2. State control and supervision includes the activities of the Federal Service for Supervision in the Sphere of Telecommunications, Information Technologies and Mass Communications and its territorial bodies aimed at preventing, detecting and suppressing, within its competence, violations by state bodies, local governments, legal entities and individuals of the requirements established by the legislation of the Russian Federation, by organizing and conducting inspections of audited entities, taking measures provided for by the legislation of the Russian Federation to suppress and (or) eliminate the consequences of violations, carrying out systematic monitoring of compliance with the legislation of the Russian Federation, as well as analyzing and evaluating the state of compliance with the legislation of the Russian Federation by audited entities in their personal data processing activities on the basis of the documents and local acts they submit.
47. The on-site inspection (both planned and unscheduled) is carried out at the location of the state body, local government, legal entity, individual and (or) at the place where he actually performs personal data processing activities. If an individual does not have the opportunity to provide premises for a field audit, the audit is carried out at the location of the Federal Service for Supervision in the Sphere of Communications, Information Technologies and Mass Communications and its territorial body.
3. Activities for the implementation of state control and supervision are divided into planned and unscheduled and carried out through scheduled and unscheduled inspections, as well as systematic observation measures.
72. ... The subject of measures for systematic observation in the field of personal data is determined by the Federal Service for the Supervision of Communications, Information Technology and Mass Communication.
76. ... Information ... is sent to the Prosecutor General's Office of the Russian Federation or the prosecutor's office of a constituent entity of the Russian Federation at the location of the state body, local government, legal entity, individual to consider the issue of taking prosecutor's response measures.
77. ... an unscheduled inspection is carried out in the manner established by these Regulations.
Analysis and assessment of the state of compliance with the requirements of the legislation of the Russian Federation
78. Analysis and assessment of the state of compliance with the requirements of the legislation of the Russian Federation ... is carried out ... on the basis of documents, local acts and other information confirming compliance with the requirements of the legislation of the Russian Federation, submitted on their own initiative by the state body, local government, legal entity or individual.
81. According to the results of the analysis and assessment of the state of compliance with the requirements of the legislation of the Russian Federation ... a letter with summary information is sent to the state body, local self-government body, legal entity or individual with a conclusion on the compliance of the ... activity on personal data processing with the legislation of the Russian Federation in the field of personal data, or, if the submitted documents, local acts and information are inconsistent with the legislation of the Russian Federation in the field of personal data, with the requirement to eliminate the violations found.
82. The requirement to eliminate the violations found shall be enforceable within a period not exceeding ten calendar days ...
83. In the event of non-execution ... a protocol is drawn up on an administrative offense in accordance with the procedure established by the Code of Administrative Offenses of the Russian Federation.
5. Planned and unscheduled systematic monitoring activities are carried out in order to prevent, detect, predict and suppress violations of the legislation of the Russian Federation without interaction with state bodies, local governments, legal entities and individuals engaged in the processing of personal data, and their authorized representatives.
8. Conducting unscheduled inspections on the grounds stipulated by clause 7 of these Regulations, with the exception of clause 7.2, does not require coordination with the prosecution authorities.
55. Unscheduled field inspections by the Service or its territorial bodies of Operators classified as small or medium-sized businesses under the legislation of the Russian Federation are coordinated with the prosecutors (deputy prosecutors) of the constituent entities of the Russian Federation at the Operators' place of operation, on the grounds provided for by subparagraphs 38.2.1, 38.2.2 of these Regulations.
58. The decision of authorized officials of the prosecution authorities to approve an unscheduled field inspection or to refuse to approve its conduct may be appealed to a higher prosecutor or to a court.
84. After completing an unscheduled on-site inspection, previously agreed with the prosecution authorities, the Service or its territorial body sends to the prosecution authority that made the decision on the approval of the inspection, a copy of the inspection report within five working days from the date of its preparation.
9. Officials of the Federal Service for Supervision in the Sphere of Communications, Information Technologies and Mass Communications or its territorial bodies in exercising state control and supervision over the compliance of personal data processing with the requirements of the legislation of the Russian Federation have the right to:
9.3. issue mandatory orders for elimination of violations.
9.7. within its competence, check and assess the adequacy of measures taken by the state body, local self-government body, legal entity, and individual to ensure the fulfillment of duties provided for by the Federal Law “On Personal Data”.
9.8. issue mandatory requirements for the suspension or termination of personal data processing, carried out with violations of the requirements of the Federal Law “On Personal Data”.
63. If, during or as a result of an inspection, the processing of false or illegally obtained personal data is detected, an official of the Federal Service for Supervision in the Sphere of Communications, Information Technologies and Mass Communications and its territorial body has the right to demand that the state body, local government, legal entity or individual take measures to block or destroy the specified personal data.
69. In the event that a failure to comply with a prescription violates the rights and legitimate interests of the subject(s) of personal data, the state authority, local government, legal entity or individual is sent a request to suspend personal data processing activities until the violation previously identified during the audit and specified in the prescription is rectified.
6. The officials of the Service or its territorial body during the conduct of inspections are entitled, within their competence, to:
6.1. Issue binding instructions to eliminate identified violations in the field of personal data.
6.2. Prepare protocols on administrative violations or send materials to the prosecution authorities and other law enforcement agencies to decide whether to initiate cases of administrative offenses, as well as to initiate criminal cases on grounds of crimes related to the violation of the rights of personal data subjects, in accordance with jurisdiction.
6.3. To file claims with the court in defense of the rights of personal data subjects.
6.6. Get access to personal data information systems in the mode of viewing and retrieving the necessary information.
6.7. Send an application to the licensing authority of the Operator to consider the adoption of measures to suspend or revoke the relevant license in accordance with the procedure established by the legislation of the Russian Federation, if the license for such activities prohibits the transfer of personal data to third parties without the written consent of the personal data subject.
6.8. Take measures to suspend or terminate the processing of personal data carried out in violation of the requirements of the legislation of the Russian Federation in the field of personal data.
33. The basis for the inclusion of a routine check in the Plan is the commencement by the Operator of activities for the processing of personal data, as well as the expiration of three years from the day:
33.1. State registration of the Operator as a legal entity, an individual entrepreneur.
33.2. The end of the last scheduled inspection of the Operator.
34. The Operator shall be notified of the scheduled inspection no later than three working days prior to its commencement by sending a copy of the order of the head, deputy head of the Service or its territorial body by mail with acknowledgment of receipt or other available means.
38. Unscheduled inspections are conducted for the following reasons:
38.1. Expiration of the deadline for the Operator's execution of the previously issued order to eliminate the revealed violation of the established requirements of the legislation of the Russian Federation in the field of personal data.
38.2. Receipt by the Service or its territorial bodies of appeals and applications from citizens, legal entities and individual entrepreneurs, and of information from public authorities, local governments and the media, about the following facts:
38.2.1. The emergence of the threat of harm to life and health of citizens.
38.2.2. Causing harm to life, health of citizens.
38.3. Order of the Head of the Service or the head of the territorial body of the Service, issued in accordance with the instructions of the President of the Russian Federation, the Government of the Russian Federation.
38.4. Violation of the rights and legitimate interests of citizens by actions (inaction) of Operators in the processing of their personal data.
38.5. Violation by the Operators of the requirements of the legislation of the Russian Federation in the field of personal data, as well as inconsistency of the information contained in the notification of the processing of personal data with the actual activities.
40. The Operator is notified of the conduct of an unscheduled on-site inspection no later than twenty-four hours before the start of the inspection by the Service or its territorial body in any available way.
41. If, as a result of the activities of the Operator, harm to life and health of citizens is or is being caused, prior notice to the Operator of the commencement of an unscheduled field audit is not required.
13. The plan of scheduled inspections is formed on the basis of, among others, the following criteria:
13.1. a three-year period from the end of the last scheduled inspection.
13.2. information from public authorities, local authorities and the media about facts that contain signs of violation of the legislation of the Russian Federation committed in the processing of personal data, as well as those identified by the results of systematic observation.
13.3. processing of personal data of a significant number of subjects of personal data, as well as the processing of biometric and special categories of personal data.
13.4. failure to provide information, including of a notification nature, the provision of which is provided for by the Federal Law “On Personal Data”.
14. The frequency of scheduled inspections in relation to a state body, local self-government body, a legal entity is no more than once every two years, and for an individual no more than once every three years.
7. Unscheduled inspections are carried out ...:
7.1. in the event of the expiration of the deadline for the execution of ... issued by ... orders to eliminate the revealed violation;
7.2. according to the results of consideration of citizens' appeals ... provided that:
7.2.1. availability of materials confirming the fact of violation of their rights ...
Appeals and statements that do not make it possible to identify the person who applied to the Federal Service for Supervision in the Sphere of Telecommunications, Information Technologies and Mass Communications or its territorial bodies, as well as appeals and statements that do not contain information about the facts specified in paragraph 7.2 of these Regulations, cannot serve as a basis for making a decision to conduct an unscheduled inspection.
7.3. Receipts of ... information from state authorities, local authorities and the mass media on confirmed facts of violation of the legislation of the Russian Federation committed in the processing of personal data.
7.4. in accordance with the instructions of the President of the Russian Federation, the Government of the Russian Federation.
7.5. in case of violation by the state body, local self-government body, legal entity or individual of the requirements of the legislation of the Russian Federation in the field of personal data, identified by the results of systematic observation measures in the field of personal data.
7.6. on the basis of the confirmed fact of inconsistency of the information contained in the notification of the processing of personal data with the actual activities of the state body, local government, legal entity or individual.
7.7. in case of non-fulfillment of the requirement ... on elimination of the revealed violation of the requirements in the field of personal data.
7.8. on the basis of the submission (requirement) of the prosecution authority for an unscheduled inspection.
20. A state body, a local government body, a legal entity, an individual shall be notified of an unscheduled on-site inspection no later than twenty-four hours before the start of its implementation in any available way.
Source: https://habr.com/ru/post/258177/