How to handle PD in the Russian Federation and not violate the law

    In our blog, we often touch on issues related to personal data (PD). We have covered the changes brought by the entry into force of the European GDPR, looked at why many companies were not ready for it, and discussed the changes social media platforms made in response to the new law.

    In today's article we point out the subtleties of processing users' PD in Russia.



    What is considered PD in Russia


    In the Russian Federation, work with users' personal data is regulated by Law No. 152-FZ “On Personal Data”. According to Article 3, PD is any information directly or indirectly related to a specific individual (the subject of the PD). Unfortunately, the law does not contain a list indicating what can and cannot be considered personal data.

    However, various lists compiled by individual departments and organizations can be found online, and they clarify the situation. For example, the website of the RKN (Roskomnadzor) office for the Kamchatka region provides a list of data that falls under the category of personal: it includes name, education and income level. Individual PD operators also draw up their own lists. For example, the list of East-Siberian Transport Commercial Bank JSC has about 30 categories. In school No. 17 there are about 40 categories of PD, which are processed by information systems.

    This wording of the law, together with the variety of examples drawn up by individual organizations, makes it difficult to establish whether data is considered personal. The RKN therefore offers a solution. The question to ask is: does this data make it possible to understand who exactly it belongs to? For example, a first name alone gives no idea of which particular person is being referred to, but the full name already does (of course, this approach deserves a separate discussion).

    How to work with personal data


    Law No. 152-FZ states that a PD operator is a state or municipal body, a legal entity or an individual who, independently or together with other persons, processes personal data and determines the purposes of the processing and the composition of the data. Such companies fall under Articles 5 and 6 of the aforementioned law, which describe the principles and conditions for working with users' PD.

    These articles require operators to follow certain rules:

    1. The operator must obtain the consent of the owner of the PD to its processing. A person should know what information he provides about himself and for what purpose (for example, Habr has a published PD processing policy where these points are indicated). In addition, the operator is obliged, upon request, to inform the user which of his data it stores.
    2. The operator is obliged to adhere to the data processing purposes set out in its policies; that is, it may request only the data needed to perform a particular task. Requesting extra data "just in case" is prohibited. For example, you cannot ask for a passport number to register a user account in an online store. However, if we are talking about a resource of a state organization, a request for passport data can be justified.
    3. Data may be stored only as long as it is needed to fulfill the purpose of its processing. After that, the operator is obliged to delete or depersonalize it.



    How to process data in the cloud


    Implementing all the requirements for processing PD can be quite difficult and time-consuming. However, FZ-152 does not say what technical means the operator must use when processing data. Clause 3 of Article 6 of FZ-152 stipulates that the operator may entrust the processing of PD to someone else if the owner of the PD gives his consent.

    Therefore, many companies outsource the task of meeting the requirements of the law: for example, to cloud providers that offer the "Cloud FZ-152" service. It allows you to rent infrastructure with a full set of administrative (and technical) mechanisms to protect PD.

    However, there are nuances to remember in this case as well. First, you need to sign an agreement with the cloud provider that specifies the purpose of data processing, the list of actions performed on PD and the mechanisms for its protection. Moreover, the set of protective measures should be built in accordance with the rules described in Article 19 of the Law on PD.

    In addition, in the contract it is important to define areas of responsibility: what the operator is responsible for, and what the provider is responsible for.

    To do this, the operator must:

    1. Determine the security level of the PD information system;
    2. Understand which security measures from Article 19 it can provide itself, and which measures need to be assigned to the provider;
    3. Build a model of actual threats in its own segment of the information system and implement the necessary security measures on its side.

    In turn, the cloud provider should do the following:

    1. Obtain licenses from the Ministry of Communications and Mass Media (if the operator plans to transmit data or works with telematic services), as well as the FSB and FSTEC;
    2. Understand what may threaten data in the cloud and protect it as much as possible;
    3. Help the customer implement security measures on the client side and give the customer the opportunity to deploy additional security features (using PaaS or IaaS).

    At the same time, it is important to remember that obtaining users' consent to the processing of their personal data remains the operator's job: it is not among the obligations of the cloud provider. This requirement is spelled out in the third and fourth paragraphs of Article 6 of the Federal Law. Thus, the operator is responsible to the owner of the PD for the actions of the provider.

    The provider, in turn, is responsible to the operator for its own actions. For example, suppose the provider did not comply with the terms of the contract and allowed PD to leak, and the owners of the PD are very unhappy about this. In this case, the provider answers for the consequences to the operator, and the operator answers to the affected people.

    To keep the number of unpleasant situations to a minimum, when choosing a cloud provider the operator should ask whether the provider has a document confirming that it has passed an audit for compliance with the declared level of security. The operator should also ask to see the model for protecting the selected cloud segment from potential threats, and evaluate the provider's ways of backing up and restoring data.

    Penalties for violating the rules for working with PD

    Penalties for violation of the rules of work with PD


    In July last year, the new Federal Law came into force, according to which fines for violating the law on the processing of personal data in Russia range from 1 to 75 thousand rubles. For example, the penalty for processing PD without the user's consent is from 3 to 5 thousand rubles for individuals and from 30 to 75 thousand rubles for legal entities. Refusing to provide the PD owner with information on how his data is processed may cost a legal entity 20–40 thousand rubles.

    There have already been cases of companies being fined for violations in the field of PD processing. One example is the case of TGYUK LLC, where the company was held liable because no confidentiality agreement was attached to the feedback form on its website.

    How to handle PD and not violate the law


    For anyone who collects, processes or stores PD, or entrusts operations on it to other persons, it is important to evaluate all these processes for compliance with the law. To do this, we suggest using the following checklist:

    • Register with Roskomnadzor as a PD operator.
    • Determine the purpose of processing PD and do not use user data for anything other than that purpose (for example, do not add the user to an e-mail newsletter about promotions to which he did not agree).
    • Warn the user that his personal data will be processed. Get his consent for this.
    • If you plan to use the Cloud FZ-152 service, conclude an appropriate agreement with the provider that specifies the obligations of the parties and the purposes for which the users' PD is used.
    • Implement the protection measures specified in Article 19 of FZ-152.
    • Check your system for outdated or incomplete customer data. It needs to be deleted or depersonalized.
    • Additionally, brief the company's staff on the intricacies of processing users' PD.

    This will help you identify potential weaknesses, implement the missing protective measures and avoid fines or potential lawsuits.


