On November 8, 2018, the 9th International Conference "Personal Data Protection" was held in Moscow, organized with the support of the Ministry of Communications of the Russian Federation and Roskomnadzor. The full list of speakers is available on the conference site (https://zpd-forum.com/ru); Roskomnadzor was naturally represented, by Alexander Zharov, Alexander Pankov, Antonina Priezezhev and Yury Kontemirov.
An important topic of the conference was the development of international legal regulation of personal data protection (PD) on the example of the GDPR and the Modernized Council of Europe Convention No. 108. Foreign participants joined the discussion, including representatives of the authorized data protection authorities of Azerbaijan, Bulgaria, Bosnia and Herzegovina, Hungary, Italy, Jordan, China, Serbia and the Republic of South Africa.
Representatives of Roskomnadzor recalled that Russia was among the first countries to sign Council of Europe Convention ETS-108, and that Russia also took part in preparing the new version of the Convention's text. It was stated that the modernization of the Convention would not entail major changes in how personal data protection is organized in Russia, and that signing the modernized Convention would allow Russia to be included in the list of countries recognized as compliant with the GDPR.
However, one of the most important consequences of Russia signing the Convention will be that Russian operators acquire an obligation to notify about personal data breaches, with liability for failing to do so. Plans were also announced to create a resource through which citizens will be able to withdraw consent they previously gave to the processing of their personal data.
In his speech, Yury Kontemirov clarified that Roskomnadzor supervises compliance with personal data legislation as a whole, including the provisions of all laws related to the processing of PD. In 2018, all territorial departments of Roskomnadzor together drew up 98 protocols on administrative offenses in the field of personal data, qualified under Article 13.11 of the Administrative Code of the Russian Federation in its new edition. By comparison, under Article 19.7 of the Administrative Code (failure to notify about processing or failure to respond to a request), about 7,000 protocols are drawn up per year.
As is known, the personal data legislation, together with Decree of the Government of the Russian Federation No. 687, governs any processing of PD, including fully automated processing. Yuriy Kontemirov also clarified that a data subject's legal capacity with respect to personal data begins at the age of 14, and that no objections will be raised to a consent to the processing of personal data signed by a child aged 14 or older. In addition, Yu. Kontemirov explicitly noted that a consent to processing can be signed in electronic form with any of the electronic signature types provided for by the Federal Law "On Electronic Signature", not only an enhanced qualified one.
It was also separately explained that standard forms providing for the entry of personal data, if developed by the operator independently, must comply with the requirements of clause 7 of Resolution of the Government of the Russian Federation No. 687 of September 15, 2008 "On Approval of the Regulation on Peculiarities of Personal Data Processing Carried Out Without the Use of Automation Equipment":
"7. When using standard forms of documents, the nature of the information in which implies or allows the inclusion of personal data in them (hereinafter - the standard form), the following conditions must be met:
a) the standard form or documents related to it (instructions for filling it out, cards, registries and journals) must contain information about the purpose of the personal data processing carried out without the use of automation equipment, the name (title) and address of the operator, the last name, first name, patronymic and address of the personal data subject, the source of the personal data, the processing period of the personal data, the list of actions with the personal data that will be performed during their processing, and a general description of the personal data processing methods used by the operator;
b) the standard form must provide a field in which the personal data subject can mark their consent to the processing of personal data carried out without the use of automation tools, where written consent to the processing of personal data is required;
c) the standard form must be designed in such a way that each of the personal data subjects whose data is contained in the document has the opportunity to become acquainted with their personal data contained in the document without violating the rights and legitimate interests of other personal data subjects;
d) the standard form must exclude the combination of fields intended for entering personal data whose processing purposes are obviously incompatible."
Forms developed by state bodies and the governing bodies of extra-budgetary funds within their powers, as stated at the conference, are not subject to these requirements. It was also stated that a phone number or a state vehicle registration plate number by itself (without being linked to a specific data subject in a document) is not personal data.
The representative of FSTEC, Elena Torbenko, stated that the approach of Order No. 239 on the security of critical information infrastructure (CII), which allows the conformity of information protection tools to be assessed in the form of testing and acceptance, can also be used when building a PD protection system, but the owner of the system must understand their responsibility for the quality and validity of such an assessment. The representative of the FSB, A. Bodrov, noted that the FSB still recognizes only conformity assessment in the form of certification within its own certification system as valid. Certification of application software used to process personal data is not required if the software has no functions protecting against the relevant threats. Any customer, however, has the right to demand such certification from the supplier or contractor if they consider it necessary.
In addition, the signing ceremony of the Code of Fair Practices (the Code of Ethical Activities on the Internet) was held at the conference. The document was joined by the Chamber of Commerce and Industry of Russia, Delovaya Rossiya, Opora Rossii and Lomonosov Moscow State University, as well as representatives of foreign business: the Association of European Businesses, the American Chamber of Commerce in Russia and the Russian-German Chamber of Commerce.
The article is based on https://emeliyannikov.blogspot.com and https://zpd-forum.com/ru.
Source: https://habr.com/ru/post/431478/