On September 1, the law on the localization of personal data enters into force in Russia. It obliges foreign companies, including those operating e-mail services, social networks and search engines, to store the personal data of Russian users exclusively on servers located in Russia. Russian companies that store data on servers abroad are also required to comply with the law. Today I once again talked to the lawyers at Zartsin & Partners and decided to put two things in order: what to do with the Dental Cloud SaaS start-up in general, and how to structure contractual relations with clients in the SaaS paradigm. A post with examples, and, as it turned out, even the market leaders are not all in order!
Contractual relationship

Not so long ago Lyudmila Kharitonova and I already discussed this topic, so today we will touch on the question only briefly but to the point. Today there are two models of contractual design for a SaaS service:

License agreement, under which the User is granted a non-exclusive license for the product. In our opinion this approach is the most fair. A SaaS service is software to which remote access is provided and which the User operates independently to achieve the desired result. The Rightholder does not provide services to the User and does not actively interact with the User.
For example, in Dental Cloud we use exactly this model (the Offer Agreement), with one proviso: we provide access by login and password as a service, but the rights to the software are transferred under the license.
Service agreement: in many ways this construction rests on the literal translation of the term SaaS, software as a service. But with such a model the transfer of rights to the software, which under the Civil Code must be executed through a license agreement, remains outside the scope of the contract. The service agreement is used by one of the popular systems, MoySklad.
It is worth noting the obvious advantages of the licensing model:
- Payments under a license agreement are not subject to VAT (payments under a service agreement are subject to VAT at the standard rate of 18%);
- Liability can be limited by providing the software on an "as is" basis. Under a service agreement it is impossible to limit your liability, since the contractor must provide a service of proper quality.
Personal Information

On the question of whether to transfer or not, I am sure no comments are needed if you want to stay within the legal field and not let your users down. On PD in general: any SaaS service processes two categories of personal data:
- PD of the Users themselves (which they enter at Registration);
- PD that Users record and process through the SaaS service. The SaaS service does not work directly with this group of data, but it stores it, and therefore processes it within the meaning of the law (see the note at the end).
In order for the operation of a SaaS service to comply with personal data legislation, you need to:
- Obtain the User's consent to the processing of his PD. The consent must comply with Art. 9 of the Federal Law "On personal data";
- Draw up a Privacy Policy describing the procedure for protecting all personal and other data.
The Privacy Policy is a substantial document that must set out the purposes and principles of data processing and contain information about the implemented requirements for the protection of personal data. Today only a small fraction of Privacy Policies comply with the requirements of the law. As a rule, a Privacy Policy merely quotes the norms of the law and contains nothing specific to the service.
For example, the Privacy Policy of 1C-Bitrix contains a specific list of implemented protection measures (though in a rather limited form):
- RSA encryption is used in 1C-Bitrix products;
- Two-step authentication for account access is provided where necessary;
- Authorized sessions are protected;
- Methods of collecting, storing and processing data are constantly improved.
In addition, a number of internal measures for the protection of PD must be carried out:
- appoint a person responsible for organizing PD processing;
- develop internal documents on PD processing;
- carry out internal control and (or) audit of the compliance of personal data processing with the requirements of the legislation;
- familiarize the employees who directly process PD with the provisions of the legislation of the Russian Federation on personal data and with the SaaS service's internal documents.
From September 1, 2015 new PD processing requirements are introduced that will affect all Internet services. The new requirements establish that when collecting PD, the operator must ensure that the recording, systematization, accumulation, storage, updating and extraction of personal data of citizens of the Russian Federation are carried out using databases located on the territory of the Russian Federation. How this norm will be applied is not yet clear, since it admits several interpretations, but it is obvious that:
- at the point of collection, it is necessary to ask for the citizenship of the PD subject;
- storage of personal data of citizens of the Russian Federation must be provided on the territory of the Russian Federation.
What to do if your service lives on a partner provider's infrastructure? Additional agreements between the parties are needed; we have already considered this case.

Users

In fact, SaaS vendors are only partly responsible for how users work with their data, and are mostly concerned with the procedure for protecting PD. Each user must independently organize their work in accordance with the requirements of the legislation. My personal position on working with users in organizing such work is to help and to recommend our friends.
* Note
152-FZ establishes that the concept of processing includes any action (operation) or set of actions (operations) performed with personal data using automation tools or without them, including collection, recording, systematization, accumulation, storage, clarification (updating, changing), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion and destruction of personal data.