
Data transfer to Russia. A short FAQ on misconceptions

The phrase "how many times they have told the world" is probably the ideal description of the situation with personal data protection and data transfer to Russia. In the years since the problems in this area were first discussed, everything seems to have been said already. And lawyers, of all people, should be able to read the laws.

Alas. A visit to yet another conference dispelled this myth for me, so I offer Habr users answers to the typical questions in the field of data transfer.

How to transfer responsibility for the processing of personal data?

For some reason, people forget that the Federal Law of 21.07.2014 No. 242-FZ is not a self-contained law. It only amends other federal laws, 149-FZ and 152-FZ among them (both are quoted below).

Therefore, when talking about personal data protection, you need to work with the provisions of 152-FZ. According to 152-FZ:

2) operator: a state body, municipal body, legal entity or individual that, independently or jointly with other persons, organizes and (or) carries out the processing of personal data and determines the purposes of processing, the composition of the personal data to be processed, and the actions (operations) performed with personal data;
5. If the operator entrusts the processing of personal data to another person, the operator is liable to the personal data subject for the actions of that person. The person processing personal data on behalf of the operator is liable to the operator.

Thus, responsibility to the subject in any case remains with the operator, the company that obtained the personal data subject's consent to processing. In general, even moving some of the employees to a separate legal entity will not help, since the data will still be processed inside the company anyway: business interactions with those employees will continue.

... Roskomnadzor ... secure channel / encryption

Many questions concern protection measures. That is natural. But for some reason Roskomnadzor is treated as the only authority that matters. Again, under 152-FZ there are three regulators, each with its own area of responsibility.

4. The composition and content of the organizational and technical measures for ensuring the security of personal data during their processing in personal data information systems, which are needed to fulfil the requirements for personal data protection for each security level established by the Government of the Russian Federation in accordance with part 3 of this article, are set by the federal executive body authorized in the field of security and the federal executive body authorized in the field of countering technical intelligence and technical protection of information, within the limits of their authority.

These are FSTEC of Russia and the FSB of Russia, the latter being responsible for encryption (cryptographic protection of information).

How do we satisfy the requirement to move the servers?

In its current edition, 149-FZ reads as follows:

7) the presence on the territory of the Russian Federation of databases of information used to carry out the collection, recording, systematization, accumulation, storage, refinement (updating, modification) and extraction of personal data of citizens of the Russian Federation.

And, correspondingly, 152-FZ:

5. When collecting personal data, including via the Internet, the operator is obliged to ensure that the recording, systematization, accumulation, storage, refinement (updating, modification) and extraction of personal data of citizens of the Russian Federation are carried out using databases located on the territory of the Russian Federation, except in the cases specified in clauses 2, 3, 4 and 8 of part 1 of Article 6 of this Federal Law.

The key point is that the wording uses the phrase "using". There are many possible interpretations. In principle, even a parallel server abroad would fall under it. But the wording is usually interpreted to mean that:

  1. Data collection and storage must take place on the territory of the Russian Federation, but processing can happen anywhere
  2. Copies of the data may also be stored abroad, and those copies may be accessed during processing

Here and further, the illustrations are taken from the conference materials.

Careful reading helps minimize the risk of violating the law

2) operator: a state body, municipal body, legal entity or individual that, independently or jointly with other persons, organizes and (or) carries out the processing of personal data and determines the purposes of processing, the composition of the personal data to be processed, and the actions (operations) performed with personal data;
3. The operator has the right to entrust the processing of personal data to another person, with the consent of the personal data subject unless otherwise provided by federal law, on the basis of a contract concluded with that person, including a state or municipal contract, or by the adoption by a state or municipal body of a corresponding act (hereinafter, the operator's instruction). A person processing personal data on the operator's instruction must comply with the principles and rules for the processing of personal data provided for by this Federal Law. The operator's instruction must define the list of actions (operations) with personal data to be performed by the person processing the personal data and the purposes of processing, must establish that person's obligation to maintain the confidentiality of the personal data and to ensure their security during processing, and must specify the requirements for the protection of the personal data being processed in accordance with Article 19 of this Federal Law.
4. A person processing personal data on the operator's instruction is not required to obtain the consent of the personal data subject to the processing of their personal data.

Responsibility to the subject will in any case remain with the operator, but the protection measures (together with responsibility to the operator for implementing them) can be transferred to a third party. The corresponding contract must set out the purposes of processing, the requirements for protecting the data, and so on.



A separate question is whether the company that receives the data for processing, along with the responsibility for protecting it, must itself notify Roskomnadzor. In theory, such a company could be a specialized provider that offers compliance with the law's requirements as a service. But in general it cannot know in advance what the next client will require of it, and notifying Roskomnadzor before starting processing for every contract ... The most interesting option in 152-FZ states that

2. The operator has the right to process personal data without notifying the authorized body for the protection of the rights of personal data subjects [in the case of personal data]:
2) received by the operator in connection with the conclusion of a contract to which the personal data subject is a party, provided that the personal data is not distributed or provided to third parties without the subject's consent and is used by the operator solely to perform that contract and to conclude contracts with the personal data subject;

This option is available only with a tripartite agreement, one party to which is the personal data subject.

Source: https://habr.com/ru/post/271023/

