
The law on personal data - is the devil as scary as it is painted?

In July 2017, the so-called “Personal Data Act” came into force, which greatly frightened the Internet sector. The main hype about it has already subsided: site owners have put a consent checkbox under every form on their sites and calmed down.



In fact, the law existed before, but nobody was fined, because it was terribly inconvenient even for Roskomnadzor. Now it can issue fines on its own, supposedly even for poorly designed feedback forms.



It sounds terrifying, but I decided to check how Roskomnadzor will actually act if there is no personal data processing policy under the feedback form.



Initial data:


- Online store with real physical stores;

- Legal details are specified in the contact section;

- The feedback form contains a checkbox and a link to the “Personal Data Processing Policy”, but the link leads to a blank page;

- Standard fields: name, telephone, message text;

- The owner is not registered as an operator processing PD in Roskomnadzor;

- The time of the audit: the 20th of August 2017



The application to Roskomnadzor was submitted in electronic form. The exact text, unfortunately, was not preserved, but the approximate content was:

I wanted to get in touch through the feedback form on the site "such and such" and noticed that the PD processing policy for the form is empty. I fear for my PD; please take action. The owner is not registered as a PD processing operator.

Website address, form address, empty PD policy address, legal entity details on such and such page. Screenshots indicating what is where.


After a little less than a week I received an answer.



Roskomnadzor response text






p.38 of the Administrative Regulations
38. Unscheduled inspections are conducted for the following reasons:

38.1. Expiration of the deadline for the Operator to comply with a previously issued order to eliminate an identified violation of the requirements of the legislation of the Russian Federation in the field of personal data.

38.2. Receipt by the Service or its territorial bodies of appeals and applications from citizens, legal entities and individual entrepreneurs, or of information from public authorities, local governments and the media, concerning the following facts:

38.2.1. The emergence of the threat of harm to life and health of citizens.

38.2.2. Causing harm to life, health of citizens.

38.3. The order of the Head of the Service or the head of the territorial body of the Service, issued in accordance with the instructions of the President of the Russian Federation, the Government of the Russian Federation, and based on the requirement of the prosecutor to conduct an unscheduled inspection as part of the supervision of the implementation of laws on the materials and appeals received by the prosecution authorities.

(as amended by the Order of the Ministry of Communications and Media of Russia dated 08.10.2014 No. 340)

38.4 - 38.5. Excluded by the Order of the Ministry of Communications and Media of Russia dated 08.10.2014 No. 340.



In short: the owner decides whether or not to register. An unscheduled inspection cannot be held, because there are no grounds for it.



Verdict:



- Getting fined because of a competitor's complaint is unrealistic (which, by the way, makes me personally happy), because according to the Administrative Regulations an inspection can be carried out only when there is a threat to health, and that is very problematic on the Internet.

- Theoretically, you can get a fine during a routine inspection, but a small site will most likely not be noticed against the general background of the Internet.



P.S. The online store was not harmed during the experiment.

Source: https://habr.com/ru/post/356210/


