Guidelines for completing a personal data operator notification
In one of our previous articles, devoted to preparing for Roskomnadzor inspections of compliance with the law "On Personal Data", we discussed why it is important to fill out the notification correctly and in which cases a notification has to be submitted, and we promised to explain in more detail how to fill out each field of the notification.
It would seem that the names of many fields make it intuitively clear what exactly to write in them. But practice shows that many personal data operators have a lot of questions, and some fall into a real stupor when trying to fill in all the fields.
So we decided to write detailed instructions, so that we do not have to explain the same thing to our customers over and over, and so that they are always available to everyone.
The personal data operator notification is filled in on the Roskomnadzor personal data portal. Now let's look at each of the fields.
There should not be any problems with the first items. We select the territorial administration of Roskomnadzor to which the notification should be sent. Then we select the type of operator. We enter the full and abbreviated name of the operator in accordance with the constituent documents. We indicate the actual and legal address of the organization. We choose the region (or regions) in which the organization operates. We fill in the details of the organization (only TIN and PSRN are mandatory, the rest can be left blank). If the organization has branches, we add information about them.
Everything seems simple and clear so far, but the following fields may already raise questions.
In the column "Legal basis for the processing of personal data" you can list all the regulatory and internal documents that may in one way or another be connected with the processing of personal data. Usually the list starts with 152-FZ and the Labor Code of the Russian Federation, continues with legislation related to the organization's sphere of activity (for example, if it is a medical institution, we write here 323-FZ "On the basics of protecting the health of citizens in the Russian Federation" and other regulatory acts, both federal and regional, related to healthcare) and ends with the charter of the enterprise.
The column "Purpose of processing personal data" is one of the most insidious. When filling out this field, we must not forget that Part 2 of Article 5 of the Federal Law "On Personal Data" tells us that the processing of personal data must be limited to achieving specific, predetermined and legitimate purposes. Processing of personal data that is incompatible with the purposes of its collection is not allowed.
Here is one example of how not to do it.
Some employers, when inviting candidates to an interview for a vacant position, ask them to fill out a questionnaire that, among other things, asks for their passport details. However, from the point of view of 152-FZ this is not legal. Since the purpose of processing personal data here is selecting a candidate for a vacant position, try to come up with a plausible justification for why passport data is needed. Work experience? Yes. Education? Yes. Age? That already smacks of discrimination, though of course we are not going to exploit child labor. But passport data is simply not needed for personnel selection.
No, we are not so naive; we understand that an employer often wants a candidate's passport details in order to "run a check" on the candidate, for example for loans or involvement in other unpleasant stories. But once again: from the point of view of the law this cannot be done.
Let's go back to filling in the field "Purpose of processing personal data". Here we must formulate these purposes correctly and adequately. Adequate to what? To the list of categories of personal data that we will fill in further on. After all, we do not want the ILV to have grounds to issue an order on the basis of our notification even before an inspection. Otherwise we draw ourselves into a vicious circle: we write that we process applicants' passport data, we get punished for violating personal data legislation, we say that "passport data" got into the notification by accident, and they write in the inspection report "incomplete / inaccurate information in the personal data operator notification".
As you have already understood, the column "Purpose of processing personal data" can differ greatly between organizations, but for most commercial organizations it will be correct to write "Personnel and accounting record-keeping, selection of personnel for vacant positions, provision of services [list of services]".
The next section is one of the most difficult and incomprehensible. Roskomnadzor wants us to describe the measures taken that are provided for in Articles 18.1 and 19 of the Law on Personal Data. In fact, this section is one of the simplest: we just take the provisions of the indicated articles of the law and write that all of this has been done by us. We have done it, right?
An example of filling out the field "Description of measures provided for in Articles 18.1 and 19 of the Federal Law "On Personal Data""
A person responsible for organizing the processing of personal data has been appointed. Documents that define the organization's policy regarding the processing of personal data and establish procedures aimed at preventing and detecting violations of the law have been approved. Such documents include in particular: an action plan to ensure the security of personal data in the ISPDn "Accounting and Personnel"; a list of personal data to be protected; a list of personal data information systems; a regulation on the delineation of access to personal data; an order approving the list of persons authorized to process personal data; a regulation on the processing and protection of personal data; a policy regarding the processing of personal data; rules for processing personal data without the use of automation; an order approving the places of storage of personal data and the persons responsible for maintaining the confidentiality of personal data during storage. The elimination of the consequences of violations of the legislation of the Russian Federation is carried out in accordance with the current legislation of the Russian Federation, the regulation on the processing and protection of personal data, the instructions for the personal data security administrator and the procedure for backing up and restoring the functionality of hardware and software, databases and information security tools. Internal control of the compliance of personal data processing with the legislation of the Russian Federation in this area is carried out in accordance with the internal audit plan, the instructions for the security administrator and the regulation on the processing and protection of personal data.
For the personal data information system, a model of threats to the security of personal data has been developed, in which, when determining the danger of threats, an assessment is made of the harm that may be caused to personal data subjects in case of a violation of the law. A policy regarding the processing of personal data has been published online at www.example.ru. For the personal data information system, a technical assignment for creating an information security system and a preliminary design of the information security system have been developed, providing for the implementation of the measures defined by law for an information system of the third level of security, as well as measures aimed at neutralizing the threats identified as relevant in the security threat model. The preliminary design has been fully implemented, which confirms the implementation of the measures defined by law and the neutralization of the relevant security threats in the personal data information system. The effectiveness of the measures taken to ensure the security of personal data has been evaluated. Machine-readable media are accounted for in the appropriate journal. The detection of unauthorized access to personal data and the taking of response measures are carried out using the information protection tools in use, in accordance with the instructions for the security administrator. The rules for access to personal data are approved in the relevant regulation and are technically implemented using information security tools. Employees admitted to the processing of personal data are briefed on information security, sign a non-disclosure agreement for personal data, and are familiarized with the personal data protection documents against signature.
In the information on ensuring the security of personal data we list the information protection tools used in the ISPDn. Fortunately, unlike the other fields, this information is not published in the public domain for all comers, so you can list all the information protection tools (SZI) actually in use.
The date of the start of PD processing usually coincides with the date of foundation (registration) of the company.
In the next item one usually selects "Termination of PD processing" and as the condition indicates "Termination of the organization".
In the "Categories of personal data" section, first tick the checkboxes for the categories that are processed, and then in the field "Other categories of personal data not listed in this list" indicate the PD that are not in the list. It is better to do this separately for the different categories of subjects, for example: "Other categories of employee data: [list of employee data]. Other categories of customer data: [list of customer data]".
In the section "Categories of subjects whose personal data are processed", we list the categories of persons whose data we store or process, for example: "Employees, applicants for vacant positions, contractors, customers". Please note that the field name includes an explanation of the cases in which this information should be indicated.
In the field "List of actions with personal data" it is easiest to quote the definition of PD processing from 152-FZ: "collection, recording, systematization, accumulation, storage, clarification (updating, changing), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, removal, destruction." Naturally, actions that are not relevant for your organization (for example, depersonalization) should be removed from this list. And do not forget to put the words in the right grammatical case.
Next, we indicate the method of processing personal data, usually "mixed, with transmission over the legal entity's internal network, with transmission over the Internet".
Then they want to know from us whether we transfer personal data abroad. If not, we declare that there is no cross-border transfer. If so, we will also have to list all the countries to which the data is transmitted.
The last item in this block is the use of cryptography. If it is not used, we move on. If we answer in the affirmative, we will be asked to write the names of the cryptographic tools and their class. All of this can be found in the documentation for the cryptographic tool. We will only note here that cryptographic tools of classes KV and KA are usually used for state secrets, and state secrets are not regulated by 152-FZ, so in ordinary ISPDs you most often choose from three options for the class of the cryptographic tool used: KS1, KS2 or KS3. If several cryptographic tools of different classes are used, the form allows you to specify all the necessary information.
The next section of the form appeared on September 1, 2015. Anyone who submitted a notification long ago needs to amend it and supplement it with data on the data center. Yes, do not be surprised: the local 1C-Accounting database deployed on the chief accountant's computer is also a data center in Roskomnadzor's understanding...
We select the country in which our "data center" is located and indicate its address. Then we must indicate whether the "DPC" is our property or not, and if not, provide the details of the owner of the site. If you have several ISPDs, the data center details must be specified for each of them separately, even if we are talking about one single server.
Next, fill in the details of the person appointed responsible for organizing the processing of personal data at the enterprise. IMPORTANT! The name of the responsible person, their contact phone number and e-mail will be available to everyone in the register of PD operators. Keep this in mind and, of course, it is better to warn the appointed person about it.
At the very end we indicate the details of the contractor. The contractor is the person filling out this notification. This need not be the responsible person; it may be a completely different person. But, as we can see, these fields are optional, so apparently, if you do not specify the contractor, the responsible person will automatically be taken as the contractor.
Then we tick "I agree to everything", enter the captcha and press the big button "Send electronic notification and prepare the form for printing". The form must then be printed, signed, stamped with the organization's seal (if any) and sent by regular paper mail to your department of Roskomnadzor. After a while, your data will be entered into the register.