain name and network address from the register, as well as enters in the register the information specified in subparagraphs "g" and "h" of paragraph 5 of these Rules.

If there is access to information processed in violation of the law, the Federal Service for Supervision of Communications, Information Technology and Mass Media enters into the register the information specified in subparagraph "b" of paragraph 4 and subparagraph "e" of paragraph 5 of these Rules, and sends to operators connections Domain name, network address and information specified in subparagraph "c" of paragraph 4 of these Rules, in order to take measures to restrict access to information processed in violation of the law.

After receiving information processed in violation of the law, the telecom operator is immediately obliged to restrict access to information resource, including to the site on the Internet, on which information is processed in violation of the legislation of the Russian Federation in the field of personal data, except for the case provided for in paragraph three of paragraph 5.1 of Article 46 of the Federal Law "On Communications".

10. The Federal Service for Supervision in the Sphere of Communications, Information Technology and Mass Communications, within 3 working days from the date of receipt of the act on the abolition of the act on access restriction, shall:

b) notification of the provider and (or) telecom operators about the entry into the register of information about the exclusion of the domain name and network address from the register.

11. The Federal Service for Supervision of Communications, Information Technology and Mass Communications within 3 working days from the date of receipt from the site owner, provider or telecom operator of a notice about the elimination of a violation of the legislation of the Russian Federation in the field of personal data checks the information contained in it, as well as performs the following actions:

a) in case of elimination of the violation - decides to exclude the domain name and network address from the register, enters into the register the information specified in subparagraphs "g" - "i" of paragraph 5 of these Rules, and also notifies the site owner, provider and telecom operators about exclusion of a domain name and network address from the registry;

b) in case of failure to eliminate the violation - makes a decision to refuse to exclude the domain name and network address from the registry, and also notifies the site owner, provider or telecom operator of the decision.

Criteria
determination of the operator of the automated information system "Register of Violators of the Rights of Personal Data Subjects" - an organization registered on the territory of the Russian Federation, in order to involve in the formation and maintenance of such a register
(approved by Decree of the Government of the Russian Federation of August 19, 2015 N 857)

1. Availability of technical capability to receive requests from personal data subjects to take measures to restrict access to information processed in violation of the legislation of the Russian Federation in the field of personal data.

2. Availability of technical and organizational capabilities for maintaining the automated information system "Register of Violators of the Rights of Personal Data Subjects", including the possibility of interacting with hosting providers and telecom operators providing services for providing access to the Internet information and telecommunications network.

Some time ago I swore off commenting on draft laws and other normative legal acts, because sometimes they differ radically from the final version, if they are adopted at all.

But I decided to make an exception to the rule. A very surprising act is being prepared - bill No. 553424-6 “On Amendments to Certain Legislative Acts of the Russian Federation (in terms of clarifying the procedure for processing personal data in information and telecommunication networks)”.

Aleksey Lukatsky and Sergey Borisov have already posted about him, but there are nuances that I didn’t see in their comments and that I would like to draw attention to. Since what was born in the bowels of the State Duma is not subject to publication on the “Single portal for posting information on the development of draft regulatory legal acts by federal executive authorities and the results of their public discussion”, you have to use a personal blog for this very public discussion.

Many have already spoken about the essence of the law, it boils down to two fundamental points - the placement of databases with personal data of Russians only on the territory of Russia (with some allowable exceptions) and the creation of another register, now violators of the rights of personal data subjects. Everything else is a kind of binding to the implementation of these two main ideas.

Regarding the placement of databases of personal data of Russians in Russia. It is not the very idea of the sovereignty of bases that is surprising, there have been talks about this for a very long time, but just these very exceptions. It is assumed that everything will be on the territory of Russia, but something can be hosted outside its borders, namely, the websites of government agencies (paragraph 2 of part 1 of article 6 of 152-FZ, I will separately single out databases of bailiffs - paragraph 3 of part 1 of article .6 152-FZ), state off-budget funds, any authorities and self-government, as well as organizations providing state and municipal services (clause 4 of part 1 of article 6 152-FZ).

For some reason, it seemed to me that it should be exactly the opposite - let the merchants figure out with the clients themselves where their database servers are located, but government agencies, municipalities and organizations specially created to exercise their powers - no way abroad. At first I couldn't believe my eyes, I re-read Article 1 of the bill ten times - for sure, they can. Those. a personalized accounting system created in accordance with the Federal Law "On Compulsory Medical Insurance", or a website of public services or municipal services of the city of Verkhnevoltovsk to host somewhere in Germany or Latvia - this, please, but the ABS database and the website of the bank - a wholly-owned subsidiary of a foreign one, or booking .com, where the Russians had the imprudence to book a hotel or rent a car - please transfer to Russia . I'm not joking about booking.com and I'm not mistaken - the constant demands of deputies and senators to check Google, Twitter or Facebook for compliance with Russian legislation indicate that legislators raise the issue in this way. Otherwise, block, period. Another interesting question is how the operator should determine whether the Russian sent him personal data or not. For the vast majority of sites, it is not necessary to indicate citizenship or passport data.

Regarding the inclusion of the operator in the register of violators of the rights of subjects of personal data and the blocking of the resource. In accordance with the bill, getting into the register occurs on the basis of a judicial act that has entered into legal force. And now - a question in the studio. Which act? About what? In accordance with Article 2 of the draft law, the registry is created "in order to restrict access to information on the Internet, processed in violation of the legislation of the Russian Federation in the field of personal data" I.e. Are we talking about a judicial act that determines the perpetrator of violating such legislation? Or about a judicial act that directly requires the site to be blocked? If about an act indicating the perpetrator - is it only Article 13.11 of the Code of Administrative Offenses in the current edition, or in general any violation related to this legislation? I can suggest offhand a whole set of the same cases:

Article 5.27 of the Code of Administrative Offenses (Violation of labor and labor protection legislation) - if we are talking about a violation of the requirements of chapter 14 of the Labor Code “Protection of personal data”, for example, personal data of employees are published on the site without their written consent;

Article 5.39 of the Code of Administrative Offenses (Refusal to provide information to a citizen) - if the operator did not respond to the subject's request submitted through the site;

Article 13.12 of the Code of Administrative Offenses (Violation of information protection rules, part 6) - if uncertified information protection tools are used to protect the site or firewall costs not the security class specified in the Order of the FSTEC No. 21, and the site channel is not encrypted with a certified cryptographic information protection system;

· Article 13.13 of the Code of Administrative Offenses (Illegal activities in the field of information protection) - if the operator built the protection of his site himself, but he does not have a license for TZKI;

Article 19.7 of the Code of Administrative Offenses (Failure to provide information (information)) - if the operator processes personal data on the site, and Roskomnadzor did not notify about the processing;

Article 137 of the Criminal Code of the Russian Federation (Violation of privacy) - if information about private life is collected and posted on the site, and the court considered it illegal;

Article 138 of the Criminal Code of the Russian Federation (Violation of the secrecy of correspondence, telephone conversations, postal, telegraphic or other messages) - if the operator, for example, posted a private letter, SMS message or protocol on the website telephone connection;

· And with some stretch - article 140 of the Criminal Code of the Russian Federation (Refusal to provide information to a citizen), if article 5.39 of the Code of Administrative Offenses seemed not enough.

Another issue in the bill is how will Roskomnadzor find out about the entry into force of a court decision on violation of the law? The obligation of the courts to do this is not laid down in the bill, as well as a direct court decision to block. A somewhat exotic path is proposed - the right of the subject to apply to Roskomnadzor with a statement on taking measures to restrict access to information processed in violation of the legislation in the field of personal data on the basis of a judicial act that has entered into force in the form approved by Roskomnadzor. And if the subject does not apply, how will the supervisory authority perform the functions assigned to it by law? Some unanswered questions...

And one more small but significant point. A number of operators are required by law to disclose certain information on their official website on the Internet. For example, Order of the Federal Financial Markets Service No. 06-117/pz-n dated January 10, 2006 “On approval of the regulation on information disclosure by issuers of issue valuable papers”describes in detail the procedure for disclosing information on the website provided for by the Law “On the Securities Market”, obliging to provide users with “free and easy access” to it and provide this access “within the time limits established by regulatory legal acts, on one page on the Internet”. And for violation, by the way, a fine of 700 thousand to a million rubles. Or Ordinance of the Bank of Russia No. 1379-U dated January 16, 2004 “On assessing the financial stability of a bank in order to recognize it as sufficient for participation in the deposit insurance system” recognizes the bank as ensuring the availability of information about persons that have a significant (direct or indirect) influence on decisions made management bodies of the bank, to an unlimited circle of persons, if information about them is posted on the official website of the bank or on the official website of the Bank of Russia. The absence of a written confirmation of the bank on the disclosure of this information to an unlimited circle of persons is the basis for refusing to issue a license for attracting deposits Money individuals, no more and no less.

Now let's imagine - the issuer of securities or the bank has violated the law on personal data, without placing, for example, on the site a policy regarding the processing of personal data, and is held liable for this. The situation is quite real, about such cases not so long ago wrote. The court decision entered into force, the site was blocked, and then a completely different regulator received a complaint that it was impossible to access information subject to mandatory disclosure. Silent scene. Curtain.

And finally. The bill was written with errors and inaccuracies. How do you, for example, the phrase “the registry operator excludes downloads for telecom operators of a domain name, a site page index on the Internet or a network address that allows you to identify a site on the Internet”, based on the request of the owner of the site on the Internet, provider hosting or telecom operator providing services for providing access to the information and telecommunications network "Internet", no later than within three days from the date of such application after taking measures to eliminate the violation of the legislation of the Russian Federation in the field of personal data, or on the basis of a legal the force of a court decision on the annulment of a previously adopted court act. No matter how hard I tried, I did not understand who should do what.

In general, in my humble opinion, it is not only impossible to pass a law in this form, but it is also very harmful, since the consequences of its adoption will be completely unpredictable, and in those areas that the authors clearly did not think about.

A draft Decree of the Government of the Russian Federation “On the automated information system “Register of Violators of the Rights of Personal Data Subjects” has been published on the portal for disclosing information about upcoming regulations. Now the project is under discussion, which should end on May 23.

It would seem that the Decree should specify the norms of Law No. 152-FZ “On Personal Data”, but in fact it determines how exactly another federal law, No. 242-FZ, will be implemented, requiring the creation of a register of violators No. 152-FZ and the transfer of personal data of Russians to the territory of the Russian Federation. The draft states that the Registry should contain the addresses of websites that this requirement ignored, and that access to them should be blocked by Russian providers. In fact, this is another "black list".

Alexander Baryshnikov, Head of Consulting and Audit Department, Informzashchita reminds: " Telecom operators providing Internet access services are already complying with the requirements of Law No. 149-FZ “On Information, Information Technologies and Information Protection” to restrict access to information disseminated in violation of the law. As you know, such information is processed using a unified automated information system "Unified Registry of Domain Names, Site Page Pointers on the Internet" and network addresses that allow you to identify sites on the Internet that contain information whose distribution is prohibited in the Russian Federation "( hereinafter referred to as the Unified Register). The procedure for working with the Register of Violators of the Rights of Personal Data Subjects is very similar to the procedure for working with the Unified Register, therefore, the discussed requirements of the Resolution should not cause any technical or organizational difficulties for operators providing Internet access services.».

In turn, Elena Respublianskaya, product expert “Contour. Personal data" SKB "Kontur", assures: The Register of Violators being created will include companies registered on the territory of the Russian Federation that process information on the Internet in violation of the legislation on personal data. It is important that a company can get into the Register only on the basis of a judicial act that has entered into legal force, and not a decision of Roskomnadzor. Upon elimination of violations, these companies may be excluded from the Register. Most often, the processing of personal data of employees and customers is carried out within enterprises, without being posted on the Internet, and such companies will not be included in the Register of Violators. Online stores, travel agencies, hotels and other businesses that process personal data online are at risk.».

As noted in his Alexey Lukatsky, Cisco Business Consultant for information security , « 242-FZ is not as terrible as it is painted. Once again, the idea, expressed at one of the meetings on Staraya Ploshchad, that one should be afraid of foreign Internet companies that can influence Russian public opinion (such as social networks and search engines). With regard to other PD operators, the application of these rules seems to be more than difficult. Moreover, it is difficult to process internal systems companies located outside of Russia, PD of their employees or customers. On the Internet, such data is usually not published or processed, and therefore, there is nothing to block access to and nothing to enter into the Register».

Truth, Lukatsky immediately states: " At closed meetings, the Deputy Head of the RKN, Ms. Priezzheva, argued that the law also applies to those who do not have representative offices in Russia, but have Russian sections on their websites". This approach was practiced by some American judges, who extended US jurisdiction even to those sites that simply had English-language sections, since, in theory, US citizens could also access them.

Evgeny Chernyshev, Head of the Information Policy Committee of the Right Cause Party, believes that the preparation of the Resolution is connected with the transfer of powers related to control over the Internet to a commercial enterprise under Roskomnadzor. " The requirements of the Ordinance apply exclusively to the operator of this list; it also describes what needs to be stored in the Registry, he notes. - Now the Register of banned sites is administered by Roskomnadzor, which is not averse to getting rid of such a heavy burden. According to independent sources, it has practically been decided that the Federal State Unitary Enterprise "Main Radio Frequency Center", a subsidiary of Roskomnadzor, will maintain the Register of Banned Sites (and, most likely, the Register of Violators of 152-FZ). Since the RKN, the State Duma and even the President cannot control the implementation of 152-FZ by operators or owners of Internet services, I believe that this is a document from the "need more gold" series, although it is directly stated that additional funding will not be required. This year, it may not be necessary.»

According to Nana Kulikova, managing partner of Rusinternetcom agency, The registry will not start working immediately. " As practice shows, the requirements will be fulfilled, but not by all, not immediately and, perhaps, not in the right way, - she explains. - It always happens. At first - slowly and with difficulty, and then - faster and more familiar. To ensure more accurate and faster execution specific requirements it is worth paying attention to some significant case so that everyone understands why, why and how. In this regard, we can use the experience of the West. This method will seem harsh to someone, but, unfortunately, otherwise the new initiative will not take root.»

A Vadim Baibuz, Partner at Baibuz & Partners Law Office explains: " I do not know if Russian operators are ready to comply with the requirements of this Decree, but, according to Art. 315 of the Criminal Code of the Russian Federation, non-execution of a court decision by a commercial organization is a criminal offense, the maximum penalty for which is two years in prison. Since violators are supposed to be included in the Register on the basis of court decisions, if the operator fails to comply with such a judicial act, its officials risk being held criminally liable».

1. In order to restrict access to information on the Internet processed in violation of the legislation of the Russian Federation in the field of personal data, an automated information system "Register of violators of the rights of personal data subjects" (hereinafter referred to as the register of violators) is being created.

2. The register of violators includes:

1) domain names and (or) indexes of pages of sites on the Internet containing information processed in violation of the legislation of the Russian Federation in the field of personal data;

2) network addresses that allow identifying sites on the Internet that contain information processed in violation of the legislation of the Russian Federation in the field of personal data;

3) an indication of a judicial act that has entered into legal force;

4) information on the elimination of violations of the legislation of the Russian Federation in the field of personal data;

5) the date of sending data on the information resource to telecom operators to restrict access to this resource.

3. Creation, formation and maintenance of the register of violators are carried out by the federal executive body exercising the functions of control and supervision in the field of mass media, mass communications, information technologies and communications, in the manner established by the Government of the Russian Federation.

4. The federal executive body exercising the functions of control and supervision in the field of mass media, mass communications, information technologies and communications, in accordance with the criteria determined by the Government of the Russian Federation, may involve the operator of such a register in the formation and maintenance of a register of violators - an organization registered in the territory of the Russian Federation.

5. The basis for inclusion in the register of violators of the information specified in paragraph 2 of this article is a judicial act that has entered into legal force.

6. The subject of personal data has the right to apply to the federal executive body exercising the functions of control and supervision in the field of mass media, mass communications, information technology and communications, with a statement on taking measures to restrict access to information processed in violation of the legislation of the Russian Federation in the field of personal data, on the basis of a judicial act that has entered into legal force. The form of the said application is approved by the federal executive body exercising the functions of control and supervision in the sphere of mass media, mass communications, information technologies and communications.

7. Within three working days from the date of receipt of a judicial act that has entered into legal force, the federal executive body exercising the functions of control and supervision in the field of mass media, mass communications, information technologies and communications, on the basis of the said court decision:

1) determines the hosting provider or other person providing the processing of information in the information and telecommunications network, including the Internet, in violation of the legislation of the Russian Federation in the field of personal data;

2) sends the hosting provider or other person specified in clause 1 of this part in electronic form a notification in Russian and English about the violation of the legislation of the Russian Federation in the field of personal data with information about the judicial act that has entered into force, the domain name and network address, allowing to identify a site on the Internet on which information is processed in violation of the legislation of the Russian Federation in the field of personal data, as well as on pointers to the pages of the site on the Internet that make it possible to identify such information, and with the requirement to take measures to eliminate violations of the legislation of the Russian Federation in the field of personal data specified in the court decision;

3) fixes the date and time of sending the notification to the hosting provider or other person specified in paragraph 1 of this part in the register of violators.

8. Within one working day from the moment of receipt of the notification specified in clause 2 of part 7 of this article, the hosting provider or other person specified in clause 1 of part 7 of this article is obliged to inform the owner of the information resource served by them and notify him of the need to immediately accept measures to eliminate the violation of the legislation of the Russian Federation in the field of personal data specified in the notification, or take measures to restrict access to information processed in violation of the legislation of the Russian Federation in the field of personal data.

9. Within one working day from the date of receipt from the hosting provider or other person specified in clause 1 of part 7 of this article of the notification about the need to eliminate the violation of the legislation of the Russian Federation in the field of personal data, the owner of the information resource is obliged to take measures to eliminate the violation specified in the notification. In case of refusal or inaction of the owner of the information resource, the hosting provider or another person specified in paragraph 1 of part 7 of this article is obliged to restrict access to the relevant information resource no later than three working days from the date of receipt of the notification specified in paragraph 2 of part 7 of this article.

10. If the hosting provider or other person specified in clause 1 of part 7 of this article and (or) the owner of the information resource fails to take the measures specified in parts 8 and of this article, the domain name of the site on the Internet, its network address, page indexes site on the Internet, allowing to identify information processed in violation of the legislation of the Russian Federation in the field of personal data, as well as other information about this site and information are sent via an automated information system to telecom operators to take measures to restrict access to this information resource, in including to the network address, domain name, site page index on the Internet.

part 4 of this article, the operator of the registry of infringers excludes from such a registry a domain name, a site page index on the Internet or a network address that makes it possible to identify a site on the Internet, based on the request of the owner of the site on the Internet, hosting provider or operator communication no later than within three days from the date of such application after taking measures to eliminate the violation of the legislation of the Russian Federation in the field of personal data or on the basis of a court decision that has entered into force to cancel a previously adopted judicial act.

12. The procedure for the interaction of the operator of the register of violators with the hosting provider and the procedure for obtaining access to the information contained in such a register by the telecom operator are established by the federal executive body authorized by the Government of the Russian Federation.

In accordance with parts 3 and 4 of Article 155 of the Federal Law "On information, information technologies and information protection" The Government of the Russian Federation decides:

1. Approve the attached:

Rules for the creation, formation and maintenance of the automated information system "Register of Violators of the Rights of Personal Data Subjects";

Prime Minister

Russian Federation D.Medvedev

APPROVED
Government Decree
Russian Federation
dated August 19, 2015 No. 857

REGULATIONS
creation, formation and maintenance of the automated information system "Register of violators of the rights of subjects of personal data"

2. The creation, formation and maintenance of the register is carried out by the Federal Service for Supervision in the Sphere of Communications, Information Technologies and Mass Communications.

3. The Federal Service for Supervision in the Sphere of Communications, Information Technologies and Mass Communications may involve in the formation and maintenance of the register an organization registered in the territory of the Russian Federation that meets the criteria for determining the operator of the automated information system "Register of Violators of the Rights of Personal Data Subjects" - an organization registered in territory of the Russian Federation, in order to involve in the formation and maintenance of such a register, approved by the Decree of the Government of the Russian Federation of August 19, 2015 No. 857 "On the automated information system" Register of Violators of the Rights of Personal Data Subjects ".

4. The register includes:

a) domain names and (or) indexes of pages of sites on the Internet containing information processed in violation of the law (hereinafter referred to as domain names);

b) network addresses that allow identifying sites on the Internet that contain information processed in violation of the law (hereinafter, respectively - sites, network addresses);

e) information on the elimination of violations of the legislation of the Russian Federation in the field of personal data.

5. Information on the elimination of violations of the legislation of the Russian Federation in the field of personal data includes:

a) the date and time of receipt by the Federal Service for Supervision in the Sphere of Communications, Information Technologies and Mass Media of the act on access restriction;

c) the date and time of sending the provider a notification of a violation of the legislation of the Russian Federation in the field of personal data;

d) the date and time of entering the domain name into the registry;

e) date and time of entry of the network address into the register;

h) the date and time of entry into the registry of information about the exclusion of the domain name from the registry;

i) the date and time of entry into the register of information about the exclusion of the network address from the register.

6. In pursuance of the act on restricting access to the register, the information specified in subparagraphs "a" - "d" of paragraph 4 and "a" - "e" of paragraph 5 of these Rules is entered.

a) entering into the register the information specified in subparagraphs "a", "c" of paragraph 4 and subparagraph "a" of paragraph 5 of these Rules;

b) provider definition;

c) sending the provider in Russian and English in electronic form a notification of a violation of the legislation of the Russian Federation in the field of personal data with information regarding the act of restricting access, a domain name, a network address, as well as with a requirement to take measures to eliminate violations of the legislation of the Russian Federation in the field of personal data areas of personal data specified in the access restriction act;

d) entry into the register of the information specified in subparagraphs "b" - "d" of paragraph 5 of these Rules.

If there is access to information processed in violation of the law, the Federal Service for Supervision of Communications, Information Technology and Mass Media enters into the register the information specified in subparagraph "b" of paragraph 4 and subparagraph "e" of paragraph 5 of these Rules, and sends to operators domain name, network address and information specified in subparagraph "c" of paragraph 4 of these Rules, in order to take measures to restrict access to information processed in violation of the law.

a) entry into the register of the information specified in subparagraphs "e", "h" and "i" of paragraph 5 of these Rules;

b) notification of the provider and (or) telecom operators about the entry into the register of information about the exclusion of the domain name and network address from the register.

APPROVED
Government Decree
Russian Federation
dated August 19, 2015 No. 857

CRITERIA
determination of the operator of the automated information system "Register of Violators of the Rights of Personal Data Subjects" - an organization registered on the territory of the Russian Federation, in order to involve in the formation and maintenance of such a register

With changes and additions from:

Popular