There are quite a few articles written about personal data operators.
The operators are very upset that they have to spend money on protecting personal information, that life is hard for all of them, and that everything is very bad.
On the other hand, there are the owners of personal data themselves, and I propose to consider the topic from their side. What does Federal Law No. 152 give the owner of personal data, and how can the owner protect their legitimate interests?
Here the conversation is about commercial organizations; the question of state bodies is a topic for a separate article.
The collection and processing of personal data by legal entities is a common practice. Some include personal data in a contract, some collect it for loyalty programs, and some collect it to make calls offering their most modern vacuum cleaners. Everyone has their own goals. And that's fine, as long as it doesn't inconvenience people.
If an organization lacks the money for protection measures, the experts, or the desire, that is the problem of that particular organization. No money for protection measures? Then keep records on paper, but with the permission of the owner. If an online store cannot ensure the security of order information, then it should not store these orders.
This article helps the owner of personal data figure out how to force the operator of personal data to stop violating the owner's rights.
The main message of the law on personal data: information containing any personal data* does not belong to anyone except the owner, and if a company wants to receive it, the company must substantiate this desire and obtain permission from the owner, or have legal grounds for processing. In addition, such a company must ensure the security of this information.
* Article 2. Clause 1. Personal data - any information relating to a directly or indirectly identified or identifiable individual (subject of personal data).
Permission may be given either as a separate document bearing the owner's signature or as part of a contract: a service contract, an employment contract, or another form. There are exceptions when written permission is not required; they are specified in Article 6 of the federal law. If the organization does not fall under the cases where permission is not required and also has no written permission, the operator is obliged to destroy the personal data within a period not exceeding 7 days (Article 20, paragraph 3) and to notify the owner of the personal data about this.
Your personal data can only be processed for clearly defined purposes; no one may process it for no reason**. If you are asked to state your passport data, your real estate holdings and your bank accounts when receiving a loyalty card, this is redundant information that is not required to provide the service, and collecting it is illegal. At the same time, they cannot refuse to issue you a card if you do not state in the application form how much your apartment is worth.
** Article 1 clause 3. Personal data processing - any action (operation) or set of actions (operations) performed with personal data, with or without the use of automation means, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data.
If any organization processes your personal data, you have the right to request information from the operator of personal data*** regarding the processing of personal data, which is specified in Article 7.
*** Article 14 clause 7. The personal data subject has the right to receive information regarding the processing of his personal data, including information containing:
1) confirmation of the processing of personal data by the operator;
2) the legal basis and purpose of the processing of personal data;
3) the goals and methods of personal data processing applied by the operator;
4) the name and location of the operator, information about persons (except for the operator’s employees) who have access to personal data or who can disclose personal data on the basis of an agreement with the operator or on the basis of federal law;
5) processed personal data relating to the relevant subject of personal data, the source of their receipt, unless a different procedure for providing such data is provided for by federal law;
6) the processing time of personal data, including the storage period;
7) the procedure for the subject of personal data to exercise the rights provided for by this Federal Law;
8) information on the performed or intended cross-border data transfer;
9) the name or surname, name, patronymic and address of the person performing the processing of personal data on behalf of the operator, if the processing is entrusted to or will be entrusted to such person;
10) other information stipulated by this Federal Law or other federal laws.
The operator is obliged to provide a response to this request within 30 days.
If, for example, debt collectors call you and demand payments from you, you shouldn't swear at them; you should carefully write down which organization is calling and who the caller is. After that you should send a request to this organization by registered mail. The letter must request the basis of processing, the purpose of processing and the information specified in paragraph 7 of Article 14 of the Federal Law.
If you haven’t received an answer within 30 days, feel free to write an application to Roskomnadzor, at the same time checking whether the collector is in the register of personal data operators.
Here is an example of the consequences for the operator of personal data at the request of the owner:
A real-life case: I was once again upset by my Internet provider's quality of service, and I decided to see how lawfully it was processing my personal data. Having written and printed a letter requesting the information from Article 14, I went to them and gave it to the secretary for signature, along with a claim about the quality of service. The next day, the head of technical support (I hadn't been able to talk to him before, they wouldn't put me through) joyfully informed me that they had repaired everything and gave me his contact details, asking me to call him personally if something was wrong. The Internet has been working fine since then.
Another example of a violation on the part of the operator of personal data: after I bought a car at a car dealership, a letter came in the mail from the manufacturer in Germany, stating that I had purchased a car of a certain brand and asking me to evaluate the quality of service provided by their dealer. When the contract was concluded, nowhere in its text did it say that I authorized the processing of my data, much less its transfer to anyone.
The operator did not destroy my personal data after achieving the processing objectives (the contract was executed), made a cross-border transfer of this data, and continues to process it in its information systems without any basis (SMS messages arrive with information about promotions).
If the article is interesting to readers, I will use the last example of violation to lay out appeal forms and step-by-step instructions on organizing requests to personal data operators and requests to Roskomnadzor, and tell you where to go besides Roskomnadzor and which pieces of legislation to refer to.