5 myths about personal data


A couple of months ago, hype arose around a change in the legislation on personal data. Resourceful lawyers vied with each other to argue that any feedback form or callback widget on a site constitutes processing of users' personal data, that Roskomnadzor is already imposing fines for violations, and that you urgently need to register.

All this hype rests on myths about personal data. Let's see what actually happened, what it threatens you with and how to avoid it.

The rules for processing personal data have not changed. In July 2017, amendments to the Code of Administrative Offenses of the Russian Federation came into force, tightening liability for violating the legislation on personal data. New offenses were introduced and the fines were increased to up to 75,000 rubles. That much is true.

But you need to understand that the fines for individuals are an order of magnitude lower, and those for individual entrepreneurs many times lower, than the fines for legal entities. The maximum fine of 75 thousand rubles is set for legal entities for only one of the seven offenses. For the others, the maximum fine ranges from 30 to 50 thousand rubles.

The unpleasant part is that fines for different offenses can partially add up. Among the possible violations listed are, in particular:

  • processing personal data in cases not provided for by law, or in a manner incompatible with the purposes for which the data was collected;
  • processing personal data without the subject's written consent in the cases where such consent is required;
  • failure to publish a personal data processing policy.

However, such concern is in most cases caused by a superficial understanding of the personal data law. To assess the actual risk of being held liable, let's consider the 5 most popular myths about personal data that circulate in the minds of the Internet community.

1. Personal data is any information about an individual


At first glance, this is so.
"Personal data - any information relating directly or indirectly to an identified or identifiable individual (the personal data subject)" (Part 1 of Article 3 of the Federal Law "On Personal Data").
However, if this norm is translated into plain language, only information on the basis of which a person's identity can be established, or which relates to a person whose identity is already beyond doubt, is personal data.

Let's test this thesis on a phone number or an email address. You have no lawful access to the telecom operator's subscriber base or to the mail service's user base. Therefore, by themselves, these items of information do not allow you to establish the identity of the person who uses them.

Therefore, data cannot be considered personal if, without the use of additional information, it does not allow an individual to be identified.

If you still have doubts about this interpretation of the norm, you can consult the source on the Roskomnadzor website. The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data literally says:
"Personal data means any information relating to an identified or identifiable individual ("data subject")" (Article 2 of the Convention).
In other words, as long as Mr. "X" is unknown to you, you can store data about him without violating anything. For example, regarding an anonymous phone number, there are direct answers from regional offices of Roskomnadzor:
"The subscriber number (phone number) is used to designate and identify the subscriber's terminal equipment in the communication network when subscriber devices are connected, which means that a phone number without an indication of its owner is not information on the basis of which that person (the personal data subject) can be unambiguously identified, and its use cannot imply the processing of its owner's personal data."

Conclusions

If the feedback form does not require, in addition to a phone number or email address, further information identifying the user, such information is not personal data. Requesting a name together with the phone number or email of the user also does not make the data personal, because a first name alone does not identify a citizen.
"A citizen acquires and exercises rights and obligations under his own name, including his surname and first name, as well as his patronymic, unless otherwise follows from law or national custom" (Part 1 of Article 19 of the Civil Code of the Russian Federation).
Therefore, from the point of view of civil law, a first name alone is not enough to produce legal consequences. At a minimum, a patronymic and a surname are needed as well.

Similarly, IP addresses, cookies and other data collected automatically in connection with the activity on a site or in an application of a user who has not been fully identified do not constitute PD.

2. Anyone who processes personal data is a personal data operator


"Operator - a state body, municipal body, legal entity or individual that, independently or jointly with other persons, organizes and (or) carries out the processing of personal data, and also determines the purposes of processing personal data, the composition of the personal data to be processed, and the actions (operations) performed with personal data" (Part 2 of Article 3).
However, there is an exception to this rule.
"The operator has the right to entrust the processing of personal data to another person with the consent of the personal data subject, unless otherwise provided by federal law, on the basis of a contract concluded with that person" (Part 3 of Article 6).
Such persons do not determine "the purposes of processing personal data, the composition of the personal data to be processed, or the actions (operations) performed with personal data", and are therefore not personal data operators.

In practice, such persons may include any consulting and service companies, including cloud services. The personal data is provided by their customers, and it is the customers who are responsible for the lawfulness of its processing.

Similarly, a service should not be responsible for processing the personal data of a customer's employees that the customer uploads on its own. It is the customer who must obtain the data subject's consent to the transfer of the data to the service and to its processing in the relevant ways.

Conclusions

Do not rush to consider yourself an operator. Perhaps you received the personal data for processing from an operator, and not from the personal data subject.

3. All sites must publish a privacy policy


Indeed, the Federal Law "On Personal Data" contains a rule on publishing a privacy policy:
"An operator collecting personal data using information and telecommunication networks is obliged to publish, in the relevant information and telecommunication network, a document defining its policy regarding the processing of personal data and information on the implemented requirements for the protection of personal data, and to provide access to this document using the means of the relevant information and telecommunication network" (Part 2 of Article 18.1).
However, do not forget the possible exceptions to this rule.

First, not all information about an individual is personal data (see myth 1).

Second, these rules are not imposed on a person who processes personal data on behalf of the operator (see myth 2 above).

Third, the Federal Law "On Personal Data" itself does not oblige individuals (including individual entrepreneurs) to publish documents defining the operator's policy on the processing of personal data or local regulations on the processing of personal data. Only legal entities must publish such documents (paragraph 2 of part 1 of article 18.1).

4. Written consent is required for the processing of personal data


Indeed, the first condition for the processing of personal data is the consent of the personal data subject to the processing of his personal data (clause 1 of part 1 of article 6 of the Federal Law "On Personal Data"). However, it is not always necessary to execute that consent on paper with the personal signature of the data subject. There are a number of additional or mutually exclusive rules.

1. Consent to the processing of personal data is not required for a person acting on behalf of the operator (part 4 of article 6)

2. Separate consent is not required in cases where the operator processes personal data:

  • for the purpose of concluding or performing a contract to which the personal data subject is a party, beneficiary or guarantor (paragraph 5, part 1, article 6);
  • to which access has been granted to an unlimited number of persons by the personal data subject or at his request (paragraph 10, part 1, article 6).

Thus, if the user accepts a user agreement, it is enough to notify the user that his personal data is being processed.

3. Consent may be given to the operator in another form
"Consent to the processing of personal data may be given by the personal data subject or his representative in any form that makes it possible to confirm the fact of its receipt, unless otherwise provided by federal law" (Part 1 of Article 9).

In other words, if no federal law requires written consent, it can be given in any other way, including by performing the requested actions. For example, such actions may include entering the verification code sent by SMS, following the link sent to the user's email when registering an account, etc.

4. Written consent may be signed with an electronic signature
"Consent in the form of an electronic document signed with an electronic signature in accordance with federal law is recognized as equivalent to written consent on paper containing the personal signature of the personal data subject" (Part 4 of Article 9).
It should be taken into account that electronic signature here means an enhanced qualified electronic signature (see part 3 of article 18 of Federal Law No. 63-FZ of 06.04.2011 "On Electronic Signature").

5. Every PD operator must be entered in the Roskomnadzor register


Many consultants recommend submitting a notification to Roskomnadzor for inclusion in the register of personal data operators, citing this rule:
"The operator is obliged to notify the authorized body for the protection of the rights of personal data subjects of its intention to process personal data before starting such processing" (Part 1 of Article 22).
However, they forget that the same article of the law provides exceptions to this rule. The situation under consideration, PD processing by a private Internet service, falls under at least two grounds for exemption from the obligation to notify.

In particular, the operator is entitled to process the following personal data without notifying Roskomnadzor:

  • data "received by the operator in connection with the conclusion of a contract to which the personal data subject is a party, if the personal data is not disseminated or provided to third parties without the consent of the personal data subject and is used by the operator exclusively for the performance of this contract and the conclusion of contracts with the personal data subject" (subparagraph 2 of part 2 of article 22);
  • data "made publicly available by the personal data subject" (subparagraph 4 of part 2 of article 22).

Conclusions

1) In the first case, to process PD without notifying Roskomnadzor, it is enough to invite the user to accept a user agreement, which is in essence a contract. To send messages to the phone number and email address you need the user's consent in any case, so acceptance of the user agreement solves two problems at once: on the one hand, you lawfully use the data without notifying Roskomnadzor; on the other, you obtain consent to contact the user at the stated numbers and addresses, including for newsletters if necessary.

2) The second exception concerns publicly available data. This ground can be useful to a social network, a classifieds board or a job search site where users themselves make information about themselves available. In this case there is no need either to notify Roskomnadzor of the processing of this category of PD or to obtain additional user consent for its processing.

3) In addition, remember that not everyone who processes PD is an operator. Some act on behalf of the operator (see myth 2 above). Therefore they do not need to send Roskomnadzor a notification about the processing of personal data provided to them by the operator.

4) Special mention deserves the recommendation to register "just in case". This is bad advice in every respect, because Roskomnadzor conducts scheduled inspections of the operators included in the register. And then a simple privacy policy will not help you: they will ask for all your internal information security regulations and check that they are actually implemented!

Pay attention to details: that is where the devil (and the lawyer) hides.
