Roskomnadzor register of personal data operators. How compliance checks of personal data processing are carried out. Maintaining the register of operators processing personal data

Legal requirements for the personal data operator

The operator is obliged to ensure the confidentiality of personal data. Article 7 of Federal Law of the Russian Federation of July 27, 2006 N 152-FZ "On Personal Data" (hereinafter FZ-152) states that the operator is not obliged to ensure confidentiality if the personal data are depersonalized or publicly available. The personal data operator does not have the right to process data without the consent of the personal data subject, that is, the person to whom the data belongs. However, Part 2 of Article 6 of FZ-152 provides for a number of cases in which the subject's consent is not required.
In particular, the subject's consent is not required if his personal data is processed on the basis of a federal law that defines the purpose and content of such processing (Article 6, Part 2, Clause 2). For example, under Law No. 3266-1 "On Education", graduates of secondary educational institutions do not have to give consent to the processing of their personal data for admission to the Unified State Exam. Bodies and organizations involved in conducting the Unified State Exam carry out "...the transfer, processing and provision of the results obtained in connection with the conduct of the Unified State Exam <…> personal data of students, participants of the Unified State Exam <…> in accordance with the requirements of the legislation of the Russian Federation in the field of personal data without obtaining the consent of these persons to the processing of their personal data" (Article 15, Clause 5.1). The April issue of the magazine "Personal Data" contains a large article devoted specifically to this problem.
Another case in which the processing of personal data does not require the subject's consent is the performance of a contract to which the personal data subject is a party. Any agreement between a company and an individual for the provision of services will do. A great deal of useful information on this topic can be found in the specialized press. The operator must also take the organizational and technical measures necessary to prevent attempts at unlawful access to personal data.

Required documents

Each personal data operator is required to have a package of documents confirming the protection of personal data of employees and clients.

The list of necessary documents may vary depending on the specifics of personal data processing, the organizational structure and other features of each individual enterprise.

In accordance with this package of documents, the enterprise must implement technical means for the protection of personal data.

Preparation of documents necessary to protect personal data

There are several ways to prepare documents in accordance with the requirements of 152-FZ “On Personal Data”:

Means of protection

Almost every organization has a personal data information system (abbreviated ISPDn), which may contain, for example, an employee's last name, first name, passport data, TIN, etc. The operator works with this information system. Depending on what data the ISPDn of a particular organization contains, it may belong to one of four classes, each of which prescribes different means of protecting personal data.

Links

  • www.rsoc.ru Register of operators processing personal data
  • www.pd.rsoc.ru Personal data portal of the Authorized body for the protection of the rights of personal data subjects
  • www.privacy-journal.ru Information and analytical journal "Personal Data"

Wikimedia Foundation. 2010.


1. These Regulations on maintaining the register of operators processing personal data (hereinafter the Regulations) were developed in accordance with the Federal Law of July 27, 2006 N "On Personal Data" (hereinafter the Law) (Collected Legislation of the Russian Federation, July 31, 2006, N 31 (part 1), Art. 3451) in order to exercise the powers to maintain the register of operators processing personal data (hereinafter the Operator) assigned to the Federal Service for Supervision of Mass Communications, Communications and Protection of Cultural Heritage (hereinafter the Service) by the Regulations on the Service, approved by Decree of the Government of the Russian Federation of 06.06.2007 N 354 (Collected Legislation of the Russian Federation, 06.11.2007, N 24, Art. 2923; N 52, Art. 6462).


2. This Regulation establishes the procedure for maintaining a register of operators processing personal data (hereinafter referred to as the Register).

3. Concepts used in these Regulations:

register - the list of operators processing personal data;

maintaining a register of operators - the activities of the Service, including the collection, recording, processing, storage and provision of data that constitute the system for maintaining a register of operators processing personal data;

operator - a state body, municipal body, legal entity or individual that organizes and (or) carries out the processing of personal data and determines the purposes and content of the processing of personal data;

processing of personal data - actions (operations) with personal data, including collection, systematization, accumulation, storage, clarification (updating, changing), use, distribution (including transfer), depersonalization, blocking, destruction of personal data.

II. Composition of information included in the register

4. The register contains the following information about Operators:

a) registration number;

b) name (last name, first name, patronymic) and address of the operator;

c) addresses of the operator's branches (representative offices) that process personal data (if any);

d) date of sending the notification;

e) purpose of processing personal data;

f) legal basis for processing personal data;

g) list of actions with personal data and a general description of the methods used by the operator for processing personal data;

h) description of the measures the operator undertakes to implement when processing personal data to ensure the security of personal data during their processing;

i) date of commencement of processing of personal data;

j) term or condition for terminating the processing of personal data;

k) date and grounds for inclusion in the register of operators;

l) date and grounds for exclusion from the register of operators;

m) changes made.

III. Conditions for including operators in the register

5. Operators are included in the Register if the following conditions are met:

Sending a notification about the processing (or the intention to process) personal data to the territorial department of the Service (hereinafter the Notification). The information specified in the Notification must comply with Part 3 of Article 22 of the Law;

Registration of the received Notification in the territorial department of the Service and its processing to decide on approval or rejection;

Signing of an order by the head of the Service or deputy head to include the Operator in the Register.

6. The original of the Notification sent by the Operator with the attachment of all received documents must be stored in the relevant territorial department of the Service.

IV. The procedure for including operators in the register

7. The Service, based on the results of the analysis of Notifications processed by its territorial departments, has the right to verify the accuracy and completeness of the information contained in the Notifications submitted by Operators, or to involve other government bodies, within their powers, in carrying out such verification. The Service also has the right to request from individuals or legal entities the information necessary to exercise its powers and to receive such information free of charge, including where it is necessary to clarify or supplement missing information.

8. Based on the results of checking the information contained in the processed Notification, the Service, within thirty days from the date of receipt of the Notification, makes a decision to include the Operator in the Register, which is issued in the form of an order from the head of the Service or the deputy head of the Service to include the Operator in the Register.

9. Based on the issued order, an entry about the Operator is made in the Register, which is assigned a registration number.

10. The date of entry of the Operator into the Register is the date of signing the order.

11. Information about the inclusion of the Operator in the Register must be published on the official website of the Service no later than three days from the date of signing the order.

V. Procedure for maintaining the Register

12. The Register is maintained in electronic form using the unified information system (hereinafter the UIS).

13. The Register is maintained by the Service, which, subject to the conditions defined by these Regulations, includes Operators in the Register by making the corresponding entries, changes the information contained in those entries, and excludes Operators from the Register by adding information about the exclusion to the previously made entries.

14. If the information contained in the Notification changes after the Operator is included in the Register, he is obliged to notify the Service about the changes within ten working days from the date of such changes. Making these changes to the Register is made on the basis of an order from the head of the Service or deputy head and does not lead to a change in the registration number of the corresponding entry in the Register.

15. The information contained in the Register is publicly available, with the exception of the description of the measures the operator takes to ensure the security of personal data (subparagraph "h" of paragraph 4 of these Regulations).

16. Information about the Register is published on the official website of the Service.

17. Operators included in the Register have the right to receive an extract from the Register upon written application to the Service, within thirty days of the application.

VI. The procedure for excluding operators from the Register

18. The issue of excluding the Operator from the Register is considered in the following cases:

Receipt by the Service or its territorial departments of a written application (application) from the Operator included in the Register for exclusion with justification attached;

Taking measures by the Service or its territorial departments to suspend or terminate by the Operator the processing of personal data carried out in violation of the requirements of the Law.

19. Operators are excluded from the Register when one of the following conditions occurs:

Liquidation of the Operator;

Termination of the Operator's activities as a result of its reorganization, with the exception of reorganization in the form of transformation;

Cancellation of a license for the Operator's licensed activity, if a condition of that license is a prohibition on transferring personal data to third parties without the written consent of the personal data subject;

Expiry of the term or occurrence of the condition for termination of the processing of personal data specified in the Notification;

A court decision on the operator’s termination of activities related to the processing of personal data;

Others established by the legislation of the Russian Federation in the field of personal data.

20. The decision to exclude the Operator from the Register is formalized by order of the head of the Service or the deputy head of the Service.

Based on the issued order, information about the exclusion of the Operator from the Register is entered into the Register. After the Operator is excluded from the Register, the registration number of the corresponding entry is not used in the future.

21. Information about the exclusion of the Operator from the Register must be published on the official website of the Service on the Internet no later than three days from the date of signing the order.

Working with personal data imposes a number of responsibilities on the operator. Let's look at a few of the most significant of them.

Notify Roskomnadzor about the start of processing personal data. Such notification must be sent to the agency before data processing begins and must indicate:

  • name (full name), address of the operator;
  • purpose of processing personal data;
  • categories of personal data;
  • categories of subjects whose personal data is processed;
  • legal basis for processing personal data;
  • a list of actions with personal data, a general description of the methods used by the operator for processing personal data;
  • measures to protect personal data;
full name of the individual or name of the legal entity responsible for organizing the processing of personal data, and their contact telephone numbers, postal addresses and e-mail addresses;
  • date of commencement of processing of personal data;
  • term or condition for termination of processing of personal data;
  • data on the presence or absence of cross-border transfer of personal data during their processing;
  • information about the location of the database containing the personal data of citizens of the Russian Federation;
  • information about ensuring the security of personal data in accordance with the requirements for the protection of personal data established by the Government of the Russian Federation (in particular, the levels of security of personal data set depending on the threats to them, the requirements whose fulfilment ensures those levels, and the technologies for storing such data outside personal data information systems).

At the same time, there are situations in which it is not necessary to notify Roskomnadzor about the processing of personal data. Examples are the processing of employee data by the employer; the operator's receipt of a client's data when concluding an agreement with him (provided the information is not given to third parties without the subject's consent and is used exclusively for performing that agreement); the processing of publicly available personal data; and issuing a one-time pass for entry to the operator's premises using only the subject's full name.

Ensure the confidentiality of personal data. This means that they cannot be distributed without the subject's consent. This duty of persons who have access to personal data is one of the main ones. In particular, when transferring employees' personal data, the employer is obliged to:

  • not disclose an employee's personal data to a third party without his written consent (except where this is necessary to prevent a threat to the employee's life and health, and in other cases provided for by law, for example when transferring data to the Social Insurance Fund, the Pension Fund of the Russian Federation, tax authorities, military commissariats, the prosecutor's office, law enforcement agencies, the state labour inspectorate (GIT), etc.);
  • warn persons receiving an employee's personal data that this information may be used only for the purposes for which it was communicated; the employer may also require such persons to confirm that this rule has been complied with;
  • transfer an employee's personal data within one organization or one individual entrepreneur in accordance with local regulations, with which the employee must be familiarized against signature;
  • allow access to employees' personal data only to specially authorized persons, who should have the right to receive only the employee data necessary to perform their specific functions;
  • not request information about an employee's state of health, except for information relevant to the employee's ability to perform the job function;
  • limit the information transmitted to employee representatives to the employee data necessary for those representatives to perform their functions.

Take measures to ensure the security of personal data. To do this, the organization should appoint a person responsible for organizing the processing of personal data. Such a person is obliged to exercise internal control over compliance by the operator and its employees with the requirements for the protection of personal data, bring the provisions of the law and the local regulations on the processing of personal data to the attention of employees, and organize the reception and handling of requests and inquiries from personal data subjects. In addition, for the same purposes, technical measures should be applied to ensure the security of processing, and documents defining the company's policy on the processing of personal data should be issued.

At the same time, the organization must make its personal data processing policy public. The best way is to post the document on the operator's website. Where this is not possible, it is enough to place a "pocket" with a paper copy of the policy anywhere accessible to the organization's visitors. The exception is operators who collect personal data directly via the Internet: they must publish the policy on the website and provide access to the document there. Recommendations for drawing up a policy on the processing of personal data can be found on the official website of Roskomnadzor.

Do not confuse the policy, which applies mainly to third parties (counterparties, clients, etc.), with the Regulations on the protection, storage, processing and transfer of employees' personal data. The latter, unlike the policy, is a local regulatory act, so it is not required to be made public, but employees must be familiarized with it against signature.


Comply with the requirements for the localization of personal data of Russian citizens. From September 1, 2015, all operators, when collecting personal data, are required to ensure that it is processed using databases located in Russia. The so-called localization of personal data initially caused a great stir among specialists and operators: the requirements of the law were formulated in such a way that experts had many concerns. Among them was the lack of clarity about which personal data the requirement covers, which operators it affects, whether processing personal data simultaneously on Russian and foreign servers is allowed, how to determine the citizenship of the subject, and so on. Roskomnadzor answered most of these questions even before the new legal requirements came into force. For example, the agency left it to operators to decide for themselves how to determine the citizenship of the person whose data is being processed, or to apply the localization requirement to the personal data of all subjects. In addition, Roskomnadzor clarified that once personal data has been recorded in a Russian database, it may be further processed in an electronic database located outside the country.

Both the personal data processing policy and the Regulations on the protection, storage, processing and transfer of employees' personal data should state that, when collecting personal data, the operator undertakes to ensure the recording, systematization, accumulation, storage, clarification (updating, changing) and retrieval of the personal data of Russian citizens using databases located on the territory of Russia, and should indicate the location of such a database.

Stop processing personal data in a timely manner. If the purpose of processing personal data has been achieved or the subject has withdrawn his consent to their processing, the operator must stop processing the data and delete it within 30 days, unless a different period is specified in the agreement.

February 21, 2014 at 11:45 pm

Or maybe not notify about the processing of personal data?

  • Information Security

Part one of Article 22 of the Federal Law of July 27, 2006 N 152-FZ “On Personal Data” (hereinafter in the article - the Law) provides for the obligation of the operator processing personal data to notify the Roskomnadzor authority before processing begins. Immediately (in the second part of the article) the Law proposes the grounds on which the operator has the right not to notify about processing. These cases are quite common. But since the Law does not prohibit notification even if there are such cases, a number of operators choose to take the notification route. It may be worth not giving notice, or even thinking about how to qualify for the “exceptions.” There are at least 3 reasons for this.

It is difficult to answer the question “Why?” for all those who decided to send a notification to the Roskomnadzor body if it was possible not to do this. Of course, marketing campaigns (image, openness) cannot be ruled out. However, in a number of cases they notify out of ignorance or based on the position “It’s better to play it safe.” I would like to draw attention to the well-known right of operators processing personal data not to notify Roskomnadzor authorities about processing and here are several reasons for this.

  1. The person who submitted the notification about the processing of personal data must bear the burden of constantly updating the submitted information. This obligation is provided for in Part 7 of Art. 22 of the Law. If an operator processing personal data does not submit a notification of a change in the information (change of the operator's address, change in the categories of personal data processed, change of the person responsible for processing personal data and his contacts, etc.), he may be brought to administrative liability. It would seem simple: something changed in the organization, so you write and send a letter. As practice shows, in most cases this is forgotten. For example, those who entered the Register (the Register includes everyone who submitted a notification about processing) of operators processing personal data before July 1, 2011 were required to additionally send, by January 1, 2013, the information provided for in clauses 5, 7.1, 10 and 11 of Part 3 of Article 22 of the Law (legal basis for the processing of personal data, full name of the responsible person, etc.). As can be seen from the Roskomnadzor register of personal data operators, more than half of the operators have not done this to date. The idea that none of these organizations has undergone any internal changes related to the processing of personal data is also questionable. I suggest you also think about whether you will monitor the relevance of your entry in the Register in a timely manner over the long term, if there is an opportunity not to do this at all.
  2. Roskomnadzor authorities plan inspections of operators processing personal data using the departmental unified information system - UIS. All operators who submitted notifications are already in it, and therefore the likelihood of being included in the inspection plan increases many times over. Organizations inspected by Roskomnadzor in other areas (communication services, distribution networks, media, broadcasting) are automatically checked for compliance with legislation in the field of personal data if they have notified Roskomnadzor about the processing.
  3. If the personal data operator decided to notify the Roskomnadzor body about processing, although he had the right not to do so, then it will not be possible to be excluded from the Register due to the fact that he could not notify at all. This possibility is not provided for either by the Law or the relevant Administrative Regulations. Or rather, it is provided only for general reasons.
If you were planning to send a notification, but something above gave you pause, the general recommendations are simple.
  1. Carefully read (and understand) Part 2 of Art. 22 of the Federal Law of the Russian Federation of July 27, 2006 N 152-FZ "On Personal Data".
  2. Look at what personal data you process and in connection with what.
  3. In some cases, it may be necessary to adjust your work with personal data carriers. I'll give an example to make clear what I mean.
One of the grounds for not notifying about the processing of personal data is provided for in clause 2 of Part 2 of Art. 22 of the Law and reads as follows:
"received by the operator in connection with the conclusion of an agreement to which the personal data subject is a party, if the personal data is not distributed or provided to third parties without the consent of the personal data subject and is used by the operator solely for the performance of the said agreement and the conclusion of agreements with the personal data subject"

So, you entered into an agreement with an individual for some service. You took the person's mobile phone number to inform him that the service is ready. In most cases, a mobile phone number is not needed for the purpose of performing the contract. If the client's mobile phone number is taken, his consent to the processing of personal data is additionally required. And in this case, you do not fall under the exception in the Law that allows you not to notify about the processing of personal data.
If the contract with this individual stipulates that a mobile phone number is needed for the purposes of performing the contract, then you can already claim the right to fall under the exception.
You can cover the need for a mobile phone number for the purposes of performing the contract with something like this: "The organization undertakes to notify the client by phone No. x...x about the readiness of...".

From July 1, 2017, liability for violation of the legislation on personal data has become stricter. What personal data do management organizations have to deal with, what should they do if the owners do not consent to the processing of personal data?

We talked about this with Dmitry Yuryevich Artyukhin, head of the Office of the Federal Service for Supervision of Communications, Information Technology and Mass Media for the Republic of Karelia.

About the processing of personal data

Dmitry Yuryevich, tell us what personal data is and is it available in the housing and communal services sector?

Personal data is any information on the basis of which a specific person can be uniquely identified.

Processing of personal data is any action, automated or non-automated, that is performed with personal data. This is the collection, recording, systematization, accumulation, storage and clarification of data.

We include the last name, first name, patronymic, date and place of birth of a person, and details of an identity document as personal data. And a lot of other information, on the basis of which you can directly or indirectly identify a specific person.

It should be borne in mind that if it is impossible to identify a specific person without obtaining additional information, then such information is not personal data.

For example, lists of debtors are published in the media. They contain last names and initials. The person cannot be identified based on this information. It’s a completely different matter if the management organization places these lists in the entrance of the house in which a person lives.

Of course, MKD management activities are associated with the processing of personal data. Each form of management: management organization, HOA or even direct management involves the collection and processing of personal data.

Management organizations enter into MKD management agreements with premises owners, in which personal data must be indicated. In addition, management companies, as legal entities, have legal relations with their employees, which are regulated by labour legislation. Therefore, management organizations are operators of personal data.

About the operator for processing personal data

Who is the operator of personal data?

In accordance with the law, a personal data operator is a state body, municipal body, legal entity or individual who, alone or with other persons, processes personal data. Such a person determines the purposes of PD processing and their composition.

Any legal entity, including management organizations, homeowners' associations and cooperatives, automatically becomes an operator of personal data.

Who should the management organization notify that it is an operator of personal data?

There is no need to notify Roskomnadzor if the operator receives personal data under an agreement with the subject of personal data, provided that the PD is not distributed or transferred to third parties.

The same rule applies if the personal data relates to members of a public association or religious organization, is publicly available and consists of a last name, first name and patronymic. The full list can be read in Part 2 of Article 22 N 152-FZ.

The decision to send a notification to the authorized body is made by the personal data operator. Whether the operator sends or does not send a notification, he still remains the operator of personal data.

We regularly remind legal entities of the need to send us notifications (Article 22 N 152-FZ). If a legal entity is not included in the register of personal data operators, this does not exempt it from control and supervisory measures.

Rather, on the contrary, those legal entities that, from our point of view, may be operators of personal data, process personal data and are not included in the list that excludes the need to send a notification, but did not send a notification, will most likely be included in the inspection plan.

The requirements for notification to Roskomnadzor are listed in Part 3 of Article 22 N 152-FZ.

About consent to the processing of personal data

When do you need to obtain consent to process personal data?

The personal data operator must understand that the processing of personal data can only be carried out with the consent of the subject of personal data or if there are other legal grounds. At the same time, it should be noted that each individual case is individual.

Who is responsible for personal data if the management company, which processes the personal data of the owners, transfers it under a contract to a third party?

If the management organization plans to entrust the processing of personal data to third parties, it must have the consent of the subject of personal data. If there is no such consent, the operator will be held accountable. There is no need to obtain consent if this is established by federal laws.

A person who processes personal data on behalf of the operator is not required to obtain the consent of the subject of personal data to process his personal data. The management organization is responsible in this situation.

What to do management organization, if the owner does not consent to the processing of personal data?

There is no way to force the owner; you need to try to convince, tell what consequences may arise for the subject in case of refusal to provide consent. But in any case, processing of personal data without consent in the absence of other legal grounds for processing personal data is not allowed.

The burden of proving consent to PD processing lies with the personal data operator.

On liability for violation of laws on personal data

What fines exist and who issues them?

Until July 1, 2017, administrative liability for violation of the established procedure for the collection, storage, use or dissemination of personal data was provided for by Article 13.11 of the Code of Administrative Offenses of the Russian Federation. For legal entities, this was a warning or an administrative fine of five thousand to ten thousand rubles.

The mechanism was as follows: Roskomnadzor carried out control and supervisory activities in the field of PD. If during the activities he discovered violations, he reported them to the prosecutor’s office for action. The prosecutor's office considered the message and, if a violation was recognized, issued a decision to initiate an administrative case and sent it to court.

Since July 1, the situation has changed. The new version of Article 13.11 of the Code of Administrative Offenses of the Russian Federation is more detailed; it now contains seven clauses, all relating to the processing of personal data. Fines have increased, and Roskomnadzor has the authority to draw up protocols, that is, to initiate administrative offense cases, bypassing the prosecutor's office.

The maximum fine provided for in Article 13.11 of the Code of Administrative Offenses of the Russian Federation as amended is 75,000 rubles. It will be possible to obtain it for the processing of personal data without obtaining the consent of the subject of personal data in writing, if it is provided for by law.