Conference of Roskomnadzor "Protection of personal data"
On November 8, 2018, the 9th International Conference “Personal Data Protection” was held in Moscow, organized with the support of the Ministry of Communications of the Russian Federation and Roskomnadzor. The speakers (the full list is available on the conference website, https://zpd-forum.com/ru) included representatives of Roskomnadzor: Alexander Zharov, Alexander Pankov, Antonina Priezezheva and Yury Kontemirov.
An important topic of the conference was the development of international legal regulation of the protection of personal data (PD), using the example of the GDPR and the Modernized Council of Europe Convention No. 108. Foreign participants joined the discussion, including representatives of the authorized data protection authorities of Azerbaijan, Bulgaria, Bosnia and Herzegovina, Hungary, Italy, Jordan, China, Serbia and the Republic of South Africa.
Representatives of Roskomnadzor recalled that Russia was among the first countries to sign the Council of Europe Convention ETS-108, and that our country also participated in preparing the new version of the text of the Convention. It was stated that the modernization of the directive would not entail major changes in the organization of personal data protection in Russia, and that signing the modernized Convention will allow Russia to be included in the list of countries that conform to the GDPR.
However, one of the most important results of Russia signing the Convention will be that Russian operators will become obliged to give notice of personal data leaks and will be liable for failing to do so. Plans were also mentioned to create a resource where citizens will be able to withdraw consent they previously gave to the processing of their personal data.
In his speech, Yury Kontemirov clarified that Roskomnadzor supervises compliance with personal data legislation as a whole, including the provisions of all laws related to the processing of PD. In 2018, all territorial departments of Roskomnadzor together drew up 98 protocols on administrative offenses in the field of personal data, qualified under Article 13.11 of the Administrative Code of the Russian Federation in its new edition. For example, under Article 19.7 of the Code on Administrative Offenses of the Russian Federation (failure to give notice of processing or failure to respond to a request), about 7,000 protocols are drawn up per year.
As is already known, the legislation on personal data, together with Decree of the Government of the Russian Federation No. 687, regulates any processing of PD, including fully automated processing. Yury Kontemirov also clarified that a data subject's legal capacity with respect to personal data begins at the age of 14, and that there will be no objections to a consent to the processing of personal data signed by a child aged 14 or older. In addition, Yu. Kontemirov explicitly noted that a consent to processing may be signed in electronic form with any electronic signature provided for by the Federal Law “On Electronic Signature”, and not only with an enhanced qualified one.
It was also separately explained that standard forms that provide for the entry of personal data must comply with the requirements of clause 7 of Resolution of the Government of the Russian Federation No. 687 of September 15, 2008 “On Approval of the Regulation on Peculiarities of Personal Data Processing, carried out without the use of automation equipment” only if they are developed by the operator independently.
“7. When using standard forms of documents whose information content implies or allows the inclusion of personal data (hereinafter, a standard form), the following conditions must be observed:
a) the standard form or the documents associated with it (instructions for completing it, cards, registers and logs) must contain information on the purpose of the personal data processing carried out without the use of automation equipment, the name and address of the operator, the surname, first name, patronymic and address of the personal data subject, the source from which the personal data were obtained, the time limits for processing the personal data, the list of actions with the personal data that will be performed in the course of their processing, and a general description of the methods the operator uses to process personal data;
b) the standard form must provide a field in which the personal data subject can mark his or her consent to the processing of personal data carried out without the use of automation equipment, where written consent to the processing of personal data must be obtained;
c) the standard form must be drawn up in such a way that each of the personal data subjects contained in the document is able to review his or her own personal data contained in the document without violating the rights and legitimate interests of other personal data subjects;
d) the standard form must preclude the combining of fields intended for the entry of personal data whose processing purposes are known to be incompatible.”
However, forms developed by state bodies and by the governing bodies of extra-budgetary funds within their powers are, as stated at the conference, not subject to these requirements. It was also noted that a phone number or a state vehicle registration plate by itself (without being tied to a specific subject of the action document) is not personal data.
FSTEK representative Elena Torbenko said that the approach of Order No. 239 on the security of CII, which allows information protection tools to be assessed for conformity in the form of testing and acceptance, can be applied when building an AP protection system, but the system owner should be aware of the responsibility for the quality and validity of such an assessment. The representative of the FSB, A. Bodrov, noted that the FSB still considers valid only a conformity assessment in the form of certification in its own system. Certification of application software used for processing personal data is not required if the software has no functions protecting against actual threats. However, any customer has the right to demand such certification from the supplier or contractor if the customer considers it necessary.
In addition, a ceremony for the signing of the Code of Fair Practices (Code of Ethical Activities (Work) on the Internet) was held at the “Protection of Personal Data” conference. The document was joined by the Chamber of Commerce and Industry of Russia, Delovaya Rossiya LLC, Opora Rossii LLC, Moscow State University named after M.V. Lomonosov, as well as representatives of foreign businesses: the Association of European Businesses, the American Chamber of Commerce in Russia and the Russian-German Chamber of Commerce.