Data transfer to Russia. Short FAQ on Misconceptions

    The line "how many times has the world been told" probably fits the situation with personal data protection and data transfer to Russia perfectly. The problems in this area have been discussed for so long that one would think everything has already been said. All the more so since lawyers, at least, should be able to read laws.

    Alas. Attending yet another conference dispelled this myth for me, so here are answers to the common questions about data transfer, contributed to the Habr community's collection.

    How to transfer responsibility for the processing of personal data?

    For some reason people forget that Federal Law No. 242-FZ of July 21, 2014 is not a stand-alone law. It only amends:

    • Federal Law No. 149-FZ of July 27, 2006 "On Information, Information Technologies and Information Protection"
    • Federal Law No. 152-FZ of July 27, 2006 "On Personal Data"
    • Federal Law No. 294-FZ of December 26, 2008 "On the Protection of the Rights of Legal Entities and Individual Entrepreneurs in the Exercise of State Control (Supervision) and Municipal Control"

    Therefore, when speaking of personal data protection, one has to operate with the provisions of 152-FZ. According to 152-FZ (Article 3 and Article 6):

    2) operator - a state body, municipal body, legal entity or natural person which, independently or jointly with other persons, organizes and (or) carries out the processing of personal data, and also determines the purposes of processing personal data, the composition of the personal data to be processed, and the actions (operations) performed with personal data;
    5. Where the operator entrusts the processing of personal data to another person, the operator is liable to the personal data subject for the actions of that person. A person processing personal data on behalf of the operator is liable to the operator.

    Thus responsibility to the data subject always remains with the operator, that is, the company that obtained the subject's consent to processing. In general, even moving some employees into a separate legal entity will not help, since the data will still be processed within the company anyway: business interactions with those employees will continue.

    ... Roskomnadzor ... secure channel / encryption

    Many questions concern security measures, which is natural. But for some reason the only addressee people think of is Roskomnadzor. Again, under 152-FZ there are three regulators, each with its own area of responsibility. Article 19 part 4 reads:

    4. The composition and content of the organizational and technical measures for ensuring the security of personal data during their processing in personal data information systems, necessary to fulfil the personal data protection requirements established by the Government of the Russian Federation in accordance with part 3 of this article for each of the security levels, are established by the federal executive body authorized in the field of security and the federal executive body authorized in the field of countering technical intelligence and technical protection of information, within their authority.

    These are FSTEC of Russia and the FSB of Russia respectively, the latter being responsible for encryption. The third regulator, Roskomnadzor, is the authorized body for the protection of the rights of personal data subjects, which is a different remit from technical security requirements.

    How do we fulfil the server relocation requirement?

    The current edition of 149-FZ states:

    7) the location on the territory of the Russian Federation of the databases of information using which the collection, recording, systematization, accumulation, storage, updating (refinement, alteration) and extraction of personal data of citizens of the Russian Federation are carried out.

    And correspondingly 152-FZ (Article 18 part 5):

    5. When collecting personal data, including via the information and telecommunications network "Internet", the operator is obliged to ensure the recording, systematization, accumulation, storage, updating (refinement, alteration) and extraction of personal data of citizens of the Russian Federation using databases located on the territory of the Russian Federation, except in the cases specified in items 2, 3, 4 and 8 of part 1 of Article 6 of this Federal Law.

    What matters here is the word "using". It admits many interpretations; read strictly, even a mirrored server abroad would fall under it. But the provision is usually interpreted to mean that:

    1. Collection and storage of the data must take place on the territory of the Russian Federation, while processing can happen anywhere
    2. Copies of the data may also be stored abroad and accessed during processing

    Note that the second reading implies a cross-border transfer of personal data, which is governed separately by Article 12 of 152-FZ, so the localization clause is not the only one to check before placing a copy abroad.

    Illustrations here and below are taken from the conference materials.

    Careful reading minimizes the risk of breaking the law

    2) operator - a state body, municipal body, legal entity or natural person which, independently or jointly with other persons, organizes and (or) carries out the processing of personal data, and also determines the purposes of processing personal data, the composition of the personal data to be processed, and the actions (operations) performed with personal data;
    3. The operator has the right to entrust the processing of personal data to another person with the consent of the personal data subject, unless otherwise provided by federal law, on the basis of an agreement concluded with that person, including a state or municipal contract, or by adoption by the state or municipal body of a corresponding act (hereinafter - the operator's instruction). A person processing personal data on behalf of the operator is required to comply with the principles and rules for the processing of personal data provided for by this Federal Law. The operator's instruction must specify the list of actions (operations) with personal data that will be performed by the person processing the personal data and the purposes of processing, must establish the obligation of that person to maintain the confidentiality of personal data and to ensure the security of personal data during their processing, and must also specify the requirements for the protection of the processed personal data in accordance with Article 19 of this Federal Law.
    4. A person processing personal data on behalf of the operator is not required to obtain the consent of the personal data subject to the processing of his personal data.

    Responsibility to the subject remains with the operator in any case, but the protection measures (together with responsibility for implementing them, owed to the operator) can be transferred to a third party. The contract must spell out the purposes of processing, the list of operations, the confidentiality obligation, and the protection requirements under Article 19.

    A separate issue is whether the company to which the data, together with responsibility for protecting them, are transferred for processing must itself notify Roskomnadzor. In theory such a company could be a specialized provider offering compliance with the law's requirements as a service. But in the general case it cannot know what its next client will require of it, and notifying Roskomnadzor before the start of processing under every contract ... The most interesting exemption in 152-FZ (Article 22 part 2) states that

    2. The operator is entitled to process the following personal data without notifying the authorized body for the protection of the rights of personal data subjects:
    2) personal data received by the operator in connection with the conclusion of an agreement to which the personal data subject is a party, provided that the personal data are not disseminated or provided to third parties without the consent of the personal data subject and are used by the operator solely to perform the said agreement and to conclude agreements with the personal data subject;

    This option works only with a tripartite agreement, one of whose parties is the personal data subject.
