To whom can personal data be provided? Request for personal data


As a general rule, personal data operators are required to send a notification to Roskomnadzor before processing this data. At the same time, the law contains a number of exceptions in which it is not necessary to notify Roskomnadzor.

If a company plans to collect information about individuals, it must notify Roskomnadzor immediately after registration. Moreover, the agency must be notified of the intention to process the personal data of citizens before processing the information begins (Article 22 of the Federal Law of July 27, 2006 No. 152-FZ “On Personal Data”). On July 1, 2017, increased administrative fines were introduced for non-compliance with the requirements of Federal Law No. 152-FZ.

You can send a message to Roskomnadzor via the Internet on the official website of the department. The notice indicates the legal basis for the processing of personal data, the purpose of data collection, the start date of processing and measures to ensure the safety of the information received. Data collection is considered to be the collection from individuals of any information that allows them to be identified.

At the same time, the law contains a number of exceptions in which it is not required to notify Roskomnadzor. The list of such restrictions is established in Art. 22 of the Federal Law of July 27, 2006 No. 152-FZ. Notification is not required in the following cases:

  • When collecting and processing personal data without the use of automation tools. If processing is carried out without a computer and electronic databases, there is no need to notify Roskomnadzor. At the same time, the data operator must comply with the requirements of Decree of the Government of the Russian Federation of September 15, 2008 No. 687 “Regulations on the specifics of processing personal data carried out without the use of automation tools.” The fact that a company uses computers does not by itself mean that data processing is carried out using automation tools. Non-automated processing of personal data is the use, clarification, distribution or destruction of personal data carried out with the direct participation of a person.
  • When collecting personal information from employees as part of an employment relationship. This applies only to the data that must be provided to the employer when drawing up an employment and collective agreement. Roskomnadzor must be notified about the collection and processing of information that does not relate to labor relations. You also need to notify if the employer intends to process the data of dismissed employees (clause 1, part 2, article 22 of the Federal Law of July 27, 2006 No. 152-FZ).
  • When a company enters into an agreement with an individual. In this case, there is no need to notify Roskomnadzor if the contractor/seller/supplier does not intend to transfer personal data to third parties (clause 2, part 2, article 22 of the Federal Law of July 27, 2006 No. 152-FZ). Personal data must be used solely for the performance of the contract in connection with which it was obtained.
  • When collecting information by a public association or religious organization. Processing of information from members of such organizations is carried out without notification, unless personal data is distributed or disclosed to third parties without the written consent of the subjects of personal data (clause 3, part 2, article 22 of the Federal Law of July 27, 2006 No. 152-FZ).
  • When collecting and processing information that the individual himself has made publicly available (clause 4, part 2, article 22 of the Federal Law of July 27, 2006 No. 152-FZ).
  • When collecting personal data that includes only the first name, patronymic and last name of an individual (clause 5, part 2, article 22 of the Federal Law of July 27, 2006 No. 152-FZ).
  • Upon receipt of information for a one-time entry of an individual into the territory of the data operator (clause 6, part 2, article 22 of the Federal Law of July 27, 2006 No. 152-FZ).
  • When processing data included in personal data information systems that have the status of state automated information systems (clause 7, part 2, article 22 of the Federal Law of July 27, 2006 No. 152-FZ).
  • When collecting information by transport companies to ensure the safe functioning of the transport complex, protecting the interests of the individual, society and the state in the field of the transport complex.

In all other cases, notification of data processing is mandatory. To clarify whether your organization is required to submit a notification, you can contact Roskomnadzor.


Processing of personal data without the consent of the subject is possible only in cases established by law. The use of such information in violation of order or without appropriate grounds entails bringing the perpetrators to civil, labor, administrative and criminal liability.

In what cases is it permissible to transfer to third parties and otherwise process personal information about the subject?

The Law “On Personal Data” dated July 27, 2006 No. 152-FZ establishes two situations in which the processing of a citizen’s (subject’s) personal information is lawful:

  1. Upon receipt of his consent to this.
  2. Without obtaining consent in the following cases:
    • use of information by other people for personal and family needs, if this does not violate the rights of a citizen;
    • entering personal information into the database of the Archival Fund of Russia;
    • making a decision to classify information as a state secret (in this case, the consent of the subject is not required to classify information about him);
    • the need to use information in order for Russia to implement the terms of international treaties and laws;
    • participation of a person in the legal process and in connection with such participation;
    • use for execution of a judicial act or the provisions of a document adopted by enforcement authorities;
    • receipt by a person of municipal or government services;
    • recognition by a person of information about himself as publicly available;
    • conclusion and execution of an agreement in which the subject is a party or beneficiary;
    • impossibility of obtaining consent in the event of a threat to the life, health, or important interests of a person;
    • exercising rights, ensuring the interests of the operator (person processing information) or third parties, achieving socially significant goals;
    • carrying out professional activities by journalists and the media, creative activities, when this does not violate human rights;
    • use of anonymized information about a person for research and statistical purposes, with the exception of political agitation, promotion of goods, services and work on the market;
    • the need for mandatory disclosure and publication of data based on the law (for example, civil servants are required to disclose information about their income).

The procedure for processing (storing, distributing, etc.) information without obtaining the approval of the subject

The general procedure for operators to process personal data about citizens without their special permission is as follows:

  1. The operator receives information if there are legal grounds. It is not required to notify the person about the start of processing of his information, but in some cases the notification is sent to Roskomnadzor.
  2. The operator carries out the necessary actions (collects, records, transmits, clarifies, etc.). As stated in Art. 5 of Law No. 152-FZ, user actions are limited to the purpose of processing.
  3. After achieving the goals or after the need for use ceases, the data is destroyed or anonymized.

An additional stage may be an individual challenging the legality of using information about him. The body for resolving disputes is (at the citizen’s choice) the court or Roskomnadzor. In the course of resolving the conflict, the operator presents evidence of the existence of circumstances that allow him to use the data without the approval or contrary to the citizen’s prohibition.

Operator liability

If the operator violates the procedure and conditions for processing personal information, he may be subject to various types of liability (type of liability, example of a violation, punishment, legal basis):

Civil liability
  • Example of a violation: causing moral harm.
  • Punishment: payment of compensation.
  • Legal basis: Art. 24 of Law No. 152-FZ, Art. 1099 of the Civil Code.

Disciplinary liability
  • Disclosure of personal information about another worker: dismissal.
  • Violation of the law when processing information: disciplinary and financial liability.

Administrative liability
  • Example of a violation: processing of information contrary to the purpose of data collection.
  • Punishment: a fine of 1,000-3,000 rubles for citizens; 5,000-10,000 rubles for officials; 30,000-50,000 rubles for organizations.
  • Legal basis: Part 1 Art. 13.11 of the Code of Administrative Offenses.

Criminal liability
  • Violation of privacy: alternative sanctions of a fine up to 200,000 rubles, compulsory work up to 360 hours, correctional labor up to 1 year, forced labor up to 2 years, imprisonment for up to 2 years, etc. Legal basis: Part 1 Art. 137 of the Criminal Code.
  • Refusal or deception on the part of an official when providing a citizen with information about him: fine (200,000 rubles or income for up to one and a half years) or deprivation of the right to engage in certain activities for 2-5 years.
  • Access to computer information without the right to do so: fine (200,000 rubles or income for up to one and a half years), correctional labor for up to a year or forced labor, restriction of liberty or imprisonment for up to 2 years. Legal basis: Part 1 Art. 272 of the Criminal Code.

Thus, processing information without the permission of the subject is possible if the operator is granted such a right by law. The information must be used to the extent necessary to achieve the operator’s goals, after which the data is destroyed or anonymized. A person who believes that his personal data has been used illegally has the right to appeal to the court or Roskomnadzor.


Personal data is information directly related to an individual. The provision of this data refers to actions aimed at making such restricted information available to one or more persons.

Such a request may come both from bodies that supervise compliance with labor legislation (tax authorities, pension fund, etc.) and from representatives of the police or the prosecutor’s office. In the latter case, the request is explained by participation in criminal or administrative proceedings. In these cases, the citizen’s consent to the provision of this information is not required.

Rules for considering appeals from entities or their representatives

The consideration of such requests is governed by the regulations for responding to requests from subjects or their representatives, and is handled by the head of the organization, a deputy or an authorized official whose responsibilities include this work. These officials ensure:

  1. Timely, objective and comprehensive review of the document.
  2. Sending written responses on the merits of the request.
  3. Taking measures to restore or protect the violated rights and interests of the subject.
  4. Registration of all incoming requests on the day they are received; the documents are stamped with the date and incoming number.

The document is read and checked for repetition. In some cases, it is checked against past correspondence (if any). If the subject has already submitted requests in the past, a repeat request may be made 30 days after the last one.

After registration, requests are sent to the head of the company or his deputy, who determines the period and procedure for consideration and then gives instructions to the staff responsible for the response.

During the consideration of the request, officials should:

If authorized officials refuse to provide the information about the subject specified in the request, they must give a reasoned written response, with reference to Part 8 of Art. 14 of the Federal Law or another law that may serve as a basis for refusal, within 30 days from the date of application or from the date of receipt of the request.

Who can you provide personal information to?

The following have the right to receive this information on the basis of legislation:

  • Social Insurance Fund of the Russian Federation.
  • Tax authorities.
  • Federal Labor Inspectorate.
  • Pension Fund of the Russian Federation.
  • Other bodies of state control and supervision over the implementation of labor legislation.

In these cases, no new consent from the subject is required beyond that provided to the employer.

Do other authorities have the right to request personal data, and which ones?

The paragraph above has already listed the organizations that have the right to receive this information by law. However, there are other persons and organizations that may require personal information.

Lawyers

The named persons have the right to request any data relevant to the case:

  • Certificates from authorized persons.
  • Information about the activities of a citizen.
  • Characteristics.

But not all information is subject to disclosure. A lawyer may be refused in the following cases:

  • The person who received the request does not possess these documents.
  • The requirements for the form of the request were violated.
  • The information has limited access (commercial, state or personal secrets).

Also, a lawyer does not have the right to demand personal data, except in cases where official consent has been given.

Police officers

In accordance with clause 4, part 1, article 13 of the Federal Law of February 7, 2011 “On the Police”, an officer has the right, when investigating criminal cases or administrative offenses, as well as when checking allegations of possible violations, to request and receive personal data of citizens free of charge. Such requests must be motivated. When transferring personal data to police officers at their request, the consent of the citizens themselves is not required.

Investigators of the prosecutor's office

The legislation was supplemented with a clause that expands the prosecutor’s office’s rights of access to information. Processing of the received data in cases established by the law of the Russian Federation is carried out by prosecutorial authorities in the course of exercising prosecutorial supervision.


A request for personal data must be drawn up in accordance with Federal Law No. 152-FZ “On Personal Data”. The document should include the following information:

  • Full name of the subject about whom information must be provided, or of his official representative.
  • The number of the person’s identity document, the date of its issue and the authority that issued it.
  • The date the request was written and the signature of the requesting party, i.e. the person from whom the request comes.

The document is compiled according to the following algorithm:

  1. The request header is written (indicating who is sending the document and his identification data).
  2. To whom this request is intended (name and address of the organization).
  3. Contents (indicates the reasons why the selected information is required and its justification in accordance with the facts and legislation).
  4. Signature and seal of the sending authority.

Response to the request

In response to the received request, a response message must be written, which should contain the following information:

  1. The name of the authority from which the request came.
  2. Operator's name and address.
  3. Nationality of the employee whose data was requested.
  4. Full name, passport details of the subject, registration address.
  5. Position held.
  6. Information about labor activity in accordance with the marks in the work book (the attached order numbers are also recorded).

When sending a response, the transmitted information must not be distorted; therefore the form with the relevant information must be filled out and sent by an authorized person, the operator.

Many state bodies may obtain personal information without prior permission from the subject. The reason for this may be participation in criminal or administrative proceedings. Also, many bodies supervising compliance with labor legislation have the right to request this data from the employer.

In September, Roskomnadzor provided clarifications on the law on personal data in the form of questions and answers. We publish them.

What is the Authorized Body for the Protection of the Rights of Personal Data Subjects and who is entrusted with the implementation of these functions?

The authorized body is a federal executive body exercising control and supervision functions in the field of information technology and communications. Currently, in accordance with Government Decree No. 228 of March 16, 2009 “On the Federal Service for Supervision of Communications, Information Technologies and Mass Communications,” this function is assigned to Roskomnadzor.

Who can be an operator of personal data?

In accordance with paragraph 2 of Article 3 of the Federal Law of July 27, 2006 No. 152-FZ “On Personal Data,” the operator is a state body, municipal body, legal entity or individual that organizes and (or) carries out the processing of personal data, as well as determining the purposes and content of the processing of personal data. In this case, the specified bodies and persons are operators regardless of inclusion in the register of operators processing personal data maintained by Roskomnadzor.

In what cases should operators not ensure the confidentiality of personal data?

In accordance with Part 2 of Article 7 of the Federal Law of July 27, 2006 No. 152-FZ “On Personal Data,” ensuring the confidentiality of personal data is not required:

1) in case of depersonalization of personal data;

2) in relation to publicly available personal data.

In what cases is the consent of the subject of personal data not required for the processing of personal data?

According to Part 2 of Article 6 of the Federal Law of July 27, 2006 No. 152-FZ “On Personal Data,” the consent of the subject of personal data is not required in the following cases:

1) the processing of personal data is carried out on the basis of a federal law establishing its purpose, the conditions for obtaining personal data and the range of subjects whose personal data are subject to processing, as well as defining the powers of the operator;

1.1) processing of personal data is necessary in connection with the implementation of international treaties of the Russian Federation on readmission; (clause 1.1 introduced by Federal Law No. 266-FZ of November 25, 2009)

2) the processing of personal data is carried out for the purpose of fulfilling a contract, one of the parties to which is the subject of personal data;

3) the processing of personal data is carried out for statistical or other scientific purposes, subject to the mandatory anonymization of personal data;

4) the processing of personal data is necessary to protect the life, health or other vital interests of the subject of personal data, if obtaining the consent of the subject of personal data is impossible;

5) the processing of personal data is necessary for the delivery of postal items by postal organizations, for telecommunication operators to make payments to users of communication services for the services provided, as well as for consideration of claims of users of communication services;

6) the processing of personal data is carried out for the purposes of the professional activities of a journalist or for the purposes of scientific, literary or other creative activities, provided that the rights and freedoms of the subject of personal data are not violated;

7) personal data subject to publication in accordance with federal laws is processed, including personal data of persons holding government positions, positions in the state civil service, personal data of candidates for elected state or municipal positions.

Who should request the consent of the company’s employees to process personal data when it is transferred for processing to another operator?

The administration of the enterprise where the subject of personal data works must obtain the employee’s consent to transfer his personal data for processing to another operator.

In what cases does the operator have the right to process personal data without notifying the authorized body for the protection of the rights of personal data subjects?

In accordance with Part 1 of Article 22 of the Federal Law of July 27, 2006 No. 152-FZ “On Personal Data,” the operator, before starting the processing of personal data, is obliged to notify the authorized body for the protection of the rights of personal data subjects (Roskomnadzor) of his intention to process personal data. The exception is the cases provided for in Part 2 of this article, when the personal data being processed are:

1) relating to subjects of personal data who have an employment relationship with the operator;

2) received by the operator in connection with the conclusion of an agreement to which the subject of personal data is a party, if personal data is not distributed or provided to third parties without the consent of the subject of personal data and is used by the operator solely for the execution of the specified agreement and the conclusion of contracts with the subject of personal data;

3) relating to members (participants) of a public association or religious organization and processed by the relevant public association or religious organization operating in accordance with the legislation of the Russian Federation, to achieve the legitimate purposes provided for by their constituent documents, provided that personal data will not be disseminated without written consent of the subjects of personal data;

4) which are publicly available personal data;

5) including only the last names, first names and patronymics of the subjects of personal data;

6) necessary for the purpose of one-time entry of the subject of personal data into the territory where the operator is located, or for other similar purposes;

7) included in personal data information systems that, in accordance with federal laws, have the status of federal automated information systems, as well as in state personal data information systems created to protect state security and public order;

8) processed without the use of automation tools in accordance with federal laws or other regulatory legal acts of the Russian Federation establishing requirements for ensuring the security of personal data during their processing and for respecting the rights of personal data subjects.

The notification must be sent in writing and signed by an official, or sent in electronic form and signed with an electronic digital signature in accordance with the legislation of the Russian Federation.

A sample notification form for the processing of personal data and guidelines for filling it out are posted on the official website of Roskomnadzor.

What liability is provided for violations by the operator of the requirements of the Federal Law “On Personal Data”?

Article 24 of the Federal Law “On Personal Data” defines liability for violation of this Federal Law, which is expressed in the form of criminal, administrative, disciplinary and other liability provided for by the legislation of the Russian Federation. Administrative liability for violation of this Federal Law occurs for:

— unlawful refusal to provide a citizen with documents and materials collected in the prescribed manner, or untimely provision of such documents and materials, failure to provide other information in cases provided for by law, or provision of incomplete or deliberately unreliable information to a citizen (Article 5.39 of the Code of Administrative Offenses of the Russian Federation);

— violation of the procedure established by law for the collection, storage, use or dissemination of information about citizens (personal data) (Article 13.11 of the Code of Administrative Offenses of the Russian Federation);

— disclosure of information to which access is limited by federal law (except for cases where disclosure of such information entails criminal liability) (Article 13.14 of the Code of Administrative Offenses of the Russian Federation);

— failure to submit or untimely submission to a state body (official) of information, the submission of which is provided for by law and is necessary for this body (official) to carry out its legal activities, as well as the submission of such information to a state body (official) in incomplete or distorted form (Article 19.7 of the Code of Administrative Offenses of the Russian Federation).

In addition, for the illegal collection or dissemination of information about the private life of a person, constituting his personal or family secret, and unlawful access to legally protected computer information, Russian legislation provides for criminal liability under Articles 137, 272 of the Criminal Code of the Russian Federation.

Does a credit institution have the right to process personal data of individuals who have been refused a loan? Is it possible to store loan application forms as digital copies?

Personal data of the subjects of personal data received by a credit institution when considering applications for a loan, in the event of a negative decision of the credit institution, are subject to destruction within a period not exceeding three working days from the date of the relevant decision.

Please note that standard forms of documents, the nature of the information in which suggests or allows the inclusion of personal data in them, can be stored in the format of digital copies subject to the requirements for ensuring the security of personal data during their processing in personal data information systems approved by the Decree of the Government of the Russian Federation dated November 17, 2007 No. 781 “On approval of the Regulations on ensuring the security of personal data during their processing in personal data information systems.”

Is it possible to obtain consent to the processing of personal data over the phone?

Obtaining consent to the processing of personal data by telephone or via SMS messages is not established by the current legislation of the Russian Federation.

What is evidence of obtaining consent to the processing of personal data when purchasing goods in online stores?

When filling out a web application form for the purchase of goods on the website of an online store on the Internet information and telecommunications network, the criterion indicating that the operator has received the consent of the subject of personal data to process his personal data is an electronic digital signature file.

In addition, the operator’s offer to sell goods may in some cases be considered a public offer. Thus, the subject of personal data, by accepting the offer, performs implied actions expressing his will and consent to the processing of the personal data provided when filling out an application for the purchase of goods.

Does the operator have the right to request information about criminal records?

In accordance with Part 3 of Article 10 of the Federal Law “On Personal Data”, the processing of personal data on a criminal record can be carried out by state bodies or municipal bodies within the powers granted to them in accordance with the legislation of the Russian Federation, as well as by other persons in cases and in accordance with the procedure determined in accordance with federal laws.

Which foreign countries provide adequate protection of personal data?

Before the start of cross-border transfer of personal data, the operator processing personal data (hereinafter referred to as the Operator) on the territory of the Russian Federation is obliged to ensure that the foreign state to whose territory the transfer of personal data is carried out ensures adequate protection of the rights of personal data subjects.

The current legislation of the Russian Federation does not provide for criteria that determine the adequacy of the protection of the rights of personal data subjects on the territory of a foreign state. An operator carrying out cross-border transfer of personal data must be guided by the legislation of the foreign state to whose territory the transfer is carried out, the legislation of the Russian Federation in the field of protection of the rights of personal data subjects, and international regulations, including the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data of January 28, 1981 (ETS No. 108), taking into account the list of countries that have signed and ratified this Convention. These are Austria, Belgium, Bulgaria, Denmark, Great Britain, Hungary, Germany, Greece, Ireland, Spain, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Finland, France, the Czech Republic, Sweden and Estonia.

The second group that can claim the status of countries that provide adequate protection of personal data are countries that have nationwide regulations in the field of personal data protection and an authorized supervisory authority for the protection of the rights of personal data subjects. These are Andorra, Argentina, Israel, Iceland, Canada, Liechtenstein, Norway, Serbia, Croatia, Montenegro, Switzerland, South Korea, Japan.

Do the requirements of the Federal Law “On Personal Data” apply to a legal entity of a foreign state?

The requirements of the Federal Law “On Personal Data” apply to representative offices of legal entities of foreign states carrying out activities related to the processing of personal data on the territory of the Russian Federation.

Is the website an information system for processing personal data?

According to paragraph 9 of Article 3 of the Federal Law “On Personal Data”, a personal data information system is an information system that is a set of personal data contained in the database, as well as information technologies and technical means that allow the processing of such personal data using automation or without the use of such means. If the website meets the specified requirements, it is an information system.

How to document the fact of destruction of the subject’s personal data?

The procedure for documenting the destruction of the subject’s personal data is determined by the personal data operator independently. The destruction of the subject’s personal data is carried out by a commission or other official created (authorized) on the basis of an order of the Operator. The most common ways to document the destruction of the subject’s personal data are to issue an act on the termination of the processing of personal data or to record the fact of destruction of personal data in a special journal. The standard form of the act and journal is approved by the Operator himself.

Are there standards or recommendations for the implementation of the Federal Law of July 27, 2006 No. 152-FZ “On Personal Data” by operators?

Yes, such documents developed by individual representatives of the operator community exist:

— methodological recommendations for organizing information security when processing personal data in healthcare, social, labor and employment institutions.

[Photo: The Personal Data Protection Law has created additional risks for businesses.]

The adoption of the law “On Personal Data” has become a headache for many companies, imposing a heavy burden of responsibility on them. What should those for whom personal data is vital to their work, in particular online stores, do in such a situation? Read in this “KS” article.

The topic under consideration was raised at the beginning of May at the latest meeting of the Siberia eCommerce club. Anna Voitsekhovich, patent attorney at the law firm "Grebneva and Partners", who specializes in intellectual property, told the meeting participants how one can live and work calmly with personal data under today's tightening of the rules. “KS” has summarized the main points of her talk and, at the same time, asked other legal experts for their recommendations to business on this matter.

Who wants to become an operator

What needs to be done for Roskomnadzor to include you in the list of personal data (PD) operators? Actually, almost nothing: just create a personal account on the site, a user profile, a call-back button, or an advertisement form. Is it possible to find an online store that has none of the above?

If a company engaged in online trading falls under this definition (and this is almost 100%), it needs to notify Roskomnadzor, and it is advisable to do this as soon as possible, preferably before starting to collect personal data from clients.

What to remember first

Firstly, there is no clear definition of what should be included in the list of personal data. There are things that Roskomnadzor may consider as such, and the issue will be considered individually each time. If we follow the current trend of court cases, the following information can be considered personal data: last name, first name and patronymic, date and place of birth, home address, family, social and property status, education and place of work. It is very important: for information to be recognized as personal data, it is not necessary to collect everything listed above, just one point is enough.

“In fact, personal data can be called any information relating to a directly or indirectly identified or identifiable individual. That is, personal data is any information about a person by which he can be identified,” emphasized Anna Voitsekhovich. “The law does not contain a complete and exclusive list of such information. The law does not provide for any verification that the data relates to a specific individual. Even if the client has entered obviously fictitious data, this does not relieve you of your obligations to process personal data.”

Secondly, there is virtually no presumption of innocence for suspects here. RKN does not have to prove that certain data is personal. “There is reason to believe” is more than enough. In turn, the holder of the information must provide the most convincing evidence possible that this information is really necessary. Here's an example: an online store asks you to indicate your birthday when registering. For what? The most obvious answer, to offer a special discount on your birthday or simply to congratulate you, is unlikely to satisfy the inspectors. The regulator has the right to require a document setting out such a loyalty program. If you cannot provide it, that’s it: the collection is considered unreasonable. Saying that the program is still being developed amounts to the same thing. “Roskomnadzor’s position is very simple: information must be collected for a very specific purpose, and you must have a very clear explanation of why you need each detail,” the lawyer comments.

Very often, online merchants collect everything “just in case,” without thinking about why all this information is needed - and this is one of the most common mistakes. The vast majority of personal data that stores ask for is not needed by them: there are often cases when they are asked to indicate their home address at the registration stage, and sometimes they also require you to enter passport data. By the way, according to Anna Voitsekhovich, it is better not to collect them at all; the only industry that really needs this information is the medical one, and RKN pays special attention to it.

Thirdly, you should not expect to be warned before the inspection. Of course, the regulatory authority (in our case, RKN) is obliged to send a notification in advance before the inspection if it needs to look at documents in the office, the contents of servers, computers, and so on. But in the case of personal data, as practice shows, this is simply not necessary: according to Anna Voitsekhovich, in 95% of cases the violations are located directly on the company’s or store’s website. And in order to detect them, no warning is needed.

Laws on which the RKN relies

There are not many regulatory legal acts on the basis of which cases regarding the storage of personal data are dealt with. Most often, Law 152-FZ “On Personal Data” is considered when it comes to information about clients, and Article 14 of the Labor Code, if the subject of personal data is employees of the company itself. Violations of these laws fall under the Administrative Code.

Telephone, email, IP, cookies: controversial issues

Do mobile phone numbers and emails qualify as personal data? There is still no definite answer. The position of Roskomnadzor is yes, they do, because SIM cards are sold and registered using a passport, and if you enter a phone number into a search engine, you can find out personal information about the owner. The position of many lawyers is no, they do not: the contract with the cellular operator can be concluded for another individual, and the email address may be a work one. There are already court decisions: in St. Petersburg, the court recognized an e-mail address as personal data, in Lipetsk a telephone number. It happens that court rulings include in the list of personal data a registration certificate for a house or information about crossing the state border, and all these cases become precedents. And you have to live with them.

As experience shows, judicial and administrative practice is inclined to believe that a mobile phone number relates to personal data, since it is the owner of the number who has the right to dispose of information about it (for example, to use the number to send any information through it).


Login and password, which Internet merchants who have a personal account on their selling website cannot do without, fortunately, are not yet recognized as personal data. Anna Voitsekhovich quotes the head of the RKN, Alexander Zharov: “User names and passwords to accounts in email services or social networks themselves do not constitute personal data.” But if an online store uses an e-mail address as a login (not always, but this also happens) or requires you to indicate it to confirm registration (much more often) - this is already collecting personal data.

Whether IP addresses are personal data is a controversial issue in all respects. The Chelyabinsk Arbitration Court gave a positive answer in February 2016; six months earlier in St. Petersburg, the court reached the opposite conclusion. “In my opinion, IP addresses cannot be called personal data, since they identify not an individual, but a computer,” Anna Voitsekhovich expresses her point of view. “And to understand how closely this hardware is associated with a specific user, you still need to try very hard. In general, from my personal experience of communicating with law enforcement agencies, requests and courts, I can conclude that an IP address is not personal data.”

About photos

The Law “On Personal Data,” as already mentioned, does not contain a specific list of personal data, but distinguishes several categories: general, by which a person can be identified immediately, special, revealing it only partially, and biometric. The latter include not only fingerprints, but also, for example, photographs, which can be used to verify a person’s identity. Anna Voitsekhovich gives an example from personal experience: in a photograph from the scene of an incident, a random person appeared in the frame, and the police, considering this to be biometric information, seized the photographs, issuing only a report, without an attachment.

If the photo is biometric, you must obtain permission to publish it. And do it in writing. If the image is used in the media or advertising (even if the person cannot be identified from it), consent is also required. Even if the subject posed for the photographer himself and received money for it, this does not mean automatic consent - everything must be agreed upon in advance.

Is it possible to be excluded from the list of personal data operators?

An online store will not be able to completely exclude itself from the list of personal data operators, but in some cases it is possible not to submit a notification to the RKN. Notification may not be submitted in the following cases.

If all subjects of personal data are employees of the company itself.

If personal data is obtained only for the execution of a specific contract with a specific person and will not be used in any way, much less disseminated. This technique is often used by businessmen, but in fact with violations. It is very important to remember that the conclusion of the contract (or at least the beginning of its execution) must occur before the processing of the client’s personal data. In reality, the buyer first registers on the site, then selects a purchase, and only then, perhaps, buys something. RKN will definitely pay attention to this during the inspection.

The third option is if the person himself published his data in the public domain. This technique, contrary to the assertion of many lawyers, is quite workable, although labor-intensive: confirmation has to be obtained for each subject. Roskomnadzor itself views this method more leniently than the previous one; otherwise they simply would not have time to process all incoming applications.

About sanctions

Since July 1, 2017, fines for violations of work with personal data have increased. From this moment on, the Code of Administrative Offenses (sanctions for violations of 152-FZ are contained mainly in Article 13.11) includes seven offenses, six of which may affect online merchants.

For unreasonable collection of data (for example, passport number, TIN where they are not needed) - a fine of up to 50 thousand rubles.

For collecting personal data without the consent of the owner (no written confirmation) - up to 75 thousand rubles.

For failure to provide the subject of personal data with information about them (silence in response to a request) - up to 40 thousand rubles.

For failure to comply with the requirements of the PD subject or controller on time (for example, to destroy or clarify data) - up to 45 thousand rubles.

For leakage of personal data or unauthorized access to it (except for those cases when a criminal article is already in force) - up to 50 thousand rubles.

In case of particularly serious violations, the Criminal Code may be used, in particular, Art. (“Violation of privacy”) or Art. (“Illegal access to computer information”). Here the punishment can reach imprisonment for up to four years.

Anna Voitsekhovich also notes that Roskomnadzor decides whether to give the violator time to correct the violations, to fine him immediately or, for example, to seize the server on the spot. The decision also depends on the industry in which the company operates; inspectors treat some (for example, medical institutions) more strictly than others. Plus, you need to take into account that the above fines are issued for each established fact of violation and are ultimately summed up. And the saddest thing is that if more than one violation is found during one inspection, Roskomnadzor has every right to close the site and seize the server, that is, to paralyze the work of the entire company for at least two months. It is useless to open “mirrors”: RKN has long been able to find and close them, the mechanism has already been worked out. This will only make it worse for the violators themselves.

Algorithm of actions

Maxim Lagutin, co-founder and chief expert of the B-152 company, at the request of “KS” gave several recommendations on how to avoid violating the federal law.

First, you need to answer in writing what information about users you collect, how it is used and with whom it is shared. All of this must be included in the current documents.

Secondly, you need to warn everyone about everything: the site should have a notice about the collection of not only cookies, but also user data. Please ensure that your data policy is published and available on the website.


Thirdly, it is important to collect consent for the processing of personal data: you need to send a confirmation link by email, an SMS code to a mobile phone, or save the user’s IP address. Make sure that each case of collection of personal data on the site contains a link to the appropriate consent for this purpose. This could be just text or a checkbox “By clicking on the “Send message” button, I agree to the processing of personal data.” In this case, the text “I give my consent” must be a link to the text of the consent itself, which must be read before the user can give consent.

  1. User agreement: a contract of accession that is accepted by the user in full and without reservations. The document allows you to resolve in advance possible conflicts over what volume of services the user will receive and in what order. In addition, this option is suitable if individuals post any information on the website of an organization or entrepreneur on their own behalf. The user agreement will allow the site owner to moderate such information. The user agreement stipulates the general conditions for using the site, the responsibility of the owner of the service, how the rights to the site and its content are protected, permission to send various notifications to users, and the procedure for resolving disputes.
  2. A public offer for the distance sale of goods, which sets out the conditions and procedure for concluding a contract for the sale and purchase of goods through an online store.
  3. Privacy Policy, which describes the procedure for processing personal data. It should include a list of the information that the site collects and processes, the purpose of collecting it, requirements for the protection of personal data and the cases in which it can be transferred to third parties. A prerequisite is that the user must be able to edit his data. If the inspector does not find the required form, this is already a violation. The Privacy Policy is approved by order of the site owner and is placed in a visible place in the office, on the site and in the mobile application in the public domain. If the terms of the Privacy Policy change, it is necessary not only to notify the user of the change, but also to keep on the site the old versions of the Policy on the basis of which personal data was collected. If you didn’t save them, that’s already a violation.

All three documents must be approved by the site owner and posted in the company’s office or other place of residence of the site owner in paper form. Plus, they need to be published on the website itself and in the mobile application.

The provisions on the protection of personal data should closely intersect with the Privacy Policy, but not duplicate each other. If during an inspection Roskomnadzor finds contradictions in them (for example, some condition is specified in one document, but not in another), the documents will be declared “not working.”

“Many people are mistaken in believing that one user agreement, personal data processing policy or one consent is enough, which must be put on all forms of personal data collection on the site, and that this complies with the law. In fact, on the site, personal data is collected through different forms for different purposes: in some cases for mailings, in others for contact with a person, in others for downloading promotional materials or ordering a price list,” notes Maxim Lagutin. “The goals are different, and the consents must be different, otherwise it is also possible to get a fine of up to 50 thousand rubles.”


Unsubscribing from mailings and notifications should work clearly and without failures, the unsubscribe buttons should be in visible places. If the inspector cannot find them or at least one person complains that he could not unsubscribe (and thus the store stores his data illegally), this is already a violation.
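The consent mechanics recommended above (a ticked checkbox per form, a link to the policy version the user actually saw, old policy versions kept, separate consents per purpose, and a working unsubscribe) as an added example in JavaScript; this is not code from the article, from B-152 or from any of the quoted experts, and the purpose names, evidence kinds and record shapes are assumptions.

```javascript
// Added example, not the article's code: a per-purpose consent registry for a
// web shop. Purpose names, evidence kinds and record shapes are assumptions.
const PURPOSES = new Set(["order_contract", "mailing", "contact", "price_list"]);
const EVIDENCE = new Set(["email_link", "sms_code", "ip_address"]);

class ConsentRegistry {
  constructor() {
    this.policies = new Map(); // version -> text; old versions are never deleted
    this.records = [];         // append-only log of consents and withdrawals
  }

  // Publish a Privacy Policy version; earlier versions stay retrievable.
  publishPolicy(version, text) {
    if (this.policies.has(version)) throw new Error(`policy ${version} already published`);
    this.policies.set(version, text);
  }

  // Record consent taken on one form: the box must be ticked, the purpose must be
  // one the form was built for, the policy version shown must be a published one,
  // and there must be evidence of who consented (confirmation link, SMS code, IP).
  recordConsent({ subjectId, purpose, policyVersion, checkboxTicked, evidence }) {
    if (!checkboxTicked) throw new Error("consent checkbox not ticked");
    if (!PURPOSES.has(purpose)) throw new Error(`unknown purpose ${purpose}`);
    if (!this.policies.has(policyVersion)) throw new Error(`unknown policy ${policyVersion}`);
    if (!evidence || !EVIDENCE.has(evidence.kind)) throw new Error("no valid evidence");
    const rec = { subjectId, purpose, policyVersion, evidence, at: new Date(), withdrawn: false };
    this.records.push(rec);
    return rec;
  }

  // Unsubscribe / withdrawal for one purpose; returns how many consents it ended.
  withdraw(subjectId, purpose) {
    let n = 0;
    for (const r of this.records) {
      if (r.subjectId === subjectId && r.purpose === purpose && !r.withdrawn) {
        r.withdrawn = true;
        n++;
      }
    }
    return n;
  }

  // A consent for "contact" does not cover "mailing": check the exact purpose.
  mayProcess(subjectId, purpose) {
    return this.records.some(
      (r) => r.subjectId === subjectId && r.purpose === purpose && !r.withdrawn
    );
  }

  // The policy text a consent was given under, even after newer versions appeared.
  policyTextFor(record) {
    return this.policies.get(record.policyVersion);
  }
}
// Constructed walk-through: one subject, two policy versions, one withdrawal.
function demo() {
  const reg = new ConsentRegistry();
  reg.publishPolicy("v1", "Policy v1 (constructed text)");
  const first = reg.recordConsent({
    subjectId: "u1", purpose: "mailing", policyVersion: "v1",
    checkboxTicked: true, evidence: { kind: "email_link", value: "token-constructed" },
  });
  reg.publishPolicy("v2", "Policy v2 (constructed text)");
  const mailingBefore = reg.mayProcess("u1", "mailing"); // true
  const contact = reg.mayProcess("u1", "contact");       // false: no consent for that purpose
  const ended = reg.withdraw("u1", "mailing");           // 1
  const mailingAfter = reg.mayProcess("u1", "mailing");  // false
  return { mailingBefore, contact, ended, mailingAfter, oldText: reg.policyTextFor(first) };
}
```

The registry is what an inspector's questions map onto: which purpose a consent covered, which policy text the subject saw, and whether an unsubscribe actually stopped processing.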

It is necessary to select and indicate on the website a separate e-mail address to which an individual can apply with a request to change or delete his personal data and ask any questions about it. It is advisable that this is not a general mailbox like [email protected], but an address dedicated specifically for this purpose.

It is best to inform visitors and clients as often as possible that their data is being collected and stored - including for market research purposes. Saying it again is much better than not saying it.

If the RKN is ready to begin an inspection (and not just monitoring the site), then, having received a notification, you need to conduct a self-audit: collect the necessary documents, notify employees and try to convey to the inspectors that you are law-abiding operators and conscientiously notify everyone about everything.

Finally, the last point, which also follows from the law on personal data: the servers holding it must be located in Russia.

DIRECT SPEECH

Anton Karasev, head of the Internet marketing department of the IT-GRAD group of companies:

Companies related to online stores or other forms of business must comply with the established requirements of the regulator and, first of all, remember their own responsibility. To avoid violations, it is necessary to study the issue of the correctness of drawing up a policy for the processing of personal data and provide for the possibility of obtaining mandatory consent to the processing of personal data. If the website of an online store contains any forms of data collection, under each of them it is necessary to place a sentence stating that the subject consents to the processing of personal data, and it is imperative to provide for the possibility of accepting this condition. Do not forget about the prescribed conditions for processing personal data, which must be accompanied by a hyperlink to the document from the website page.

Dmitry Korobitsyn, General Director of the company “Supplier of Happiness”:

We take these legal issues seriously. Our company works with online stores that are directly concerned with the issue of personal data. I recommend that every company pay attention to the documents published on its website and, if necessary, promptly make changes to it.

To avoid a fine due to violation of the requirements of the Federal Law “On Personal Data”, you need to place two documents on the website. The first is “Consent of the subject to the processing of personal data.” This is a clear document that states that the user agrees to the processing of his personal data. After indicating his data (full name, email and telephone number), he checks the box indicating that he is not against the processing of the data that he left on the site. There, as a rule, he is invited to familiarize himself with the full text of the document.

The second document is less clear, but necessary: “The organization’s policy regarding the processing of personal data.” There is no clear explanation of what this document should be, what the policy is. In this regard, lawyers for IT companies decided that the policy could be a compilation from the Federal Law “On Personal Data” and some information from the document “Consent to the Processing of Personal Data”.
