Registration of the operator of personal data for internal use. Obligations of the operator when processing personal data

February 21, 2014 at 11:45 pm

Or maybe not notify about the processing of personal data?

Part one of Article 22 of the Federal Law of July 27, 2006 N 152-FZ “On Personal Data” (hereinafter in the article - the Law) obliges the operator processing personal data to notify the Roskomnadzor authority before processing begins. Immediately afterwards (in part two of the same article), the Law lists the grounds on which the operator has the right not to notify about processing. These cases are quite common. But since the Law does not prohibit notification even when such grounds exist, a number of operators choose to take the notification route. It may be worth not giving notice, or even thinking about how to qualify for the “exceptions.” There are at least 3 reasons for this.

It is difficult to answer the question “Why?” for all those who decided to send a notification to the Roskomnadzor body if it was possible not to do this. Of course, marketing campaigns (image, openness) cannot be ruled out. However, in a number of cases they notify out of ignorance or based on the position “It’s better to play it safe.” I would like to draw attention to the well-known right of operators processing personal data not to notify Roskomnadzor authorities about processing and here are several reasons for this.

  1. The person who submitted the notification about the processing of personal data must bear the burden of constantly updating the submitted information. This obligation is provided for in Part 7 of Art. 22 of the Law. If the operator processing personal data does not submit a notification of a change in information (change of the operator’s address, change in the categories of personal data being processed, change of the person responsible for processing personal data and his contacts, etc.), then he may be brought to administrative liability. It would seem simple enough: something changed in the organization, so you write and send a letter. As practice shows, in most cases this is forgotten. For example, those who entered the Register (the Register includes everyone who submitted a notification about processing) of operators processing personal data before July 1, 2011 were required to additionally send, by January 1, 2013, the information provided for in clauses 5, 7.1, 10 and 11 of part 3 of Article 22 of the Law (legal basis for the processing of personal data, full name of the person responsible, etc.). As can be seen from the Roskomnadzor register of personal data operators, more than half of the operators have not done this to date. The idea that all these organizations have not undergone any internal changes related to the processing of personal data is also questionable. I suggest you think about whether you will keep the entries in the Register up to date in a timely manner over the long term, if there is an opportunity not to do this at all.
  2. Roskomnadzor authorities plan inspections of operators processing personal data using the departmental unified information system - UIS. All operators who submitted notifications are already in it, and therefore the likelihood of being included in the inspection plan increases many times over. Organizations inspected by Roskomnadzor in other areas (communication services, distribution networks, media, broadcasting) are automatically checked for compliance with legislation in the field of personal data if they have notified Roskomnadzor about the processing.
  3. If the personal data operator decided to notify the Roskomnadzor body about processing, although he had the right not to do so, then it will not be possible to be excluded from the Register on the grounds that he was entitled not to notify at all. This possibility is not provided for either by the Law or the relevant Administrative Regulations. Or rather, exclusion is provided for only on general grounds.

If you were planning to send a notification, but the above somehow caught your attention, the general recommendations are simple.
  1. Carefully read (understand) Part 2 of Art. 22 of the Federal Law of the Russian Federation of July 27, 2006 N 152-FZ “On Personal Data”.
  2. See what personal data your organization processes and in connection with what.
  3. In some cases, it may be necessary to adjust your work with personal data carriers. I'll give an example to make it clear what I mean.
One of the grounds for not notifying about the processing of personal data is provided for in clause 2, part 2, Art. 22 of the Law and reads as follows:
“received by the operator in connection with the conclusion of an agreement to which the subject of personal data is a party, if personal data is not distributed or provided to third parties without the consent of the subject of personal data and is used by the operator solely for the execution of the specified agreement and the conclusion of contracts with the subject of personal data”

So, you entered into an agreement with an individual for some service. You took the person’s mobile phone number to inform them that the service was ready. In most cases, a mobile phone number is not needed for the purpose of fulfilling the contract. If a client’s mobile phone number is taken, his consent to the processing of personal data is additionally required. However, in this case, you do not fall under the exception in the Law, which allows you not to notify about the processing of personal data.
If the contract with this individual stipulates the need to have a mobile phone number for the purposes of fulfilling the contract, then you can already claim the right to fall under the exception.
The need to have a mobile phone number for the purposes of fulfilling a contract can be worded in the contract something like this: “The organization undertakes to notify the client by phone No. x... x about readiness...”.

In what cases is it necessary to notify Roskomnadzor about the processing of personal data? The answer is in the article.

Question: Are we required by law to register in the register of personal data operators of Roskomnadzor? Paragraph 2 of Art. 22 of the Law of July 27, 2006 No. 152-FZ “On Personal Data” states: “2. The operator has the right to process personal data without notifying the authorized body for the protection of the rights of personal data subjects.” We are not required to register in the register?

Answer: There is no need to register in the register of personal data operators of Roskomnadzor, since there is no registration procedure. Before processing personal data, the operator is obliged to send a notification to Roskomnadzor (Clause 1, Article 22 of Law No. 152-FZ). Roskomnadzor maintains a register of operators based on notifications.

At the same time, there are exceptions to this rule of law, listed in detail in paragraph 2 of Art. 22 of Law No. 152-FZ.

Rationale

Storage of personal data in Russia. What features are there for employee information?

Notification is required if the company processes personal data not only of employees and of contractors who are individuals. That is, virtually any company is obliged to notify officials about the processing of personal data.

As a general rule, the employer is obliged to send a notification to Roskomnadzor about the start of processing personal data (Part 1, Article 22 of Law No. 152-FZ). Many companies still haven't done this. They justify it this way: the employer processes personal data only of its employees. Therefore, the company falls under the exception established in clause 1, part 2, art. 22 of Law No. 152-FZ. According to this provision, the employer has the right to process personal data in accordance with labor legislation without notifying Roskomnadzor.

But in most cases, the position that notification is not required is erroneous. After all, the employer processes data not only of employees, but also of other entities. For example, representatives of counterparties when receiving powers of attorney or employees of other companies belonging to the same group as the employer. In such cases, it is recommended to send a notification to Roskomnadzor.

In what form should Roskomnadzor be notified?

Include in the notification information about the personal data of employees (clause 7 of the Temporary Recommendations for filling out the notification form, approved by Roskomnadzor on December 30, 2014). Exceptions established in Part 2 of Art. 22 of Law No. 152-FZ are not applicable in this case.

Roskomnadzor will enter the information from the notification into the register of operators within 30 days from the date of receipt of the document. There is no fee for this (Parts 4 and 5 of Article 22 of Law No. 152-FZ).

Employers who have not notified Roskomnadzor risk receiving a letter from officials. In response, employers will be required to send a notice or justify the reasons for not sending it. In the latter case, the risk of Roskomnadzor verifying the validity of this type of justification increases. Thus, according to the annual report for 2014, Roskomnadzor sent more than 58 thousand such letters to operators (

From July 1, 2017, liability for violation of the legislation on personal data has become stricter. What personal data do management organizations have to deal with, what should they do if the owners do not consent to the processing of personal data?

We talked about this with Dmitry Yuryevich Artyukhin, head of the Federal Service for Supervision of Communications, Information Technologies and Mass Communications in the Republic of Karelia.

About the processing of personal data

Dmitry Yuryevich, tell us what personal data is and is it available in the housing and communal services sector?

Personal data is any information on the basis of which a specific person can be uniquely identified.

Processing of personal data is any action, automated or non-automated, that is performed with personal data. This is the collection, recording, systematization, accumulation, storage and clarification of data.

We include the last name, first name, patronymic, date and place of birth of a person, and details of an identity document as personal data. And a lot of other information, on the basis of which you can directly or indirectly identify a specific person.

It should be borne in mind that if it is impossible to identify a specific person without obtaining additional information, then such information is not personal data.

For example, lists of debtors are published in the media. They contain last names and initials. The person cannot be identified based on this information. It’s a completely different matter if the management organization places these lists in the entrance of the house in which a person lives.

Of course, apartment building management activities are associated with the processing of personal data. Each form of management: management organization, HOA or even direct management involves the collection and processing of personal data.

Management organizations enter into agreements with the owners of premises for the management of apartment buildings, in which personal data must be indicated. In addition, management companies, as legal entities, have legal relations with their employees, which are regulated by labor legislation. Therefore, management organizations are operators for the processing of personal data.

About the operator for processing personal data

Who is the operator of personal data?

In accordance with the law, a personal data operator is a state body, municipal body, legal entity or individual who, alone or with other persons, processes personal data. Such a person determines the purposes of PD processing and their composition.

Any legal entity, including management entities, homeowners' associations and cooperatives, automatically becomes an operator of personal data.

Who should the management organization notify that it is the operator of personal data?

There is no need to notify Roskomnadzor if the operator receives personal data under an agreement with the subject of personal data, provided that the PD is not distributed or transferred to third parties.

The same rule applies if the personal data relates to members of a public association or religious organization, is publicly available and consists of a last name, first name and patronymic. The full list can be read in Part 2 of Article 22 N 152-FZ.

The decision to send a notification to the authorized body is made by the personal data operator. Whether the operator sends or does not send a notification, he still remains the operator of personal data.

We regularly remind legal entities of the need to send us notifications (Article 22 N 152-FZ). If a legal entity is not included in the register of personal data operators, this does not exempt it from control and supervisory measures.

Rather, on the contrary, those legal entities that, from our point of view, may be operators of personal data, process personal data and are not included in the list that excludes the need to send a notification, but did not send a notification, will most likely be included in the inspection plan.

The requirements for notification to Roskomnadzor are listed in Part 3 of Article 22 N 152-FZ.

About consent to the processing of personal data

When do you need to obtain consent to process personal data?

The personal data operator must understand that the processing of personal data can only be carried out with the consent of the subject of personal data or if there are other legal grounds. At the same time, it should be noted that each individual case is individual.

Who is responsible for personal data if the management company, which processes the personal data of the owners, transfers it under a contract to a third party?

If the management organization plans to entrust the processing of personal data to third parties, it must have the consent of the subject of personal data. If there is no such consent, the operator will be held accountable. There is no need to obtain consent if this is established by federal laws.

A person who processes personal data on behalf of an operator is not required to obtain the consent of the subject of personal data to process his personal data. The management organization is responsible in this situation.

What should the management organization do if the owner does not consent to the processing of personal data?

There is no way to force the owner; you need to try to convince, tell what consequences may arise for the subject in case of refusal to provide consent. But in any case, processing of personal data without consent in the absence of other legal grounds for processing personal data is not allowed.

The burden of proving consent to PD processing lies with the personal data operator.

On liability for violation of laws on personal data

What fines exist and who issues them?

Until July 1, 2017, administrative liability was established for violation of the established procedure for the collection, storage, use or distribution of personal data under Article 13.11 of the Administrative Code of the Russian Federation. For legal entities, this is a warning or the imposition of an administrative fine from five thousand to ten thousand rubles.

The mechanism was as follows: Roskomnadzor carried out control and supervisory activities in the field of PD. If during the activities it discovered violations, it reported them to the prosecutor’s office for action. The prosecutor's office reviewed the report and, if a violation was recognized, issued a decision to initiate an administrative case and sent it to court.

Since the first of July the situation has changed. The new version of Article 13.11 of the Code of Administrative Offenses of the Russian Federation is more detailed; it now contains seven clauses, all of them related to the processing of personal data. Fines are increasing, Roskomnadzor has the authority to draw up protocols, that is, initiate cases of administrative offenses, bypassing the prosecutor's office.

The maximum fine provided for in Article 13.11 of the Code of Administrative Offenses of the Russian Federation as amended is 75,000 rubles. It will be possible to obtain it for the processing of personal data without obtaining the consent of the subject of personal data in writing, if it is provided for by law.

As a general rule, personal data operators are required to send a notification to Roskomnadzor before processing this data. At the same time, the law contains a number of exceptions in which it is not necessary to notify Roskomnadzor.

If a company plans to collect information about individuals, it must notify Roskomnadzor immediately after registration. Moreover, the agency must be notified of the intention to process the personal data of citizens before processing the information begins (Article 22 of the Federal Law of July 27, 2006 No. 152-FZ “On Personal Data”). On July 1, 2017, increased administrative fines were introduced for non-compliance with the requirements of Federal Law No. 152-FZ.

You can send a message to Roskomnadzor via the Internet on the official website of the department. The notice indicates the legal basis for the processing of personal data, the purpose of data collection, the start date of processing and measures to ensure the safety of the information received. Data collection is considered to be the collection from individuals of any information that allows them to be identified.

At the same time, the law contains a number of exceptions in which it is not required to notify Roskomnadzor. The list of such exceptions is established in Art. 22 of the Federal Law of July 27, 2006 No. 152-FZ. Notification is not required in the following cases:

  • When collecting and processing personal data without the use of automation tools. If processing is carried out without a computer and electronic databases, there is no need to notify Roskomnadzor. At the same time, the data operator must comply with the requirements of the Decree of the Government of the Russian Federation of September 15, 2008 No. 687 “Regulations on the specifics of processing personal data carried out without the use of automation tools.” The mere fact that a company uses computers does not mean that data processing is carried out using automation tools. Non-automated processing of personal data is the use, clarification, distribution or destruction of personal data that is carried out with the direct participation of a person.
  • When collecting personal information from employees as part of an employment relationship. This applies only to the data that must be provided to the employer when drawing up an employment and collective agreement. Roskomnadzor must be notified about the collection and processing of information that does not relate to labor relations. You also need to notify if the employer intends to process the data of dismissed employees (clause 1, part 2, article 22 of the Federal Law of July 27, 2006 No. 152-FZ).
  • When a company enters into an agreement with an individual. In this case, there is no need to notify Roskomnadzor if the contractor/seller/supplier does not intend to transfer personal data to third parties (clause 2, part 2, article 22 of the Federal Law of July 27, 2006 No. 152-FZ). Personal data must be used solely for the performance of the contract in connection with which it was obtained.
  • When collecting information by a public association or religious organization. Processing of information from members of such organizations is carried out without notification, unless personal data is distributed or disclosed to third parties without the written consent of the subjects of personal data (clause 3, part 2, article 22 of the Federal Law of July 27, 2006 No. 152-FZ).
  • When collecting and processing information that the individual himself has made publicly available (clause 4, part 2, article 22 of the Federal Law of July 27, 2006 No. 152-FZ).
  • When collecting personal data that includes only the first name, patronymic and last name of an individual (clause 5, part 2, article 22 of the Federal Law of July 27, 2006 No. 152-FZ).
  • Upon receipt of information for a one-time entry of an individual into the territory of the data operator (clause 6, part 2, article 22 of the Federal Law of July 27, 2006 No. 152-FZ).
  • When processing data included in personal data information systems that have the status of state automated information systems (clause 7, part 2, article 22 of the Federal Law of July 27, 2006 No. 152-FZ).
  • When collecting information by transport companies to ensure the safe functioning of the transport complex, protecting the interests of the individual, society and the state in the field of the transport complex.

In all other cases, notification of data processing is mandatory. To clarify whether your organization is required to submit a notification, you can contact Roskomnadzor.

This portal was created to provide citizens with information regarding the activities of Roskomnadzor in various areas. In addition, through this website it is easy to access any other data processor.

What it is

Roskomnadzor’s personal data portal is a tool that allows for thorough control of both ordinary citizens and individual entrepreneurs and commercial organizations. Any company processing personal data must first register with Roskomnadzor, and only then begin relevant activities.

What is it needed for


Any information that can be used to identify a specific person is considered personal information. The portal is needed to make it easier for users to interact with operators who process any data and carry out various actions for this.

You can also inform the monitoring organization itself if any violations are identified. In this case, appropriate penalties are applied.

Who can use

A specialized portal operates in the public domain. So any citizen can take advantage of its capabilities and posted information. It is enough to enter the name of the operator of interest or use its TIN. The search result will be information relating to a particular market participant.

Operator register

Personal information can include a wide range of items, including:

  1. E-mail address.
  2. An accurate description of your current place of residence.
  3. Mobile phone numbers.
  4. Information from certificates.
  5. Full name of the citizen.

Any information relating to a particular person can be considered personal. In some cases, your full name and car number are enough for identification. In other circumstances, a registration address and driver's license information are required.

  1. They process personal data independently or team up with other persons for this purpose.
  2. They themselves determine the operations with data, their composition, and the goals of the work.

An operator will be considered anyone who uses personal data and sends relevant requests. Such companies operate in all areas. It is the data about them that is entered into the register. Clients can study the TIN and permitting documentation themselves and so on.

Registration on the site

Registration on the portal is not required, all information is publicly available, no additional actions are required. The same applies to various documents devoted to the protection of visitor information.

Interface, use

There is nothing complicated here. The registry search button is located at the very top of the main page of the portal. In this line you enter any data known for a particular company. Just below is a link with an advanced search. That is, you can enter not only the name, but also the TIN and registration number, if available.

Regulatory framework

Regulates the activities of Roskomnadzor related to monitoring the implementation of legislation on the personal data of citizens. But the text of the article itself does not contain the exact name of the body vested with the relevant powers. Therefore, it is also allowed to use as support the Decree of the Government of the Russian Federation No. 228 “On the register of persons dismissed due to loss of trust,” issued in 2009. It is in this text that the powers are assigned specifically to Roskomnadzor.

According to the law, representatives of this institution have the following powers and rights:

  1. Independent bringing to administrative liability when violations related to personal data are detected.
  2. Appeal to law enforcement agencies and courts in order to protect the interests of citizens. The same can be done if any violations are detected.
  3. Restriction of access to information in the presence of violations on the part of the operator. Or issuing demands with requests to block, destroy or clarify certain information.
  4. Request for information related to the processing of personal data.

Conducting inspections by Roskomnadzor

There is a special regulation for holding such events. It was approved by the relevant Order of the Ministry of Communications No. 312 of 2011. Paragraph 32 of this regulation is devoted to situations when scheduled inspections must be carried out in relation to operators:

  1. When a company is just starting to process personal data.
  2. After 3 years have passed since the previous inspection. Or from the moment the activity began.

The organization must be notified of the upcoming inspection at least 3 days before the actual organization of the event.

Roskomnadzor has the right to conduct unscheduled inspections. For example, if there are requests from citizens and other organizations regarding violations of rights. Or when there is a threat to life or health. In this case, notification must be received 24 hours before the event.

According to the results of the inspection, specialists draw up the corresponding act. If there are violations, the latter are described in detail in the accompanying document. The persons responsible for certain violations must be indicated. A description of the legal grounds for holding citizens or companies accountable is provided.

When consent to data processing is required

Processing of information can only be carried out if the previous owner gives his consent or when there are other legal grounds. Each individual case is considered individually:

  1. In the housing and communal services sector, the consent of residents is not required when management companies engage paying agents to pay for the use of services.
  2. Some situations require written permission. This is especially true for special categories of personal data. For example, when it comes to biometric information.

Responsibility for violations

- the main document that until recently established penalties for violations in this area. Legal entities could face fines in the amount of 5,000 - 10,000 rubles or a warning issued by the competent authorities.

To identify violations, control measures were carried out in the form of inspections. Regarding violations, special messages were sent to representatives of the prosecutor's office. If the application is approved, judicial proceedings are organized.

But recently the situation has changed. Now laws have begun to describe the relevant procedures in more detail. The changes concern the following areas:

  1. Increased fines.
  2. The emergence of powers to draw up protocols and initiate cases without contacting the prosecutor's office.

About registering as an operator


This event is not mandatory for the following categories of the population and market participants:

  1. Companies requesting data, for example, to purchase tickets. This applies to any carriers operating online.
  2. Those who process data without the use of computer technology.
  3. Systems that have received the status of state automated information systems. Or organizations created to protect society and order.
  4. Any companies with a valid pass system. There is no need to register if the citizen's information is read only once to receive a pass.
  5. Companies and individuals using information disclosed by citizens themselves.
  6. Those who use information to achieve the purposes described in the founding documents.
  7. Cellular companies that need data solely to provide services.
  8. Heads of enterprises.

Therefore, many companies may not be included in the register located on the official website of Roskomnadzor. To complete the registration procedure, it is enough to submit an application following the established requirements. It is recommended to submit applications electronically or using letterhead.