Personal Data: 5 Important Steps to Security

Contents:

• Personal data: definition and meaning
• Notification of registration with Roskomnadzor: important aspects
• List of documents required for processing personal data
• Consent to the processing of personal data: important aspects
• Responsibility for violations in the field of personal data processing

Personal Data: Definition and Meaning

Personal data occupies an important place in today's digital society. According to Federal Law No. 152-FZ "On Personal Data," this term encompasses any information that can be linked to a specific individual. This data includes both direct and indirect identifiers that allow the subject's identity to be established. Ensuring the security and confidentiality of personal data is becoming a priority for organizations working with such information. Proper understanding and compliance with personal data laws help protect the rights of citizens and prevent potential information leaks. Personal data includes information that allows an individual to be identified. This may include first name, last name, address, telephone number, email address, and other identifying characteristics. Furthermore, personal data includes biometric data, such as fingerprints or photographs, as well as location information and financial data. Protecting this data is important, as its leakage can have serious consequences for the security and privacy of individuals. It is important to comply with legal regulations governing the processing and storage of personal data in order to ensure the protection of citizens' rights.

• Surname, first name, patronymic;
• Contact phone numbers;
• Email address;
• Home address;
• Photographs;
• Passport details;
• Other information that allows for personal identification.

The processing of personal data begins from the moment this data is collected, stored, or used. At this moment, you become a personal data operator, which imposes certain obligations and responsibilities on you. Operators must ensure the protection of personal information and comply with applicable data protection legislation, which includes informing data subjects of the purposes of processing and obtaining their consent to the use of their personal information. It is also important to implement security measures to prevent leaks and unauthorized access to data.

Almost every organization in Russia acts as a personal data operator, since it processes information about its employees and clients. Examples of such organizations include businesses in the retail, service, education, and healthcare sectors. This data may include personal information, financial details, and other aspects related to employees and customers. It is important to remember that compliance with data protection laws is critical to ensuring the security and privacy of information.

• Users subscribe to a newsletter by leaving their name and email address;
• Potential buyers fill out test drive applications, providing their contact information;
• Customers place orders on marketplaces by providing their card number, address, and full name.

From the moment you begin processing personal data, you incur a responsibility that requires strict compliance with legal regulations. This means carefully following all data protection laws to ensure the security and privacy of information. Every step in data processing must comply with established rules to avoid legal consequences and protect the interests of data subjects.

Personal data operators must consider several key aspects to ensure compliance with the law. First of all, it is necessary to clearly define the purpose of data processing, as well as the timeframe, scope, and categories of information collected. An important step is obtaining consent from the data subject to the processing of their personal data. In the next section, we will examine in detail the requirements established by law that must be observed to ensure the rights of data subjects and the protection of their personal information.

Notification of registration with Roskomnadzor: important aspects

Before beginning to process personal data, it is important to notify Roskomnadzor. This requirement applies to all organizations, with the exception of those that were already engaged in similar activities before the adoption of the new legislation. Such companies can notify the regulator after they have begun processing data. Ensuring compliance with personal data legislation helps avoid fines and negative consequences. Notifying Roskomnadzor is an important step in ensuring the security and protection of citizens' personal information.

To submit a notification, you must gather the necessary documents in advance and meet the established requirements.

• Prepare a package of documents, including regulations on the processing of personal data and orders appointing responsible persons. Details on the required documents can be found in our dedicated section.
• Implement organizational and technical security measures, such as restricting access to premises and setting passwords on information systems.

Once all the necessary documents are prepared, you can register with Roskomnadzor. There are three ways to submit a notification for this procedure.

• Fill out the form, print it, and send it to your local Roskomnadzor office.
• Fill out and sign the form electronically by sending it through the Roskomnadzor website.
• Fill out the form and submit it through the Gosuslugi portal, provided that your account is linked to an organization.

The regulator enters data into the register of personal data operators within 30 days of receiving the notification. An important aspect is the need to notify Roskomnadzor in the event of changes to the terms of personal data processing or their termination. This ensures compliance with legislation on personal data protection and keeps the information in the register up to date.

It is possible to avoid registration with Roskomnadzor, but such cases are rare and are described in detail in Article 22 of Federal Law No. 152-FZ. This may apply to direct contracts with clients, in which information is not transferred to third parties, as well as other specific exceptions to the general rule.

• Processing employee data in accordance with the Labor Code of the Russian Federation;
• Using only the last name, first name, and patronymic;
• Issue of one-time passes to the premises.

In practice, ideally "clean" business practices are indeed rare. For example, when an employer makes salary transfers through a bank, this automatically implies the transfer of employees' personal data.

If you have any doubts about the need for registration, we recommend seeking clarification from the regulator. This will help avoid incorrect conclusions about whether your case falls under the registration requirements. Obtaining official information will help you make an informed decision and avoid potential legal consequences.

A car dealership encountered problems registering as a personal data operator due to a misunderstanding of the exceptions specified in Article 22 of Federal Law 152-FZ. Management mistakenly believed that issuing passes and concluding sales contracts did not require mandatory registration. This misconception led to legal consequences and the need to review the organization's approaches to personal data processing. It is important to remember that even if an activity appears exempt from registration, it may fall under personal data protection laws. Correct interpretation of the regulations and timely registration will help avoid fines and other sanctions.

Roskomnadzor clarified that car dealerships providing services related to the processing of personal data, such as maintenance, insurance, and test drives, are required to undergo the registration procedure. This requirement is necessary to comply with personal data protection laws and ensure the security of customer information. Registration will help the car dealership legally operate and guarantee the protection of its customers' personal information.

List of required documents for processing personal data

Properly executed legal documentation plays a critical role in mitigating the risks associated with possible violations of personal data laws. It is important to prepare the following key documents:

1. A personal data processing policy that will describe the purposes, methods, and conditions of data processing.
2. Consent to the processing of personal data from subjects, which is necessary for the legitimacy of processing.
3. Agreements with third parties, if data is transferred to third-party organizations.
4. Personal data security regulations describing measures to protect information.
5. A personal data processing log for keeping track of all data transactions.

Compliance with personal data laws will help avoid fines and maintain your company's reputation.

• Privacy Policy.
• Personal Data Processing Rules.
• Consent to Personal Data Processing.
• Personal Data Confidentiality Obligation.

In this section, we will carefully examine each of the presented documents.

Privacy Policy and Personal Data Processing Rules are two important documents that are often confused. It is important to clearly understand that the personal data processing rules, regulated by Federal Law No. 152 and Roskomnadzor recommendations, and the privacy policy serve different purposes. The privacy policy describes how the company collects, uses, and protects users' personal data, while the personal data processing rules set the requirements for the data processing procedure itself. Each of these documents must be drafted in accordance with current legislation and ensure the protection of users' rights. Proper separation and understanding of the functions of these documents helps build customer trust and ensure legal compliance.

Personal data processing rules should include clear requirements established by law. At the same time, a privacy policy covers a broader range of information. It includes the protection of additional data, such as contracts, correspondence, and internal documents. This is important to ensure transparency and trust from users and clients, as well as compliance with data protection laws. Working with personal data requires a careful approach to its collection, storage, and processing in order to minimize the risk of leaks and ensure information security.

Combining these two documents into one is legal. However, it is necessary to inform users of the privacy policy and the terms of personal data processing in advance before registering on the website. This will ensure transparency and trust from users, as well as compliance with legal requirements.

Download the Privacy Policy template and the Personal Data Processing Rules template. These documents will help you properly draft a personal information protection and personal data management policy in accordance with current legislation. Ensure the security of your users' data with our ready-made solutions.

Consent to the processing of personal data is an important document that must be completed by the subject of the personal data. It must include all the required information about the operator's information resources, including website addresses and other data related to the processing of personal data. This consent ensures the lawfulness of data processing and protects the rights of subjects. Proper execution of this document ensures that the information will be used in accordance with current data protection legislation.

The consent form should be clear and easy to understand so that users can easily understand how exactly their data will be used. Avoid ambiguous wording that could lead to misunderstandings. Transparency in data processing matters builds user trust and increases the likelihood that they will agree to the use of personal information.

When processing data exclusively online, it is important to specify in the privacy policy the specific situations in which the user consents to the processing of their information. This can be done, for example, by checking the appropriate box. This approach ensures transparency and compliance with data protection legislation.

A confidentiality agreement is an important document that requires company employees to maintain the confidentiality of client information. All employees with access to personal data are required to sign this document. This ensures the protection of clients' personal information and compliance with data protection laws. Signing a confidentiality agreement helps prevent information leaks and ensures that employees understand their responsibility regarding data privacy.

A non-disclosure agreement template is an important document that protects confidential information. It regulates the processing and storage of personal data, ensuring its protection from unauthorized access and use. Such a document is necessary for both organizations and individual entrepreneurs who want to ensure the security of the personal information of their clients and employees. The agreement should clearly state the conditions under which information may be disclosed, as well as the consequences of its unauthorized use. Using a personal data non-disclosure agreement template helps minimize the risk of information leaks and comply with data protection laws.

The order appointing a person responsible for processing personal data is an important internal document that is not subject to public publication. However, it may be requested by Roskomnadzor during compliance audits regarding personal data protection laws. In most cases, an IT specialist or security officer is appointed to this position to oversee the processing, storage, and protection of personal data within the organization. Properly drafting the order will help ensure compliance with legal requirements and protect the rights of personal data subjects.

The order template appointing a person responsible for processing personal data is an important document for organizations that process such data. In accordance with personal data protection laws, each organization must appoint a person responsible for processing it. This order formalizes the appointment and defines the responsibilities of the responsible person.

The order should contain the following key elements: the name of the organization, the basis for the appointment, the full name of the person responsible for working with personal data, and their job responsibilities. It is also recommended to specify the terms and conditions for fulfilling obligations related to the processing of personal data, as well as the procedure for interacting with other departments.

Using this template will help ensure compliance with legal requirements and improve the level of personal data protection within the organization. Be sure to familiarize all employees with the order and conduct appropriate training on the processing and protection of personal data.

If your website requires registration, it is crucial to familiarize users with the privacy policy in advance. It is necessary to obtain their consent to the processing of personal data before submitting the form. This not only complies with legal requirements but also helps build user trust in your resource. By being transparent about how you process data, you create a secure environment for interactions with your website.

Consent to the Processing of Personal Data: Important Aspects

When a customer signs up for a newsletter, places an order, or requests a test drive, they provide personal information, including their name, phone number, and email address. These actions create the legal basis for obtaining consent to the processing of personal data. It is important to be transparent in the use of this information, informing the customer of the purposes for which data is processed and their rights. Proper handling of personal information builds trust and strengthens customer relationships.

Each user should be able to independently and informedly decide whether to transfer their personal data. It is crucial that consent to the processing of this data is in writing, which ensures its legality and protects the rights of users. Properly formalizing consent helps avoid potential legal consequences and ensures transparency in the processing of personal information.

According to the law, consent to the processing of personal data must be obtained explicitly, not implicitly. This means that simply performing a user action is not sufficient to confirm their consent. Clear information must be provided that confirms the user's consent to the processing of their data. It is important that the consent process be transparent and accessible, which will avoid misunderstandings and ensure the protection of user rights.

Consent to the processing of personal data can be obtained using various methods, one of which is the use of checkboxes. It is important that the checkbox not be pre-selected, allowing the user to express their consent independently by checking the box. A checkbox must be a mandatory element of all forms in which personal data is collected and processed. This ensures transparency and compliance with data protection laws, and increases user trust in your company.

One way to obtain user consent to the processing of their data is to place a notice next to a button that confirms consent. Additionally, many web services offer personal accounts where users can indicate their preferences in special forms. This helps ensure transparency in data processing and improve customer interactions.

The collection of biometric data, including photographs and audio recordings, requires obtaining clear written consent from the user. Using a checkbox does not constitute sufficient consent and does not comply with legal requirements.

The user has the right to revoke consent to the processing of their personal data at any time. In this case, the organization is obligated to immediately cease processing the data and ensure its deletion.

There are situations where consent to the processing of personal data is not required. For example, this may occur if data processing is necessary to fulfill a contract to which the data subject is a party. However, such cases are exceptional and are not common.

It is important to remember the need to obtain consent to the processing of personal data, even if it may seem unnecessary. The most common violations for which companies can be fined include processing data without the consent of its owners and not providing the required data in accordance with the purposes for which it is processed. Such errors can lead not only to fines but also to serious data breaches, which will negatively impact the company's reputation and customer trust. Ensuring compliance with personal data protection laws is a key aspect of any organization's operations.

Liability for Violations in Personal Data Processing

Roskomnadzor, as well as other agencies such as Rostrud and the Federal Antimonopoly Service, oversees the legality of personal data processing in Russia. In recent years, there has been a trend toward increasing liability for violations in this area, underscoring the need for strict compliance with the law. For more detailed information on the types of liability and current legislative changes, we recommend that you read the materials on the official website of Roskomnadzor. Compliance with personal data laws is the key to protecting the rights of citizens and organizations.

According to Article 13.11 of the Code of Administrative Offenses of the Russian Federation (CAO), Roskomnadzor has the authority to initiate administrative offense cases. This body also has the authority to impose fines, the amount of which varies depending on the nature of the offense. It is important to note that such measures are aimed at ensuring compliance with legislation in the field of information technology and consumer protection.

• for individuals - from 700 to 100,000 rubles;
• for officials - from 3,000 to 800,000 rubles;
• for sole proprietors - from 5,000 to 20,000 rubles;
• for legal entities - from 15,000 to 18,000,000 rubles.

The amount of the fine and the likelihood of being held accountable do not depend on the size of the business. The key factors remain the nature of the violation and its severity. By complying with the law, companies avoid serious consequences, regardless of their size. Therefore, it is important to carefully monitor compliance with all requirements to minimize risks and protect your business from fines and sanctions.

The French company Gandi SAS was found to be in violation of personal data protection laws. When obtaining clients' consent to process their personal information, the company failed to provide the necessary information about the data controller. This violation highlights the importance of compliance with personal data processing laws and the need for transparency in customer relationships. Problems like the Gandi SAS case can lead to serious sanctions and loss of user trust, making compliance with data protection regulations critical for companies.

The company processed the personal data of Russian citizens in the United States, violating the requirements of Federal Law No. 152-FZ. According to Clause 5 of Article 18 of this law, operators are required to process personal data exclusively in Russia. As a result of this violation, the resource was included in the Register of Violators of the Rights of Personal Data Subjects. Information about non-compliance with legal requirements may negatively impact a company's reputation and its future operations.

In 2020, Roskomnadzor blocked over 190,000 internet resources, demonstrating strict control over compliance with information technology legislation. A full list of grounds for blocking is available on the regulator's official website, allowing users to familiarize themselves with the reasons for restricting access to certain resources. This practice underscores the importance of adhering to internet norms and rules, as well as Roskomnadzor's role in ensuring online security and law and order.

In 2021, Federal Law 355-FZ came into force, amending Article 7 of Federal Law 115-FZ, which concerns the fight against money laundering and the financing of terrorism. According to the new rules, banks are obligated to service only those companies whose websites are not blocked and comply with Roskomnadzor's requirements. This innovation significantly impacts the financial activities of organizations, as lack of access to banking services can hinder business operations and limit their growth. Compliance with legal regulations is becoming critical for companies seeking legal and sustainable market operations. Every company, regardless of age or legal form, is required to comply with current legal requirements. This applies even to organizations that already have current accounts. All banks are required to monitor compliance with regulations and standards, and if violations are detected, they may deny service. Therefore, it is important to closely monitor changes in legislation and ensure that your activities comply with new requirements.