
People's Privacy Policy


In response to numerous requests from practicing webmasters and website owners, we have published a free sample Privacy Policy for websites with a feedback form, a subscription form or a callback request form.

We took this step because that form of the Policy does not cover the processing of personal data and therefore leaves little room for variation. Keep in mind that it is not suitable for sites that do process personal data (PD). Online stores and other services, for example, where the user provides information about themselves beyond a phone number or email address, require more attention to the processing of personal data.
So we turned to drafting a “People’s” Privacy Policy that covers PD processing. A simple template is not enough here. As a basis we took the Recommendations issued by Roskomnadzor in 2017 (hereinafter the “Recommendations”) for drafting the document that defines the operator’s policy on the processing of personal data (hereinafter the “Policy”), and supplemented them with real-world examples.

Let's see what came out of it.

We skim the first two sections of the Recommendations, since they are largely empty of substance

In section 1, Roskomnadzor states that the Recommendations were developed in order to work out unified approaches to the structure and form of the Policy. We take this on faith and follow the agency's wishes, if only to make future dealings with inspectors easier.

Section 2 reproduces the basic concepts of the Federal Law “On Personal Data”. We skip it as adding nothing. If you wish, it is better to introduce your own terms in the Policy that refine the statutory ones.

Section 3 finally brings the long-awaited advice on the structure and content of the Policy. Let us go through it in detail.

1. General Policy Provisions


In this section, it is recommended to describe the purpose of the Policy, include the basic concepts used in it (personal data processing, operator, personal data subject, personal data confidentiality, etc.), and list the main rights and obligations of the operator and of the personal data subject(s).

Judging by the Recommendations, their authors believe that the Policy, like any serious document, must be impressive in size, so that everyone is filled with awe at its mere mention.

So let's start with the definitions. To avoid repeating Federal Law 152, we suggest referring to the specific clauses and sections of the Policy in which the concepts used are spelled out. Below is an example of the terms and definitions from a Privacy Policy for an online store.

1.1. The following terms and definitions are used in this document and in the resulting or related relations between the Parties:

Personal data - the data provided by the personal data subject or their representative, the scope and composition of which are specified in clause X.X of the Policy.

Administration - Romashka LLC, INN XXX, OGRN XXX, address: XXXXX, which legally owns and/or manages the Site. In the cases stipulated by this Policy, the Administration acts as the personal data operator.

User - a person using the Site for the purpose of concluding and/or performing Agreements.

Agreement - the user agreement for use of the Site, a contract of sale, a supply agreement, a contract of carriage and/or any other agreement offered for conclusion and/or concluded by the User on the basis of an offer posted on the Site.

Processing of personal data - an action (operation) or a set of actions (operations) with personal data listed in clause X.X of the Policy.

Site - an automated information system available on the Internet at the network address /URL/.

1.2. This Policy uses the terms and definitions provided for in the Agreement and in other Agreements concluded with the User, unless otherwise provided by this Policy or implied by its substance. In all other cases, a term used in the Policy is interpreted in accordance with the current legislation of the Russian Federation or business customs.

2. Purpose of collecting personal data


According to the Recommendations, the processing of personal data must be limited to the achievement of specific, predetermined and legitimate purposes. Processing of personal data that is incompatible with the purposes of its collection is not allowed.

If you have no desire to register with Roskomnadzor and undergo the mandatory inspections that follow, we suggest tying all purposes of PD processing to the conclusion and performance of contracts.

The role of such a contract can be played by the User Agreement that every user accepts when they start using the Site, or by another agreement offered by the Site owner.

As a result, we get a fairly standard set of purposes:

  1. Concluding agreements with the user on the use of, or through, the Site.
  2. Identifying the user in the course of fulfilling obligations under agreements concluded with them.
  3. Performing obligations under the concluded agreements, including giving the user access to the Site and technical support, and the user's use of the Site's functionality.
  4. Invoicing and refunding the cash balance upon termination of agreements concluded with the user.
  5. Notifications within information services, mailings and service-quality improvement under the concluded Agreements, including with the involvement of third parties.

3. Legal grounds for the processing of personal data


According to Roskomnadzor's explanation, the legal basis for processing personal data is the set of legal acts pursuant to and in accordance with which the operator processes personal data.

Given the linkage described above, the agreements concluded between the operator and the personal data subject can be indicated as the legal basis for processing personal data.

If personal data is processed for other purposes, a separate consent to the processing of personal data should be indicated as the basis.

4. Volume and categories of personal data processed, categories of personal data subjects


Roskomnadzor warns that the content and volume of processed personal data must comply with the stated processing objectives. The processed personal data should not be redundant in relation to the stated purposes of their processing.

With these recommendations in mind, we list in the Policy the personal information that you collect through the Site.

First, we list the data from the fields of the online feedback, order, subscription and registration forms. Then we look closely at the information the user enters when filling out the profile in their account.

In addition, we indicate the data requested by the support or sales department when taking or processing applications by phone or at service points.

5. The procedure and conditions for the processing of personal data


In this section, Roskomnadzor recommends specifying the list of actions performed by the operator with the personal data of the subjects, as well as the methods used by the operator for the processing of personal data and the terms for processing personal data.

We pick from the list. Federal Law 152 provides for the following operations with personal data: collection, recording, systematization, accumulation, storage, refinement (updating, changing), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion and destruction of personal data.

Processing methods may include:

a) automated processing of personal data;

b) the processing of personal data without the use of automation.

According to the definition given in Federal Law 152, automated processing of personal data is the processing of personal data using computer technology.

It would seem that any action with PD performed using computer technology falls under this. But it is not that simple. Let us look at the Regulation on the specifics of processing personal data without the use of automation tools, approved by Decree of the Government of the Russian Federation No. 687 of September 15, 2008.

Clause 1 states that the processing of personal data contained in a personal data information system or extracted from such a system (hereinafter personal data) is considered to be carried out without the use of automation tools (non-automated) if such actions as the use, refinement, distribution and destruction of personal data for each personal data subject are carried out with the direct participation of a person.

The processing of personal data cannot be deemed to be carried out using automation tools solely because the personal data is contained in a personal data information system or has been extracted from it (clause 2).

In other words, if PD in your site's personal data information system is not used, refined, distributed or destroyed automatically without human involvement, you can safely choose the second processing method: processing personal data without the use of automation tools.

The result of this simple step is a lawful escape from the draconian requirements that Federal Law 152 imposes on automated processing of PD in an information system.

As for the processing period of PD, we suggest specifying at least the term of the agreement for which the PD was requested. To the term of the agreement you can add the 3-year limitation period for claims arising from its performance.

Roskomnadzor reminds us that when storing personal data the operator is obliged to use databases located in the territory of the Russian Federation, in accordance with Part 5 of Art. 18 of the Federal Law “On Personal Data”. There is no need to reflect this in the Policy, since it concerns actual circumstances rather than the document, although for form's sake you can include a declarative clause on PD processing in Russia.

Next, Roskomnadzor recommends specifying the conditions for transferring personal data to third parties. This is an important point. Usually the list comes down to the following grounds for transferring PD:


Within certain limits, the list can be extended to cover the sale of the Site or the transfer of personal data in depersonalized form.

In addition, Roskomnadzor recommends including in this section of the Policy information on compliance with the confidentiality requirements for personal data set out in Art. 7 of the Federal Law “On Personal Data”, as well as information on the operator's adoption of the measures provided for by Part 2 of Art. 18.1 and Part 1 of Art. 19 of the Federal Law “On Personal Data”.

In practice, this comes down to a statement that the Site administration stores personal data and protects it from unauthorized access and distribution in accordance with its internal rules and regulations.

6. Updating, correction, deletion and destruction of personal data, responses to requests from subjects for access to personal data


Roskomnadzor recommends including in the Policy the procedure(s) for responding to requests/appeals from personal data subjects, their representatives and authorized bodies regarding inaccuracy of personal data, unlawfulness of its processing, withdrawal of consent and the subject's access to their data, as well as the corresponding request/appeal forms.

In such cases it is usually stated that the user has the right to edit the information they have provided in their personal account at any time. Upon termination of the concluded agreement, the user has the right to delete their personal account themselves or by contacting the support service at the email address XXX@XXX.XX.

If you wish, you can tighten the rules for handling requests to change/delete PD by requiring the user to send a registered letter with declared value to your address in Bobruisk.

These are the main Recommendations regarding the form and content of the Policy.

7. Processing anonymous data


Notably, Roskomnadzor has, as usual, sidestepped the issue of processing data that is equally important to users but is not considered personal. We mean information collected on the site automatically: cookies, IP address, device information and location, etc.

Apparently Roskomnadzor stubbornly refuses to spell out what counts as PD, even by elimination via what is non-personal. In practice, however, it is customary to include in the Privacy Policy a notice and the procedure for processing such data, so as to inform the user as fully as possible about the consequences of using the site.

Below is an example of such a notice.

You acknowledge and accept that third-party software may be used on the Site, as a result of which such third parties may receive and transmit data in depersonalized form.
Such third-party software includes visitor statistics systems such as Google Analytics.

The composition and conditions of collecting depersonalized data by third-party software are determined directly by their respective owners and may include:


A complete description of the conditions for processing depersonalized data can be found in the sample Privacy Policy with which we began this article.

We wish you success in developing your own Privacy Policy in accordance with the recommendations of Roskomnadzor and the approaches developed in practice.

Source: https://habr.com/ru/post/337970/