Roskomnadzor and its plans

The days after the May holidays brought a flood of new documents. For now they are mostly drafts, but still. Oddly, the residents of Habr, apparently accustomed to everything by now, paid no attention. In vain, by the way.

Over the past year, interest in personal data protection has dropped noticeably. On the one hand, most companies have apparently issued the required documents by now. On the other hand, despite high expectations, Roskomnadzor never launched mass inspections. Moreover, having failed to solve its shortage of specialists, it cut staff and employee salaries.

But back to the rulemaking. If last year we were frightened by increased fines, this year Roskomnadzor has decided to approach from another side, by publishing a draft Government Resolution "On approving the Regulation on state control and supervision of the compliance of personal data processing with the laws of the Russian Federation."

I think most readers know that Roskomnadzor has its so-called Administrative Regulations, approved by Order No. 312 of the Russian Ministry of Communications and Mass Media of 11/11/2011, under which, in particular, all inspections of personal data protection are supposed to be conducted. At first glance, the draft Government Resolution is very similar to those Regulations. Were it not for some small differences.

Warning! This publication contains elements of horror and mysticism and is not recommended for reading at night!

First, let's look at whom Roskomnadzor may supervise:

2. State control and supervision includes the activities of the Federal Service for Supervision in the Sphere of Telecommunications, Information Technologies and Mass Communications and its territorial bodies aimed at preventing, detecting and suppressing, within its competence, violations by state bodies, local governments, legal entities and individuals of the requirements established by the legislation of the Russian Federation, by organizing and conducting inspections of the audited entities, taking measures provided for by the legislation of the Russian Federation to suppress and (or) eliminate the consequences of violations, carrying out systematic observation measures over the execution of the legislation of the Russian Federation, as well as analyzing and assessing the state of compliance with the legislation of the Russian Federation by the audited entities in carrying out personal data processing activities, on the basis of the documents and local acts submitted by them.

Moreover, the inspectors have nothing against those same individuals providing them with the premises they need for their work.

47. An on-site inspection (both scheduled and unscheduled) is carried out at the location of the state body, local government body, legal entity or individual and (or) at the place where it actually carries out personal data processing activities. If an individual is unable to provide premises for an on-site inspection, the inspection is carried out at the location of the Federal Service for Supervision in the Sphere of Communications, Information Technologies and Mass Communications or its territorial body.

By the way, the very possibility of inspecting individuals is not new: Federal Law No. 152-FZ already extends its requirements to them. Nevertheless, individuals by and large have not fulfilled the requirements for protecting their data, and not only personal data, and are not going to.

But let's return to the beginning of the document, where almost immediately we see that, in addition to the scheduled and unscheduled inspections carried out previously, "observation" has been added. What is it? A thoroughly mysterious thing:

3. Activities for the implementation of state control and supervision are divided into scheduled and unscheduled and are carried out through scheduled and unscheduled inspections, as well as systematic observation measures.

72. ... The subject of systematic observation measures in the field of personal data is determined by the Federal Service for Supervision in the Sphere of Communications, Information Technologies and Mass Communications.

Based on the results of the observation, "a request to eliminate the identified violation may be sent, to be fulfilled within a period not exceeding ten calendar days, followed by informing the Federal Service for Supervision in the Sphere of Communications, Information Technologies and Mass Communications or its territorial body about the execution of the requirement".

Unlike the fairly logical inspection procedure, where the inspected party knows about the inspection and is mentally prepared for remarks, here the order can land like a bolt from the blue, and it must be fulfilled within 10 days. Whether fulfilment is even feasible (the same shortage of specialists in the field) is not taken into account. If the order is not complied with:

76. ... Information ... is sent to the Prosecutor General's Office of the Russian Federation or the prosecutor's office of the constituent entity of the Russian Federation at the location of the state body, local government body, legal entity or individual to consider the issue of taking prosecutorial response measures.

77. ... an unscheduled inspection is carried out in the manner established by these Regulations.

Immediately after the section on systematic observation measures, the draft resolution contains an even more fantastic section:

Analysis and assessment of the state of compliance with the requirements of the legislation of the Russian Federation

78. Analysis and assessment of the state of compliance with the requirements of the legislation of the Russian Federation ... is carried out ... on the basis of documents, local acts and other information confirming compliance with the requirements of the legislation of the Russian Federation, submitted on its own initiative by the state body, local government body, legal entity or individual.

Can you imagine everyone, down to individuals, proactively submitting evidence of their compliance with the law? And if you add Roskomnadzor's staffing hunger on top of that...

81. Based on the results of the analysis and assessment of the state of compliance with the requirements of the legislation of the Russian Federation ... a letter with summary information is sent to the state body, local self-government body, legal entity or individual, with a conclusion on the compliance of the ... personal data processing activity with the legislation of the Russian Federation in the field of personal data, or, if there are facts of inconsistency of the submitted documents, local acts and information with the legislation of the Russian Federation in the field of personal data, with a requirement to eliminate the violations found.

82. The requirement to eliminate the violations found shall be enforceable within a period not exceeding ten calendar days ...

83. In the event of non-execution ... a protocol is drawn up on an administrative offense in accordance with the procedure established by the Code of Administrative Offenses of the Russian Federation.

Perhaps the goal was a good one. Indeed, the number of specialists, especially in small companies, capable of independently developing the full set of personal data protection documents is not that great, and Roskomnadzor could have taken on the role of assistant and consultant in this difficult and important matter. But in the current version, instead of consultation you can only get an order; I can hardly imagine anyone willing to embark on such an adventure.

Let's return to the beginning of the document and look at the stated goals of Roskomnadzor's activities:

5. Scheduled and unscheduled systematic observation measures are carried out in order to prevent, detect, forecast and suppress violations of the legislation of the Russian Federation, without interaction with the state bodies, local governments, legal entities and individuals engaged in the processing of personal data, or their authorized representatives.

Nothing further about forecasting appears in the text of the draft, so we can only guess how, by whom and in whose interests forecasting will be done, and how it will affect the outcomes of those same inspections or systematic observation.

A little horror was promised at the beginning of the article. And the draft delivers:

8. Conducting unscheduled inspections on the grounds stipulated by clause 7 of these Regulations, with the exception of clause 7.2, does not require coordination with the prosecution authorities.

Clause 7.2 covers unscheduled inspections based on the results of citizens' appeals.

At the moment, the current Administrative Regulations read as follows:

55. Unscheduled on-site inspections by the Service or its territorial bodies of Operators that are small or medium-sized businesses are coordinated, in accordance with the legislation of the Russian Federation, with the prosecutors (deputy prosecutors) of the constituent entities of the Russian Federation at the place of the Operators' activities, on the grounds provided for by subparagraphs 38.2.1 and 38.2.2 of these Regulations.

58. The decision of authorized officials of the prosecution authorities to approve an unscheduled field inspection or to refuse to approve its conduct may be appealed to a higher prosecutor or to a court.

84. After completing an unscheduled on-site inspection that was previously agreed with the prosecution authorities, the Service or its territorial body sends a copy of the inspection report to the prosecution authority that approved the inspection within five working days from the date of its preparation.

That is, at the moment all of Roskomnadzor's activities are supposed to take place under the supervision of the prosecutor's office, which greatly reduces the likelihood of inappropriate actions (though of course does not rule them out). What will happen once this activity is taken out from under that supervision?

9. Officials of the Federal Service for Supervision in the Sphere of Communications, Information Technologies and Mass Communications or its territorial bodies in exercising state control and supervision over the compliance of personal data processing with the requirements of the legislation of the Russian Federation have the right to:

9.3. issue binding orders to eliminate violations;
9.7. within its competence, check and assess the adequacy of the measures taken by the state body, local self-government body, legal entity or individual to ensure the fulfilment of the duties provided for by the Federal Law "On Personal Data";
9.8. issue binding requirements to suspend or terminate personal data processing carried out in violation of the requirements of the Federal Law "On Personal Data".

63. If, during or as a result of an inspection, the processing of false or illegally obtained personal data is revealed, an official of the Federal Service for Supervision in the Sphere of Communications, Information Technologies and Mass Communications or its territorial body has the right to demand that the state body, local government body, legal entity or individual take measures to block or destroy the specified personal data.

69. If failure to comply with an order violates the rights and legitimate interests of the personal data subject(s), the state body, local government body, legal entity or individual is sent a requirement to suspend personal data processing activities until the violation previously identified during the inspection and specified in the order is rectified.

Or in the version of the current Regulations:

6. The officials of the Service or its territorial body, when conducting inspections, are entitled, within their competence, to:
6.1. Issue binding orders to eliminate identified violations in the field of personal data.
6.2. Draw up protocols on administrative offenses, or send materials to the prosecution authorities and other law enforcement agencies to decide whether to initiate administrative offense cases, as well as criminal cases on the grounds of crimes related to the violation of the rights of personal data subjects, in accordance with jurisdiction.
6.3. File claims with the court in defense of the rights of personal data subjects.
6.6. Obtain access to personal data information systems in the mode of viewing and retrieving the necessary information.
6.7. Send an application to the Operator's licensing authority to consider measures to suspend or revoke the relevant license, in accordance with the procedure established by the legislation of the Russian Federation, if the license for such activities prohibits the transfer of personal data to third parties without the written consent of the personal data subject.
6.8. Take measures to suspend or terminate the processing of personal data carried out in violation of the requirements of the legislation of the Russian Federation in the field of personal data.

The current Administrative Regulations clearly define the grounds for a scheduled or unscheduled inspection:

33. The basis for including a scheduled inspection in the Plan is the commencement by the Operator of personal data processing activities, as well as the expiration of three years from the day of:
33.1. State registration of the Operator as a legal entity or individual entrepreneur.
33.2. The end of the last scheduled inspection of the Operator.
34. The Operator shall be notified of a scheduled inspection no later than three working days before its commencement by sending a copy of the order of the head or deputy head of the Service or its territorial body by registered mail with acknowledgment of receipt or by other available means.

38. Unscheduled inspections are conducted on the following grounds:
38.1. Expiration of the deadline for the Operator to fulfil a previously issued order to eliminate a revealed violation of the established requirements of the legislation of the Russian Federation in the field of personal data.
38.2. Appeals and applications received by the Service or its territorial bodies from citizens, legal entities and individual entrepreneurs, and information from public authorities, local governments and the media, concerning, among other things, the following facts:
38.2.1. The emergence of a threat of harm to the life and health of citizens.
38.2.2. Harm caused to the life and health of citizens.
38.3. An order of the Head of the Service or the head of a territorial body of the Service, issued in accordance with instructions of the President of the Russian Federation or the Government of the Russian Federation.
38.4. Violation of the rights and legitimate interests of citizens by the actions (inaction) of Operators in the processing of their personal data.
38.5. Violation by Operators of the requirements of the legislation of the Russian Federation in the field of personal data, as well as inconsistency between the information contained in the notification of personal data processing and the Operator's actual activities.
40. The Operator is notified of an unscheduled on-site inspection no later than twenty-four hours before the start of the inspection by the Service or its territorial body in any available way.

41. If, as a result of the Operator's activities, harm to the life and health of citizens has been or is being caused, prior notice to the Operator of the commencement of an unscheduled on-site inspection is not required.

The draft resolution expands this list. A few items from the draft:

13. The plan of scheduled inspections is formed, among other things, on the basis of the following criteria:
13.1. a three-year period since the end of the last scheduled inspection;
13.2. information from public authorities, local authorities and the media about facts showing signs of a violation of the legislation of the Russian Federation committed in the processing of personal data, as well as facts identified through systematic observation.

Commission an article in the local media based on "juicy" facts?

13.3. processing of the personal data of a significant number of personal data subjects, as well as the processing of biometric and special categories of personal data.

In the current economy, even very small firms (travel agencies, outsourcing companies, etc.) can process large amounts of data.

13.4. failure to provide information, including information of a notification nature, the provision of which is required by the Federal Law "On Personal Data".
14. Scheduled inspections of a state body, local self-government body or legal entity are carried out no more than once every two years, and of an individual no more than once every three years.

7. Unscheduled inspections are carried out ...:
7.1. upon expiration of the deadline for the execution of ... orders issued by ... to eliminate a revealed violation;
7.2. based on the results of consideration of citizens' appeals ... provided that:
7.2.1. materials confirming the fact of violation of their rights are available ...
Appeals and statements that do not allow the identification of the person who applied to the Federal Service for Supervision in the Sphere of Telecommunications, Information Technologies and Mass Communications or its territorial bodies, as well as appeals and statements that do not contain information about the facts specified in paragraph 7.2 of these Regulations, cannot serve as a basis for a decision to conduct an unscheduled inspection.
7.3. upon receipt of ... information from state authorities, local authorities and the mass media on confirmed facts of violation of the legislation of the Russian Federation committed in the processing of personal data;
7.4. in accordance with instructions of the President of the Russian Federation or the Government of the Russian Federation;
7.5. in case of a violation by a state body, local self-government body, legal entity or individual of the requirements of the legislation of the Russian Federation in the field of personal data, identified through systematic observation measures in the field of personal data;
7.6. on the basis of a confirmed inconsistency between the information contained in the notification of personal data processing and the actual activities of the state body, local government body, legal entity or individual;
7.7. in case of non-fulfilment of a requirement ... to eliminate a revealed violation of the requirements in the field of personal data;
7.8. on the basis of a submission (requirement) of the prosecution authority for an unscheduled inspection.

Not expecting problems?

20. A state body, local government body, legal entity or individual shall be notified of an unscheduled on-site inspection no later than twenty-four hours before its start, in any available way.

Other opinions on this draft can be found here, here and here.

I remind you that the draft has been published but has not yet been approved in its final version. We wait.

