The mechanism for the exercise of their legal rights by the owners of personal data
In a previous article, I talked about the opportunities that Law No. 152 provides to the owner of personal data. This part presents the mechanism and the forms of requests for exercising those rights. The article does not cover the case where the operator has no right to process personal data at all. The aim is to make illegal processing of personal data cost the operator serious money and time.
To exercise their rights, personal data owners may contact the operators for the following information.
* Article 14, paragraph 7. The subject of personal data has the right to receive information regarding the processing of his personal data, including:
1) confirmation of the fact of processing of personal data by the operator;
2) the legal basis and purpose of processing personal data;
3) goals and methods used by the operator for processing personal data;
4) the name and location of the operator, information about persons (with the exception of operator’s employees) who have access to personal data or to whom personal data may be disclosed on the basis of an agreement with the operator or on the basis of federal law;
5) the processed personal data relating to the relevant subject of personal data, the source of their receipt, unless otherwise provided for by federal law;
6) the processing time for personal data, including the storage period;
7) the procedure for the exercise by the subject of personal data of the rights provided for by this Federal Law;
8) information on completed or intended cross-border data transfer;
9) the name or surname, name, patronymic and address of the person performing the processing of personal data on behalf of the operator, if processing is or will be entrusted to such a person;
10) other information provided for by this Federal Law or other federal laws.
Before contacting the operator, it makes sense to check whether the organization is an operator that should be registered in the Roskomnadzor registry. We go to the site and look up the result by the name of the organization or its TIN.
In some cases, the organization is not registered as a personal data operator:
* The operator has the right to process the following personal data without notifying the authorized body for the protection of the rights of personal data subjects:
1) processed in accordance with labor legislation;
2) received by the operator in connection with the conclusion of an agreement to which the subject of personal data is a party, if personal data is not disseminated, and is also not provided to third parties without the consent of the subject of personal data and is used by the operator exclusively for the execution of this contract and the conclusion of contracts with the subject of personal data;
3) relating to members (participants) of a public association or religious organization and processed by the relevant public association or religious organization operating in accordance with the legislation of the Russian Federation to achieve the legitimate goals provided for by their constituent documents, provided that personal data will not be distributed or disclosed to third parties without written consent of personal data subjects;
4) made by the subject of personal data publicly available;
5) including only the last names, first names and patronymics of the subjects of personal data;
6) necessary for the purpose of a single pass of the subject of personal data to the territory in which the operator is located, or for other similar purposes;
7) those included in personal data information systems that have the status of state automated information systems in accordance with federal laws, as well as in state personal data information systems created to protect the security of the state and public order;
8) processed without the use of automation in accordance with federal laws or other regulatory legal acts of the Russian Federation, establishing requirements for ensuring the security of personal data during their processing and for observing the rights of subjects of personal data;
9) processed in cases provided for by the legislation of the Russian Federation on transport security, in order to ensure the stable and safe functioning of the transport complex, protect the interests of the individual, society and the state in the field of the transport complex from acts of unlawful interference.
If your relationship with the operator does not fall under the above exceptions, the operator must be in the register of operators before it processes your personal data. If it is not there, the consequences for the operator of personal data.
Next, we write a request and send it by registered letter to the legal entity to which you want to make a complaint:
The text of the request:
To the Personal Data Operator of Horns and Hooves LLC
from Pupkin
passport: series xxxx issued by the Office for the district xxxxxxr. Moscow xx, 1xxx,
address for correspondence:
Moscow, xxxx.
R E Q U E S T
On the basis of Clause 4, Article 14 of the Federal Law of July 27, 2006 No. 152 “On Personal Data”, I request that, within the time limit established by Federal Law No. 152 “On Personal Data”, you provide me, as the subject (holder) of personal data, with access to my personal data temporarily owned by Horns and Hooves LLC, as well as the following information:
1) confirmation of the fact of processing personal data, as well as the purpose of this processing;
2) information about the operator of personal data;
3) methods of processing personal data used by the operator;
4) the implementation by the operator of the obligation to ensure the security of personal data;
5) the presence or absence of licensing under TZKI when protecting personal data;
6) information about persons who have access to personal data or who may be granted such access;
7) a list of processed personal data and the source of their receipt;
8) the processing time for personal data, including the storage period;
9) information on what legal consequences the processing of his personal data may entail for the subject of personal data.
"_____" _______________ 2011
_______________________ / xxxxx /
We must be answered within 30 days.
After receiving a response, or after 30 days, if the answer did not satisfy us, we go to the Roskomnadzor website and file a statement. We duplicate it by registered letter to the territorial authority of Roskomnadzor responsible for your place of residence.
Application to Roskomnadzor:
On xx xx 2011, I, a holder of personal data, sent the operator Horns and Hooves LLC, which temporarily owns my personal data, a written request for access to my PD and for the information provided for in Clause 4 of Article 14 of the Federal Law of 07.27.2006 No. 152 "On Personal Data". A copy of the request is attached.
On xx.02.2011, I received response No. xx dated xx.02.2011 from the operator Horns and Hooves LLC. A copy of the answer is attached.
This answer did not satisfy me for the following reasons:
1. I did not get access to my personal data.
2. None of the information requested in a written request was provided to me.
3. I have not received clarification on any question raised in my appeal.
(Describe what else you have not been answered.)
The purpose of processing PD stated by the operator Horns and Hooves LLC includes “the processing of personal data of individuals - clients of JSC “Horns and Hooves” during ____” (specify for what purposes it is processed).
From the terms of the contract to which the operator of Horns and Hooves OJSC refers in its response, it follows that it processes the data under the contract. On xx.xxx.2011, Contract No. xxx1 of xxx.xxx. 2004 was completely executed.
It follows that there is no contractual relationship with Horns and Hooves LLC and none is expected to be concluded. The operator’s stated purpose of processing PD, "processing personal data of individuals - clients of Horns and Hooves LLC in the implementation of the conditions for the fulfillment of the contract", has either been achieved or does not correspond to the declared one.
I consider the actions of the operator Horns and Hooves LLC in the processing of my personal data to be inconsistent with the requirements of the Federal Law “On Personal Data” and to violate my rights and freedoms.
After studying the operator’s response to my request, I consider further correspondence with the operator Horns and Hooves LLC inappropriate.
Based on the foregoing,
I ASK:
1. To assist in the verification of the activities of the operator of the PD LLC Horns and Hooves in the processing of my personal data for compliance with current legislation in the field of personal data.
2. To assist in blocking and destroying my personal data temporarily owned by the operator - Horns and Hooves LLC based on the achievement of the purpose of their processing, as well as other identified violations during the verification.
3. In the event of the destruction of personal data, oblige the operator of Horns and Hooves LLC to notify me, the subject of personal data, of the result in writing.
I ask to send the answer to the address: xxxxx
You can include any points on which you want additional answers, or where it seems to you that the operator’s actions violate the law and your rights.
Following the request to Roskomnadzor, you should receive an answer about the audit and its results.
Finally, depending on the result, we decide whether to go further or whether the operator has corrected its mistakes.