So that Roskomnadzor does not come SUDDENLY
Once again, lawmakers are perfecting our lives! The legal information portal has published Decree of the Government of the Russian Federation of February 13, 2019 No. 146 "On approval of the Rules for the organization and implementation of state control and supervision of the processing of personal data".
It establishes the procedure for organizing and conducting inspections of personal data operators. The rules do not apply to monitoring the implementation of organizational and technical measures to ensure the security of personal data. Unsurprisingly, the responsibility to control and oversee was assigned to Roskomnadzor. Now it will have to adjust its busy schedule.
Oversight will take four forms:
- inspections, both scheduled and sudden;
- preventing violations and eliminating their consequences;
- control without interaction with operators;
- prevention of violations.
Operators are usually inspected no more than once every three years. Inspections may also happen no more than once every two years, or even once a year, under the following conditions:
- if the operator processes personal data in the State Information System;
- if it collects biometric and special categories of personal data;
- if it transfers data abroad without protecting the rights of the owners of that data;
- if it processes data on behalf of a foreign state body, foreign legal entity or foreign individual not registered in our country.
If a violation has been identified and the operator has not fully corrected it, citizens are complaining, and the prosecutor is demanding action, then the inspection will come suddenly. If the head of Roskomnadzor reads a report on slip-ups identified during control without the operator's involvement, expect the inspection to be unexpected as well.
But if everything goes according to plan, Roskomnadzor will notify you no later than three business days before the start of the inspection. If something went wrong, you will have only 24 hours to calm down and prepare for the inspection. A scheduled inspection should last no longer than 20 working days, although in rare cases anything can happen. A sudden inspection lasts 10 business days.
Documents are checked by requesting them from the operator. They are not checked suddenly. The operator provides the documents within 5 days of receiving the request.
Afterwards the inspectors draw up an inspection act. On their way out, they record in the operator's inspection log that they checked everything. If there is no such log, they will note that in the act. So do not forget to prepare one. At the bottom of the act they indicate exactly what was violated. If nothing was violated, they write that everything is OK.
Control without interaction with the operator takes place:
- when they monitor information posted on the Internet and in the media for compliance;
- when they analyze information about the operator's activities to see whether the operator complies with the requirements.
For prevention, Roskomnadzor is required to:
- post a list of requirements on its website;
- inform operators how things are going in the field of protecting the rights of owners of personal data;
- summarize the results of inspections for the year;
- report on its website about the most common violations;
- post instructions on how not to mess up information on seminars, conferences and banquets;
- explain the requirements of the legislation in plain human language, in the media and in other ways;
- warn operators that they must not violate anything.
You can check whether everything is in order right now. Roskomnadzor has posted the relevant requirements here.