
152-FZ. Data Centers, Databases and Notifications

According to the changes made to Federal Law 152-FZ by Federal Law dated July 21, 2014 N 242-FZ, the notification sent to Roskomnadzor must contain:

10.1) information about the location of the database of information containing personal data of citizens of the Russian Federation;

Until recently, this requirement was not duplicated either in the Administrative Regulations of Roskomnadzor or in the forms of the relevant Notifications (there are two, for submission in paper and in electronic form, and oddly enough they are different). But since the law is the law (the changes to 152-FZ requiring the location of the database with personal data (PD) to be indicated entered into force this summer), it is logical that Roskomnadzor demanded that operators specify this data in the notification. Naturally, this caused difficulties for operators, since no one could say what should be indicated and where.

But everything changes, and the Ministry of Communications issued the Order of August 28, 2015 N 315 (available as a PDF and in text form).

According to the Order, changes are made to the Administrative Regulations - paragraphs 46 (data entered in the register) and 54 (data specified in the Notification) are supplemented with the following:
Information about the location of the database of information containing personal data of citizens of the Russian Federation.

The form of the Notification changes accordingly (it is given in the annex to the Order). And here the interesting part begins.

Recall that according to the current version of 152-FZ:

3. The notification provided for in part 1 of this article shall be sent in the form of a document on paper or in the form of an electronic document and signed by an authorized person. The notice must contain the following information:
1) name (last name, first name, middle name), address of the operator;
2) the purpose of personal data processing;
3) categories of personal data;
4) categories of subjects whose personal data are processed;
5) the legal basis for the processing of personal data;
6) a list of actions with personal data, a general description of the personal data processing methods used by the operator;
7) a description of the measures provided for by Articles 18.1 and 19 of this Federal Law, including information on the availability of encryption (cryptographic) tools and the names of these tools;
7.1) the last name, first name and patronymic of the individual or the name of the legal entity responsible for organizing the processing of personal data, and their contact numbers, postal addresses and e-mail addresses;
8) the date of commencement of the processing of personal data;
9) the term or condition for the termination of the processing of personal data;
10) information on the presence or absence of a cross-border transfer of personal data in the course of their processing;
10.1) information about the location of the database of information containing personal data of citizens of the Russian Federation;

That is, the Notice:

  1. can be sent either in paper or in electronic form;
  2. the law does not make a difference in the composition of the information provided between the two options.

If we look at the paper Notification form, a paragraph has been added in which you need to specify the country, the address of the database location, and the name of the information system (database).

By the way, if you look at the text of 152-FZ, a personal data information system is:

a set of personal data contained in databases and information technologies and technical means ensuring their processing;

Not to mention that personal data can exist outside of databases, and that there can be many databases (which is logical), yet the notification form asks you to specify only one. Why is that? A mystery.

But let's move on to the electronic form of Notifications.

After the section on cross-border data transfer, there is a section describing database information. But that is only the title: the body of the section requires the address of the data center! The question arises immediately: has everyone moved to the cloud? What should be written if no data center is used?

Fill out the form

Despite the offer to choose from a directory, there is no directory. Data is entered manually.

If you do not explicitly indicate that your own data center is being used, you will be asked to specify data on the data center owner.

Naturally, the Administrative Regulations require nothing of the kind:

46. The following information is entered in the Register:
46.1. Registration number.
46.2. Name (last name, first name, middle name), address of the Operator.
46.3. Addresses of branches (representative offices) of the Operator (if available).
46.4. Date of notification.
46.5. The purpose of processing personal data.
46.6. Categories of personal data.
46.7. Categories of subjects whose personal data are processed.
46.8. Legal basis for the processing of personal data.
46.9. The list of actions with personal data, a general description of the personal data processing methods used by the Operator.
46.10. Description of measures provided for by Articles 18.1 and 19 of the Federal Law, including information on the availability of encryption (cryptographic) tools and the names of these tools.
46.11. Surname, name, patronymic of an individual or the name of a legal entity responsible for organizing the processing of personal data, and their contact phone numbers, postal addresses and email addresses.
46.12. Information on the presence or absence of a cross-border transfer of personal data in the course of their processing.
46.12.1. Information about the location of the database of information containing personal data of citizens of the Russian Federation
46.13. Information about ensuring the security of personal data in accordance with the requirements for the protection of personal data established by the Government of the Russian Federation.
46.14. Start date of processing personal data.
46.15. Term or condition of stopping the processing of personal data.

Another difference between the electronic form and the paper one is the possibility (necessity?) of indicating all the databases (data centers, in the wording of the electronic Notification) that exist in the organization. There is no such requirement either in the aforementioned Order (and the notification form it approves) or in the law.

Compared with the general information required in the paper form, here you need to specify much more information, and for each database; according to the form, one database corresponds to one information system (IS).

Is it required to send a notification in connection with the entry into force of these changes? According to the law:

7. In the event of changes in information (previously submitted to Roskomnadzor) ... as well as in case of termination of the processing of personal data, the operator is obliged to notify the authorized body for the protection of the rights of personal data subjects, within ten working days from the date of such changes or from the date of termination of the processing of personal data.

That is, the Law clearly states that it is not necessary to notify. Under the law, data must be submitted on the new form only by operators who send their first notification after December 1, 2015 (the effective date of the changes in the Notification) or, in the extreme case, by those who send notifications after the effective date of the changes in the law.

But that is the formal position. In practice, as usual, everything will be decided by the position of the local offices, and there are already precedents.

A. P. Zhdanov, Head of the Department for the Protection of the Rights of Subjects of Personal Data and Supervision in the Field of Information Technologies of the Office of Roskomnadzor for the Altai Territory and the Altai Republic, said directly and clearly that they (the Office, and the department in particular) believe that Part 7 of Art. 22 of 152-FZ applies to the addition of new items to Part 3 of Article 22 in general and to the location of the database in particular. I.e., during inspections they will consider it a violation not to submit an Amendment Information Letter ...

And the last point: the databases themselves. There is no definition of what a database is. But there is a position of Roskomnadzor

(more info here). That is, any ordered list of data, even in a text file, will fall under the concept of a database. Accordingly, when filling out an electronic notification, you must specify all the locations of all ordered arrays of information, for all offices, data centers and subcontractors. Fortunately, it is not required to specify the addresses of personal (BYOD!) and home computers.

Let's sum up:

  1. Paper and electronic notifications are significantly different.
  2. According to 152-FZ, personal data can only be in a database.
  3. There is no definition of what a database is, but most likely it will be interpreted as any somehow ordered information stored electronically.
  4. Storage locations need to be indicated only for databases on citizens of the Russian Federation. In principle, it is clear where this requirement came from: it was born on the wave of demands to move personal data processing sites to Russia. But once written into the law, it began to look strange. Are we not interested in protecting the data of citizens and nationals of other countries? This, by the way, is also where the databases came from: the struggle was over moving out of foreign data centers. But again, once written into the law, it became a source of oddities.
  5. It is not defined what a location is. With what accuracy should it be specified under the law: down to the country or down to the building? Personally, I don't understand why the state should know all the locations of all personal data (yes, according to the letter of the law, down to the last mobile phone at any given time, if it contains stored information).

Source: https://habr.com/ru/post/273657/
