
A couple of months ago, a wave of hype arose around a change in the legislation on personal data. Resourceful lawyers began convincing everyone that any feedback form or callback-order widget on a website amounts to processing users' personal data, that Roskomnadzor is already fining violators, and that you urgently need to register.
All this hype is based on myths about personal data. Let's see what actually happened, what the risks are and how to avoid them.
The rules for processing personal data have not changed. In July 2017, amendments to the Code of Administrative Offenses of the Russian Federation came into force that toughened liability for violating personal data legislation. New definitions of offenses were introduced and the fines were raised to 75,000 rubles. That much is true.
But you need to understand that fines for individuals are an order of magnitude lower, and fines for individual entrepreneurs several times lower, than fines for legal entities. The maximum fine of 75 thousand rubles is set for legal entities for one of the 7 offenses. In the other cases, the maximum fine ranges from 30 to 50 thousand rubles.
The unpleasant part is that fines for the different offenses may partly accumulate. The possible violations include, in particular:
- processing of personal data in cases not prescribed by law, or incompatible with the purposes of collecting personal data;
- processing of personal data without the written consent of the subject;
- non-fulfillment of the obligation to publish the personal data processing policy.
However, anxiety about this issue is in most cases caused by a superficial understanding of the personal data law. To assess the risk of prosecution, let's consider the 5 most popular myths about personal data circulating in the Internet community.
1. Personal data is any information about an individual.
At first glance, it is.
“Personal data is any information relating to a directly or indirectly identified or identifiable individual (the personal data subject)” (Part 1 of Article 3 of the Federal Law “On Personal Data”).
However, if we translate this rule into plain language, personal data is only information on the basis of which a person can be identified, or which relates to a person whose identity is already known beyond doubt.
Check this thesis against a phone number or an email address. You do not have legal access to the carrier's subscriber base or to the mail service's user base. Consequently, this information by itself does not allow you to identify the person who uses it.
Therefore, data cannot be considered personal if, without the use of additional information, it does not allow an individual to be identified.
If you still have doubts about this interpretation of the norm, you can consult the original source on the Roskomnadzor website. Literally, the norm of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data reads as follows:
“Personal data means any information relating to an identified or identifiable individual (“data subject”)” (Article 2 of the Convention).
In other words, as long as Mr. “X” is unknown to you, you can store data about him without violating the law. For example, regarding an anonymous phone number there are direct answers from regional offices of Roskomnadzor:
“The subscriber number (telephone number) is used to identify the end-user equipment in the communication network when subscriber devices connect to it, which means that a telephone number without an indication of its owner is not information on the basis of which this person (the personal data subject) can be uniquely identified, and its use cannot imply the processing of the personal data of its owner.”
Findings: If the feedback form does not ask for any additional information identifying the user besides a telephone number or e-mail address, such information is not personal data. Requesting a name together with the user's phone number or email does not make the data personal either: a first name alone does not identify the citizen.
“A citizen acquires and exercises rights and obligations under his own name, including the surname and given name, as well as the patronymic, unless otherwise follows from the law or national custom” (Part 1 of Article 19 of the Civil Code of the Russian Federation).
Therefore, from the point of view of civil law, a first name alone is not enough for legal consequences to arise. At a minimum, a patronymic and a surname are also needed.
Similarly, IP addresses, cookies and other data collected automatically in connection with activity on a website or in an application by a user who has not been fully identified are not personal data.
2. The personal data operator is the person who processes the data.
“Operator is a state body, municipal body, legal or natural person that, independently or jointly with other persons, organizes and (or) carries out the processing of personal data, and also determines the purposes of personal data processing, the composition of the personal data to be processed, and the actions (operations) performed with personal data” (Part 2 of Article 3).
However, there is an exception to this rule.
“The operator has the right to entrust the processing of personal data to another person with the consent of the subject of personal data, unless otherwise provided by federal law, on the basis of an agreement concluded with this person” (part 3 of Article 6).
These persons do not define “the purposes of processing personal data, the composition of personal data to be processed, actions (operations) performed with personal data,” and therefore are not considered personal data operators.
In practice, such persons may include any consulting and service companies, including cloud services. The personal data is provided by their customers, and the customers are also responsible for the legality of its processing.
Similarly, a service should not be responsible for the processing of personal data by a customer's employees who themselves upload that data to the service. It is the customer who must obtain the consent of the personal data subject for the transfer of the data to the service and for its processing in the relevant ways.
Findings: Do not rush to consider yourself an operator. You may have received the personal data for processing from the operator, not from the personal data subject.
3. All sites must post a Privacy Policy.
Indeed, in the Federal Law “On Personal Data” there is a provision on the publication of the Privacy Policy:
“The operator who collects personal data using information and telecommunications networks is obliged to publish in the relevant information and telecommunications network a document defining its policy regarding the processing of personal data and information about the implemented requirements for the protection of personal data, as well as to ensure access to the specified document using the relevant information and telecommunications network” (Part 2 of Article 18.1).
However, do not forget about the possible exceptions to this rule.
First, not all information about an individual relates to personal data (see myth 1).
Secondly, such rules are not imposed on a person processing personal data on behalf of the operator (see myth 2 above).
Thirdly, the Federal Law “On Personal Data” itself does not oblige individuals (including individual entrepreneurs) to issue documents defining the operator's policy regarding the processing of personal data or local acts on the processing of personal data. Such documents must be issued only by legal entities (Clause 2 of Part 1 of Article 18.1).
4. The processing of personal data requires written consent.
Indeed, the consent of the personal data subject to the processing of his personal data is listed as the first condition for PD processing (paragraph 1 of Part 1 of Article 6 of the Federal Law “On PD”). But it is not always necessary to obtain consent on paper with the personal signature of the PD subject. There are a number of additional or mutually exclusive rules.
1. Consent to PD processing is not required from a person acting on the instructions of the operator (Part 4 of Article 6).
2. Separate consent is not required when the operator processes PD:
- in order to conclude or execute a contract to which the personal data subject is a party, beneficiary or guarantor (sub-clause 5 of Part 6 of Article 6);
- that is made accessible to an unlimited number of persons by the personal data subject or at his request (paragraph 10 of Part 1 of Article 6).
Thus, when the user accepts a user agreement, it is enough to notify the user about the processing of his personal data.
3. Consent may be given to the operator in some other form.
“Consent to the processing of personal data may be given by the personal data subject or his representative in any form that allows the fact of its receipt to be confirmed, unless otherwise established by federal law” (Part 1 of Article 9).
In other words, if federal law does not require obtaining consent strictly in writing, it can be given in any other way, including by performing the requested actions. For example, such actions may include sending back the verification code received by SMS, clicking on the link sent to the user's email when registering an account, etc.
4. Written consent may be signed with an electronic signature.
“Consent in the form of an electronic document signed with an electronic signature in accordance with federal law is considered equivalent to written consent on paper containing the personal signature of the personal data subject” (Part 4 of Article 9).
Here it should be taken into account that the electronic signature in question is an enhanced qualified electronic signature (see Part 3 of Article 18 of the Federal Law of April 6, 2011 No. 63-FZ “On Electronic Signature”).
5. Each PD operator must be included in the Roskomnadzor registry.
Many consultants recommend submitting a notice to Roskomnadzor for inclusion in the register of personal data operators, referring to this provision:
“The operator, prior to the processing of personal data, is obliged to notify the authorized body for the protection of the rights of personal data subjects of their intention to process personal data” (Part 1 of Article 22).
However, they forget that the same article of the law contains exceptions to this rule. The situation considered here, PD processing by a private Internet service, includes at least two grounds for exemption from the obligation to submit a notification.
In particular, the operator is entitled to process the following personal data without notifying Roskomnadzor:
“Received by the operator in connection with the conclusion of a contract to which the personal data subject is a party, if the personal data is not distributed and is not provided to third parties without the consent of the personal data subject and is used by the operator solely to execute the said contract and to conclude contracts with the personal data subject” (Clause 2 of Part 2 of Article 22);
“Made publicly available by the personal data subject” (sub-clause 4 of Part 2 of Article 22).
Findings:
1) In the first case, to process personal data without notifying Roskomnadzor, it is enough to invite the user to accept a user agreement, which is essentially a contract. In order to send messages to the phone number and e-mail address you need user consent in any case, so accepting a user agreement solves two problems at once: on the one hand, you lawfully use the data without notifying Roskomnadzor; on the other hand, you obtain consent to contact the user at the specified numbers and addresses, including, if necessary, for advertising mailings.
2) The second exception applies to publicly available data. This ground can be useful for a social network, bulletin board or job search site, where users themselves make information about themselves available. In this case, there is no need either to notify Roskomnadzor about the processing of this category of PD or to obtain additional consent from the user to process it.
3) In addition, remember that not all persons carrying out PD processing are considered operators. Some of them act on the instructions of the operator (see myth 2 above). Therefore, they do not need to send a notification to Roskomnadzor about the processing of PD provided by the operator.
4) Special mention deserves the recommendation to get registered “just in case”. This is bad advice in every way, because Roskomnadzor must conduct scheduled inspections of operators included in the registry. And then a simple privacy policy will not help you: they will ask for all internal information security regulations and check their actual implementation!
Pay attention to the details: that is where the lawyer's devil hides.