
The Law on Personal Data: everything you wanted to know but were afraid to ask

In September 2015 the Federal Law "On Personal Data" changed dramatically. Let us go through the changes carefully and work out how all of this will play out in the realities of the Runet. Our lawyers discussed personal data many times before the amendments came into force; now the hour has come, and everything that used to exist only on paper has been put into operation. Alas, we have not managed to get a report onto the country's main TV channels, so all we can do is write about it here. So let's get started.



Of course, we have to start with the main point: when collecting personal data (abbreviated PD; nobody knows why it is abbreviated that way, but we will work with what we have), online or offline, the operator is now obliged to ensure that the recording, systematization, accumulation, storage and updating of the personal data of citizens of the Russian Federation is carried out using databases located on the territory of the Russian Federation. This requirement has already caused a lot of noise on the web, and everyone has discussed many times over that servers holding databases of citizens' personal data must be located on the territory of Mother Russia. This gave rise to many questions and misreadings, and, of course, to canards as well. Citizens asked themselves: "Where are we going to get so many quality servers? Won't the lack of competition make the already 'meh' situation with domestic servers even worse?" Fair enough. But that is not what we are talking about now.
Who counts as an operator? As before, it is a legal entity or natural person that organizes or carries out the processing of personal data. And what exactly is hidden behind "PD"? Any information relating directly or indirectly to an identified or identifiable individual can be considered personal data, that is, not only full name and passport number, but also that person's phone number and e-mail address.
This whole business with localizing the storage of citizens' data in Russia is a legislative novelty, so the law is somewhat contradictory. Its provisions can be interpreted too broadly and ambiguously, and, most importantly, it is not clear how the new rules are supposed to work in practice.
The main stumbling block looks mysterious: "personal data databases must not be stored abroad", yet the law also provides for the transfer of personal data to other countries (those that can ensure adequate protection of the rights of PD subjects), the so-called cross-border data transfer. It also appears that the requirement applies only to Russian companies and not to foreign jurisdictions; that is, the requirement to store personal data in Russia should not extend to organizations registered abroad that collect the personal data of citizens of the Russian Federation. The Ministry of Communications came to the rescue and explained that on the Internet it is impossible to draw clear geographical boundaries, which means a set of criteria is needed by which a particular resource can be classified as "used on the territory of the Russian Federation".
Of course, one cannot rule out that the law, with its broad interpretations and criteria, will be applied selectively, and that the Federal Law "On Personal Data" will be aimed at foreign Internet resources whose activities are directed, among other places, at Russia (online shops, marketplaces, platforms, etc.), which can then be blocked on the territory of the Russian Federation for failing to comply with the Russian personal data law. It was around this issue that the main flame war, noise and din in social networks arose. People are terribly afraid of losing their friends on FB and their Twitter followers. One can understand them, but again we are being distracted from the main thing.

The Ministry of Communications and Mass Media has shared with the world the criteria for a resource that is obliged to store all our personal data in the Russian Federation, and we pass them on to you, dear readers.
Roskomnadzor will rely on two main criteria:
  1. Use of a domain name associated with the Russian Federation or a subject of the Russian Federation (.ru, .рф, .su, etc.).
  2. The presence of a Russian-language version of the website, and in addition the possibility of paying in rubles, the possibility of performing in Russia a contract concluded on that site, or the use of advertising in Russian.

By the way, it is likely that the regulators will turn their watchful eye especially on domestic companies working with foreign services.

Let's move on. From the text of Article 18 of the Federal Law "On Personal Data" it follows that:
When collecting personal data, the operator is obliged to ensure the storage of the personal data of citizens of the Russian Federation using databases located on the territory of the Russian Federation.

This means that personal data obtained as a result of organized collection, and not as a result of incidental access, is subject to storage in the Russian Federation. Accordingly, one organization receiving the contact details of, say, another organization's couriers in the course of ordinary work is not a collection of personal data. But if you received a business card at a personal meeting with an employee of some company, entered that data into your CRM and then added the person to your mailing list, then, sorry, that can already be considered PD processing. However, the law gives no precise wording here and there is no court practice yet, so one can argue the point at length and tediously without ever reaching a definite answer. So, together with you, we will wait for clarifications from above.

It is not possible to consider the articles of the Federal Law "On Personal Data" in isolation. A simple example: if the requirement to localize individual PD processing operations from Article 18 is read together with Article 12 on cross-border data transfer, while also taking into account the definition from Article 3 ("transfer of personal data to the territory of a foreign state to a foreign state authority, a foreign natural person or a foreign legal entity"), then in sum we get the following: the PD of a citizen, initially entered into a database on the territory of the Russian Federation and updated there (the "primary database"), can then be transferred to databases located abroad (the "secondary databases") and to their administrators. All of this, of course, must be done in compliance with the provisions on cross-border data transfer.



The next thing worth mentioning is the "Register of violators of the rights of personal data subjects" (the picture above shows the name of the Roskomnadzor portal), into which data on resources that process personal data in violation of the law will be entered. For now, entry into the register is possible only by a court decision, on the basis of an application filed either by a PD subject or by Roskomnadzor. Restricting access to the operator's site was chosen as the enforcement measure, and to implement that measure there has to be a regulated procedure. Roskomnadzor did not keep us waiting and has already approved such a procedure under the "registry - hosting provider" scheme.
We pass it on as it is:
  1. Sending the hosting provider a notice of a violation of the legislation of the Russian Federation in the field of personal data.
  2. The hosting provider submitting to the registry operator a request to exclude from the registry the information about the domain name, the website page pointers and the network address that identify the site containing information processed in violation of the rights of personal data subjects.
  3. The registry operator sending the hosting provider a notification about the exclusion from the registry of the domain name or website page pointer, as well as the network address.
  4. The registry operator receiving from the hosting provider the information necessary for organizing interaction within the framework of the registry.

In turn, the provider will be able to obtain the following information from the registry: the domain name, the network address, the page of the site where the information is processed in violation of the law, and the case number and date of the judicial act on the basis of which the information resource was entered into the registry.

That is all from us.

Keep your money in the savings bank and your data on the territory of the Russian Federation, and do not forget to ask users for consent every time you collect and process their personal data. Otherwise Roskomnadzor will find you, even if you personally are in Bali.

Source: https://habr.com/ru/post/296146/
