Protection of personal data from July 1: what fine does a company face for violating the personal data law? (For legal entities)

From July 1, 2017, increased administrative fines are introduced for non-compliance with the requirements of the Federal Law “On Personal Data” dated July 27, 2006 No. 152-FZ. Tax expert Igor Karmazin told BUKH.1S how to avoid fines during Roskomnadzor inspections.

Fines for non-compliance with the requirements of the Federal Law "On Personal Data" were increased by Federal Law dated 02/07/2017 No. 13-FZ. The new fines are many times higher than the existing ones. The maximum fine for organizations has been increased to 75 thousand rubles, and the maximum fine for entrepreneurs to 20 thousand rubles. Moreover, whereas the Code of Administrative Offenses previously contained only one offense in the field of personal data, common to all cases (Article 13.11 of the Code of Administrative Offenses of the Russian Federation), that article now defines as many as seven separate offenses.

To avoid fines under 152-FZ, companies and individual entrepreneurs should take a more careful approach to compliance with the requirements of the law on personal data from July 1, 2017.

Cheat sheet on the article from the editors of BUKH.1S for those who do not have time

1. From July 1, 2017, increased administrative fines are introduced for non-compliance with the requirements of the Federal Law “On Personal Data”.

2. New fines have increased significantly compared to existing ones. The maximum fine for organizations has been increased to 75 thousand rubles, the maximum fine for entrepreneurs has been increased to 20 thousand rubles.

3. Fines for illegal processing of personal information of citizens apply to all companies and entrepreneurs that receive passport data of Russians. The law does not contain a specific list of such organizations.

4. Companies legally classified as personal data operators must be registered with Roskomnadzor.

5. You can protect yourself from fines by following 6 rules:

  • exclude cases of inappropriate collection and processing of data;
  • obtain written consent from citizens to process their data;
  • familiarize citizens with the policy for processing personal data;
  • answer citizens' questions about how their personal data is used;
  • comply with citizens’ demands for clarification of personal data, their blocking or destruction;
  • ensure the safety of media with personal data, excluding their leakage, damage, theft, copying, etc.

6. From 07/01/2017, a simplified procedure for bringing to administrative responsibility comes into force. Cases will be initiated by Roskomnadzor itself without the participation of prosecutors.

Who will be affected by the new fines?

Fines for illegal processing of personal information of citizens apply to all companies and entrepreneurs that receive passport data of Russians. By law, they are classified as personal data operators and are required to comply with legal restrictions.

The law does not contain a specific list of such organizations. However, these include banks, insurance companies, mobile and Internet operators, medical organizations, transport companies, educational establishments, and any company that asks citizens to provide personal data or fill out a questionnaire when they contact it.

But that's not all. The law applies to employers receiving information from employees both under employment contracts and under civil contracts. Employers are also operators of personal data, with a small caveat. If an employer has an employment or civil law relationship with a citizen, he is not required to notify Roskomnadzor about the processing of personal information (Part 2 of Article 22 of Federal Law No. 152-FZ).

Operators of personal data also include companies that have their own websites with a feedback form and registration of users from whom personal information is requested.

How to protect yourself from fines: 6 rules

1. Eliminate cases of inappropriate collection and processing of data.

This violation also includes cases of collecting excessive information about citizens. For example, when a site for an e-mail newsletter requires visitors to provide, say, passport information. This is considered improper processing of data, so exclude such cases from the practice of your company and website.

These actions constitute an offense under Part 1 of Art. 13.11 Code of Administrative Offenses of the Russian Federation. The fine for entrepreneurs is from 5 to 10 thousand rubles, and for organizations - from 30 to 50 thousand rubles.

2. Obtain written consent from citizens to process their data.

Operators obtain citizens' consent to process personal data, when required by law, in accordance with Part 4 of Art. 9 of Federal Law No. 152-FZ. There are not many exceptions to this rule. For example, written consent is not required when obtaining personal data for personal and family purposes (Part 2 of Article 1 of Federal Law No. 152-FZ).

In most cases, in addition to the main contract, the parties must sign an agreement on the processing of personal data. This agreement may be included in the text of the main agreement, or act as a separate document. Consent must come personally from the citizen. Data cannot be transferred without his knowledge.

The most common example of abuse in this area is when, for example, a mobile operator transfers subscribers’ contacts without their knowledge to third-party companies, and all kinds of spam begins to arrive on citizens’ phone numbers.

If the company does not have a written agreement for data processing, a fine of 3 to 5 thousand rubles will be imposed on citizens (individual entrepreneurs), 10 to 20 thousand rubles on officials, and 15 to 75 thousand rubles on legal entities (Part 2 of Article 13.11 of the Code of Administrative Offenses of the Russian Federation). Judging by judicial practice, individual entrepreneurs are fined as individuals for a first violation and, if the violation is repeated, as officials (that is, as the head of the individual entrepreneur's business), since in the second case the fine is higher.

For the inspectors, the consequences of a failure to obtain written consent will not matter; what will matter is whether such consent exists in writing.

3. Inform citizens about the policy for processing personal data.

This information should be freely available and everyone should be able to read it. For example, sites post information about the procedure for working with personal data on their individual pages.

Otherwise, liability will arise under Part 3 of Art. 13.11 Code of Administrative Offenses of the Russian Federation. Individual entrepreneurs will pay a fine in the amount of 5 to 10 thousand rubles, and organizations in the amount of 15 to 30 thousand rubles.

4. Answer citizens’ questions about how their personal data is used.

In practice, there are cases when data is “leaked” to third parties, and the company’s clients begin to receive all kinds of advertising from stores, medical centers and credit institutions. In this case, the client may require the personal data operator to provide information about how his personal information is used and stored.

For ignoring citizens' requests, personal data operators are liable under Part 4 of Art. 13.11 Code of Administrative Offenses of the Russian Federation. The fine for individual entrepreneurs is from 10 to 15 thousand rubles, and for legal entities – from 20 to 40 thousand rubles.

5. Fulfill citizens’ demands for clarification of personal data, their blocking or destruction.

This should be done in cases where personal data is incomplete, out of date, inaccurate, unlawfully obtained or is not necessary for the stated purpose of processing.

Failure to fulfill this obligation may result in a fine under Part 5 of Art. 13.11 Code of Administrative Offenses of the Russian Federation. For individual entrepreneurs, the fine will be from 10 to 20 thousand rubles, for organizations - from 25 to 45 thousand rubles.

6. Ensure the safety of media with personal data, excluding their leakage, damage, theft, copying, etc.

Responsibility for failure to ensure the safety of personal information is established in Part 6 of Art. 13.11 Code of Administrative Offenses of the Russian Federation. For entrepreneurs - from 10 to 20 thousand rubles, for companies - from 25 to 50 thousand rubles.

Responsibility for state and municipal authorities

Punitive liability is also provided for state and municipal authorities (Part 7, Article 13.11 of the Code of Administrative Offenses of the Russian Federation).

In their documents (protocols, reports, decisions, etc.) they must anonymize citizens' personal data so that their place of residence and full name are not indicated.

Otherwise, a fine of 3 to 6 thousand rubles will have to be paid.

Registration of personal data operators in Roskomnadzor

Companies legally classified as personal data operators must be registered with Roskomnadzor. To do this, a notification of the processing (or of the intention to process) personal data must be submitted (Part 3 of Article 22 of Federal Law No. 152-FZ).

After filling out the notification form on the processing (or intention to process) personal data, it should be sent to the information system of the Authorized Body for the Protection of the Rights of Personal Data Subjects. The completed form must then be printed, properly certified (signed and sealed by the organization), and sent to the territorial body of Roskomnadzor at the place of registration of the operator company.

What should sites do?

As for websites (and now almost every company has them), the bulk of violations here are related precisely to the inappropriate collection and use of personal data (Part 1 of Article 13.11 of the Code of Administrative Offenses of the Russian Federation).

For example, registration forms on websites often include fields such as “date of birth” and “telephone”, and user profile forms include “patronymic”, “date of birth” and “place of residence” (country, region, city).

It should be understood that to register a user on most online resources, you do not need to know such data as the user’s phone number and place of residence/registration. This information should be removed from the registration form.

And from the personal profile form it is better to remove information such as “profession”, “www-page”, Skype (or other messenger) and “date of birth”.

There is no need for outsiders (and your company is an outsider in this sense) to know this information. The subscription form for site news should collect only users' e-mail addresses. The registration form can collect the user's first name, last name, e-mail and gender.

Collecting unnecessary information during an inspection may be considered a violation.

Compliance with the rules described above and knowledge of the law will allow you to avoid liability for violating it. In this case, one important circumstance should be taken into account. If previously the law on personal data bypassed your company and you did not bear any responsibility for its violation, then from July 1 everything may change dramatically.

The fact is that from this date a simplified procedure for bringing to administrative responsibility begins to operate. Previously, cases in this area were initiated by the prosecutor's office (Article 28.1 of the Code of Administrative Offenses of the Russian Federation). According to the new rules (clause 58, part 2, article 28.3 of the Code of Administrative Offenses of the Russian Federation), cases will be initiated by Roskomnadzor itself without the participation of prosecutors. In practice, this means that the number of fines and cases brought to court may increase significantly, and it will become much more difficult to evade responsibility.

All companies have personal data about employees. From July 1, 2017, new fines apply. They are larger than before. We'll show you how to work without violations.

From July 1, 2017, liability for violations in working with personal data increases. The changes will affect all employers without exception who have personal information of employees and other individuals.

What applies to personal data in 2017

Personal data means any information about an individual (Clause 1, Article 3 of the Federal Law of July 27, 2006 No. 152-FZ). Such information includes last name, first name, patronymic, gender, age, education, place of residence of an individual, etc.

This means that the employer must process, store and destroy all documents with personal data of individuals in accordance with legal requirements.

Such documents include:

  • employment history;
  • passport or other identity document;
  • insurance certificate of compulsory pension insurance;
  • military registration documents - for those liable for military service and persons subject to conscription military service;
  • documents on education and (or) qualifications or availability of special knowledge - when applying for a job that requires special knowledge or special training;
  • documents (certificates) containing information about the employee’s health status;
  • documents (certificates) containing information about the employee’s age or marital status.

From July 1, 2017, fines for violations of the rules for working with personal data will increase.

How to ensure the protection of personal data

Let's consider what needs to be done on the farm to protect the personal data of employees and other individuals. It takes just five steps.

Step 1. Fix the procedure for receiving, processing, transferring and storing personal data in a local act of the organization. For example, in the provision on the processing of personal data of employees (Article 8, 87 of the Labor Code of the Russian Federation, clause 2, part 1, article 18.1 of the Federal Law of July 27, 2006 No. 152-FZ).

Step 2. Appoint an employee responsible for working with personal data (Part 5 of Article 88 of the Labor Code of the Russian Federation). This could be an HR employee who interacts with employee personnel files. He will obtain employee consent to process personal data, maintain employee cards, etc.

Step 3. Prepare a consent template for the processing of personal data. Without it, you cannot request personal information from individuals. Such consent must include the following information (part 4 of article 9 of the Law of July 27, 2006 No. 152-FZ):

  • Full name, address of the employee, passport details (other document proving his identity), including information about the date and place of issue of the document;
  • name or full name and address of the employer who obtains the employee’s consent;
  • purpose of processing personal data;
  • list of personal data for the processing of which consent is given;
  • name or full name and address of the person processing personal data on behalf of the employer, if the processing will be entrusted to such a person;
  • list of actions with personal data for which consent is given, and a general description of the methods used by the employer for processing personal data;
  • the period during which the employee’s consent is valid, as well as the method of its withdrawal, unless otherwise established by federal law;
  • employee signature.

Sample consent to the processing of personal data

Last name, first name, patronymic (last - if available) of the subject of personal data

Residence address _________________________________________________________

______________________________________________________________________________

Identity document of the subject of personal data, date of issue and issuing authority ________________________________________________________________

______________________________________________________________________________

CONSENT TO PROCESSING OF PERSONAL DATA

I hereby express my consent to the processing of my personal data provided for in Part 3 of Article 3 of the Federal Law of July 27, 2006 No. 152-FZ, for the purpose of the provision by the Federal Service for Intellectual Property (Rospatent), in accordance with the Federal Law of July 27, 2010 No. 210-FZ “On the organization of the provision of state and municipal services”, of public services for the state registration of an invention and the issuance of a patent for an invention or its duplicate.

______________________________________________________________________________

(indicate the name of the invention)

Application No. ________________________________________________________________________________

(indicated if the registration number of the application is available)

Applicant _____________________________________________________________________

______________________________________________________________________________

(indicate last name, first name, patronymic (the latter - if available) and place of residence)

I am aware that the personal data provided by me, which is not necessary for the provision of the specified public service, will be subject to processing provided for by the Federal Law of July 27, 2006 No. 152-FZ, while the publication of my personal data will be carried out by Rospatent in accordance with the current legislation.

I am aware that this consent is valid for an indefinite period. In case of withdrawal of consent to the processing of personal data, the Federal Service for Intellectual Property has the right to continue processing personal data without my consent in accordance with Part 2 of Article 9 and Clause 4 of Part 1 of Article 6 of the Federal Law of July 27, 2006 No. 152-FZ.

Signature _______________________________________________

last name, first name, patronymic (last - if available)

Date _____________

Step 4. Provide, at the request of an individual, information regarding the processing of his personal data (Part 7, Article 14 of the Law of July 27, 2006 No. 152-FZ). Such information includes, for example:

  • confirmation of the fact of processing of personal data;
  • purposes of processing personal data;
  • methods of processing personal data;
  • name and address of the employer, information about persons (except for the operator’s employees) who have access to personal data or to whom personal data may be disclosed by law, etc.

How to work with personal data on the site

Publish or otherwise provide unrestricted access to the document that defines the policy for the processing of personal data. If the farm collects personal data on the Internet, this step also needs to be taken (Clause 2 of Article 18.1 of the Law of July 27, 2006 No. 152-FZ).

For example, on some sites the user indicates his full name and e-mail when registering or responding to a vacancy. Then you need to place links to documents on the site:

  • “Personal Data Processing Policy”;
  • “Regulations on the processing of personal data”, etc.

How long to store personal data

Personal data must be destroyed within 30 days from the date of receipt of consent to the processing of personal data. A different period can be established in a contract or agreement with the individual.

If the farm is unable to destroy personal data within the deadline, the information must be blocked. After this, the personal information must be destroyed no later than six months later (Part 6, Article 21 of Law No. 152-FZ).

The commission destroys personal data based on the order of the manager. The result must be formalized in the form of an act of termination of processing of personal data. Another option is to make a record of destruction in a special journal.

Who faces new fines for violating work with personal data?

From July 1, 2017, the list of grounds for bringing an employer to administrative liability in the field of personal data protection will expand. In addition, the amount of fines will increase (Federal Law No. 13-FZ of February 7, 2017).

Previously, there was only one fine: from 500 to 1,000 rubles for the director and from 5,000 to 10,000 rubles for a legal entity (Article 13.11 of the Code of Administrative Offenses of the Russian Federation). Now there will be six types of liability. For various violations by employers in the field of personal data, inspectors will be able to impose several fines. More details about the types of violations and fines are given in the table.

Fines for violating the rules for working with personal data

Violation: Personal data was processed illegally or processed for purposes other than the stated purpose. For example, a company transferred full names, telephone numbers and addresses to a legal entity for advertising mailings.

Warning or fine:

  • for individuals - from 1,000 to 3,000 rubles;
  • for a manager or chief accountant - from 5,000 to 10,000 rubles;
  • for legal entities - from 30,000 to 50,000 rubles.

Violation: Personal data was processed without the consent of the individual.

Warning or fine:

  • for individuals - from 3,000 to 5,000 rubles;
  • for a manager or chief accountant - from 10,000 to 20,000 rubles;
  • for legal entities - from 15,000 to 75,000 rubles.

Violation: Documents on the policy on the processing of personal data were not made publicly available.

Warning or fine:

  • for individuals - from 700 to 1,500 rubles;
  • for a director or chief accountant - from 3,000 to 6,000 rubles;
  • for individual entrepreneurs - from 5,000 to 10,000 rubles;
  • for legal entities - from 15,000 to 30,000 rubles.

Violation: The individual was not provided with information regarding the processing of his personal data.

Warning or fine:

  • for individuals - from 1,000 to 2,000 rubles;
  • for a director, personnel officer or accountant - from 4,000 to 6,000 rubles;
  • for individual entrepreneurs - from 10,000 to 15,000 rubles;
  • for legal entities - from 20,000 to 40,000 rubles.

Violation: Personal data was not destroyed or blocked.

Warning or fine:

  • for citizens - from 1,000 to 2,000 rubles;
  • for a director or chief accountant - from 4,000 to 10,000 rubles;
  • for legal entities - from 25,000 to 45,000 rubles.

Violation: Personal data of employees was collected only on paper, without any automated processing; there are no special programs for processing.

Warning or fine:

  • for individuals - from 700 to 2,000 rubles;
  • for a manager or chief accountant - from 4,000 to 10,000 rubles;
  • for individual entrepreneurs - from 10,000 to 20,000 rubles;
  • for legal entities - from 25,000 to 50,000 rubles.

On July 1, 2017, amendments to Article 13.11 of the Code of Administrative Offenses of the Russian Federation came into force, according to which fines for violation of legislation in the field of personal data (PD) were significantly increased.

When making purchases in online stores, buyers leave some information about themselves - full name, delivery address and other contact information. Therefore, owners of online stores should carefully study this issue and ensure compliance with the requirements of Federal Law dated July 27, 2006 No. 152-FZ “On Personal Data” when trading on the Internet.


What applies to the personal data of an individual who is a visitor to an online store

Personal data is any information that directly or indirectly relates to a specific individual or allows him to be identified (Clause 1, Article 3 of the Law “On Personal Data” No. 152-FZ).

In the context of organizing the work of an online store, personal data can in principle even include cookies, which are used, in particular, to personalize product offers for specific users. There are judicial precedents confirming the classification of such files as personal data, for example the Decision of the Moscow Arbitration Court dated March 11, 2016 in case No. A40-14902/2016-84-126 11.

Personal data may be:

  • processed;
  • distributed;
  • changed;
  • provided to certain persons (disclosed);
  • deleted.

These actions are performed by the personal data operator. It can be any individual, organization, or state or municipal government body. Including, of course, an online store - established by an individual (IP) or owned by a legal entity.

Therefore, becoming an operator of personal data, the online store is obliged to comply with the norms of Law No. 152-FZ. But in what cases does it acquire such status?

To acquire the status of a personal data operator, a business entity need only perform any one of the operations that constitute processing, in particular:

  • collection;
  • recording;
  • systematization;
  • accumulation;
  • clarification;
  • application;
  • distribution.

That is, having carried out at least the first procedure - collecting data (in practice - receiving from the client through an online form), the online store becomes an operator, and it has obligations to comply with the provisions of Law No. 152-FZ.

A separate segment of legal relations in which compliance with the legislation on personal data is required is the interaction of an online store as an employer and its employees (working both remotely and in offline departments of the online store). However, such legal relations, in general, are carried out in the jurisdiction of those legal norms that are relevant for the interaction of employers and employees (remote or offline), regardless of the type of activity they carry out.

In turn, the exchange of data specifically between the online store and its customers forms a separate and, in terms of the application of Law No. 152-FZ, essentially unique segment of legal relations, in which a business entity has a wide range of rights and obligations under the law.

Let's take a closer look at exactly what obligations an online store must fulfill in connection with the need to comply with the provisions of Law No. 152-FZ.


What does an online store need to do to comply with the requirements of Federal Law No. 152-FZ

The main responsibility of any operator of personal data (and an online store is no exception) is to comply with the procedure for processing it. The main condition of this procedure is obtaining consent from the subject of personal data (that is, the buyer) for such processing.

Such consent can be obtained in any reliable form (Clause 1, Article 9 of Law No. 152-FZ). But in cases provided for by law, such consent is required in writing - that is, on paper or using an electronic document certified by an electronic signature (Clause 4 of Article 9 of Law No. 152-FZ).

The purchase of goods in an online store is not directly classified by law as those operations that require the written consent of the subject of personal data. Therefore, obtaining such consent is possible, in principle, in any form - which, however, should make it possible to clearly certify the fact of the individual’s approval of the transfer of personal data to the operator.

The next duty of the personal data operator is to carry out actions aimed at realizing the legal rights of personal data subjects. In particular, we are talking about the right:

  • to confirm that the online store has received the PD and has begun processing it;
  • to receive information about the purposes and methods of processing personal data;
  • to become familiar with the persons (excluding persons on the operator’s staff) who are involved in the processing of personal data.

Other important responsibilities of personal data operators include maintaining data confidentiality. If the client of the online store has not given consent to the distribution of his data to other persons, then the business entity does not have the right to do this - or otherwise disclose personal data (Article 7 of Law No. 152-FZ). At the same time, even if consent is obtained, the online store itself bears responsibility for the actions of third parties who received the personal data of the client of the online store (Clause 5 of Article 6 of Law No. 152-FZ).

An important nuance of personal data processing is the operator’s obligation to place the data on servers located in Russia, unless otherwise specified by law (Clause 5 of Article 18 of Law No. 152-FZ). Russian online stores do not fall under the exceptions and must therefore comply with this rule.

A separate issue is the need for the operator of personal data to submit a notification that they are being processed to Roskomnadzor - in accordance with the instructions of paragraph 1 of Art. 22 of Law No. 152-FZ. In general, such notification is required. But the provisions of paragraph 2 of Art. 22 of Law No. 152-FZ provides for a wide range of exceptions to this rule.

In particular, Subclause 2 of Clause 2 of Article 22 of Law No. 152-FZ provides that operators have the right not to submit a notification when executing an agreement concluded with the subject of personal data, provided that the personal data is not transferred to third parties without the subject's consent. The purchase and sale agreement concluded between the store and the buyer fully meets these criteria. Therefore, in the general case, an online store does not need to submit the notifications in question when interacting with customers (but exceptions to this rule are possible; we will consider them later in the article).

So, the main responsibilities of the personal data operator are:

  • to obtain consent to process them;
  • to ensure confidentiality of personal data;
  • to fulfill other legal requirements (on the placement of PD on the territory of Russia, on the fulfillment of requests from PD subjects regarding how they are used).

Let’s study in more detail how these responsibilities can be technically fulfilled by an online store.


How to obtain consent to process personal data via the Internet

So, since in relation to the activities of online stores the law does not establish requirements for obtaining written consent to the processing of personal data, such consent can be obtained in any reliable way. But which one exactly?

The possible options here are:

  1. When an online store requests personal data through an order form.

In this case, consent to data processing can be obtained by making it possible to send the order data through the form only if a tick is placed (or another form element performing a similar function is activated) opposite a line containing wording such as “I agree to the processing of the personal data transmitted to the operator through this form.”

The Consent usually reflects:

  • the purpose for which the data is provided to the operator (in the case of an online store, for delivery of goods and other purposes determined by the purchase and sale procedure);
  • list of PD transferred to the operator;
  • terms and procedure for storing PD;
  • the procedure for transferring PD to certain third parties (for example, a goods delivery service).

At the same time, next to the checkbox and the link to the Consent, you should place a link to a separate document that explains in detail the procedure for processing personal data by the online store in accordance with Law No. 152-FZ: the Privacy Policy. It can be provided as an appendix to the order form. The link text should contain wording along the lines of “I have read the appendix to this form, which sets out the procedure for processing personal data in accordance with the law.”
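The following is an added example, not code from the article or from any online store it describes, showing how the server side of such an order form can enforce the scheme just described and the data minimisation advice given earlier for website forms. The names `POLICY_VERSION`, `ALLOWED_ORDER_FIELDS`, `validateOrderSubmission` and the sample submissions are assumptions made for this example. It treats the consent checkbox as valid only when it arrives as an explicit `true`, requires the form to echo the Privacy Policy version it actually rendered (so a form that loaded without the policy link, or a stale cached form, is rejected), drops fields outside the list the Consent declares, and writes a consent record that documents what was agreed, when and under which policy version.

```javascript
// Added example (not from the article): server-side handling of an online store
// order form that collects personal data via a consent checkbox and a Privacy
// Policy link. POLICY_VERSION, ALLOWED_ORDER_FIELDS, validateOrderSubmission and
// the sample submissions below are assumptions made for this example.

// Version string of the currently published Privacy Policy (assumed value).
const POLICY_VERSION = "2017-07-01";

// Personal data the Consent lists for the purpose "delivery of goods" (assumed list).
// Anything outside this list is excess data and is discarded before storage.
const ALLOWED_ORDER_FIELDS = ["lastName", "firstName", "email", "phone", "deliveryAddress"];

// Validate one submitted order form. Returns { ok: true, order, consentRecord, dropped }
// or { ok: false, errors, dropped }. Never throws on malformed input.
function validateOrderSubmission(submission, now = new Date()) {
  const errors = [];
  const body = submission && typeof submission === "object" ? submission : {};

  // 1. Consent must be an explicit boolean true. A missing field, the string "on",
  //    or any other value is treated as "no consent given".
  if (body.consent !== true) {
    errors.push("consent checkbox not confirmed");
  }

  // 2. The client must echo the policy version it rendered next to the checkbox.
  //    A form that loaded without the Privacy Policy link cannot echo it, and a
  //    stale cached form echoes an old version; both are rejected.
  if (body.policyVersionShown !== POLICY_VERSION) {
    errors.push("privacy policy link/version not shown to the user");
  }

  // 3. Data minimisation: keep only the fields the Consent lists, require the ones
  //    a delivery genuinely needs, and drop the rest (e.g. a date of birth).
  const order = {};
  const dropped = [];
  for (const [key, value] of Object.entries(body)) {
    if (key === "consent" || key === "policyVersionShown") continue;
    if (ALLOWED_ORDER_FIELDS.includes(key)) order[key] = String(value).trim();
    else dropped.push(key);
  }
  for (const required of ["firstName", "email", "deliveryAddress"]) {
    if (!order[required]) errors.push(`missing required field: ${required}`);
  }

  if (errors.length > 0) return { ok: false, errors, dropped };

  // 4. Evidence of consent: what the person agreed to, for which purpose, under
  //    which policy version and when. This record is what answers the question
  //    "was consent obtained?" during an inspection.
  const consentRecord = {
    subjectEmail: order.email,
    purpose: "delivery of goods under the purchase and sale agreement",
    dataCategories: Object.keys(order),
    policyVersion: POLICY_VERSION,
    consentGivenAt: now.toISOString(),
  };
  return { ok: true, order, consentRecord, dropped };
}

// Constructed sample submissions (not real data).
const goodSubmission = {
  firstName: "Ivan", lastName: "Petrov", email: "ivan@example.com",
  deliveryAddress: "Moscow, Tverskaya 1", dateOfBirth: "1980-01-01",
  consent: true, policyVersionShown: "2017-07-01",
};
const noConsent = { ...goodSubmission, consent: "on" };
const stalePolicy = { ...goodSubmission, policyVersionShown: "2016-01-01" };

console.log(validateOrderSubmission(goodSubmission));
console.log(validateOrderSubmission(noConsent));
console.log(validateOrderSubmission(stalePolicy));
```

The policy version is echoed by the form as a hidden field that is rendered together with the link; it is not a secret, only a check that the link was actually on the page the user saw. The consent record should be stored separately from the order and kept as long as the consent is relied upon.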

The Privacy Policy is a document that must be published in the public domain. In addition, it can be considered part of the local regulatory framework of the organization that operates the online store. Employees of the business entity must therefore be required to follow the approved Policy.

The Policy usually includes:

  • general provisions;
  • wording reflecting the purposes of collecting PD by an economic entity;
  • provisions on the legal basis for collecting personal data;
  • classification of PD used, procedure and conditions for working with them;
  • the procedure for ensuring the implementation by subjects of personal data of the rights established by law.

The Policy can reflect:

  • how the online store ensures the rights of users to request information about the processing of personal data;
  • how data storage is organized (here information can be given that establishes that the servers holding customer PD are located in Russia).

  2. When an online store requests personal data through an advertising mailing form (subscriptions to thematic materials from the site, for example booklets with discounts or promotional codes).

Personal data can be collected here under the same scheme: a checkbox next to the "I agree" item, a Consent file and a link to the Privacy Policy, with wording recording that the customer of the online store has read the Policy.

Among IT specialists and experts in personal data legislation, a widespread view holds that consent to the processing of personal data should be obtained in a way that establishes the person's expression of will with "increased reliability". Such experts view the common scheme of a checkbox, a Consent and a link to the Privacy Policy critically, and not without reason, since:

  • the checkbox may be ticked accidentally;
  • the online form may load with an error, for example without the link to the Privacy Policy, without the checkbox or without its accompanying wording;
  • a user may accidentally or deliberately enter someone else's personal data into the form.

Taking these nuances into account, it is proposed to supplement the scheme under consideration, while keeping its main elements (checkbox, Consent and link to the Privacy Policy), with a mechanism for obtaining secondary confirmation of consent. For an online store, such a mechanism could be organized as:

  1. Mandatory user registration before making a purchase.

Such registration involves filling out essentially the same form with a checkbox, Consent and link to the Privacy Policy, after which the online store sends a letter to the e-mail address specified by the user confirming registration (and at the same time certifying that consent to the processing of personal data was given and that the user was familiarized with the Privacy Policy).

In this case the form also requires a login and password, which the user will subsequently use to sign in to their account on the online store's website.

If the user does not confirm registration via the letter, consent to the processing of personal data is not considered received (although the user is still considered to have been offered the Privacy Policy to read).

This "increased reliability" method of obtaining consent can also be used by the store for marketing purposes. Through the buyer's personal account, the store can inform them about discounts and promotions, exchange messages with them and handle other tasks typical of seller-buyer interaction.

  2. Confirmation of an individual order by e-mail (without mandatory registration of an account on the online store's website).

The confirmation algorithm is essentially the same as for registering a buyer's account, except that no login and password are used. Here the confirmation serves the sole purpose of obtaining consent to the processing of personal data and verifying that the person was offered the Privacy Policy to read.

A practical caveat: the confirmation link proves only that whoever controls the mailbox agreed, and only if the link carries a token that cannot be guessed, expires, and cannot be reused after the first confirmation; otherwise the "increased reliability" is illusory.
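The following is an added example, not code from the original article, of the consent flow described above for both the order form (server-side checkbox validation, a record of which Policy text was shown) and the e-mail confirmation step (an HMAC-signed, expiring, single-use token, so that the consent record is only marked valid once the mailbox owner acts). The secret key, policy text, timestamps and the in-memory store are constructed for the demonstration; a real store would load the key from a secret store and persist the records in its database.

```python
"""Consent record with e-mail confirmation ("increased reliability" consent).

Added example, not code from the original article. Assumes an online-store
back end that keeps consent records in a dict; SECRET_KEY, the policy text
and all timestamps are constructed for the demo.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Assumption: in production this comes from a secret store, never from the repo.
SECRET_KEY = b"constructed-demo-secret-rotate-in-production"
TOKEN_TTL_SECONDS = 24 * 3600          # confirmation link valid for one day


@dataclass
class ConsentRecord:
    email: str
    policy_version: str                 # content hash of the Privacy Policy shown with the form
    purposes: Tuple[str, ...]           # purposes named in the Consent document
    requested_at: float
    confirmed_at: Optional[float] = None
    nonce: str = field(default_factory=lambda: secrets.token_urlsafe(16))


STORE: Dict[str, ConsentRecord] = {}   # keyed by normalized e-mail (constructed store)


def policy_version(policy_text: str) -> str:
    """Version the Policy by content hash so the record proves which text the user saw."""
    return hashlib.sha256(policy_text.encode()).hexdigest()[:16]


def _sign(email: str, nonce: str, expires: int) -> str:
    msg = f"{email}|{nonce}|{expires}".encode()
    mac = hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()
    return f"{nonce}.{expires}.{mac}"


def start_consent(form: dict, policy_text: str, now: float) -> str:
    """Server-side gate for the order/registration form.

    Returns the token to put in the confirmation e-mail; the record stays
    unconfirmed (i.e. consent NOT received) until that token comes back.
    """
    # Validate the checkbox on the server: a request without the field
    # (broken page load, tampered submission) is not consent.
    if form.get("consent") != "on":
        raise ValueError("consent checkbox not set")
    email = form["email"].strip().lower()
    rec = ConsentRecord(email=email, policy_version=policy_version(policy_text),
                        purposes=("delivery", "order_notifications"), requested_at=now)
    STORE[email] = rec
    return _sign(email, rec.nonce, int(now) + TOKEN_TTL_SECONDS)


def confirm_consent(email: str, token: str, now: float) -> bool:
    """Handler for the link in the confirmation e-mail.

    Only the mailbox owner can complete this step, which answers the
    "someone else's data was entered" objection. The token is bound to the
    e-mail and a per-record nonce, expires, and is accepted at most once.
    """
    rec = STORE.get(email.strip().lower())
    if rec is None or rec.confirmed_at is not None:
        return False                    # unknown record, or already confirmed (single use)
    try:
        _nonce, expires_str, _mac = token.split(".")
        expires = int(expires_str)
    except ValueError:
        return False                    # malformed token
    if now > expires:
        return False                    # expired link
    expected = _sign(rec.email, rec.nonce, expires)
    if not hmac.compare_digest(expected, token):
        return False                    # forged, or nonce/e-mail mismatch
    rec.confirmed_at = now
    return True


def consent_is_valid(email: str) -> bool:
    """What the order pipeline asks before processing the buyer's data."""
    rec = STORE.get(email.strip().lower())
    return rec is not None and rec.confirmed_at is not None
```

The token carries no customer data, only a nonce and an expiry, so a leaked link reveals nothing; the HMAC binds it to the stored record, so a link for one address cannot confirm another. Because the record stores the Policy's content hash, the store can later show exactly which text the buyer accepted even after the Policy changes.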

The next large-scale task of an online store is to ensure the confidentiality of personal data in practice.


How can an online store ensure confidentiality of personal data?

Under paragraph 1 of Art. 18.1 of Law No. 152-FZ, the personal data operator must take the measures necessary and sufficient to fulfil the obligations provided for by law; the operator determines the list of such measures independently, unless otherwise provided by law.

Obviously, we are talking, first of all, about measures that are designed to ensure the confidentiality of personal data - that is:

  • preventing access to them by persons who are not authorized to read the relevant PD;
  • preventing unauthorized use, modification or distribution of PD;
  • protecting personal data against cyber threats, and against modification, distribution and other unauthorized operations that result from technical failures.

The law proposes the following measures aimed at solving these problems:

  1. Appointment by an operator that is a legal entity of a responsible employee who organizes the processing of personal data at the enterprise.
  2. Development by the operator of internal regulations governing the procedure for processing personal data in accordance with legal requirements.
  3. Application of technical means to ensure PD protection.
  4. Carrying out internal control procedures over PD processing.
  5. Assessing the harm that violations of personal data legislation may cause to data subjects, and eliminating the consequences of such violations.
  6. Carrying out the necessary work with employees to raise their level of knowledge in the field of personal data protection.

By analogy, all of these rules also apply to individual entrepreneurs selling online, including an individual entrepreneur who works alone without employees: he may acquire staff at some point, and by then valid internal regulations governing the processing of personal data should already be in place.

Note that under paragraph 4 of Art. 18.1 of Law No. 152-FZ, the documents an online store must produce in implementing the above requirements may be requested by Roskomnadzor when it inspects the business entity.

Either way, the measures by which the personal data operator meets the requirements of the law (above all, confidentiality of personal data) fall into two groups:

  • organizational (essentially legal);
  • technical.

Organizational (legal) measures consist mainly of documenting the mechanisms of interaction between the online store (represented by its owner or employees) and the buyer.

Note that implementing the organizational and legal measures also entails drafting a purchase and sale agreement (public offer) between the store and the buyer, on the basis of which consent to the processing of personal data is given in a form other than written: by ticking the checkbox in the order form, with a link to the Privacy Policy.

Technical measures come in a wide range; let us look at them in more detail.


What is the technical side of ensuring PD confidentiality?

The main source of legal norms that must be followed when solving technical problems to ensure the confidentiality of personal data is the provisions of Art. 19 of Law No. 152-FZ.

It states, in particular, that the security of personal data is ensured by:

  1. Identifying threats to the security of personal data during their processing in information systems.

In practice this measure starts with a threat model: which actors and failure modes can reach the personal data collected through order forms on the website or stored on servers administered by the online store. The detection tools follow from it: anti-virus and complementary solutions integrated into the site management system, designed to promptly detect automated or manual attempts at unauthorized access to that data.

  2. Using technical means to raise the level of security of personal data.

This refers first of all to data encryption tools: stored data are kept in a form that cannot be read without decryption, and decryption itself must be authorized by the online store. The protection is only as strong as the handling of the keys; a key stored next to the encrypted database on the same server gives little protection once that server is compromised.

  3. Using technical means to restore personal data that have been deleted, damaged or modified without authorization.

Here we can talk about solutions used for:

  • duplicating personal data (backup copies) in case they are deleted from the original medium, damaged or modified;
  • actually restoring deleted (damaged or modified) data from the existing copies.

  4. Using technical means to differentiate access to personal data (define access levels) depending on the status of the person authorized to process them.

For example, the manager of an online store may have access only to the buyer's contact details (to get in touch if questions arise), while the delivery manager may additionally see the address. Or the former may only be allowed to read contacts and the latter to change them.

  5. Using systems that control the persons who process personal data.

Indeed, internal regulations alone are not enough to ensure confidentiality of personal data; a mechanism for monitoring compliance with them is needed. Solutions range from selective monitoring of specific employees' actions to continuous traffic analysis for unauthorized transfer of personal data.
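As an added example (not code from the article), here is the access differentiation from item 4 and the control mechanism from item 5 in one piece: a deny-by-default permission matrix per role and per field of the customer record, with every allow/deny decision written to an audit trail that internal control can review. The roles, field names and the customer record are constructed for the demonstration; a real store would map roles to CMS user groups and ship the audit log off the web server.

```python
"""Field-level access control for customer PD, plus an audit trail.

Added example, not from the original article. Roles, fields and the sample
customer record are constructed for the demo.
"""
from typing import Dict, List, Set, Tuple

# role -> field -> allowed actions. Anything not listed is denied, so a newly
# added field (e.g. passport data) is invisible to every role until granted.
PERMISSIONS: Dict[str, Dict[str, Set[str]]] = {
    "store_manager":    {"name": {"read"}, "phone": {"read"}, "email": {"read"}},
    "delivery_manager": {"name": {"read"}, "phone": {"read", "write"},
                         "address": {"read", "write"}},
    "support":          {"name": {"read"}, "email": {"read", "write"}},
}

# (actor, role, action, field, allowed). In production this goes to an
# append-only log outside the web server, not into a Python list.
AUDIT_LOG: List[Tuple[str, str, str, str, bool]] = []


class AccessDenied(PermissionError):
    pass


def check(actor: str, role: str, action: str, field: str) -> bool:
    """Single decision point: every read/write of a PD field passes through here."""
    allowed = action in PERMISSIONS.get(role, {}).get(field, set())
    AUDIT_LOG.append((actor, role, action, field, allowed))
    return allowed


def read_customer(actor: str, role: str, record: dict) -> dict:
    """Return only the fields this role may read; other fields never leave the store."""
    return {f: v for f, v in record.items() if check(actor, role, "read", f)}


def update_customer(actor: str, role: str, record: dict, changes: dict) -> dict:
    """Apply changes only if every touched field is writable for the role (all-or-nothing)."""
    for f in changes:
        if not check(actor, role, "write", f):
            raise AccessDenied(f"{actor} ({role}) may not write {f}")
    record.update(changes)
    return record


def denied_events(log: List[Tuple[str, str, str, str, bool]] = AUDIT_LOG):
    """What the internal-control review looks at: every refused access attempt."""
    return [e for e in log if not e[4]]


# Constructed sample record; the passport field is granted to nobody.
SAMPLE_CUSTOMER = {
    "name": "Ivan Ivanov",
    "phone": "+7 900 000-00-00",
    "email": "ivan@example.com",
    "address": "Moscow, Tverskaya 1",
    "passport": "4500 000000",
}
```

Two properties matter here. Filtering happens at the data layer, so a template or API handler cannot accidentally expose a field the role was never granted; and the audit log records denials as well as grants, which is what turns the permission matrix into a control mechanism rather than a convenience.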

How secure an information system processing personal data must be is determined from the potential harm that typical threats could cause to the data subjects. The types of such threats and the security requirements corresponding to each level of protection are defined in Decree of the Government of Russia dated November 1, 2012 No. 1119.

Let's take a closer look at them.

How secure should an online store be for safe processing of personal data?

In order to determine what specific measures are needed to ensure the required level of personal data protection, the owner of an online store should use the table in the Appendix to the Composition and Content of Organizational and Technical Measures approved by Order No. 21 of FSTEC of Russia.

Note that this list concerns, first of all, the same personnel aspects of organizing the work of an online store. But even if its owner is an individual entrepreneur working without staff, then, in order to protect customers' personal data at least at the lowest (fourth) level, he will have to:

  • apply means of identification and authentication of users;
  • manage user accounts;
  • control access to the server on which the PD is located;
  • use antivirus;
  • identify incidents related to unauthorized access to personal data.
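The last item on the list, identifying incidents of unauthorized access, is the one most often left as a paper requirement. As an added example (not code from the article), here is a minimal detector run over constructed web-server access log lines: it flags a client that walks through many distinct order IDs in a short window, or collects repeated 401/403 responses on order pages, which is what probing other customers' orders looks like from the server side. The log format is nginx "combined", and the `/account/orders/<id>` path layout is an assumption.

```python
"""Detecting order-enumeration attempts against customer PD in access logs.

Added example, not from the original article. SAMPLE_LOG is constructed in
nginx combined format; the /account/orders/<id> path layout is assumed.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3}) ')
ORDER_RE = re.compile(r"^/account/orders/(\d+)$")
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: 203.0.113.7 walks order IDs 1001..1006 in six seconds and
# is refused four times; 198.51.100.20 only looks at its own order twice.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jul/2017:10:00:01 +0300] "GET /account/orders/1001 HTTP/1.1" 200 812
203.0.113.7 - - [01/Jul/2017:10:00:02 +0300] "GET /account/orders/1002 HTTP/1.1" 403 120
203.0.113.7 - - [01/Jul/2017:10:00:03 +0300] "GET /account/orders/1003 HTTP/1.1" 403 120
203.0.113.7 - - [01/Jul/2017:10:00:04 +0300] "GET /account/orders/1004 HTTP/1.1" 403 120
203.0.113.7 - - [01/Jul/2017:10:00:05 +0300] "GET /account/orders/1005 HTTP/1.1" 403 120
203.0.113.7 - - [01/Jul/2017:10:00:06 +0300] "GET /account/orders/1006 HTTP/1.1" 200 790
198.51.100.20 - - [01/Jul/2017:10:00:10 +0300] "GET /account/orders/2001 HTTP/1.1" 200 805
198.51.100.20 - - [01/Jul/2017:10:03:15 +0300] "GET /account/orders/2001 HTTP/1.1" 200 805
198.51.100.20 - - [01/Jul/2017:10:03:20 +0300] "GET /catalog/shoes HTTP/1.1" 200 4410
"""


def parse(line: str) -> Optional[Tuple[str, datetime, str, str, int]]:
    """Return (ip, timestamp, method, path, status) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, TS_FMT), method, path, int(status)


def find_enumeration(log_text: str, window_s: int = 60,
                     min_distinct: int = 5, min_denied: int = 3) -> List[Dict]:
    """Flag clients that, within window_s seconds, request min_distinct different
    order IDs or receive min_denied 401/403 responses on order pages."""
    per_ip: Dict[str, List[Tuple[datetime, int, int]]] = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue                    # not combined format; skip rather than crash
        ip, t, _method, path, status = ev
        m = ORDER_RE.match(path)
        if m:
            per_ip[ip].append((t, int(m.group(1)), status))

    alerts = []
    for ip, events in per_ip.items():
        events.sort()
        for t0, _, _ in events:        # slide a window starting at each request
            win = [e for e in events if 0 <= (e[0] - t0).total_seconds() <= window_s]
            distinct = {e[1] for e in win}
            denied = sum(1 for e in win if e[2] in (401, 403))
            if len(distinct) >= min_distinct or denied >= min_denied:
                alerts.append({"ip": ip, "from": t0.isoformat(),
                               "distinct_orders": len(distinct), "denied": denied})
                break                   # one alert per client is enough for triage
    return alerts
```

The thresholds are deliberately conservative; the point is that an access-control failure (a 403) is a signal in its own right, and that a run of distinct IDs from one client is suspicious even when every request succeeds, which is exactly the case a broken authorization check would produce.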

Of course, it makes sense for an individual entrepreneur (and a legal entity too) to delegate a significant part of such work to a third-party partner, for example the hosting provider on which the online store's website runs. But such delegation must be properly formalized: detailed agreements that clearly divide responsibilities between the online store and its partner for protecting customers' personal data in accordance with the law. Under Law No. 152-FZ the operator remains liable to the data subject for the actions of the person it entrusts with processing, so the agreement should spell out the specific measures the partner takes rather than merely stating that it "complies with the law".

In practice, many modern CMS platforms have the functionality an online store needs to meet the above requirements on security levels for processing personal data.

However, modifications and additions are often required. As a rule, the largest CMS and hosting providers try to offer products that best meet the requirements of Law No. 152-FZ and departmental standards. Still, when choosing a specific CMS it is always worth seeking additional expert advice on its compliance with personal data protection law.

These are the main nuances of an online store's compliance with Law No. 152-FZ and related acts as regards interaction with buyers. But such interaction also occurs in other legal contexts, in particular when settlements between the store and the buyer are recorded using online cash registers.

As we already noted at the beginning of the article, according to Law No. 152-FZ, personal data includes any information that may directly or indirectly relate to a specific person (or identify a person). Obviously, e-mail or phone can be, at a minimum, indirect identifiers.

As for e-mail, an address often embeds its owner's details: if such an address leaks from the online store's database, third parties can easily work out that purchases were made by, say, Stepan Petrov, born in 1976 in Moscow, who studied at the University of Massachusetts.

With a phone number it is more complicated, but it can still be treated as an indirect identifier. For example, someone who has obtained a number from an online store without authorization can call it, pose as a courier service, and ask the subscriber to confirm their full name and delivery address, actually in order to run an intrusive advertising campaign.

Thus, although under Law No. 54-FZ, which regulates online cash registers, buyers provide their contacts for receiving receipts voluntarily, this is still a transfer of personal data to the seller.

Does this mean that operations with such data will be subject to the same requirements that characterize the processing of other personal data?

Please note that some of these requirements remain relevant. For example, an online store that makes payments through an online cash register is obliged to:

  • guarantee buyers the right to receive information about the processing of personal data;
  • ensure data confidentiality;
  • comply with other requirements of Law No. 152-FZ (in particular, on the placement of personal data on Russian servers).

The most noteworthy thing is that such requirements will not include obtaining consent to the processing of personal data.

The reason is that paragraph 1 of Art. 6 of Law No. 152-FZ lists a number of exceptions to the rule that consent must be obtained. They include processing carried out in the performance of functions and duties assigned to the operator by law. For an online store, such a duty is imposed by Law No. 54-FZ: generating cash receipts for settlements with customers.

Thus, the online store is not required to ask the buyer for consent to receive the e-mail address and phone number as types of personal data.

Of course, nothing prevents the store from asking buyers for consent to process the e-mail address and telephone number at the same time as it requests consent for the other personal data. That is, the Consent downloaded when confirming the order form and the accompanying Personal Data Policy can state that part of the data, the buyer's e-mail and phone number, will be used by the online store to comply with Law No. 54-FZ, i.e. to send electronic cash receipts.

But this procedure, strictly speaking, is optional from the point of view of legislation - although it is not at all complicated.

At the same time, the seller should keep in mind that obtaining personal data in order to comply with Law No. 54-FZ does not fall under the exceptions in paragraph 2 of Art. 22 of Law No. 152-FZ, which concern the obligation to notify Roskomnadzor of the processing of personal data. That is, when accepting payment online, such a notification must be submitted. Having received the notification from the online store, the agency enters it in the register of personal data operators.

The notice must indicate:

  1. The name of the document: "Notice on the processing of personal data."
  2. The name of the operator and its legal address.
  3. The legal basis and purposes of data processing.
  4. The types of data processed.
  5. The categories of persons who become subjects of personal data.
  6. Data processing methods.
  7. Measures to ensure the security of data processing.
  8. Information about the location of the servers on which personal data are stored.
  9. The date on which data processing starts.
  10. Conditions for terminating data processing.

The full name and position of the author of the notification shall be indicated. He puts down the date the document was drawn up and signs it.

Thus, the law imposes an impressive amount of obligations on online store owners. And the sanctions for failure to comply are quite serious. Let's study them.

Liability and new fines

For violation of legal requirements on this issue, the following sanctions are provided:

  1. Administrative fines.

Their main list is defined in Art. 13.11 of the Code of Administrative Offenses of the Russian Federation, but some are set out in other articles of the Code.

Typical fines include:

  • for processing personal data without the consent of their owner - up to 20 thousand rubles for officials and individual entrepreneurs, up to 75 thousand rubles - for legal entities (Article 13.11 of the Code of Administrative Offenses of the Russian Federation);
  • for refusal to provide an individual with information with which he has the right to become acquainted by law - up to 10 thousand rubles for officials and individual entrepreneurs (Article 5.39 of the Code of Administrative Offenses of the Russian Federation);
  • for unlawful (not provided for designated purposes) processing of personal data - up to 10 thousand rubles for officials and individual entrepreneurs, up to 50 thousand rubles for legal entities (Article 13.11 of the Code of Administrative Offenses of the Russian Federation);
  • for the absence of a published Privacy Policy - up to 6 thousand rubles for officials, for individual entrepreneurs - up to 10 thousand rubles, for legal entities - up to 30 thousand rubles (Article 13.11 of the Code of Administrative Offenses of the Russian Federation);
  • for refusal to familiarize an individual with information about the processing of his personal data - up to 6 thousand rubles for officials, up to 15 thousand rubles for individual entrepreneurs, up to 40 thousand rubles for legal entities (Article 13.11 of the Code of Administrative Offenses of the Russian Federation).

  2. Criminal liability.

In accordance with Art. 137 of the Criminal Code of the Russian Federation, the illegal collection of personal data that constitutes a citizen’s personal secret can lead to a fine of up to 200 thousand rubles or the assignment of correctional labor, disqualification, or imprisonment for up to 2 years.

  3. Sanctions determined in civil proceedings.

Here we can talk about a variety of sanctions, but typical ones include:

  • obligation to compensate for losses caused to the PD subject as a result of the operator’s violation of the provisions of Law No. 152-FZ;
  • obligation to compensate for moral damage to the subject of the personal data.

One way or another, most likely, if an online store violates the norms of Law No. 152-FZ, administrative sanctions will be applied to it. At the same time, it should be borne in mind that the most stringent of them - in particular, a fine for failure to obtain consent to data processing (up to 75 thousand rubles) are applied in case of violation of the requirements for written consent to the processing of personal data. If it is permissible to obtain consent in any reliable form, then if such consent is not obtained, a sanction is applied in the form of a fine for unlawful processing of data (up to 50 thousand rubles).

There is a possibility that a number of additional administrative sanctions will be applied to the operator. For example:

  • in the form of a fine for non-compliance with data protection requirements - up to 2 thousand rubles for officials and individual entrepreneurs, up to 15 thousand rubles for legal entities (Article 13.12 of the Code of Administrative Offenses of the Russian Federation);
  • in the form of a fine for failure to provide notification to Roskomnadzor - up to 500 rubles for officials and individual entrepreneurs, up to 5,000 rubles for legal entities (Article 19.7 of the Code of Administrative Offenses of the Russian Federation).

It is theoretically possible for an online store's website to be blocked by court decision, for example if it allows customers' personal data to be published without their consent in purchase reviews.

Depending on the specific violation and the scope of legal relations in which the violation was committed, various sanctions may thus be initiated against the personal data operator.

From July 1, 2017, liability for violations involving the personal data of individuals has been significantly tightened. This follows from Federal Law dated 02/07/2017 No. 13-FZ. The changes affect all employers without exception that process the personal data of employees and individual contractors. Moreover, the amendments apply to almost the entire business community that interacts with personal data of individuals (for example, owners of websites that collect personal data of visitors). How to prepare for the changes? Will fines increase? Who will detect violations in the processing of personal data? Let's figure it out.

Personal data: special information

Personal data of employees is information that the employer needs in connection with labor relations and that relates to a specific employee (Clause 1, Article 3 of the Federal Law of July 27, 2006 No. 152-FZ "On Personal Data").

For an employer (organization or individual entrepreneur), the personal data of employees is most often collected in their personal cards and personal files. Almost every HR manager or HR specialist knows that personal data may be obtained only from the employees themselves. If personal information can be obtained only from third parties, Russian legislation obliges the employer to notify the employee and obtain his written consent (clause 3 of part 1 of Article 86 of the Labor Code of the Russian Federation).

Employers do not have the right to receive and process personal data that is not directly related to the person's work. That is, it is impossible to collect information, for example, about employees' religion: such information constitutes a personal or family secret and cannot be connected with the performance of work duties (clause 4 of part 1 of Article 86 of the Labor Code of the Russian Federation).

Having received personal data, the employer, by virtue of legal requirements, is obliged not to distribute it or disclose it to third parties without the employee’s consent (Article 7 of the Federal Law of July 27, 2006 No. 152-FZ).

Personal data can be understood as any information directly or indirectly related to a specific individual (subject of personal data) - paragraph 1 of Article 3 of the Federal Law of July 27, 2006 No. 152-FZ. Examples of such information may be last name, first name, patronymic, date and place of birth, place of residence, etc.

How an employer is obliged to protect personal data

In order to protect and limit access to personal data, the employer must put in place a high-quality, up-to-date system for their protection. How exactly? Each employer decides this independently. At the same time, the procedure for receiving, processing, transferring and storing personal data must be set out in an internal act of the organization, for example in Regulations on the processing of employees' personal data (Articles 8 and 87 of the Labor Code of the Russian Federation; clause 2, part 1, Article 18.1 of the Federal Law of July 27, 2006 No. 152-FZ).

Also, the employer must officially appoint an employee who is responsible for working with personal data (Part 5 of Article 88 of the Labor Code of the Russian Federation). This could be, for example, an employee of the HR department who interacts with personal files, obtains employee consent for processing, maintains employee cards, etc.

Inspections of the employer regarding the processing of personal data are carried out by departments of Roskomnadzor. Order No. 312 of the Ministry of Telecom and Mass Communications of Russia dated November 14, 2011 approved the Administrative Regulations for the execution by Roskomnadzor of functions for the implementation of state control (supervision).

What responsibilities apply to employers

For violation of the procedure for receiving, processing, storing and protecting personal data of employees, disciplinary, material, administrative and criminal liability is provided (Article 90 of the Labor Code of the Russian Federation, Part 1, Article 24 of the Federal Law of July 27, 2006 No. 152-FZ). Let's look at each of these types of responsibility.

Disciplinary responsibility

Employees who are obliged under their employment relationship to comply with the rules for working with personal data, but have violated them, can be held disciplinarily liable (Article 192 of the Labor Code of the Russian Federation). For example, the HR manager entrusted with the relevant work can be held accountable. For a disciplinary offense in the collection, processing or storage of personal data, the employer may apply one of the following penalties (Part 1 of Article 192 of the Labor Code of the Russian Federation):

  • a remark;
  • a reprimand;
  • dismissal.

Material liability

An employee's financial liability may arise if a violation of the rules for working with personal data causes the organization direct actual damage (Article 238 of the Labor Code of the Russian Federation). Suppose the responsible HR employee commits a gross violation and publishes employees' personal data on the Internet. The employees, having learned of this, sue the employer, and the court rules that the employer must pay each injured employee monetary compensation of 50,000 rubles. In such a situation, the employer can impose limited financial liability on the guilty HR employee, within the limits of his average monthly earnings (Article 241 of the Labor Code of the Russian Federation). Recovery can be ordered by the manager no later than one month from the date the amount of damage caused by the employee is finally determined. If that month has expired, the damages will have to be recovered through the court. This procedure is provided for in Article 248 of the Labor Code of the Russian Federation.


Under full financial liability, the employee would have to compensate the organization for the entire amount of damage incurred in connection with personal data violations (Articles 242 and 243 of the Labor Code of the Russian Federation). However, as a rule, employees responsible for processing personal data are not placed under full financial liability.

An employer (for example, a commercial organization) applies disciplinary and financial liability solely at its own discretion. State regulatory authorities (including Roskomnadzor) take no part in this process.

Administrative responsibility

For violating the procedure for collecting, storing, using or distributing personal data, regulatory authorities may impose administrative fines on the employer and its officials in the following amounts:

  • for officials (for example, general director, chief accountant, personnel officer or individual entrepreneur): from 500 to 1000 rubles;
  • for an organization: from 5,000 to 10,000 rubles.

A separate (independent) fine for officials for disclosing personal data in connection with the performance of official or professional duties ranges from 4,000 to 5,000 rubles. Such penalties are described in Articles 13.11 and 13.14 of the Code of the Russian Federation on Administrative Offences.

Criminal liability

Criminal liability for the director, chief accountant or head of the company's human resources department or other person responsible for working with personal data may arise for illegal actions:

  • collection or dissemination of information about the private life of an employee, constituting his personal or family secret, without his consent;
  • distribution of information about the employee in public speaking, publicly displayed work or media.

For such violations regarding the handling of personal data, the following criminal penalties are permitted:

  • a fine of up to 200,000 rubles (or in the amount of the convicted person’s income for a period of up to 18 months);
  • compulsory work for up to 360 hours;
  • correctional labor for up to one year;
  • forced labor for a term of up to two years with or without deprivation of the right to hold certain positions or engage in certain activities for a term of up to three years;
  • arrest for up to four months;
  • imprisonment for a term of up to two years with deprivation of the right to hold certain positions or engage in certain activities for a term of up to three years.

The same acts committed by a person using his official position are punished more severely:

  • a fine of 100,000 to 300,000 rubles. (or in the amount of the convicted person’s income for a period of one to two years);
  • deprivation of the right to hold certain positions or engage in certain activities for a period of two to five years;
  • forced labor for a term of up to four years with or without deprivation of the right to hold certain positions or engage in certain activities for a term of up to five years;
  • arrest for a term of four to six months;
  • imprisonment for a term of up to four years with deprivation of the right to hold certain positions or engage in certain activities for a term of up to five years (Article 137 of the Criminal Code of the Russian Federation).

What will change from July 1, 2017

Federal Law of February 7, 2017 No. 13-FZ expanded the list of grounds for bringing an employer to administrative liability in the field of personal data protection and increased the administrative fines. The law comes into force on July 1, 2017. Administrative liability in the field of personal data has been significantly tightened, and one point is especially important: instead of the single offense described in Article 13.11 of the Code of Administrative Offenses of the Russian Federation, there will be seven. Different fines can therefore be applied for different employer violations in the field of personal data, and if several different offenses are detected, the number of fines grows accordingly. Let us explain the new offenses in more detail.

Violation 1: processing of personal data for “other” purposes

From July 1, 2017, the processing of personal data in cases not provided for by law, or the processing of personal data incompatible with the purposes for which it was collected, are independent types of administrative offense (Part 1 of Article 13.11 of the Code of Administrative Offenses of the Russian Federation). An example: an employing organization collects personal data of employees and transfers this data (full name, telephone numbers, region of residence, income level) to third-party companies for advertising purposes. The advertising firms then begin sending spam and advertising offers to the employees by phone, e-mail and to their home addresses. If the employer’s actions do not constitute a criminal offense, administrative liability may be applied. From July 1, 2017, the administrative penalty may be:

  • a warning; or
  • a fine.

Violation 2: processing of personal data without consent

As a general rule, an employer may process personal data only with the written consent of the employees. Such consent must include the following information (Part 4 of Article 9 of the Law of July 27, 2006 No. 152-FZ):

  • full name and address of the employee, and passport details (or details of another identity document), including the date of issue of the document and the issuing authority;
  • name or full name and address of the employer (operator) receiving the employee’s consent;
  • purpose of processing personal data;
  • list of personal data for the processing of which consent is given;
  • name or full name and address of the person processing personal data on behalf of the employer, if the processing will be entrusted to such a person;
  • a list of actions with personal data for which consent is given, a general description of the methods used by the employer for processing personal data;
  • the period during which the employee’s consent is valid, as well as the method of its withdrawal, unless otherwise established by federal law;
  • employee signature.

From July 1, 2017, the processing of personal data without the employee’s written consent, or if the written consent does not contain the information indicated above, is an independent administrative violation provided for in Part 2 of Article 13.11 of the Code of Administrative Offenses of the Russian Federation. Penalties are possible for this:

Violation 3: access to the personal data processing policy

The personal data operator (for example, an employer or a website) is obliged to publish, or otherwise provide unrestricted access to, the document defining its policy on the processing of personal data and information about the personal data protection requirements it has implemented. An operator collecting personal data on the Internet (for example, through a website) is obliged to publish on the Internet a document defining its policy on the processing of personal data and information about the implemented personal data protection requirements, and to provide access to that document. This is provided for in Part 2 of Article 18.1 of the Law of July 27, 2006 No. 152-FZ.

Many Internet users encounter this obligation in practice. For example, when you submit an application on a website and enter your full name and e-mail address, you may notice a link to a document such as a “Personal Data Processing Policy” or “Regulations on the Processing of Personal Data”. It must be acknowledged, however, that some sites neglect this and provide no such link. As a result, a person submits a request on the site without knowing for what purposes the site collects personal data.

Some employers also display available vacancies on their websites and invite candidates to fill out an “About Me” form. In such cases, the website must also provide access to the “Personal Data Processing Policy”.

Since July 1, 2017, Part 3 of Article 13.11 of the Code of Administrative Offenses of the Russian Federation has defined an independent offense: failure by the operator to fulfill the obligation to publish, or provide unrestricted access to, a document setting out its personal data processing policy or information on personal data protection. Liability under this part may take the form of a warning or administrative fines:

Violation 4: concealment of information

The subject of personal data (that is, the individual to whom the data relates) has the right to receive information regarding the processing of his personal data, including (Part 7 of Article 14 of the Law of July 27, 2006 No. 152-FZ):

  1. confirmation of the fact of processing of personal data by the operator;
  2. legal grounds and purposes of processing personal data;
  3. the purposes and methods of processing personal data used by the operator;
  4. name and location of the operator, information about persons (except for the operator’s employees) who have access to personal data or to whom personal data may be disclosed on the basis of an agreement with the operator or on the basis of federal law;
  5. processed personal data related to the relevant subject of personal data, the source of their receipt, unless a different procedure for the presentation of such data is provided for by federal law;
  6. terms of processing of personal data, including periods of their storage;
  7. the procedure for the exercise by the subject of personal data of the rights provided for by this Federal Law;
  8. information about completed or intended cross-border data transfers;
  9. name or surname, first name, patronymic and address of the person processing personal data on behalf of the operator, if the processing has been or will be assigned to such a person;
  10. other information provided for by the Federal Law or other federal laws.

As of July 1, 2017, amendments to Article 13.11 of the Code of Administrative Offenses of the Russian Federation on administrative liability for violation of the legislation on personal data of individuals come into force. Since the amendments affect everyone who uses personal data, we consider these innovations in this article.

Processing of personal data – 2017

Personal data is any information directly or indirectly related to a specific individual (name, residential address, date of birth, passport details, telephone number, photo, e-mail address, etc.). An organization, government agency or individual that collects and processes personal data is called an operator (Law on Personal Data dated July 27, 2006 No. 152-FZ). Operators include employers, as well as everyone who receives personal data from citizens: medical institutions, educational institutions, online stores, etc.

For the employer, such data is necessary in connection with the employment relationship. It may be obtained only from the employee personally, or from third parties with the employee’s written consent. The individual gives written consent to the processing of personal data. No form is approved by law; you may draw one up yourself, taking into account the requirements of Part 4 of Article 9 of Law No. 152-FZ (Clause 3, Part 1, Article 86 of the Labor Code of the Russian Federation; Part 1, Article 9 of Law No. 152-FZ).

Consent to the processing of personal data (sample)

It is unacceptable to collect and process employee personal data that is not related to the employee’s work activity, for example data about membership in public associations, religion, or personal life. The same applies to other operators who request data unrelated to the purpose of processing (for example, asking for passport data in a questionnaire assessing a site’s performance). Data received must not be disclosed to third parties or distributed without the individual’s consent (Article 7 of Law No. 152-FZ).

The operator is obliged to provide adequate protection to the data, for which it establishes the procedure for their receipt, processing and storage in the Regulations on Personal Data or other internal regulations. The document defines the necessary measures and also assigns a person responsible for processing. Access to such data should be allowed only to authorized persons, and they have the right to receive only the information necessary to perform specific functions (Article 88 of the Labor Code of the Russian Federation, Article 18.1 of Law No. 152-FZ).

The regulations on personal data, or another document setting out the policy for their processing, must be publicly available and presented at the request of authorized bodies; this applies both to employers and to other operators (Parts 2 and 4 of Article 18.1 of Law No. 152-FZ).

Personal data – 2017: new in administrative responsibility

Law No. 13-FZ dated 02/07/2017 adopted a new version of Article 13.11 of the Code of Administrative Offenses of the Russian Federation. Where the article previously contained a single element (violation of the Federal Law on personal data), it now lists seven grounds for administrative liability with, accordingly, different fines. It is likely that if several violations are detected at one operator, it will face several fines rather than one.

Articles 28.3 and 28.4 of the Code of Administrative Offenses of the Russian Federation have also been amended, simplifying the process of bringing operators to liability: from 07/01/2017, protocols on violations of Law No. 152-FZ on personal data are drawn up by Roskomnadzor employees rather than by the prosecutor, as before. The limitation period for bringing to liability remains the same: 3 months.

What are they fined for now?

So, here are the grounds on which entrepreneurs and organizations processing personal data can now be held administratively liable:

  • Data is processed in cases not provided for by the Federal Law on personal data, or the processing is incompatible with the purposes of collection (Part 1 of Article 13.11 of the Code of Administrative Offenses of the Russian Federation). Illegal use of personal data, if it does not entail criminal liability, is subject to a warning or a fine: 1,000-3,000 rubles for individuals, 5,000-10,000 rubles for officials, 30,000-50,000 rubles for organizations.
  • Data is processed without the written consent required by law (Part 2 of Article 13.11 of the Code of Administrative Offenses of the Russian Federation). Consent to processing must contain the information specified in Part 4 of Article 9 of Law No. 152-FZ on personal data. The 2017 changes provide, from July 1, a fine for its absence in the following amounts: 3,000-5,000 rubles for individuals, 10,000-20,000 rubles for officials, 15,000-75,000 rubles for organizations.
  • Lack of unrestricted access to the operator’s policy on the processing of personal data (Part 3 of Article 13.11 of the Code of Administrative Offenses of the Russian Federation). The obligation to provide access is established in Part 2 of Article 18.1 of Law No. 152-FZ on personal data. The inability to familiarize oneself with such a document on paper or, if the data is collected via the Internet, on the website will cost operators: 700-1,500 rubles for individuals, 3,000-6,000 rubles for officials, 5,000-10,000 rubles for individual entrepreneurs, 15,000-30,000 rubles for organizations; in the best case, the operator gets off with a warning.
  • Failure to provide a person with information regarding the processing of his personal data (Part 4 of Article 13.11 of the Code of Administrative Offenses of the Russian Federation). The procedure for requesting such information is prescribed in Article 14 of Law No. 152-FZ. From 07/01/2017 the violation is subject to a warning or a fine: 1,000-2,000 rubles for individuals, 4,000-6,000 rubles for officials, 10,000-15,000 rubles for individual entrepreneurs, 20,000-40,000 rubles for organizations.
  • Failure to comply within the established time frame with a demand to block, correct or destroy personal data (Part 5 of Article 13.11 of the Code of Administrative Offenses of the Russian Federation). An individual or his representative may make such a demand if the data is incomplete, inaccurate, obtained in violation of the law, or out of date; this is established by Article 21 of Law No. 152-FZ on personal data. Violators receive a warning or a fine: 1,000-2,000 rubles for individuals, 4,000-10,000 rubles for officials, 10,000-20,000 rubles for individual entrepreneurs, 25,000-45,000 rubles for organizations.
  • Failure to comply with the conditions ensuring the safety of personal data during non-automated processing (Part 6 of Article 13.11 of the Code of Administrative Offenses of the Russian Federation). This applies to “paper” data, where unauthorized access has caused its destruction, damage, illegal distribution, etc. Failure to ensure personal data protection in 2017 entails a fine of 700-2,000 rubles for citizens, 4,000-10,000 rubles for officials, 10,000-20,000 rubles for individual entrepreneurs and 25,000-50,000 rubles for organizations.

These are the changes in the protection of personal data in 2017, effective from July 1. As we can see, the offenses have become more specific, and the fines for operators noticeably tougher.