
In one of our previous articles, which was devoted to preparing for Roskomnadzor checks on compliance with the requirements of the law “On Personal Data”, we talked about the importance of correctly filling out the notification, about the cases in which the notification must be filled out, and we also promised to tell more about how to fill in each field of the notification.
It would seem that the names of many fields make it intuitively clear what exactly to write in them. But practice shows that many personal data operators have a lot of questions, and some fall into a real stupor when trying to fill in all the fields.
We decided to write a detailed instruction here, so as not to repeat the same thing to our customers many times, and also to make it always available to everyone.
The notification of the operator of personal data is filled out on the Roskomnadzor personal data portal. Now let's look at each of the fields.

There should be no problems with the first positions. We choose the territorial office of Roskomnadzor to which the notification should be sent. Then we select the type of operator. We enter the full and abbreviated name of the operator in accordance with the constituent documents. We indicate the actual and legal addresses of the organization. We choose the region (or regions) in which the organization operates. We fill in the details of the organization (only the TIN and OGRN are required; the rest may be left blank). If the organization has branches, we add information about them.
Everything here seems simple and understandable, but questions may already arise with the following fields.

In the column “Legal basis for the processing of personal data”, you can specify all regulatory and internal documents that may in one way or another be associated with PD processing. Usually they start with 152-FZ and the Labor Code of the Russian Federation, continue with legislation relating to the organization’s field of activity (for example, if it is a medical institution, then we write 323-FZ “On the basics of public health protection in the Russian Federation” and other federal and regional regulations related to health) and end with the charter of the enterprise.

The “Purpose of processing personal data” column is one of the most insidious. When completing this field we must not forget that Part 2 of Article 5 of the Federal Law “On Personal Data” tells us that PD processing should be limited to achieving specific, predetermined and legitimate purposes. It is not allowed to process personal data that is incompatible with the purposes for which it was collected.
Here is one example of how not to do it.
Some employers, when inviting a candidate for a vacant position to an interview, ask them to fill out a questionnaire in which, among other things, they are asked to enter their passport details. However, from the point of view of 152-FZ, this is not legal. Since the purpose of processing is the selection of a candidate for a vacant position, try to come up with a plausible rationale for why you need passport details. Work experience? Yes. Educational background? Yes. Age? Here it already smacks of discrimination, although we are not going to exploit child labor. But passport details are not needed for recruiting staff.
No, we are not so naive, and we understand that the employer often needs the candidate’s passport details in order to “run a check” on the candidate, for example, for debt load or for involvement in other unpleasant stories. But once again: from the point of view of the law, this cannot be done.
Let us return to filling out the field “Purpose of personal data processing”. Here we must formulate these purposes correctly and adequately. Adequately to what? Adequately to the list of categories of personal data that we will fill in below. After all, we do not want Roskomnadzor to have grounds for issuing an order on the basis of our notification alone, even before the inspection. Here a vicious circle is drawn: if we write that we process the passport details of applicants, we are punished for violating the law on personal data; if we say that “passport details” got into the notification by accident, the inspection protocol will state “incomplete / unreliable information is indicated in the notification of the personal data operator”.
As you already understood, the column “Purpose of personal data processing” can be very different for different organizations, but for most commercial organizations it will be correct to write “Personnel and accounting management, recruitment of staff for vacant positions, provision of services [list of services]”.

The next section is one of the most difficult and incomprehensible. Roskomnadzor wants us to describe the measures taken, as provided for in Articles 18.1 and 19 of the Law “On Personal Data”. But in fact, this section is one of the simplest: just take the provisions of these articles of the law and write that all of this has been done by us. We have done it, right?
An example of filling in the field “Description of measures stipulated by Articles 18.1 and 19 of the Federal Law ‘On Personal Data’”:

The person responsible for organizing the processing of personal data has been appointed. Documents have been approved that define the organization’s policy regarding the processing of personal data and establish procedures aimed at preventing and detecting violations of the law. Such documents include in particular: an action plan to ensure the security of personal data in the ISPDN “Accounting and Personnel”; a list of personal data to be protected; a list of personal data information systems; a regulation on the delimitation of access to personal data; an order approving the list of persons allowed to process personal data; a regulation on the processing and protection of personal data; a policy regarding the processing of personal data; rules for processing personal data without the use of automation tools; an order approving the storage locations of personal data and the persons responsible for maintaining the confidentiality of personal data during storage. Elimination of the consequences of violations of the legislation of the Russian Federation is carried out in accordance with the current legislation of the Russian Federation, the regulation on the processing and protection of personal data, the instructions for the personal data security administrator, and the procedure for backing up and restoring hardware and software data and information security tools. Internal control over the compliance of personal data processing with the legislation of the Russian Federation in this field is carried out in accordance with the internal audit plan, the security administrator’s instructions and the regulation on personal data processing and protection.
For the personal data information system, a model of threats to the security of personal data has been developed, in which, when determining the danger of threats, an assessment is made of the harm that may be caused to personal data subjects in the event of a violation of the law. A policy regarding the processing of personal data has been published on the website www.example.ru. For the personal data information system, terms of reference for creating an information protection system and a draft design of the information protection system have been developed, providing for the implementation of the measures defined by legislation for an information system of the third level of protection, as well as measures aimed at neutralizing the threats identified as relevant in the security threat model. The draft design has been fully implemented, which confirms the implementation of the measures determined by legislation and the neutralization of the relevant security threats in the personal data information system. The effectiveness of the measures taken to ensure the security of personal data has been assessed. Machine-readable media are accounted for in the appropriate journal. Detection of facts of unauthorized access to personal data and the taking of measures are carried out using the information security tools in use, in accordance with the security administrator’s instructions. The rules of access to personal data are approved in the appropriate regulation and technically implemented with the help of information security tools. Employees who are allowed to process personal data are instructed in information security, sign a non-disclosure agreement on personal data, and are familiarized with the personal data protection documents against signature. The information on ensuring the security of personal data lists the information security tools used in the ISPDN.
Fortunately, unlike the other fields, this information is not published in the public domain, so you can list all the information security tools actually in use.

The date of commencement of PD processing usually coincides with the date of foundation (registration) of the company.
In the next item, “Condition for terminating PD processing”, “Termination of the organization’s activity” is usually indicated as the condition.

In the “Categories of personal data” section, we first tick the checkboxes for the categories processed, and then in the “Other categories of personal data not listed in this list” field we indicate those PD that are not in the list. It is better to do this separately for different categories of subjects, for example: “Other categories of PD of employees: [list of PD of employees]. Other categories of PD of clients: [list of PD of clients]”.
In the section “Categories of subjects whose personal data are processed”, we indicate the list of categories of persons whose data we store or process, for example: “Employees, applicants for vacant positions, contractors, clients”. Note that an explanation is added to the field title, indicating in which case the information should be indicated.
In the field “List of actions with personal data” the easiest way is to quote the definition of PD processing from 152-FZ: “collection, recording, systematization, accumulation, storage, refinement (updating, changing), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction”. Naturally, actions that are not relevant to your organization (for example, depersonalization) should be removed from this list. And do not forget about grammatical case.
Next, we indicate the method of processing PD; usually it is “mixed, with transfer via the internal network of the legal entity, with transfer via the Internet”.
Then we are asked whether we transfer PD abroad. If not, we declare the absence of cross-border transfer. If so, we will also have to specify all the countries to which data is transferred.
And the last item in this block is the use of cryptography. If it is not used, we move on. If the answer is yes, we will be asked to write the names of the cryptographic tools and their class. All this information can be found in the documentation of the cryptographic tools. Let us just note that cryptographic classes KV and KA are usually used for state secrets, and state secrets are not regulated by 152-FZ, so in ordinary ISPDN it is most often KS1, KS2 or KS3 that is chosen. If several tools of different classes are used, the form allows you to specify all the necessary information.
The next section of the form appeared on September 1, 2015. Anyone who filled out a notification long ago needs to amend it and supplement it with data on the data center. Yes, do not be surprised: a local 1C-Accounting database deployed on the chief accountant’s computer is also considered a “data center” by Roskomnadzor...

We select the country in which our “data center” is located and indicate its address. Next, we must indicate whether the “data center” is our property or not, and if not, indicate the details of the site owner. If you have several ISPDN, the “data center” information must be specified separately for each of them, even if we are talking about a single server.
Next, we fill in the details of the person appointed in the company as responsible for organizing the processing of personal data.
IMPORTANT! The name of the responsible person, their contact phone number and e-mail will be available to everyone in the register of PD operators. Keep this in mind and, of course, it is better to warn the appointed person about this.
At the very end we indicate the details of the executor. The executor is the person who filled out this notification. This need not be the responsible person; it may be a completely different person. But, as we can see, these fields are also optional, so, apparently, if the executor is not indicated, the responsible person is automatically taken to be the executor.
Then we tick “I agree to everything”, enter the captcha and click the big button “Send an electronic notification and prepare the form for printing”. The form must then be printed out, signed, stamped with the organization’s seal (if any) and sent by regular post to your territorial Roskomnadzor office. After a while, your data will be entered in the register.