Or maybe not notify about the processing of personal data?

    Part one of Article 22 of the Federal Law of July 27, 2006 N 152-ФЗ “On Personal Data” (hereinafter referred to as the Law) stipulates the obligation of the operator who processes personal data to notify the Roskomnadzor authority before processing begins. Immediately (in the second part of the article) the Law offers the grounds on which the operator has the right not to notify about the processing. These cases are quite common. But since the Law does not prohibit notification, even if there are such cases, a number of operators choose to follow the notification path. Perhaps you should not send a notification, or even think about how to fall under the “exceptions”. There are at least 3 reasons for this.

    It would be difficult to answer the question “Why?” For all those who decided to send a notification to the Roskomnadzor if it could not be done. Of course, marketing campaigns (image, openness) cannot be ruled out. Nevertheless, in a number of cases, they are notified out of ignorance or on the basis of the position “It is better to retake.” I would like to draw attention to the well-known right of operators involved in the processing of personal data not to notify the Roskomnadzor authorities about the processing and here are several reasons for this.
    1. The person who has submitted a notice on the processing of personal data must bear the burden of constant updating of the submitted information. This obligation is provided for in Part 7. Art. 22 of the Law. If the operator processing the personal data does not submit a notification about the change of information (change of the address of the operator, change of the categories of personal data that are processed, change of the person responsible for processing personal data and his contacts, etc.), he may be held administratively liable. It would seem that it’s complicated: something has changed in the organization, picked up and sent a letter. As practice shows, in most cases this is forgotten. For example, those who entered the Register (all who submitted processing notifications are included in the Register) of operators, When processing personal data before July 1, 2011, they were obliged to additionally send the information provided for in paragraphs 5, 7.1, 10 and 11 of part 3 of Article 22 of the Law until January 1, 2013 (legal basis for processing personal data, name of the responsible person, etc.). As can be seen from the registry of personal data operators of Roskomnadzor, more than half of the operators have not done this to date. The idea that all these organizations had no internal changes related to the processing of personal data was also doubtful. I suggest that you think about whether you will keep track of the relevance of entries in the Register in a long-term perspective, if there is a possibility not to do this at all? Name of the responsible person, etc.). As can be seen from the registry of personal data operators of Roskomnadzor, more than half of the operators have not done this to date. The idea that all these organizations had no internal changes related to the processing of personal data was also doubtful. I suggest that you think about whether you will keep track of the relevance of entries in the Register in a long-term perspective, if there is a possibility not to do this at all? Name of the responsible person, etc.). As can be seen from the registry of personal data operators of Roskomnadzor, more than half of the operators have not done this to date. The idea that all these organizations had no internal changes related to the processing of personal data was also doubtful. I suggest that you think about whether you will keep track of the relevance of entries in the Register in a long-term perspective, if there is a possibility not to do this at all?
    2. The bodies of Roskomnadzor are planning inspections of operators that process personal data using a departmental unified information system - the UIS . All the operators who submitted notifications are already in it, and therefore, the likelihood of getting into the inspection plan increases many times. Organizations verified by Roskomnadzor in other areas (communication services, RES, media, broadcasting) are automatically checked for compliance with the legislation in the field of personal data if they notified Roskomnadzor about processing.
    3. If the personal data operator has decided to notify the Roskomnadzor authority about the processing, although he had the right not to do this, then he will be excluded from the Register due to the fact that he could not notify at all. Such an opportunity is not provided by either the Law or the corresponding Administrative Regulations. Rather, it is provided only for general reasons.

    If you were going to send a notification, but the above mentioned something hooked you, the general recommendations are simple.
    1. Carefully read (understand) Part 2 of Art. 22 of the Federal Law of the Russian Federation of July 27, 2006 N 152-ФЗ "On Personal Data".
    2. See what personal data and in connection with which it is processed by you.
    3. In some cases, you may need to adjust your work with personal data carriers. I’ll give an example that it would be clear what I mean.

    One of the possibilities not to notify about the processing of personal data provided for in clause 2 of Part 2 of Art. 22 of the Law sounds like this
    received by the operator in connection with the conclusion of a contract to which the subject of personal data is a party, if personal data is not disseminated, and is also not provided to third parties without the consent of the subject of personal data and is used by the operator exclusively for the execution of this contract and the conclusion of contracts with the subject of personal data

    So, you have concluded an agreement with an individual for some service. They took a person’s mobile phone number to inform about the readiness of the service. In most cases, a mobile phone number is not needed for contract execution purposes. If a mobile phone number is taken from the client, his consent to the processing of personal data is additionally necessary. However, in this case, you do not fall under the exception in the Law, which allows you to notify about the processing of personal data.
    If in the contract with this individual you register the need for a mobile phone number for the purpose of fulfilling the contract, then you are already applying for the right to be excluded.
    To beat the need for a mobile phone number for the purpose of fulfilling the contract is something like this: "The organization is obligated to notify the client by phone number x ... x of readiness ...".

    Also popular now: