Law on personal data: who is the operator? Is the employer a personal data operator?

Everything you need to know about personal data

Why was this law invented? It's just another way to fill the trough. Now there is no point in building a website; they will fine you every month regardless.

The Personal Data Law is needed by those whose data is collected, processed and stored. The purpose of the law is to protect the interests and rights of these people.

Personal data protection standards were not invented in Russia. The UN described the rules for processing it back in 1948 in the Universal Declaration of Human Rights. In 1981, the Council of Europe adopted a convention on the processing of personal data. Russia ratified it and in 2006 passed its own law.

In Europe, there has been paranoia about personal data for a long time.

The Constitution guarantees every person the inviolability of privacy, confidentiality of correspondence and telephone conversations. Even without a law on personal data, it is impossible to process, store and distribute information about a person without his consent.

However, people constantly leave personal data behind: to place an order in an online store, take out a loan from a bank, enroll a child in kindergarten, register on a social network or subscribe to a newsletter. When a person leaves his data, he must be sure that his address will not end up in the public domain and his phone number will not be handed to someone without permission. And the one who processes personal data wants guarantees that he will not be sued over advertising mailings.

We recently told you how. This happened, among other things, because someone violated the rules for processing personal data.

The Personal Data Law sets the rules of the game for everyone. It forces everyone to take extra precautions, but it also protects everyone.

I have a website. I am not an individual entrepreneur or a legal entity - just a person. Is it necessary to comply with the law on personal data in this case?

Yes, the law must be followed by everyone who processes someone's personal data. The operator can be a legal entity, an individual entrepreneur, a government agency or an ordinary person who has created and administers a hobby forum. The precise definitions of who an operator is and what constitutes processing of personal data are in Article 3 of the law.

For example, a girl created a forum for pregnant women in order to post advertisements there. When registering, participants provide information about themselves. This girl is a personal data operator. She receives information about other people and does something with this data: sorts it by age and interests, checks user activity, uses it for mailing lists and invitations, or simply stores it.

Any of these actions is the processing of personal data. Anyone who performs this action is an operator.

I have friends' emails, a list of contacts on my phone, and different people's social media accounts. Does it turn out that I am also an operator and must obtain these people's consent to store and delete their data?

No, in such cases consent is not required. The law does not cover personal data that is processed for personal and family needs. These could be the contacts of people you need in your phone book, colleagues' and partners' business cards, or friends' profiles on Facebook.

Is the feedback form also covered by the law?

If a person can enter his personal data in it, then yes, it is covered.

There are no exceptions in the law regarding the form or method of collecting personal data, and there is no clarification of what exactly counts as collection. The Ministry of Telecom and Mass Communications believes that collection is some kind of documented procedure for obtaining data about a person. A feedback form fits this definition.

The feedback form itself is not covered by the law merely because it exists. What matters is what data the visitor transmits through this form, and whether it can be used to directly or indirectly identify a person and harm him in the event of a leak or distribution.

If a site visitor indicates his first name, last name, telephone number and email in the form, this is personal data. The one who receives, processes and stores this data is considered the operator of personal data and must comply with the law.

And if you only receive a first name without a last name, plus a phone number, does this also count as personal data? What if it's just a phone number?

By law, personal data is any information relating to a directly or indirectly identified or identifiable individual. This definition does not clarify anything.

Taken literally, anything can be considered personal data. Lawyers have been debating this issue for many years.

The Ministry of Telecom and Mass Communications does not give specifics; it says only that it seems impossible to define the composition of personal data more precisely, including as a list. There are no clear explanations from other departments on this matter either.

If there is a dispute over whether an email or login is personal data, the court will decide. The courts have already issued several decisions regarding personal data. The obvious follows from them: full name, passport details, address, telephone numbers, information about family members, and data from pension files and employment contracts are considered personal data. Something less obvious also follows: a TIN by itself is not personal data, but the fact of crossing the border is.

A login by itself does not seem to be personal data. From a string of characters it is impossible to tell who the person is, or even what gender they are.

But if a person uses his own real photo as an avatar, or at registration gives an email whose local part contains his last name and initials and whose domain is his company's name, then taken together this is already personal data.

No one really knows which data counts as personal.

There are no exceptions in the law regarding the topic of the site, legal form and data set.

To avoid risk, it is better to proceed as follows.

If you collect any information about any individuals anywhere for any purpose, you need to record their consent and prepare documents. If you do this just to be safe, even when it is not required, nothing bad will happen. If you don't, there may be claims from users and from Roskomnadzor.

I'm making a website for a client, processing and storing data on my side. In that case, is the site owner not obliged to be a personal data operator?

The site owner is obliged to be a personal data operator and comply with the law. By law, you can collect personal data and hand it to someone else for processing. The site owner can transfer customer data to the webmaster, and an online store can transfer it to a mailing service.

To do this, the site owner must obtain permission from visitors and explain to them who and why he will transfer their data.

Responsibility lies with the owner

The person to whom he transfers data for processing does not have to obtain separate permission, but must comply with the law.

The site owner will be responsible for compliance with the law to site visitors.

Roskomnadzor and the court will determine who owns the site from the totality of the evidence. If the site contains information about a specific legal entity or individual entrepreneur, that is who they will ask. If there is no such data, they will ask the domain administrator.

How will they find out that I store and process data in order to issue a fine? They can stage a raid on a Russian data center and carry off the server, but that kind of stunt doesn't work abroad.

Roskomnadzor learns about violations in two ways:

  • it conducts an inspection itself;
  • it responds to someone's complaint.

If Roskomnadzor discovers violations, the site may be blocked and the company may be fined.

By law, operators are required to store personal data on Russian servers. There are a few exceptions, but these are specific. Any online store or subscription service must store a database with personal data of citizens in Russia.

Then you can transfer this data abroad. This is legal, but under certain conditions. Otherwise, it would be impossible to book hotels and buy plane tickets abroad.

Roskomnadzor may require confirmation of where the databases are stored: for example, a contract with a data center or hosting provider, or the documents for your own server. If it turns out that personal data is stored outside Russia in violation of the law, there will be problems.

In addition to the law on personal data, there are the requirements of the Federal Service for Technical and Export Control (FSTEC) and the FSB. The prosecutor's office may also become involved in an investigation. They have enough power to find out where the data is actually stored and deal with violations.

What if our website is in English?

The law on personal data must be observed if the site is used to operate on the territory of the Russian Federation. Theoretically, Roskomnadzor has the right to block it and can do so.

Here are the signs used to determine this:

  • the domain name is associated with the Russian Federation or one of its subjects;
  • there is a Russian version of the site;
  • payment for goods or services is in rubles, and delivery to the territory of the Russian Federation is possible;
  • the consumers of the site's content are Russians;
  • there is advertising in Russian that leads to this site.

If there is any combination of these factors, the data controller must comply with the law, even if it is a foreign company. This means that documents must be accessible and understandable in the Russian Federation. It is enough to have them in Russian so that Roskomnadzor and Russian citizens understand them. Our privacy laws do not apply to non-residents outside the country.

The law does not explain how to determine a visitor's citizenship; operators are left to solve this problem themselves. Since there is no clear position or tooling, it is worth complying with the law for all personal data collected on the territory of Russia.

Duplicating the same documents in foreign languages makes no sense for Russians. But these rules were not invented in Russia. There is a Council of Europe convention for the protection of individuals with regard to automatic processing of personal data. So if you collect data from foreigners, think about how you comply with the law of the country where they are resident.

In Europe, fines of hundreds of thousands of euros are imposed for a single violation of the rules for processing personal data. In Russia, the maximum fine from July 1, 2017 is 75 thousand rubles.

Can I avoid registering with Roskomnadzor if I change the field in the feedback form from “Your name” to “Your company”?

The Personal Data Law only protects the data of individuals. It does not apply to company data. But the label on the feedback form is a formality. What matters is what data the site owner collects and for what purpose.

If this is actually the name of the company and the telephone number of the office, such information is not subject to the law. But if a site collects mailing addresses and telephone numbers of company employees in order to then send mailings to them or transfer them to third parties, there may be problems both from these employees and from Roskomnadzor.

All personal data operators must register with Roskomnadzor. The only exceptions are the cases listed in paragraph 2 of Article 22 of the law on personal data.

So if I publish a post on Facebook and mention my friend, does that mean I'm processing his data? The post is cached on my phone; does that mean I am storing the data? And if I repost on Twitter, I am also handing it to a third party. How is one supposed to live with this?

This is not a violation of the law. In this case, the personal data operator is the social network. Everyone who registered there consented to the publication, processing and use of their data.

All Facebook users have agreed to the processing of data about their location, devices used, friends, interests, payments, sites visited and connections with other people. They have even agreed that Facebook can access the address book on any device and then use this data.

You have already given Facebook permission to do whatever it wants with your personal data.

Everyone has agreed that Facebook transfers this data to its partners and advertisers, and that any user can link to, mention and tag anyone they want in their photos, within the limits of their privacy settings. This is legal, and Facebook is responsible for it, not users.

If there is an advertisement on a pole “I will buy deer antlers, 8,800..., Gennady,” then can this pole be fined?

No, the pole cannot be fined; it is not a legal entity either. And people who read such advertisements and write down the phone number to sell antlers are not personal data operators and are not subject to the law.

Gennady himself made his data publicly available in order to buy deer antlers. And those who call him about the antlers are using the number for personal purposes.

If a microfinance organization records Gennady's phone number and starts sending him advertisements for quick loans, it can be held accountable. Gennady did not give it consent to process his personal data for sending out advertisements.

A person who happened to see Gennady's phone number, wrote it down in his phone book, or even called Gennady with an offer to sell antlers cannot be held accountable.

So if a person deliberately published his data for advertising purposes, it is not considered personal data? On Avito, for example.

If a person hands his personal data to some resource, even for advertising purposes, that resource must comply with the law. It must tell the user why it collects personal data, what it will do with it, where it will publish it and to whom it will transfer it.

To submit an ad on Avito, you need to register and confirm your phone number. You cannot submit an ad without registration.

Avito explains that it uses data to post it on its website and information resources, transfer it to its partners, hold competitions and verify the user's identity. Avito can also transfer user data abroad and hand it to third parties for processing, and it says so honestly. This is legal.

There is no rule that if a person has himself posted data publicly on some resource, anyone can do whatever they want with it: distribute, process and store it without permission.

The only exception for publicly available data: the operator of such data need not submit a notification to Roskomnadzor. But it is still obliged to obtain consent, ensure security and delete the data at its owner's request.

How to correctly obtain consent to process personal data on the site? Can I take a template from the website of some large company?

You can't just take any agreement and use it on your site, but you can look at what others have done and draw on that experience.

Consent to the processing of personal data must be specific, informed and conscious. Silence or lack of objection to the processing of personal data is not consent.

There is no prescribed form in which it must be obtained from a visitor or client. It could be a link to the user agreement in a reply email or a checkbox in the registration form.

Consent must be conscious and informed

Every operator must have purposes. An online store collects address data to deliver goods; a subscription service asks for an email address to send letters; a medical center systematizes health data; a school, information about the family.

Only personal data that is relevant to the purpose may be collected, processed and stored. Lamoda, Glavred, Biblio-Globus and a kindergarten cannot have the same purposes. And if you collect unnecessary data, you may be fined for it.

Obtaining consent to process personal data is not enough. It is necessary to follow the seven principles of processing and correctly draw up internal documents.

Understood. Apparently I'm a personal data operator. What exactly should I do?

Study the law. It is complex, much of it is hard to understand, and some questions are not addressed at all. If you can't figure it out yourself, ask a lawyer you trust.

Place a user agreement, privacy policy, offer or some other document on the site so that the visitor understands what data you collect, what you do with it, where you transfer it, how you store it and when you delete it. Pay attention to the wording: it will matter in court.

Create a database with personal data on Russian servers. Then you can transfer data abroad if it is legal, reasonable and safe.

Ensure the technical security of data and protect it from leakage.

Prepare internal documents. A lot of them: orders, instructions, regulations and signed undertakings. This needs to be done once, but correctly. During an inspection, Roskomnadzor has the right to request and review them.

Submit a notification to Roskomnadzor if you do not fall under the exceptions in Article 22 of the law on personal data. If you do fall under the exceptions, draw up the documents so that this is obvious on a visual inspection and no fault can be found with you.

Have the website pages containing the personal data documents certified by a notary, so that you cannot be accused of lacking them or of changing the wording.

If you don't have a website, you can still be a personal data operator. Data need not be collected automatically or via the Internet. When you hire an employee, you also process personal data. Complete your paperwork correctly.

The Personal Data Law is not scary

This is normal practice worldwide. You don't have to spend a lot of money to follow it, and you don't need to be afraid of fines either. If you set everything up correctly once and treat information about other people carefully, you will not be in any danger.

Each of us is a subject of personal data. This law protects our data too. And if someone violates it, you can sue, block the offending site, demand that information about yourself be removed, and even receive compensation.

I had an interview yesterday. I was told that I was being hired and asked to sign a document providing my personal data. But! The document was very unusual. I have more than once signed agreements for the processing of my personal data in medical institutions, in educational institutions and when being hired. But they were quite decent. Something like:

Olya Kadrovik: I agree with you, but for me it looks like this: _____________________________________ (last name, first name, patronymic) registered at the address: _____________________________________ (registration address is indicated _____________________________________ with postal code) passport series _________ No. ______________ issued by ________________________________ (date of issue and name _____________________________________ of the issuing authority) CONSENT to the processing of personal data I, _______________________________________________________________, (last name, first name, patronymic in full) in accordance with Article 9 of Federal Law No. 152-FZ of July 27, 2006 "On Personal Data" give my consent to the Limited Liability Company "Vesna" (LLC "Vesna") to the processing of my personal data, both automated and without the use of automation tools, namely the performance of the actions provided for in clause 3 of part one of Article 3 of Federal Law No. 152-FZ of July 27, 2006 "On Personal Data", with respect to the information about the facts, events and circumstances of my life provided to Vesna LLC. This consent is valid from the day it is signed until the day it is withdrawn in writing. ________________________________________________________________ (signature) (printed name) (date)

And so:

Julia 34: To the CEO of LLC "____", Pupkin O.O., from __________ APPLICATION for the processing of personal data I, (last name, first name, patronymic) give consent to (name of organization) to the processing of my personal data, both automated and without the use of automation tools, namely the performance of the actions provided for in clause 3, part 1, art. 3 of Federal Law No. 152-FZ of July 27, 2006 "On Personal Data", contained in this application, in order to ensure compliance with labor legislation and other regulations, assistance in employment, training and promotion, ensuring the personal safety of workers, controlling the quantity and quality of work performed and ensuring the safety of property, namely: 1. Full name 2. Date of birth (day, month, year) 3. Identity document (name, number and series of the document, by whom and when issued) 4. Registration address at the place of residence 5. Address of actual residence, contact phone number 6. Taxpayer Identification Number 7. Number of the pension insurance certificate. Warned about responsibility for the accuracy of the information provided. (Last name of the employee) (signature) (date)

I sign such contracts without much worry!
But here...
I took a photo of part of the document. I cannot quote the entire text verbatim, only a part.

In short... I am horrified by such a document! I told the personnel officer that I was refusing the job offer...
In short, I got scared. Maybe for nothing?

Shmelev Pavel Vladimirovich

Part 1

The Federal Law “On Personal Data,” which came into force in January 2007, initially received little attention from personal data operators, although, it would seem, it was the operators who should have been interested in all the resource-intensive “surprises” the legislator included in this act. Operators began to stir anxiously only at the end of 2009: the law named 01/01/2010 as the deadline by which all personal data information systems had to be brought into compliance with it.

January 2010 brought amendments to the Federal Law “On Personal Data”, the essence of which is simple: operators received another year for the notorious “bringing into compliance”. In February 2010, the FSTEC of Russia undertook a “tactical realignment of the front line” (FSTEC order No. 58-2010), which many operators mistakenly took as the regulator admitting its mistakes and taking a “step back.” The operators “exhaled,” but this exhalation brought no significant relief. As it turned out, all attempts by operators (justified, dubious and ill-conceived alike) to revise certain provisions of the law were unsuccessful. And the FSTEC of Russia, following a definite strategy, in my view made no mistakes. The number of scheduled and unscheduled inspections carried out by Roskomnadzor has also increased significantly, which has not gone unnoticed. The time has come for operators to decide: continue to remain in the shadows, citing the “ill-conceived and absurd regulatory framework,” or think about priority measures to implement the law.

The market for personal data protection services has come alive, and with it, as an inevitable stage, the “enlightenment” of thoroughly disoriented operators. Oddly enough, the most active pioneers of this educational work were not experienced, qualified information security specialists (who comment on what is happening very guardedly), but “experts” of a new wave. Curious IT specialists, unemployed graduates of information security departments, and simple “passers-by” found themselves at the forefront of the fight for operators' rights. Operators' own employees, whose duties unexpectedly came to include “resolving the personal data issue quickly and cheaply,” did not stand aside either.

The harmful fruit of such enlightenment was outwardly plausible myth-making, which many operators took for a brilliant breakthrough in the interpretation and application of regulations. Few are alarmed that the legal assessment of particular provisions of the law is given not by qualified lawyers specializing in information law, but by specialists of an entirely different profile. The “innovative” solutions they generate usually rest on speculation and assumption, not on experience and enforcement practice. The alchemical recipes of these “wizards” sometimes baffle even professionals, who (sometimes unsuccessfully) warn businesses against playing games with the state, especially when, under the rules of the game, only one of the players has a goal.

Who will pay for the consequences of risks that sometimes border on absurd arrogance? Obviously, the advice of such experts (sometimes sensible, more often ignorant, but never backed by practice) can cost operators dearly.

Let's try to look at the twenty most popular misconceptions that can cost operators dearly. So, top ten misconceptions...

Misconception No. 1.

The Law “On Personal Data” comes into force only on January 1, 2011. There is still time.

Reality.

The law came into force 180 days from the date of its publication, i.e. 01/29/2007. Law of the Russian Federation No. 363-FZ of December 27, 2009 extended only the period for bringing personal data information systems created before 01/01/2010 into compliance. All other provisions of Law No. 152 (including those defining the operator's other obligations, for example the obligation to protect personal data under Article 19 of Federal Law No. 152) are in force now. The same applies to the provisions of other regulatory documents. For example, work to ensure the security of personal data during processing in a personal data information system (ISPD) is an integral part of the work of creating the ISPD (clause 4 of the Appendix to Decree of the Government of the Russian Federation No. 781 of November 17, 2007). What does this mean? That any work or services for designing or implementing an ISPD must necessarily include the creation of information security subsystems. Is an ISPD being created for accounting and HR work? Then the January 1, 2010 deadline does not apply to it, since it is being created after, not before, the law came into force.

Organizational measures to protect personal data must likewise be implemented by the operator regardless of the date of January 1, 2011. Reason: in most cases these measures relate to processing of personal data not only within an ISPD, and therefore do not fall within the scope of Article 25 of Federal Law No. 152. Roskomnadzor's enforcement practice confirms this.

Misconception No. 2.

What matters is to protect yourself from claims by the control and supervisory authorities (i.e. the state), primarily Roskomnadzor. To do this, you need to send a notification to Roskomnadzor and create the set of internal documents that will be requested during an inspection.

Reality.

Introducing a set of local organizational and administrative documents is, of course, a mandatory stage of the work to protect personal data. However, these initial and necessary measures are not sufficient! Indeed, many operators believe that they need to protect themselves from the state, rather than protect personal data. Often, in the operator's understanding, protection from the state in the person of Roskomnadzor is the only task at all, which contradicts the meaning and purpose of the Law “On Personal Data” (that purpose is single and simple; why not look at it?). This is a dead-end path, fraught with complications.

Firstly, we should not forget that Federal Law No. 152 (Part 1, Article 19) establishes that, alongside organizational protection measures, the operator is obliged to take technical protection measures. Exactly which measures is a question beyond the scope of this article; we can only emphasize that in most cases the need for technical protection measures is justified, and such measures must be taken within the time limits set by Article 25 of Federal Law No. 152.

Secondly, Roskomnadzor carries out its supervisory functions only within the framework established by current legislation, the Regulations on Roskomnadzor and its administrative regulations. Roskomnadzor does not carry out other measures (beyond its competence) to check a PD protection system, but this does not mean that the state lacks the ability to monitor the completeness and lawfulness of the PD protection measures taken by a specific operator. Roskomnadzor is not the only body overseeing the observance of citizens' rights. The prosecutor's office, for example, has the right to initiate administrative proceedings (including under Article 13.11 of the Code of Administrative Offenses of the Russian Federation), and there are enough prosecutor's office orders and court decisions to speak of an established enforcement practice.

Thirdly, the short-sightedness of such an operator strategy lies in ignoring the rights of the PD subject himself and the possible negative consequences for the operator of violating those rights. Especially when such violations actually occur. The subject will complain, and his complaint will be considered regardless of the quantity and quality of the provisions, instructions and regulations the operator has prepared! The rights of the personal data subject are very extensive (Article 14 of Federal Law 152). Unfortunately, most operators are unaware of the time frame within which, and the volume of information that, the operator is obliged to provide to the subject. But the subject, unaware of the “documentary system of protection from Roskomnadzor” built by the operator, may in all simplicity file a justified complaint (appeal, application, claim) with the prosecutor's office, the internal affairs bodies or the court. Of course, these bodies will be obliged to respond. The duration and consequences of that response depend directly on the persistence of a competent PD subject (and his knowledge evolves very quickly) and on the content of his appeals. That is why the operator's strategy for implementing Federal Law No. 152 should consist not in preparing internal regulatory documents by the decimeter, but in building a balanced personal data protection system that prevents information security incidents. Preventing such incidents guarantees the absence of justified (sic!) complaints from personal data subjects.

Misconception No. 3.

There is no need to send a notification to Roskomnadzor, because then the operator will be “taken note of” and will definitely be inspected and punished.

Reality.

The territorial divisions of Roskomnadzor have quite obvious, accessible and legal ways to establish that a person (operator) carries on business activity and to conclude that such a person is a PD operator. In that case the absence of a notification only aggravates the position of an operator who failed to notify in the cases provided for by Federal Law No. 152. Roskomnadzor has the right to treat the lack of notification as an administrative offense under Article 19.7 of the Code of Administrative Offenses of the Russian Federation. That is, an operator will be “punished” rather for its sluggishness and failure to notify than for sending a notification to the supervisory authority. The purpose of collecting notifications is not total state control of operators, but the compilation of a register of operators in order to bring order to the processing of personal data and, ultimately, to properly protect the rights of personal data subjects. The notification form can be found on the Roskomnadzor website www.rsoc.ru.

It only remains to add that preparing a notification is a fairly simple procedure, which, however, has its own characteristics related to the formulation of the goals and legal grounds for processing personal data.

Misconception #4.

There is no need to send a notification to Roskomnadzor if the operator processes personal data only of its employees on the basis of an employment contract (Part 2 of Article 22 of Federal Law 152).

Reality.

Formally, such an exception is provided for by this article. In practice, however, a meaningful and thoughtful attempt to apply this exception does not lead to a reasoned conclusion that the operator has no obligation to notify. This paradox applies to most operators. As an example, let’s consider the processing of the personal data of a subject who is an employee of the operator. As a rule, in addition to processing the employee’s personal data, the operator legally processes the personal data of other persons related to the employee. These may include persons receiving alimony by court order or voluntarily (spouses, children, parents of employees). The operator may also process personal data in order to provide employees with standard tax deductions for children and (or) social tax deductions in connection with the education or treatment of children or other relatives, or the data of employees’ minor children for the purpose of their health improvement (referring children to health camps), and so on. Finally, the operator processes the personal data of individuals for the purpose of their employment (resumes of candidates), and the processing of these individuals’ personal data occurs before any labor relations are established. Therefore, the application of such an exception must be treated very carefully.

Often an operator, having superficially familiarized himself with Federal Law No. 152, comes to the following illogical conclusion: if there is no need to send a notification, then there is no obligation to comply with the Law “On Personal Data” at all! What is this: a hard-to-explain paradox of the Russian mentality, a painful need for the intervention of supervisory authorities, or banal arrogance combined with a veil of collective irresponsibility? Most likely, it is the illiteracy and negligence of the operator’s employees, who mislead the operator’s manager.

Misconception #5.

Only those who provide services to citizens and process the personal data of these citizens need to protect personal data. Protection of the personal data of “their own” employees is optional, or such protection may be less stringent.

Reality.

Such a statement is a prerequisite for violating the principle of equality of all before the law, a principle enshrined in the Constitution of the Russian Federation (Article 19). Indeed, can the constitutional right of an employee to the privacy of his personal life (Article 23 of the Constitution of the Russian Federation) differ from the rights of another person who is not an employee of the enterprise? An even more important question: will an employee of an enterprise (organization) accept a state of affairs in which his (the employee’s) constitutional rights are infringed? Even if there are few employees and all of them are extremely loyal to the operator, you need to understand that the protection of any constitutional rights is a matter of public interest. All authorities will protect the provisions of the Constitution of the Russian Federation regardless of the wishes of the personal data subject and contrary to the will of the operator; this is an axiom. In other words, the prosecutor’s office, for example, has the right to react to the operator’s stated position in an entirely predictable manner.

Practice shows that an operator’s employee can be much more demanding than any other PD subject with respect to the operator’s compliance with its obligations to protect the employee’s PD. Many operators (and the professional community) believe that in the current edition of Federal Law 152 the rights of the personal data subject are excessive and absolute. Indeed, this is so: the rights of the PD subject must be “balanced” by common sense and the rights of the operator, and the subject’s demands must be justified. One way or another, it is time for the operator to get used to the fact that the constitutional rights of the subjects (his employees) are an immutable fact that requires the implementation of the actions established by law. We should not forget that the Labor Code of the Russian Federation (Article 87) establishes the employer’s obligations regarding the storage and use of the employee’s personal data. In this regard, it is worth considering whether the employer is ready to face yet another body of state supervision and control: the State Labor Inspectorate.

Misconception #6

PD security and PD confidentiality are one and the same thing. If confidentiality is ensured, then the requirements of the law are met.

Reality.

Very often, operators understand confidentiality (the confidentiality regime) as the entire range of security measures. This misconception is also reflected in the operator’s regulatory documents, in which the concept of “confidentiality” is taken to mean the whole set of measures for protecting information. This is a mistake: a serious, dangerous, systemic error. The nature and meaning of these terms (and, as a consequence, the measures that implement protection) are different.

The law (clause 10, part 1, article 3 of Federal Law 152) gives a definition of confidentiality of information. In short, confidentiality is a requirement of non-disclosure of personal data. Security, by contrast, is a state of being protected. The term “security” is defined by the Federal Law of the Russian Federation “On Security”. The definition of information security is given in GOST R 50922-2006 “Information protection. Basic terms and definitions”. It is also extremely important that the legislator (Part 4 of Article 6 of Federal Law 152) distinguished these concepts and listed them separately when establishing the operator’s responsibilities when transferring personal data to third parties for processing. Incidentally, such transfers occur very often (for example, when outsourcing accounting, when sending employees for a medical examination, etc.). This must also be remembered because the law established the requirement to ensure the security and confidentiality of personal data as an essential condition of such a contract. The absence of such a condition may lead to the contract being recognized as invalid.

Misconception #7

A FSTEC license is required if services for technical protection of confidential information are provided to third parties. If the operator protects personal data “for his own needs”, not for money, then no license is needed.

Reality.

This misconception is the result of pseudo-legal research by some operators trying to pass off wishful thinking as fact and save on the protection of personal data. Our detailed and reasoned opinion on this issue will be the subject of a separate article. Briefly, we can explain the following. The operator has no “own needs” for the protection of personal data, and by force of law none can exist. The sole purpose of Federal Law 152 is to ensure the protection of the rights and freedoms of man and citizen when processing his personal data. The law specifies no other goals (including meeting the needs of operators). By the way, everyone would see the absurdity of a developer claiming that he does not need a construction license because he is erecting a residential building “for his own needs”, or of an organization claiming that it needs no license to provide medical services because it will treat only its own employees. Supporters of this misconception should also refer to Article 4 of Federal Law 128-FZ “On Licensing Certain Types of Activities”: “...licensed types of activities include types of activities the implementation of which may entail damage to the rights, legitimate interests, and health of citizens...”. In our case we are talking about the constitutional right of a citizen to personal privacy! As we have already indicated, the law does not distinguish between the interests of the PD subject who is an employee and the PD subject who is a third party. Any other state of affairs would be discrimination. The legislator (through the licensing institution) protects any personal data subject from the consequences of poor-quality technical protection work. It is likely that the judiciary will put an end to this issue, but for the professional community the truth is already obvious.

Misconception #8

First you need to create an information system, and only then solve the issue of protecting personal data in it. Moreover, these expenses are not included in the estimate (budget).

Reality.

Work to ensure the security of personal data during its processing in an ISPD is an integral part of the work on creating the ISPD (clause 4 of the Appendix to the Decree of the Government of the Russian Federation of November 17, 2007 No. 781). Integral! It is prohibited to create any ISPD without a PD protection system in it. In addition to this unambiguous requirement, which we do not recommend violating, there is also the logic of business processes and an economic argument: a security system created simultaneously with the information system will cost the operator much less than a “superstructure” added later. As for estimates and budgeting, we can only recall that there has been enough time to plan such expenses since January 2007.

Misconception #9

Protecting personal data is the job of the system administrator (or IT service), and this task can be successfully completed by them.

Reality.

Hardly any sensible person in need of heart surgery would entrust it even to a very qualified dentist, and a professional dentist would never undertake it. Information security is a professional specialization, not a hobby. In the Russian Federation there are six educational standards in the field of information security, and this is no coincidence! Of course, it is advisable to entrust the set of issues concerning the protection of personal data to a specialist who has a diploma in information security, or who has at least completed advanced training courses. But this is not enough. After all, the operator will have to resolve many organizational, administrative and legal issues, involving the legal, financial and personnel services in measures to protect personal data, and not every operator has sufficient human resources. That is why the best solution is to involve a specialized organization that has the appropriate licenses. Self-medication is dangerous!

There is another aspect of the problem. As is known, in most cases the cause of information security incidents is the human factor, and the source of threats is the operator’s own employees (so-called internal threats). An IT specialist or system administrator of an organization is a person invested with trust. Therefore (and due to the specifics of the work) he also has unlimited access rights to information resources. But precisely for this reason you cannot “put all your eggs in one basket” by concentrating double responsibility in the functions of one person (unit). The IT service should not control itself! Information security is a matter for a separate specialist (department). We advise you not to tempt fate.

Misconception #10

If you force all the operator’s employees to sign an agreement that their personal data is publicly available, then no measures to protect personal data need to be taken.

Reality.

As a rule, the operator has no reason to require such consent, and the subjects have no desire to give it. Forcing employees into such consent creates hidden conflicts with the employer, and “smoldering risks” are more dangerous than obvious ones. In a relatively large organization, not all employees will be willing to give such consent, and some employees will draw conclusions that are very unfavorable for the operator. In addition, any employee (personal data subject) has the right to revoke such consent, and this will not be a basis for terminating his or her employment contract. We emphasize that this is not about consent to the processing of personal data, but about consent to the public availability of personal data. Sometimes such a manipulation is simply impossible, because the public availability status of personal data would conflict with the confidentiality status of this information under laws other than Federal Law 152: for example, communication secrecy, tax secrecy, family secrecy and so on.

And finally, such an operator strategy may be considered an abuse of law by supervisory authorities.

Part 2.

A significant contribution to the confusion surrounding the implementation of the Federal Law “On Personal Data” is made by the “demonization” of the problem of personal data protection, fueled by sensational messages from the denizens (when do they work?) of various thematic forums and the “authoritative” conclusions of nameless well-wishers.

Huge costs, impossible requirements, confusing and contradictory documents: these are the arguments of the “experts”, supposedly confirming the existence of a secret plan designed to siphon (it is not clear how, or in whose interests) billions from the pockets of gullible operators. These same pseudo-experts urge operators to be “more courageous” in their relations with the state by constructing exotic policies to counteract the regulatory authorities. Such policies are as cheap (in the literal sense) as they are dubious; their essence is not to comply with the law, but to “reasonably” torpedo its demands. The very framing of the question in this vein forces us to take a closer look at these “sorcerers” with the habits of serial business suicides and, more importantly, to view their advice critically, guided by the law, common sense and a sense of self-preservation.

At the same time, many operators should think about why the flagships of the Russian economy and its individual industries (SIBUR, Rosneft, RusHydro, Eurochem, Gazprom, Severstal, Sberbank, Megafon, MTS, Beeline, and many, many others) have, for the second year running, been progressively and continuously implementing measures to protect personal data in their companies. Do these organizations have a surplus of money and human resources? Or does the reason lie on the surface, and is it called the law, whose strict requirements are backed by the purposeful actions of state institutions?

Any points of view on the norms of the law and the procedure for its implementation have the right to exist. Any, except those dangerous for both the operator and the subject of personal data. Let's look at the second ten popular misconceptions that can be very costly for the operator...

Misconception #11

When protecting personal data, you must be guided by departmental instructions or instructions from a higher organization. While they are not there, you can do nothing. Laws and other regulations do not play a role.

Reality.

This point of view is typical of organizations that are part of structures with a strict vertical management hierarchy. The heads of these organizations, however, must remember that the organizations they head are operators and bear the full burden of responsibility for failure to comply with the requirements for the protection of personal data. It is on the operators (and not on “superior organizations”) that the law imposes the obligation to implement a set of measures to protect personal data, and it is they who are liable for violations of the processing procedure. Likewise, for violations of fire safety standards or of an employee’s working conditions, it is the owner of the fire-hazardous facility or the head of the organization, and not the “superior organization”, that will be held responsible. The situation here is similar.

Misconception #12

The computers were transferred to us by a higher organization (ministry, department, etc.), which means that it must protect personal data. Our organization is not the owner of these computers, which means it is not obligated (or has no right) to do anything.

Reality.

Art. 3 of Federal Law 152 defines the operator. The law does not, however, link this concept (and, consequently, the operator’s responsibilities) to ownership of information assets (local networks, switching equipment, individual computers, servers, etc.). The operator is the one who processes personal data, not the one who owns the equipment. This discovery is very disappointing for operators. But the conclusion is obvious: it is time to start implementing measures to protect personal data, the most important of which are organizational ones.

Misconception #13

Storing personal data is not processing at all; the requirements of Federal Law 152 do not apply to the storage procedure.

Reality.

Storage is one of the actions (operations) that constitute processing of personal data. Even if the operator performs no action other than storage (including outside an ISPD, for example in the form of paper documents), he is nevertheless an operator with all the ensuing responsibilities. The definition of processing is given in Art. 3 of Federal Law 152. At the same time, Federal Law 152 does not apply to relations arising in the organization of storage, acquisition, accounting and use of archival documents in accordance with the requirements of the archival legislation of the Russian Federation. It must be understood, however, that it is not enough to call a room (cabinet, storage) an archive; that alone will not make it an archive. The proper procedure for organizing archival storage and transferring documents to archival storage can be described in the results of a survey conducted in the operator’s interests by specialized companies (licensees). We advise operators to require such a description when commissioning surveys. A favorable factor is that if the operator (outside the archive) only stores PD (even in electronic form), then the costs of protecting this personal data will most likely be minimal.

Misconception #14

You can buy a database with PD on the market and use it for your own purposes. In the event of an inspection or complaints, state that the PD is publicly available, confirming this by the fact that the database circulates freely. It is also advisable to have a cash receipt.

Reality.

Indeed, there are publicly available sources of personal data. However, spontaneous markets where databases are sold are not among them. Why? PD can be publicly accessible only in two cases: either by force of law, or where the PD subject has made his PD publicly available by his own will (by performing certain actions). We do not consider the first case (there is no law that would call databases sold on spontaneous markets public sources). Let’s consider the second case. Federal Law 152 (Part 3, Article 9) imposes on the operator the obligation to prove that he has received the subject’s consent to processing and, in the case of processing publicly available personal data, to prove that the processed personal data is publicly available. If the notorious database was purchased on the market, the operator is deprived of this opportunity, because not a single PD subject will confirm (especially retroactively) his consent to the processing of such PD. When an operator is inspected by a supervisory authority, a conclusion may be drawn about the illegal origin of such a database and, consequently, the illegality of the processing. The legislator anticipated such behavior by the operator and gave it a name: “bad faith” (Article 5 of Federal Law 152). Many operators violate the principle of good faith when collecting personal data, sometimes out of ignorance of the law, sometimes with direct intent, which is much more dangerous. Almost all banks, collection agencies, insurance companies, etc. also carry out mutual intra-industry “cross-pollination” with up-to-date information containing PD. There is no doubt that this is important for reducing credit risks. But is it legal? Sometimes such actions of the operator contain elements of a crime under Art. 137 of the Criminal Code of the Russian Federation. Leaving outside the scope of this article the methodology for proving such illegal actions (which, by the way, is simple and uncomplicated for this corpus delicti), we advise you to think about the following. Is the operator ready to risk his freedom, image, client base and stable business for the sake of achieving illusory goals that are, moreover, contrary to the law?

Misconception #15

If the personal data is not collected by the operator independently, but received on the basis of an agreement (with the subject of the personal data or with another operator), or, moreover, at the direction of a higher organization, then there is no need to protect the personal data.

Reality.

There is confusion here between the concepts of “right to process” and “obligation to protect”. Legitimate and justified purposes of processing do not remove the need to take measures to protect personal data. Sometimes the transfer of personal data from one operator to another, unexpectedly for both participants in the exchange, turns out not to be based on the law at all!

Most likely, in this case both organizations will be violators: the operator who transferred the PD and the operator who accepted it for processing. The first, for the absence of an essential condition in the contract (Part 4 of Article 6 of Federal Law 152, see above) and for transferring personal data without the subject’s consent; the second, for violating the processing procedure (Article 13.11 of the Code of Administrative Offenses of the Russian Federation). Why? Because the law makes no exception for operators who did not collect personal data directly from subjects but received it from another operator (even in the performance of functions and powers established by some law). The operator is the one who carries out the processing, i.e. any person performing at least one of the actions (operations) with PD specified in Art. 3 of Federal Law No. 152. The supervisory authority (Roskomnadzor), exercising its powers to protect the rights of personal data subjects and eliminate violations in this area, has the right to conduct scheduled (or unscheduled) inspections of both operators. The powers of Roskomnadzor during inspections are detailed in the Administrative Regulations on the official Roskomnadzor website.

Misconception #16

We will collect and use any personal data from any sources. In case of inspection, we will pay a fine (it is small), and that’s it!

Reality.

Without a doubt, such actions violate the principles of personal data processing (Article 5 of Federal Law No. 152). Such ill-considered actions can lead to extremely negative consequences for the operator. A fine is not the only measure of influence provided for by law. Thus, if violations are detected during the processing of personal data, the operator is obliged either to eliminate these violations within 3 days or to destroy the personal data. But the operator’s responsibilities do not end there. The operator is obliged to notify the PD subject about the elimination of the identified violations (for example, by destroying the PD). Databases purchased on the market may contain the personal data of tens or even hundreds of thousands of individuals. Is the operator able to notify that many citizens about the destruction of their personal data? What consequences will such a notification have, and how will PD subjects perceive the operator’s actions? And that is not all. If personal data is processed with violations, Roskomnadzor has the right to take measures to stop the processing or suspend the operator’s activities, up to and including revocation of its license (part 3 of article 23 of Federal Law 152). Is the operator ready to take such risks?

Misconception #17

If an appeal (or complaint) has been received from a personal data subject about the procedure for processing his personal data, but there have certainly been no leaks of information, then the citizen should be told that everything is in order with the confidentiality of personal data in the organization. Answering the PD subject’s tricky questions is not the operator’s responsibility and would disclose confidential information (or trade secrets) of the operator. If you don’t have the time or desire, then you don’t have to respond to the PD subject at all.

Reality.

The rights of the PD subject are set out in Art. 14 of Federal Law 152. Many consider them redundant, but it is precisely for this reason that the operator must be extremely careful when considering the subject’s appeal (complaint)! The operator is obliged to give the PD subject an exhaustive and complete answer to all the questions provided for in Art. 14 of Federal Law 152 within 10 working days, and in the case of a justified refusal to provide information, within 7 working days. Answers that do not reflect the real state of affairs (or the absence of a response) can be interpreted by the subject as a violation of his rights, which can lead to even more negative consequences for the operator: the PD subject’s appeal for protection of his rights to the body supervising compliance with the rights of PD subjects. Practice shows that an operator who has never previously paid attention to the issues of processing and protecting personal data is unable to cope with preparing a correct and comprehensive response to a personal data subject’s request. In this case, this refers to the legal grounds, purposes, processing methods and many other provisions, the formulation of which must be carried out in advance.

Misconception #18

Measures to protect personal data are very expensive. We’d better pay the fines, they are very small.

Reality.

The negative consequences of the lack of a protection system (besides the fines, which are so far really minor) are given above. As for the high cost of a protection system, everything is relative. For example, the cost of building such a system in an educational institution or a district-level health care facility is an order of magnitude less than the cost of creating a fire safety or video surveillance system. A qualified licensee will be able to design a personal data protection system whose costs are optimal. Moreover, at the survey stage, the authorized organization (licensee) will offer solutions to reduce the costs of creating the protection system. As a rule, carrying out the first stage (the survey) does not exceed 20% of the total cost of the work to protect personal data.

Misconception #19

The personal data protection system is some kind of technical means. You need to buy and install them. Inspection, audit, design - this is redundant, it was invented to make more money from the operator’s problems.

Reality.

The analogy with medical treatment is useful here too. Any treatment is preceded by a diagnosis of the disease. Likewise, the survey stage precedes organizational, administrative and technical protection measures. The survey helps not only to reliably identify weaknesses in information systems and develop a protection plan, but also, oddly enough, to save money. How? A qualified survey determines exactly how costs can be reduced when building the protection system. There are many ways: a justified reduction in the class of the information system, revision of the list of personal data to be processed, segmentation of information systems, optimization of network topology, etc. All these methods are known to specialized organizations (licensees). We do not recommend throwing money away.

Misconception #20

The operator’s already existing powerful system for protecting confidential information (trade secrets) will certainly solve the problems of protecting personal data. There is no need to do anything additional.

Reality.

From a technical point of view, perhaps it will. However, there are many requirements for both the methods and the means of protecting an ISPD, and for the technical means of information security. These requirements are established by the regulators (FSTEC of Russia and the FSB of the Russian Federation) within their competence. Ignoring them is not only a violation but can also lead to negative consequences for both the operator and the personal data subject. Such requirements include, for example, the need to use information security tools that have passed the conformity assessment procedure. Specific requirements are also imposed at the stage of commissioning a personal data protection system (procedures for assessing the security status of subsystems). Therefore, as a rule, any existing protection system (if it was not built for the purpose of protecting personal data and not in accordance with the regulatory documents) needs to be reviewed and modernized. The costs may turn out to be insignificant, but the benefits will be obvious. When designing a protection system, a specialized organization will necessarily take into account the existing components of the protection system and try to use them effectively.

As for the organizational component of the work to protect personal data, we can safely say that in the vast majority of organizations in which the task of protecting personal data (as opposed to other confidential information) has not been set, the state of this work is deplorable.

Misconception #21 (bonus).

It is necessary to conduct a pre-project survey, guided by only one criterion when selecting a contractor: price. All contractors produce approximately the same documents anyway.

Reality.

Firstly, the purpose of the survey is not at all to produce documents that wait in the wings to be presented to the inspection authorities. As a result of a correct and qualified survey, the operator has a protection strategy at his disposal.

Secondly, the results of surveys conducted by different organizations may differ radically. A poorly conducted survey misleads the operator regarding the existing and required level of personal data security, disorients him when implementing a unified technical policy, exposes him to the risk of information security incidents and, most importantly, creates preconditions for violating the rights of personal data subjects. And when such a violation occurs, the results of a poor-quality survey will only add to the operator’s troubles. Sometimes all the operator receives as survey results is a private threat model, ISPD classification acts and some document templates not adapted to the operator’s specifics. The market, oddly enough, accepts such an approach to the problem, cheap in every sense.

Is it worth saving on security? It is, if you are not interested in the result.