Recently, articles on the fertile subject of personal data (PD) protection have been appearing on Habr more and more often. This is understandable: the topic is genuinely relevant, and new amendments to the law have just been adopted. What is not clear is something else: errors in explaining the requirements of the law, and in the solutions proposed, not only meet no objections from Habr readers but are strongly supported.
At the risk of playing D'Artagnan, I still consider it necessary to clarify certain points based on my own experience and knowledge (I first read the law in summer 2009, and since then I have been involved in bringing PD processing into compliance with the requirements of the Federal Law and have actively followed news, changes and expert discussions on this topic).
In particular, here are some remarks on the recent article “What gives the common man Federal Law No. 152 On Personal Data?” that, as far as I can tell, were not voiced in its comments.
So:
Quotation: “Permission may be given either as a separate document containing the owner’s signature, or as part of an agreement: for the provision of services, an employment agreement or other forms. There are exceptions when written permission is not required; they are specified in Article 6 of the federal law.”
This is slightly wrong. Firstly, Art. 6 lists the cases where the consent of the subject is not required at all (there are as many as 10 points). Paragraph 1, item 1 of Article 6 establishes that the subject's PD may be processed with his consent, but without specifying that the consent must be “written”. And this is important. The cases where consent must specifically be in writing are expressly stated in the law. They are:
- placing the subject's PD in publicly available sources (Article 8);
- processing of special categories (Article 10);
- processing of biometric PD (Art. 11);
- cross-border transfer of PD to countries that do not provide adequate protection and have not ratified the Euroconvention (Article 12);
- making decisions that generate legal consequences in relation to the subject of PD on the basis of exclusively automated processing (Article 16).
That is all. In other cases, consent may be given in any form, as long as the Operator is able to prove that it has indeed been received (Article 9, Clause 1: “Consent to the processing of personal data may be given by the subject of personal data or his representative in any form that makes it possible to confirm that it was received, unless otherwise provided by federal law”). For example, according to information on the Roskomnadzor website, an inspection was passed successfully by an organization whose website required the user, before entering PD, to click an “I agree” button in response to a question asking for consent.
Further: “If you are asked to provide your passport data, the availability of real estate and bank accounts when receiving a loyalty card, this is redundant information that is not required to provide the service, and the collection of such information is illegal. At the same time, they cannot refuse to issue you a card if you do not indicate in the application how much your apartment is worth.”
These are debatable claims. 152-FZ itself says nothing about it being impossible to refuse a subject a service if the PD is not provided. Yes, the subject may decline to provide PD that seems redundant to him, and yes, he may ask the Authorized Body (read: Roskomnadzor) for help. But whether or not to give you a loyalty card on your terms is for the shop to decide, and your legal literacy is unlikely to persuade a carefully instructed employee.
The “real-life case” is simply beyond the pale. Let us extend the idea, then: “I came to the hospital and was told to stand in a long line, so I wrote them a Request, and ever since the head doctor has personally taken my temperature!” Not to mention that the Internet connection starting to work has no bearing on the provider's obligation to give an answer; such a tool could only work by a very big miracle.
There is one more nuance: I have come across the opinion of specialists online that the legality of a Roskomnadzor inspection carried out in response to appeals from subjects can be challenged, and here is why. Inspections are carried out in accordance with the Administrative Regulations adopted by Roskomnadzor pursuant to Federal Law N 294- dated December 26, 2008, which, in particular, defines all the grounds for such inspections. The trouble is that the law has only three grounds, while the Regulations have five. The “legitimate” ones are:
a) the emergence of the threat of causing harm to life, health of citizens, harm to animals, plants, the environment, state security, as well as threats of natural and man-made emergencies;
b) causing harm to life, health of citizens, harm to animals, plants, the environment, security of the state, as well as the occurrence of emergency situations of natural and man-made character;
c) violation of the rights of consumers (in the case of an appeal by citizens whose rights have been violated).
There is not a word about any violations of the rights of subjects. Thus, the store or provider in question has a real opportunity to refuse to take part in such an interesting event as an “unscheduled inspection” (if, of course, it has a competent lawyer).
In the comments there was a question regarding rent receipts. The combination “full name + residential address”, and all the more so “+ phone number” and possibly “+ payment arrears”, is without a doubt personal data, and by no means publicly available. Utility companies deal with this in different ways. Common ways of achieving compliance are collecting consent to delivery in open form (as before, but now in accordance with the law) and distribution in envelopes (the cost of the envelopes is included in the bill). I read about a case where residents were sent questionnaires asking which of these methods they considered preferable.
And finally, what, IMHO, FZ-152 gives ordinary citizens. First, scheduled inspections of organizations are under way, and very actively. This means that organizations have to put the process into some kind of order. For example, there was information that the transfer of information by banks to collection agencies had been recognized as illegal.
Secondly, if you wish, you can contact an organization where you think your personal data are processed, review the data and, if necessary, demand that they be clarified, that processing be terminated, etc., although there are some nuances here that deserve a separate article.
That, in fact, is all that comes to mind. Perhaps I missed something, but I am used to looking at the problem from the perspective of the organization. In view of the above, it remains to wish that you raise your own legal literacy, are not afraid to ask on occasion “and for what purpose will my phone number be used?”, and carefully read what you sign and where (“I give my consent to any actions with any of my personal data and allow them to be considered publicly available” is, alas, not uncommon).