Amendments to the law on personal data: what Roskomnadzor has prepared for us

In just a couple of days, on July 1, 2017, amendments to the Code of Administrative Offenses that tighten liability for non-compliance with the personal data law (hereinafter referred to as Law No. 152-FZ) will come into force. There has been plenty of coverage of this topic; “Clerk” also wrote about it.

But questions still remain.


It may feel like there is nothing but noise around this topic. What actually happened? In general, the law has not changed; only the fines have changed.

Now according to Art. 13.11 of the Administrative Code there is only one violation with a fine of 10,000 rubles for legal entities. After July 1, there will be seven of them and the total fine could be up to 295,000 rubles.

Why are the authorities taking up personal data now? The fines that come into force on July 1 cover the most common violations identified by Roskomnadzor over the past five years.

One of the main questions: do all sites really need to register as a personal data operator with Roskomnadzor?

It turns out not. This need can be avoided. But how? Data received from users must be processed on the basis of a user agreement. Subclause 2 of clause 2 of Article 22 of Law No. 152-FZ provides the following.

We quote: “...2. The operator has the right to process personal data without notifying the authorized body for the protection of the rights of personal data subjects:

…2) received by the operator in connection with the conclusion of an agreement to which the subject of personal data is a party, if personal data is not distributed, and is not provided to third parties without the consent of the subject of personal data and is used by the operator solely for the execution of the specified agreement and the conclusion of agreements with the subject of personal data;”

If the website of an organization or individual has a form for collecting visitor data, for example a feedback form, a newsletter subscription field, registration or a personal account, this counts as the processing of personal data.

From July 1, the February amendments to Article 13.11 of the Code of Administrative Offenses come into force. They concern personal data operators: everyone who collects, stores or processes users’ personal data in any way. The number of distinct fines increases to 7, the maximum amount of a single fine rises to 75 thousand rubles, the wording of the law becomes more specific, and compliance will be monitored by Roskomnadzor rather than the prosecutor’s office.

The law is dead, long live the law: what awaits us on July 1

Seven clearly defined elements of administrative offenses

If previously they could punish for a vague “violation of the order established by law,” now there is a clear formulation. A separate fine may be issued for each of the seven points. For those who are not a state or municipal body, only 6 offenses are provided.

The maximum fine for one offense is 75 thousand rubles

That is for legal entities. For ordinary citizens the maximum fine for one offense is 5 thousand rubles, and for individual entrepreneurs 20 thousand. The full list was published as an image:

[Image: full list of fines, not reproduced here]


The prosecutor's office is no longer involved in this

Instead, Roskomnadzor. Previously, the chain looked like this: “a violation is detected by Roskomnadzor, the results of the investigation are sent to the prosecutor’s office, administrative proceedings are initiated, a protocol is drawn up, the case goes to court.” Removing two links from the chain will speed up investigations and reduce the number of cases closed because the statute of limitations has expired.

The concept of personal data: still nothing clear

Article 13.11 of the Code of Administrative Offenses does not contain a precise definition of personal data. Nor is there a list of data that is considered personal. Under the general definition (any information that directly or indirectly relates to a specific individual), the following falls under it:

  • full name;
  • date of birth;
  • passport details;
  • place of residence;
  • phone number, links to social networks;
  • marital status;
  • education and place of work.

The list is not exhaustive; it includes everything that in one way or another can characterize a person, locate them, or link a virtual identity to a real person.

What is the processing of personal data: everyone falls under the locomotive of the law

The law does not apply to those who collect information for personal use - only to those who process it, use it for trading, transactions, or transfer it to third parties.

Writing down your attending physician’s number is not a violation. Posting it on the Internet without the owner’s consent is a violation and carries a fine.

If your website has a call-back form, a registration form that requires personal data, an order form or a personal account, you are subject to the law. And it is time to do something about it.

What to do now

  1. Indicate on the website how and why users’ personal data is processed, how they can prohibit its processing, and any other information related to data processing. The format is free: user agreement, privacy policy, terms of service. The page with this information should be accessible from anywhere on the site, or add it to the page with the form where the user enters data.
  2. Obtain an unambiguous confirmation that the user has agreed to the processing of his personal data. The most popular option is a checkbox. If it is not checked, the user’s data is not transferred and the action (registration, purchase, order) is not completed.
  3. Create clear instructions and regulations for your employees on the processing of users’ personal data.
  4. Register your website with Roskomnadzor. The earlier the better.

Registration with Roskomnadzor is optional if you:

  • use the data only to fulfill contractual obligations;
  • use public data that was posted by the owner;
  • process the data of your company’s employees, for example in a corporate portal;
  • use only the user’s full name.

In this case, prepare documents that, when checked, will convince representatives of Roskomnadzor of the legality of your actions.

What to do next

  • Process the user’s personal data only after his written consent or a file signed with an electronic digital signature. It sounds absurd, but there is one caveat.

Quote from Roskomnadzor:

... the operator’s offer to sell goods may in some cases be considered a public offer. Thus, the subject of personal data, by accepting the specified offer, thereby performs implied actions expressing his will and consent to the processing of the personal data provided when filling out an application to purchase goods.

  • Don’t go too far and ask only for what you need. Do not ask people who buy sneakers about their education and marital status. Showing off target-audience research at a conference is now an expensive habit.
  • Use the data only for what the user was informed about: running promotions, personalizing advertising, placing an order and delivery, and so on. The requested data is matched against the stated purposes of collection, and Roskomnadzor verifies that the use is lawful.
  • Set up a feedback channel with users. On request, tell them what personal data of theirs you hold, how it is used and with whom it is shared. Delete or withdraw data used for advertising mailings.
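Steps 1 and 2 of “What to do now” (a published policy and a checkbox that blocks the action when unchecked) and the withdrawal request in the last bullet above, as an added example that is not from the article: a Node.js consent gate for a site form. The policy version, purposes, field lists and in-memory store are constructed placeholders.

```javascript
// Added example (not from the article): server-side consent gate for a site form.
// It enforces the consent checkbox, limits fields to what the declared purposes
// need, keeps a record the operator can show on inspection, and stops processing
// when the subject withdraws consent. Policy version, purposes and field lists
// are constructed for the example.

const POLICY_VERSION = "privacy-policy-v1"; // placeholder: version of the published policy

// Fields each declared purpose needs (constructed; adapt to your own policy text).
const FIELDS_BY_PURPOSE = {
  order_delivery: ["name", "phone", "address"],
  newsletter: ["email"],
  promotions: ["email"],
};

// In-memory stand-ins for a database.
const consentLog = [];    // evidence of consent, one entry per accepted submission
const stored = new Map(); // subjectId -> { purpose: fields submitted with that consent }

function submitForm(sub, now = Date.now()) {
  // 1. No explicit checkbox, no processing: nothing is stored, the action fails.
  if (sub.consent !== true) return { ok: false, reason: "consent_not_given" };
  // 2. Consent must refer to the policy text currently published on the site.
  if (sub.policyVersion !== POLICY_VERSION) return { ok: false, reason: "stale_policy" };
  // 3. Only purposes the policy describes may be requested.
  const purposes = Array.isArray(sub.purposes) ? sub.purposes : [];
  const known = (p) => Object.prototype.hasOwnProperty.call(FIELDS_BY_PURPOSE, p);
  if (purposes.length === 0 || !purposes.every(known)) {
    return { ok: false, reason: "purpose_not_declared" };
  }
  // 4. Ask only for what those purposes need.
  const allowed = new Set(purposes.flatMap((p) => FIELDS_BY_PURPOSE[p]));
  const extra = Object.keys(sub.fields || {}).filter((f) => !allowed.has(f));
  if (extra.length > 0) return { ok: false, reason: "excess_fields", extra };

  const record = {
    id: consentLog.length + 1,
    subjectId: sub.subjectId,
    purposes,
    policyVersion: sub.policyVersion,
    givenAt: now,
    withdrawnAt: null,
  };
  consentLog.push(record);
  const bySubject = stored.get(sub.subjectId) || {};
  for (const p of purposes) bySubject[p] = { ...sub.fields };
  stored.set(sub.subjectId, bySubject);
  return { ok: true, consentId: record.id };
}

// True only while an unwithdrawn consent covers this purpose.
function mayProcess(subjectId, purpose) {
  return consentLog.some(
    (r) => r.subjectId === subjectId && r.withdrawnAt === null && r.purposes.includes(purpose)
  );
}

// Withdrawal: mark the consents and delete the data held under them, but keep the
// log entries, since the operator must be able to prove what was consented to and when.
function withdrawConsent(subjectId, now = Date.now()) {
  let n = 0;
  for (const r of consentLog) {
    if (r.subjectId === subjectId && r.withdrawnAt === null) { r.withdrawnAt = now; n += 1; }
  }
  stored.delete(subjectId);
  return n;
}

// What the operator hands over on the subject's request or at an inspection.
function consentEvidence(subjectId) {
  return consentLog.filter((r) => r.subjectId === subjectId);
}
```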

Transferring data abroad: the glass bead game of laws

There are two facts.

  • Data must be collected and processed only on the territory of Russia (Federal Law No. 242-FZ of July 21, 2014).
  • Cross-border transfer of personal data is allowed (Federal Law No. 152-FZ, Article 12).

The absurdity of the coexistence of these two laws is only apparent. It's all about the subtleties of wording.

According to 242-FZ, the list of prohibitions does not include data transfer. The operator can copy and transfer data abroad without violating current legislation - you just need to comply with the conditions of 152-FZ.

The primary database remains in Russia, and the foreign operator holds a copy of it. The copy may be used and updated only under the terms of the agreement between the two operators and the legislation of the countries in which those operators are located. At the same time, the Russian operator is not responsible for what the foreign operator does with the copy of the database.

Bottom line: data can only be stored and processed on the territory of Russia, but no one has prohibited transferring the database of users’ personal data abroad - it is enough to comply with the requirements of 152-FZ.

If you are still not sure, make a request to Roskomnadzor, the Ministry of Telecom and Mass Communications, or your hosting company.

Conclusion: fines are coming

You can endlessly argue about the absurdity of some provisions, the vagueness of the concept of “personal data” and complain that the laws are again becoming stricter, and the conditions for their compliance are more incomprehensible. But today the facts look like this:

  • Six fines can be issued at a time based on the results of the inspection. Seven – for state and municipal institutions.
  • The maximum fine is 75 thousand rubles.
  • You need to start bringing your website into line with the requirements of the updated Federal Law now. Roskomnadzor is known for the speed of its inspections and penalties.

There is a misconception that only mobile operators and banks work with personal data. This is not true. Any company processes the personal data of at least its employees, as well as counterparties, clients, office visitors and so on. In this article we explain what personal data is and how to process it correctly. Read it and do not break the law: from July 1, fines for companies increase sevenfold.

Every company works with personal data, but not every lawyer knows what personal data is and how to process it correctly. Before July 1, 2017, this was not so frightening, since fines for violations were small; now the situation has changed. From that date, amendments to the Code of Administrative Offenses of the Russian Federation come into force which increase fines for companies for violations in the processing of personal data and introduce 7 new offenses (Federal Law dated 02/07/17 No. 13-FZ). Fines will be paid not only by companies but also by the employees who violated the law, lawyers included. To help you stay on the right side of the law, we cover the basics of personal data processing that apply to every company.

What information is considered personal data?

Personal data is any information that directly or indirectly relates to a specific or identifiable individual (Clause 1, Article 3 of the Federal Law of July 27, 2006 No. 152-FZ “On Personal Data”; hereinafter referred to as Law No. 152-FZ). More specifically, the list of such information is defined in Decree of the President of the Russian Federation dated 03/06/97 No. 188 “On approval of the List of confidential information”: this is information about the facts, events and circumstances of a citizen’s private life that make it possible to identify him, except for information that is subject to dissemination in the media in cases established by law.

In the work of a company’s legal and HR departments, the personal data processed usually includes the following information about a person:

  • full name;
  • year, month, date and place of birth;
  • address;
  • family, social, property status;
  • education, profession, position, income;
  • biometric personal data.

Judicial practice expands the list of personal data. For example, the courts recognized the following as personal data:

  • information about the death of a citizen (resolution of the Arbitration Court of the Volga District dated September 25, 2014 in case No. A49-2005/2014);
  • a mobile phone number (appeal ruling of the Altai Regional Court dated October 1, 2013 in case No. 33-9241/2015);
  • photographs of a citizen (appeal ruling of the Sverdlovsk Regional Court dated 04/09/15 in case No. 33-5232/2015).

Recently there has been a clear trend: the list of information that constitutes personal data is getting wider. Thus, the European Court of Justice, in its judgment of 10/19/16 in case No. 582/14 (Patrick Breyer v. Germany), recognized that under certain conditions even an Internet user’s IP address can be personal data.

What is personal data processing

Processing of personal data is any action with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, changing), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion and destruction (Clause 3 of Article 3 of Law No. 152-FZ).

For example, a company processes personal data if it collects customer profiles (on paper or via the website), maintains and stores a client base, transfers customer contacts to a call center, records the passport details of office visitors at the checkpoint, etc. In fact, any company processes personal data.

Nota bene!
Additional conditions for the processing of personal data of applicants and employees are established in Chapter 14 of the Labor Code of the Russian Federation and the clarifications of Roskomnadzor dated December 14, 2012 “Issues relating to the processing of personal data of employees, applicants for vacant positions, as well as persons in the personnel reserve.”

When to notify Roskomnadzor

If a company processes personal data, it is an operator (clause 2 of article 3 of Law No. 152-FZ). Before processing personal data, the operator is obliged to notify Roskomnadzor of his intention (Clause 1, Article 22 of Law No. 152-FZ).

It is not necessary to send a notification (clause 2 of Article 22 of Law No. 152-FZ) if the operator company processes personal data, in particular:

  • only of its own employees;
  • for the purposes of concluding and executing contracts (for example, personal data of counterparties);
  • for a one-time pass of a person to the company’s territory;
  • without the use of automation tools (personal data is used, clarified, distributed and destroyed with the direct participation of a person - see Decree of the Government of the Russian Federation of September 15, 2008 No. 687).

Check whether the company falls under the exceptions specified in Law No. 152-FZ. If not, draw up a notification in the official form (Appendix No. 2 to the administrative regulations, approved by Order of the Ministry of Telecom and Mass Communications of Russia dated December 21, 2011 No. 346). Then send it to the territorial body of Roskomnadzor at the place of registration of the company. You can send a notification either on paper or in the form of an electronic document through the Gosuslugi portal (gosuslugi.ru) or the official website of Roskomnadzor (pd.rkn.gov.ru/).

Roskomnadzor will enter information about the company into the register of operators within 30 days from the date of receipt of the notification. You can check whether the company is included in the register on the official website of the department (pd.rkn.gov.ru/).

How to properly collect personal data

As a general rule, in order to collect personal data you need to obtain the consent of its owner, the subject of personal data (subclause 1, clause 1, Article 6 of Law No. 152-FZ). Consent must be specific, informed and conscious (clause 1, Article 9 of Law No. 152-FZ). This means that the list of grounds for processing personal data must be stated as specifically as possible and must also contain the processing period and the procedure for revoking consent (resolution of the Arbitration Court of the Ural District dated September 29, 2014 in case No. A60-31459/2013, resolution of the Fifth Arbitration Court dated August 13, 2014 in case No. A59-48/2014).

The law does not establish a form of consent for the processing of personal data, with the exception of special information. The subject can give consent in any form that will confirm the fact of its receipt (Clause 1, Article 9 of Law No. 152-FZ). In particular, consent can be expressed electronically by filling out a form on the website (resolution of the Federal Antimonopoly Service of the North-Western District dated 12/13/10 in case No. A56-73636/2009, appeal ruling of the Omsk Regional Court dated 08/07/13 in case No. 33-5139/2013).

FOOTNOTE
Written consent of the subject is required for processing special categories of personal data, for example about nationality or the state of health of a person (Article 10 of Law No. 152-FZ). Consent can be obtained on paper or in electronic form with an enhanced qualified electronic signature.

Obtaining consent to processing in a standard contract form is risky if the consent clause is simply included in the text. The court may recognize this method as improper if the consumer cannot change this condition, for example by making a note of his consent or refusal (resolution of the Arbitration Court of the North-Western District dated July 18, 2016 in case No. A44-9647/2015, resolution of the Arbitration Court of the Ural District dated December 22, 2016 in case No. A76-5164/2016).

In the event of an inspection or legal dispute, it is the operator who is obliged to prove that it obtained consent to the processing of personal data (Clause 3 of Article 9 of Law No. 152-FZ). Therefore, determine in advance what type of personal data your company processes and, depending on this, develop a form for obtaining consent to processing. An important point: the subject has the right to withdraw his consent at any time (clause 2 of Article 9 of Law No. 152-FZ). If the company receives such a request, it is obliged to stop processing the personal data.

Nota bene!
Consent to the processing of personal data is not required if the subject himself has made it publicly available. For example, when registering on a forum or social network. If the subject later revokes consent to processing, it can be ignored (clause 10, clause 1, article 6, clause 2, clause 2, article 10 of the Law).

How to obtain consent from employees

Employees must be familiarized, against signature, with the company documents that establish the procedure for processing personal data, as well as their rights and obligations in this area (Clause 8 of Article 86 of the Labor Code of the Russian Federation). This procedure can be specified in the employment contract, appendices to it, the internal labor regulations or other local acts, for example the company’s policy on the processing of personal data. The fact that employees have familiarized themselves with these documents must be recorded separately, for example in a special journal.

FOOTNOTE
For violations in the processing of personal data of employees, the company may be held liable under Art. 5.27 Code of Administrative Offenses of the Russian Federation (up to 80 thousand rubles fine).

The employee’s consent to the processing of personal data is not necessary in the following cases (see clarifications of Roskomnadzor dated December 14, 2012 “Issues regarding the processing of personal data of employees and applicants...”):

  • processing of personal data of close relatives of the employee to the extent provided for by the personal card in the T-2 form;
  • receiving motivated requests from the prosecutor's office, law enforcement agencies, security agencies, state labor inspectors;
  • processing is necessary to fulfill the contract concluded with the employee or the obligations assigned to the employer;
  • processing is related to the employee’s performance of his job duties, including when he is sent on business trips.

How to ensure the security of personal data

Personal data is classified as confidential information (Article 7 of Law No. 152-FZ). Operators and other persons who have access to them are obliged not to disclose to third parties or distribute personal data without the consent of the subject. The operator is obliged to ensure the security of personal data. Measures depend on the method of data processing - using automation tools or manually.

If a company carries out automated processing of personal data, it is subject to the Requirements for the protection of personal data during their processing in information systems, approved by Decree of the Government of the Russian Federation dated 01.11.12 No. 1119 and Order of the FSTEC of Russia dated 18.02.13 No. 21. To fulfill these requirements, it is necessary to involve IT specialists.

To protect personal data without automation, advisory measures are provided (Article 19 of Law No. 152-FZ and clauses 13-15 of the Regulations, approved by Decree of the Government of the Russian Federation of September 15, 2008 No. 687). One of these measures is to determine in the company’s internal documents a list of persons who process personal data or have access to it. Data security can be ensured by storing personal data media that are processed for different purposes separately (for example, storing separately the data of employees, office visitors and clients).

Who is liable for violations in the field of personal data, and what they face

For violations in the processing of personal data, a company may be brought to civil and administrative liability under Art. 13.11 of the Code of Administrative Offenses of the Russian Federation. Until July 1, 2017, the maximum penalty for an official was a fine of 1 thousand rubles, and for the company up to 10 thousand rubles.

On July 1, 2017, amendments that strengthen administrative responsibility come into force (Federal Law No. 13-FZ dated 02/07/17). The amendments introduce additional offenses into Art. 13.11 Code of Administrative Offenses of the Russian Federation and increase fines. In particular, the law introduces liability of legal entities for the following violations:

  • processing of personal data in cases not provided for by law (Part 1 of Article 13.11 of the Code of Administrative Offenses of the Russian Federation) - a fine of 30 thousand to 50 thousand rubles;
  • processing of personal data without written consent when the law requires such consent (Part 2 of Article 13.11 of the Code of Administrative Offenses of the Russian Federation) - a fine of 15 to 70 thousand rubles;
  • failure by the operator to publish a policy regarding the processing of personal data when such an obligation is provided for by law (Part 3 of Article 13.11 of the Code of Administrative Offenses of the Russian Federation) - a fine of 15 to 30 thousand rubles.

An employee can be held administratively liable, but not only that. Additionally, he bears material (clause 7 of Article 243 of the Labor Code of the Russian Federation), disciplinary (clause “c” of clause 6 of Part 1 of Article 81 of the Labor Code of the Russian Federation) and even criminal liability (Part 2 of Article 137 of the Criminal Code of the Russian Federation).

Both the violating employee (for example, who copied the customer database onto his flash drive and transferred it to a competitor) and the employee who is responsible for the processing of personal data in the company will be held accountable.