
The mechanism for the exercise of their legal rights by the owners of personal data

In the previous article, I talked about the possibilities that Law No. 152 gives to the owner of personal data. This part presents the mechanism itself and the request forms for exercising those rights. It does not address the case where the operator has no right to process personal data at all. The task is to make unlawful data processing cost the personal data operator serious money and time.

To exercise their rights, the owners of personal data may contact operators for the following information.
* Article 14, paragraph 7. The subject of personal data has the right to receive information relating to the processing of his personal data, including:
1) confirmation of the processing of personal data by the operator;
2) the legal basis and purpose of the processing of personal data;
3) the goals and methods of personal data processing applied by the operator;
4) the name and location of the operator, information about persons (except for the operator’s employees) who have access to personal data or who can disclose personal data on the basis of an agreement with the operator or on the basis of federal law;
5) processed personal data relating to the relevant subject of personal data, the source of their receipt, unless a different procedure for providing such data is provided for by federal law;
6) the processing time of personal data, including the storage period;
7) the procedure for the subject of personal data to exercise the rights provided for by this Federal Law;
8) information on the performed or intended cross-border data transfer;
9) the name or surname, name, patronymic and address of the person performing the processing of personal data on behalf of the operator, if the processing is entrusted to or will be entrusted to such person;
10) other information stipulated by this Federal Law or other federal laws.

Before contacting the operator, it makes sense to check whether the organization is an operator that should be registered in the Roskomnadzor registry. Go to the site, search by the name of the organization or its TIN, and look at the result.

Cases in which the organization is not registered as an operator of personal data:
* The operator has the right to carry out, without notifying the authorized body for the protection of the rights of personal data subjects, the processing of personal data that is:
1) processed in accordance with labor laws;
2) received by the operator in connection with the conclusion of a contract to which the subject of personal data is a party, if personal data is not distributed and is not provided to third parties without the consent of the subject of personal data and is used by the operator solely to execute the said contract and enter into contracts with the subject of personal data;
3) relating to members (participants) of a public association or religious organization and processed by the relevant public association or religious organization operating in accordance with the legislation of the Russian Federation to achieve the legitimate goals provided for by their constituent documents, provided that personal data will not be distributed or disclosed to third parties without written consent of the subjects of personal data;
4) made by the subject of personal data publicly available;
5) including only surnames, first names and patronymics of personal data subjects;
6) necessary for the purpose of a single pass of the subject of personal data to the territory in which the operator is located, or for other similar purposes;
7) included in information systems of personal data, having in accordance with federal laws the status of state automated information systems, as well as state information systems of personal data, created in order to protect the security of the state and public order;
8) processed without the use of automation in accordance with federal laws or other regulatory legal acts of the Russian Federation, which establish requirements for ensuring the security of personal data when processing them and for observing the rights of personal data subjects;
9) processed in cases stipulated by the legislation of the Russian Federation on transport security, in order to ensure sustainable and safe functioning of the transport complex, protect the interests of the individual, society and the state in the field of the transport complex from acts of unlawful interference.

If your relationship with the operator does not fall under the above exceptions, the operator should be in the registry of operators before processing your personal data. If it is not there, there are consequences for the operator of personal data.

Next, write a request and send it by registered mail to the legal entity against which you want to make a complaint:

Request text

To the operator of personal data, Horns and Hoofs LLC

from Pupkin
Passport: series xxxx, issued by the Office of the area xxxxxx, Moscow, xx, 1xxx

Address for correspondence:
Moscow, xxxx.

REQUEST

On the basis of clause 4, article 14 of the Federal Law of July 27, 2006 No. 152 “On Personal Data”, I request that, within the deadline set by Federal Law No. 152 “On Personal Data”, you provide me, as the subject and owner of personal data, with access to my personal data, which is in the temporary possession of “Horns and Hoofs” LLC, as well as the following information:

1) confirmation of the processing of personal data, as well as the purpose of such processing;
2) information about the operator of personal data;
3) personal data processing methods applied by the operator;
4) the implementation by the operator of the obligation to ensure the security of personal data;
5) the presence or absence of licensing for TZKI in the protection of personal data;
6) information on persons who have access to personal data or who may be granted such access;
7) a list of processed personal data and the source of their receipt;
8) the processing time of personal data, including the storage period;
9) information on what legal consequences for the subject of personal data may entail the processing of his personal data.

"_____" _______________ 2011

_______________________ / xxxxx /

The operator must respond to us within 30 days.

After receiving the answer, or after 30 days, if the answer does not satisfy you, go to the Roskomnadzor website and file a statement. Send a duplicate by registered letter to the territorial body of Roskomnadzor that covers your place of residence.

Statement to Roskomnadzor:

On xx xx 2011, I, the subject and owner of personal data, sent a written request to the operator “Horns and Hoofs” LLC, which has my personal data in its temporary possession, to provide access to my PD and to provide me with the information specified in Clause 4, Article 14 of the Federal Law of July 7, 2006 No. 152 “On Personal Data”. A copy of the request is attached.
On xx.02.2011 I received a response from the operator “Horns and Hoofs” LLC, number from .02.2011. A copy of the answer is attached.

This answer did not satisfy me for the following reasons:
1. I did not receive access to my personal data.
2. None of the information requested in the written application was provided to me.
3. I have not received any clarification on any question raised in my appeal.

(Describe what else was not answered)

The purpose of PD processing stated by the operator “Horns and Hoofs” LLC includes “the processing of personal data of individuals - customers of JSC “Horns and Hoofs” in the implementation of ____” (specify the purpose for which the data is processed).
From the terms of the contract to which the operator OJSC “Horns and Hoofs” refers in its response, it follows that it processes the data under contract xx.xxx.2011. Contract No. xxxx1 of xxx.xxx 2004 was fully executed.
It follows that there are no contractual relations with Horns and Hoofs LLC and none are expected to be concluded. The operator’s stated purpose of PD processing, “processing personal data of individuals - customers of Horns and Hoofs LLC when fulfilling the terms of the contract”, has either been achieved or does not correspond to the stated one.

I consider the actions of the operator Horns and Hoofs in processing my personal data to be inconsistent with the requirements of the Federal Law “On Personal Data” and to violate my rights and freedoms.
After studying the operator's response to my request, I consider further correspondence with the operator Horns and Hoofs LLC inexpedient.
Based on the foregoing,

I REQUEST:
1. Assistance in verifying that the activities of the PD operator Horns and Hoofs in processing my personal data comply with current legislation in the field of personal data.
2. Assistance in blocking and destroying my personal data that is in the temporary possession of the operator Horns and Hoofs LLC, on the basis that the goal of processing it has been achieved, as well as on the basis of other violations found during the audit.
3. That, in the event of the destruction of personal data, the operator Horns and Hoofs LLC be obliged to notify me, the subject of personal data, of the result in writing.

Please send an answer to the address: xxxxx

You can include any items on which you want additional answers, or on which you think the actions of the operator violate the law and your rights.

Following the request to Roskomnadzor, you should receive an answer about the check and its results.

Then, based on the results, decide whether to go further or whether the operator has corrected its mistakes.

Source: https://habr.com/ru/post/127593/