Experience with Roskomnadzor of personal data operators over the past year
The office in the headline has recently been increasingly featured in the news in the news, linked by some regular blacklists and ridiculous blocking, but in this article I would like to recall one of the equally important functions of Roskomnadzor - supervision of the implementation of legislation in the field of protection personal data.
It so happened that in 2013-2014 quite a few of our clients got into the plans of inspections of Roskomnadzor, but we were not particularly afraid of this, because our clients had passed checks earlier, there is very positive experience. We knew that new customers had everything put in order, too, and waited for the next check only to put a new tick in the “Successfully carried out checks of regulators” section of the portfolio. But this article would not have come into being if everything had met our optimistic expectations ...
At the beginning of last year I wrote an article in which I tried step by step to talk about the stages of preparation for such checks. And this algorithm worked well until mid-2013. What happened? Below, I will tell in more detail about some cases of the ILV tyranny during checks on personal data, but if briefly, the bast system has been introduced in the department regarding such checks. Inspectors will now look for any smallest violation, just to issue an order and make them pay at least a small but unpleasant penalty. It is possible that the sticks are considered only in our region, but communication with colleagues from other subjects of the Russian Federation suggests otherwise.
')
Before telling specific cases, I’ll ask you to remember a few facts when reading further:
In my old article I wrote that most of the regulations are made due to the discrepancy between the data provided in the operator’s notification and the present state of affairs, that is, if you indicated that you are processing the name, address and contact phone of the subject of personal data, but in fact If you process another gender and date of birth, you will receive a prescription. The first story is connected with this.
The first order from one of our clients was due to the fact that in the operator’s notification in the categories of personal data of employees it was not indicated that they process the numbers of powers of attorney issued to one or another employee for a particular purpose. How many did not try to appeal to common sense and explain that the power of attorney is an independent document and this person is the props of the power of attorney (to whom and for which the power of attorney was issued), and not the number of the power of attorney is the person's props - did not help. And this was facilitated by a very vague definition of the concept of “personal data” in 152-FZ (any information relating to a directly or indirectly determined or determinable individual). Our legislators in general are very fond of vague wording. For this, in this case, anti-corruption examinations of draft laws are held in the Ministry of Justice is not particularly clear.
Okay, with the numbers of the power of attorney taken into account the moment, they waited for the next check. And here we were again waiting for a surprise.
This time, the inspectors from Roskomnadzor, apparently, did not find inconsistencies in the categories of personal data, and they decided to make a feint with their ears - to find a discrepancy in the categories of subjects of personal data. Here, the situation is the same as with the categories of PDs themselves - if you indicated in the notification that you are processing personal data of employees and customers, but in fact you are processing additional PDn of some volunteers, then get a prescription. And in this case, it did not occur to the representatives of the RKN how to say that the current and dismissed employees of the organization are in fact different categories of personal data subjects (and we remember that the testers are the same people before they did not pay attention to this). Here also, any appeals to common sense did not help.
One of the clients got to the bottom of the public policy regarding personal data. This is a document that should be published in the public domain (if there is a website, then on it). Naturally, in this document we never write any specifics, how, what and from whom we protect. And why should we actually publish useful information for a potential violator on our portal? So, Roskomnadzorovtsy wanted us to describe in detail in the public document the measures taken to protect personal data. Why - it is not clear. In general, the anomalous craving for exhibitionism at Roskomnadzor has long been a concern. What is there is a register of state information systems in which we can find out the worker and MOBILE (for example, here ) number responsible for this system, his e-mail, as well as information about server and client OS used in the system, system application software, information about financing and more. Just a haven for social engineers, spammers, and other blacktails.
But back to the checks. The latter case was somewhat different from the rest. The client contacted us for help literally a week before the check. During the preliminary conversation and verification of the register of PD operators, it was found out that the organization had not given notice of the processing of personal data earlier. That is, there was no client in the registry of operators. Here you need to understand that even if we prepared a notice on the day of the appeal, 152-FZ provides Roskomnadzor with up to 30 days to register the operator in the register from the moment of notification, and practice shows that an entry in the registry appears 20-25 days from the date filing a notice (although, again, this applies directly to our region, somewhere the guys from the ILV may be more efficient). In general, it was decided to act from the position that 152-FZ provides for cases when notifications are not required to submit, this is, in particular, when PD processing is carried out during the implementation of labor relations and at the conclusion of a contract, one of the parties to which is PD. In principle, this could have worked if the RKN would not have had the goal of punishing the organization, since the client was a small commercial company that handles PD of employees under the Labor Code of the Russian Federation and concludes agreements with clients. The order issued following the results of the audit stated that the company had to file a notice, and since it did not file, it violated 152-FZ, ay-ay-ay! Moreover, there was no justification in the prescription itself, simply “there is no notification, but it does not fall under exceptions, therefore it violates ...”. In words, the inspectors said that it is difficult to find fault with contractual relations with clients, therefore they must give a notification, because (ATTENTION!) The organization transfers personal data of employees to third parties - to the FTS and the FIU! That's it! Here, of course, it immediately becomes unclear - why, then, in the Federal Law are all these exceptions, allowing not to give notice to the PD operator? Isn't it easier to write - “all legal entities must file a notice” and finish there?
To be honest, I’m even wondering what the representatives of the ILR will come up with and get to the bottom with the following checks, because the cane system is obvious. But sometimes there is a thought - and may specifically leave in a prominent place a clear defect? After all, the fines are still small, but when they see the violation in a conspicuous place, the checkers will most likely make it to the order, we will pay a small fine, eliminate the violation in a timely manner and we will live peacefully on, and the inspectors will not dig deeper. There is another option - to challenge the prescription of Roskomnadzor in court, this is how our last client decided to do. Unfortunately, I cannot share the denouement of this story, because the story itself has not yet ended. In any case, each will choose his own path himself, although it is possible that the cane system has not yet reached your region.
It so happened that in 2013-2014 quite a few of our clients got into the plans of inspections of Roskomnadzor, but we were not particularly afraid of this, because our clients had passed checks earlier, there is very positive experience. We knew that new customers had everything put in order, too, and waited for the next check only to put a new tick in the “Successfully carried out checks of regulators” section of the portfolio. But this article would not have come into being if everything had met our optimistic expectations ...
At the beginning of last year I wrote an article in which I tried step by step to talk about the stages of preparation for such checks. And this algorithm worked well until mid-2013. What happened? Below, I will tell in more detail about some cases of the ILV tyranny during checks on personal data, but if briefly, the bast system has been introduced in the department regarding such checks. Inspectors will now look for any smallest violation, just to issue an order and make them pay at least a small but unpleasant penalty. It is possible that the sticks are considered only in our region, but communication with colleagues from other subjects of the Russian Federation suggests otherwise.
')
Before telling specific cases, I’ll ask you to remember a few facts when reading further:
- the composition of the inspectors did not change, that is, in all the considered cases the inspectors were the same people;
- the set of measures and the quality of preparation for the inspection of all those who were checked before and from the second half of 2013 were at the same level;
- on each following check in the course of preparation the previous whims of the checking were taken into account.
In my old article I wrote that most of the regulations are made due to the discrepancy between the data provided in the operator’s notification and the present state of affairs, that is, if you indicated that you are processing the name, address and contact phone of the subject of personal data, but in fact If you process another gender and date of birth, you will receive a prescription. The first story is connected with this.
The first order from one of our clients was due to the fact that in the operator’s notification in the categories of personal data of employees it was not indicated that they process the numbers of powers of attorney issued to one or another employee for a particular purpose. How many did not try to appeal to common sense and explain that the power of attorney is an independent document and this person is the props of the power of attorney (to whom and for which the power of attorney was issued), and not the number of the power of attorney is the person's props - did not help. And this was facilitated by a very vague definition of the concept of “personal data” in 152-FZ (any information relating to a directly or indirectly determined or determinable individual). Our legislators in general are very fond of vague wording. For this, in this case, anti-corruption examinations of draft laws are held in the Ministry of Justice is not particularly clear.
Okay, with the numbers of the power of attorney taken into account the moment, they waited for the next check. And here we were again waiting for a surprise.
This time, the inspectors from Roskomnadzor, apparently, did not find inconsistencies in the categories of personal data, and they decided to make a feint with their ears - to find a discrepancy in the categories of subjects of personal data. Here, the situation is the same as with the categories of PDs themselves - if you indicated in the notification that you are processing personal data of employees and customers, but in fact you are processing additional PDn of some volunteers, then get a prescription. And in this case, it did not occur to the representatives of the RKN how to say that the current and dismissed employees of the organization are in fact different categories of personal data subjects (and we remember that the testers are the same people before they did not pay attention to this). Here also, any appeals to common sense did not help.
One of the clients got to the bottom of the public policy regarding personal data. This is a document that should be published in the public domain (if there is a website, then on it). Naturally, in this document we never write any specifics, how, what and from whom we protect. And why should we actually publish useful information for a potential violator on our portal? So, Roskomnadzorovtsy wanted us to describe in detail in the public document the measures taken to protect personal data. Why - it is not clear. In general, the anomalous craving for exhibitionism at Roskomnadzor has long been a concern. What is there is a register of state information systems in which we can find out the worker and MOBILE (for example, here ) number responsible for this system, his e-mail, as well as information about server and client OS used in the system, system application software, information about financing and more. Just a haven for social engineers, spammers, and other blacktails.
But back to the checks. The latter case was somewhat different from the rest. The client contacted us for help literally a week before the check. During the preliminary conversation and verification of the register of PD operators, it was found out that the organization had not given notice of the processing of personal data earlier. That is, there was no client in the registry of operators. Here you need to understand that even if we prepared a notice on the day of the appeal, 152-FZ provides Roskomnadzor with up to 30 days to register the operator in the register from the moment of notification, and practice shows that an entry in the registry appears 20-25 days from the date filing a notice (although, again, this applies directly to our region, somewhere the guys from the ILV may be more efficient). In general, it was decided to act from the position that 152-FZ provides for cases when notifications are not required to submit, this is, in particular, when PD processing is carried out during the implementation of labor relations and at the conclusion of a contract, one of the parties to which is PD. In principle, this could have worked if the RKN would not have had the goal of punishing the organization, since the client was a small commercial company that handles PD of employees under the Labor Code of the Russian Federation and concludes agreements with clients. The order issued following the results of the audit stated that the company had to file a notice, and since it did not file, it violated 152-FZ, ay-ay-ay! Moreover, there was no justification in the prescription itself, simply “there is no notification, but it does not fall under exceptions, therefore it violates ...”. In words, the inspectors said that it is difficult to find fault with contractual relations with clients, therefore they must give a notification, because (ATTENTION!) The organization transfers personal data of employees to third parties - to the FTS and the FIU! That's it! Here, of course, it immediately becomes unclear - why, then, in the Federal Law are all these exceptions, allowing not to give notice to the PD operator? Isn't it easier to write - “all legal entities must file a notice” and finish there?
What to do?
To be honest, I’m even wondering what the representatives of the ILR will come up with and get to the bottom with the following checks, because the cane system is obvious. But sometimes there is a thought - and may specifically leave in a prominent place a clear defect? After all, the fines are still small, but when they see the violation in a conspicuous place, the checkers will most likely make it to the order, we will pay a small fine, eliminate the violation in a timely manner and we will live peacefully on, and the inspectors will not dig deeper. There is another option - to challenge the prescription of Roskomnadzor in court, this is how our last client decided to do. Unfortunately, I cannot share the denouement of this story, because the story itself has not yet ended. In any case, each will choose his own path himself, although it is possible that the cane system has not yet reached your region.
Source: https://habr.com/ru/post/228063/
All Articles