We have already started talking about personal data, its collection and processing. This topic is inexhaustible, so we will continue. Last time we went through the changes in the law, but overlooked the most important thing: you have not read the law yourselves! And judging by the feedback, the material needs a more detailed treatment.
So we re-read the law and all of its amendments several times and distilled them into this summary: clearly, point by point, setting out its basic norms and requirements.

Basics of the basics
“The processing of personal data must be carried out on a lawful and fair basis,” reads FZ-152 “On Personal Data”. The remaining principles build on these two concepts and reflect the essence of personal data processing as a process. Here is what you need to remember:
1. Personal data processing must be limited to the purposes for which the data was collected. This means that the personal data subject (buyer, customer, employee, etc.) must be informed of the purposes of processing; therefore, the purposes must be stated in the written consent form for personal data processing.
2. Databases containing personal data processed for incompatible purposes must not be merged. This one is straightforward: a database with, say, payroll and tax information about the company's employees must not be merged with the database of the company's clients' personal data.
3. The volume of personal data processed must not be excessive in relation to the purposes of processing. So an online store selling socks may process customer data that includes preferences and marketing activity, but customer data indicating, say, medical conditions would clearly be excessive (and health data is a special category of personal data with its own, stricter rules).
4. When processing personal data, its accuracy, sufficiency and, where necessary, currency must be ensured in relation to the purposes of processing. This is needed above all so that any legally significant action relying on the data, such as a purchase of goods, can be carried out properly and on time.
5. Personal data must not be stored longer than the purposes of processing require. Processed personal data must be destroyed or depersonalized once the purposes of processing are achieved or the need to achieve them no longer exists. So if an online store closes, its customers' personal data cannot simply be left to “whoever comes next”; at a minimum it must be depersonalized.
Stages of work with personal data
1. Collection. When collecting personal data from site visitors, we recommend always indicating:
- operator name;
- the purpose of the processing of personal data and its legal basis;
- intended users of personal data;
- statutory rights of the subject of personal data;
- source of personal data.
In addition, at the request of a citizen, the personal data operator must provide:
- confirmation that the operator is processing the subject's personal data;
- the name and location of the operator, and information on persons who have access to the personal data or to whom it may be disclosed under an agreement with the operator or under federal law;
- the periods of personal data processing, including storage periods;
- information on completed or intended cross-border data transfers.
2. Storage. Recording, systematization, accumulation, storage and updating of Russian citizens' personal data must be carried out using databases located on the territory of the Russian Federation; everyone knows this by now. Personal data may be stored in any form, including on paper.
Personal data may also be processed abroad, provided the database in the Russian Federation remains the primary one and contains at least as much personal data as any copy held abroad.
3. Use. Remember: any actions performed with the collected personal data must be strictly in line with the purposes for which it was provided.
That is, if the data was collected during a sock purchase in online store "A", it may be used only for the sales of store "A", the store to which the data was given. Using the same data to sell apartments on another resource will already count as unlawful use of personal data.
4. Blocking. If a data subject (or their representative, or the supervisory authority) finds out that their data is being used improperly and complains to you, you are obliged to block that subject's personal data and check whether its use is lawful. If a contractor processes the data on your behalf, you must ensure that the contractor blocks and verifies the applicant's data.
The same applies when the subject reports inaccuracies in their data.
Blocking must be applied from the moment the complaint or request is received and for the duration of the check, provided that blocking the personal data does not violate the rights and legitimate interests of the data subject or third parties.
5. Destruction. You must destroy the data, or ensure that its use ceases, when the subject withdraws consent, and also when retaining the personal data is no longer needed for the purposes of processing.
All of this must be done within a period not exceeding thirty days from the date the withdrawal is received, unless the agreement with the subject provides otherwise.
Recall that violating the statutory procedure for collecting, storing, using or disseminating information about citizens entails a warning or an administrative fine:
- on citizens in the amount of from three hundred to five hundred rubles;
- on officials - from five hundred to one thousand rubles;
- on legal entities - from five thousand to ten thousand rubles.
The amounts themselves are small (these are the figures in force at the time of writing; they have since been raised, so check the current version of the Administrative Code), but the mere fact of attracting the supervisory authorities' attention can lead to much more serious problems.
BONUS
Cross-border data transfer is possible; nobody has forbidden it.
BUT you must:
- store and update all data on servers in the Russian Federation (the primary database);
- state in the “Agreement on PD processing” that you plan to transfer the data to another country and for what specific purposes (the law does not say whether a particular country must be named).
Responsibility for the use of the transferred data lies with the operator to whom the databases are transferred. Note the difference from entrustment: if you merely engage a contractor to process the data on your behalf rather than transferring it to an independent operator, you remain liable to the subject for the contractor's actions.
FZ-242 does not prohibit providing remote access to databases located on the territory of the Russian Federation from the territory of another state.
That's all, colleagues. May the grace of Eru be with you!