Experience of Roskomnadzor inspections of personal data operators over the past year

The agency named in the title has lately appeared in the news mostly in connection with yet another blacklist or absurd site block, but in this article I would like to recall one of its equally important functions: supervising compliance with personal data protection legislation.

It so happened that in 2013-2014 many of our clients were included in Roskomnadzor's inspection plans. We were not particularly worried, because our clients had been inspected before and the experience had been very positive. We knew that everything had been put in order for the new clients as well, and we waited for the next inspection only to add another entry to the "Successfully passed regulator inspections" section of our portfolio. But this article would not have been written if everything had matched our optimistic expectations...

At the beginning of last year I wrote an article describing step by step how to prepare for such inspections. That algorithm worked reliably until mid-2013. What happened? Below I will describe in more detail several cases of arbitrary behaviour by the ILV during personal data inspections, but in short: the agency has introduced a "stick" (tally-mark quota) system for these inspections. The inspectors now look for any minor violation, just to issue an order and make the operator pay a fine, small but unpleasant. It is possible that sticks are counted only in our region, but conversations with colleagues from other regions of the Russian Federation suggest otherwise.

Before describing the specific cases, I ask you to keep several facts in mind:
• the composition of the inspection team did not change, i.e. in all the cases considered the inspectors were the same people;
• the set of measures and the quality of preparation for the inspection were at the same level for all the clients inspected, both before and after the second half of 2013;
• at each subsequent inspection, the inspectors' previous whims were taken into account during preparation.

In my old article I wrote that most orders are issued because the data given in the operator's notification does not match the actual state of affairs: if you stated that you process the subject's name, address and contact phone number, but in fact you also process gender and date of birth, you will receive an order. The first story is connected with this.

The first order received by one of our clients was due to the fact that the operator's notification, in the categories of employees' personal data, did not indicate that they process the numbers of powers of attorney issued to particular employees for particular purposes. No matter how much we tried to appeal to common sense and explain that a power of attorney is an independent document, that the person is an attribute of the power of attorney (to whom and for what it was issued) and not the number of the power of attorney an attribute of the person, it did not help. This was made possible by the very vague definition of "personal data" in 152-FZ (any information relating to a directly or indirectly identified or identifiable individual). Our lawmakers are generally fond of vague wording.

All right, we took the power of attorney numbers into account and began waiting for the next inspection. And here another surprise awaited us.
This time the Roskomnadzor inspectors apparently found no inconsistencies in the categories of personal data, so they decided to pull a trick and look for a discrepancy in the categories of personal data subjects instead. The situation is the same as with the categories of PD themselves: if you stated in the notification that you process the personal data of employees and customers, but in fact you also process the PD of some volunteers, you get an order. In our case the ILV representatives went so far as to declare that the current and dismissed employees of the organization are actually different categories of personal data subjects (remember that the inspectors are the same people, and they had not paid attention to this before). Here, too, appeals to common sense did not help.

One of the clients was picked apart over the content of the public personal data policy. This is a document that must be published in the public domain (on the website, if there is one). Naturally, we never write any specifics in this document about how, what and from whom we are protecting. Why should we publish information useful to a potential intruder on our own portal? Yet the Roskomnadzor people wanted us to detail the measures taken to protect personal data in a public document. Why is not clear. In general, Roskomnadzor's abnormal craving for exhibitionism has long been a concern. Take the registry of state information systems, in which one can find the work and MOBILE phone number of the person responsible for a system (for example, here), his e-mail, information about the server and client OS used in the system, the system's application software, information about financing, and much more. Simply a paradise for social engineers, spammers and other black hats.

But back to the inspections. The last case was somewhat different from the rest. A client contacted us for help just a week before the inspection. During the preliminary conversation and a check of the registry of PD operators it turned out that the organization had never filed a notification about the processing of personal data, i.e. the client was not in the registry of operators. It must be understood that even if we had prepared the notification on the day they contacted us, 152-FZ gives Roskomnadzor up to 30 days from the moment of notification to enter the operator into the registry, and in practice the entry appears 20-25 days after the notification is filed (although, again, this applies to our region; elsewhere the ILV may be quicker). So we decided to rely on the cases provided for in 152-FZ in which notification is not required, in particular when personal data is processed in the course of labor relations and under a contract to which the personal data subject is a party. In principle this could have worked if the ILV had not set out to punish the organization, since the client was a small commercial company that processes employees' personal data under the Labor Code of the Russian Federation and concludes contracts with its clients. The order issued following the inspection stated that the company should have filed a notification, and since it had not, it had violated 152-FZ, shame on it! Moreover, the order itself contained no justification, simply "there is no notification, and it does not fall under the exception, therefore it violates...". Verbally, the inspectors said that it is difficult to find fault with the contractual relations with clients, but the company must file a notification because (ATTENTION!) the organization transfers its employees' personal data to third parties: the Federal Tax Service and the Pension Fund (FIU)! There you go. Here, of course, it immediately becomes unclear why the Federal Law contains all these exceptions that allow a PD operator not to file a notification. Wouldn't it be simpler to write "all legal entities must submit a notification" and be done with it?

What to do?

Honestly, I even wonder what the ILV representatives will come up with and what they will dig into at the next inspections, since the stick system is in place. But sometimes a thought arises: should one deliberately leave an obvious flaw in a prominent place? After all, the fines are still small, and when the inspectors see a violation in plain sight they are more likely to put it in the order; we pay a small fine, fix the violation in time, and carry on living in peace, and the inspectors will not dig deeper. There is another option: to challenge the Roskomnadzor order in court, which is what our last client decided to do. Unfortunately, I cannot share the outcome of this story, because the story itself has not yet ended. In any case, everyone will choose his own path, although perhaps the stick system has not yet reached your region.
