7. Providing information constituting a trade secret


TERMS AND DEFINITIONS

1.1. For the purposes of the Agreement, the following terms, unless the context and content of the Agreement otherwise require, have the following meaning.

1.1.1. Confidential information – any information about persons, objects, facts, events, phenomena and processes, regardless of the form of their presentation, constituting banking, official and commercial secrets and/or information of any nature (production, technical, economic, organizational and others), including the results of intellectual activity in the scientific and technical field, as well as information about methods of carrying out professional activities that have actual or potential commercial value because they are unknown to third parties, to which there is no free access legally, protected in accordance with the legislation of the Russian Federation, as well as documents of the Parties on the protection of confidential information. The results of extracting, processing, summarizing, analytical calculations or other use of Confidential Information are also Confidential Information subject to protection under the terms of the Agreement.

1.1.2. Information media are material objects in which Confidential Information is reflected and recorded.

1.1.3. The regime for protecting Confidential Information is a set of legal, organizational, technical and other measures taken by the Parties to protect Confidential Information, including restricting access to Confidential Information, Information Media, in order to ensure its safety and inaccessibility to third parties, provided for by the legislation of the Russian Federation, documents of the Parties on protection of Confidential Information and the Agreement.

1.1.4. Disclosure of Confidential Information - an action or inaction as a result of which Confidential Information in any possible form (oral, written, other form, including using technical means) becomes known to third parties without the consent of the Disclosing Party.

1.1.5. Disclosing Party – the Party providing Confidential Information.

1.1.6. Receiving Party – the Party to which the Confidential Information is provided.

Fines in the field of personal data in 2021

On March 27, 2021, new penalties for violations in the field of personal data came into force in accordance with Federal Law No. 19-FZ of February 24, 2021.
The amounts of fines have been increased by a factor of two or more. In addition, for some articles, increased penalties for repeated violations have been introduced. The statute of limitations for imposing administrative liability for violations in the field of personal data has also increased: instead of three months, it is now one year.

Administrative liability under Article 13.11 provides for differentiation depending on the consequences of the violation. Thus, liability for a legal entity provides for the imposition of a fine in the amount of 30 thousand to 6 million rubles, and in case of repeated violation - up to 18 million rubles.

The maximum cumulative fine for an official is 336 thousand rubles, and in case of repeated violation it can exceed 1 million rubles.

Article 13.11 of the Code of Administrative Offenses of the Russian Federation

The Code of Administrative Offenses of the Russian Federation does not impose additional responsibilities on organizations processing personal data and does not change the content of existing requirements that are provided for by legislation in the field of personal data (152-FZ).

It is worth noting that the Code of Administrative Offenses gives officials of the body exercising control and supervision functions in the field of personal data, which is the Federal Service for Supervision of Communications, Information Technologies and Mass Communications (Roskomnadzor), the powers to initiate cases of administrative offenses.

We present to your attention a summary table of fines for violations of legislation in the field of personal data (as amended, effective from 03/27/2021):

| Article | Contents of the Code of Administrative Offenses article | Individual, thousand rubles | Official, thousand rubles | Individual entrepreneur (IP), thousand rubles | Legal entity, thousand rubles |
|---|---|---|---|---|---|
| 13.11 part 1 | Processing of personal data in cases not provided for by the legislation of the Russian Federation in the field of personal data, or processing of personal data incompatible with the purposes of collecting personal data, except for the cases provided for in Part 2 of this article, if these actions do not contain a criminal offense | 2-6 | 10-20 | | 60-100 |
| 13.11 part 1.1 | Repeated commission of an administrative offense provided for in Part 1 of this article | 4-12 | 20-50 | 50-100 | 100-300 |
| 13.11 part 2 | Processing of personal data without the written consent of the subject of personal data to the processing of his personal data in cases where such consent must be obtained in accordance with the legislation of the Russian Federation in the field of personal data, if these actions do not contain a criminal offense, or the processing of personal data in violation of the requirements established by the legislation of the Russian Federation in the field of personal data for the composition of information included in the written consent of the subject of personal data to the processing of his personal data | 6-10 | 20-40 | | 30-150 |
| 13.11 part 2.1 | Repeated commission of an administrative offense provided for in Part 2 of this article | 10-20 | 40-100 | 100-300 | 300-500 |
| 13.11 part 3 | Failure by the operator to fulfill the obligation provided for by the legislation of the Russian Federation in the field of personal data to publish or otherwise provide unrestricted access to a document defining the operator’s policy regarding the processing of personal data, or information about the implemented requirements for the protection of personal data | 1.5-3 | 6-12 | 10-20 | 30-60 |
| 13.11 part 4 | Failure by the operator to fulfill the obligation provided for by the legislation of the Russian Federation in the field of personal data to provide the subject of personal data with information regarding the processing of his personal data | 2-4 | 8-12 | 20-30 | 40-80 |
| 13.11 part 5 | Failure by the operator to comply, within the time limits established by the legislation of the Russian Federation in the field of personal data, with the requirements of the subject of personal data or his representative or the authorized body for the protection of the rights of subjects of personal data to clarify personal data, block them or destroy them if the personal data is incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing | 2-4 | 8-20 | 20-40 | 50-90 |
| 13.11 part 5.1 | Repeated commission of an administrative offense provided for in Part 5 of this article | 12-30 | 30-50 | 50-100 | 300-500 |
| 13.11 part 6 | Failure by the operator, when processing personal data without the use of automation tools, to comply with the conditions that ensure, in accordance with the legislation of the Russian Federation in the field of personal data, the safety of personal data when storing material media of personal data and excluding unauthorized access to them, if this entails unlawful or accidental access to personal data, their destruction, modification, blocking, copying, provision, distribution or other unlawful actions in relation to personal data, in the absence of signs of a criminal offense | 1.5-4 | 8-20 | 20-40 | 50-100 |
| 13.11 part 7 | Failure of an operator that is a state or municipal body to fulfill the obligation to depersonalize personal data provided for by the legislation of the Russian Federation in the field of personal data, or failure to comply with established requirements or methods for depersonalization of personal data | | 6-12 | | |
| 13.11 part 8 | Failure by the operator, when collecting personal data, including through the information and telecommunications network “Internet”, to fulfill the obligation provided for by the legislation of the Russian Federation in the field of personal data to ensure recording, systematization, accumulation, storage, clarification (updating, changing) or retrieval of personal data of citizens of the Russian Federation using databases located on the territory of the Russian Federation | 30-50 | 100-200 | | 1-6 million |
| 13.11 part 9 | Repeated commission of an administrative offense provided for in Part 8 of this article | 50-100 | 500-800 | | 6-18 million |

The article has been updated taking into account changes to Article 13.11 of the Code of Administrative Offenses in accordance with Federal Law No. 19-FZ of February 24, 2021.

SUBJECT OF THE AGREEMENT

2.1. The Agreement establishes the obligations of the Parties to ensure the Protection of Confidential Information and to prevent the disclosure of Confidential Information that became known to the Parties during negotiations, conclusion of contracts and (or) agreements, when the Parties fulfill their obligations thereunder.

2.2. The obligations under the Agreement also apply to Confidential Information received by the Parties prior to the conclusion of the Agreement.

2.3. If one of the Parties, in the process of negotiations on the conclusion of any contract (agreement), informs the other that the proposed contract (agreement) will not be concluded or will not come into force, then the Receiving Party is obliged not to use the Confidential Information received during the preparation of this contract (agreement), neither in its own interests nor in the interests of a third party without the prior written consent of the Transferring Party.

2.4. The Receiving Party undertakes to ensure the protection of Confidential Information and take all necessary measures to protect it, which it applies to its own Confidential Information, but not less than the requirements agreed upon in the Agreement: use Confidential Information only for the purposes specified in the Agreement; not to transfer Confidential Information to third parties without the prior written permission of the Disclosing Party, except in cases where this information:

  • became known to the Receiving Party from a source other than the Receiving Party prior to the entry into force of the Agreement;
  • legally received by the Receiving Party without limitation or violation of the Agreement from third parties who, to the reasonable knowledge of the Receiving Party, do not violate their obligation to the Distributing Party to comply with the Confidential Information Protection Regime;
  • independently developed by the Receiving Party, that is, it is the result of internal developments carried out in good faith by its employees before the entry into force of the Agreement;
  • authorized for disclosure by written permission of the Disclosing Party in accordance with the terms of the Agreement;
  • if the information becomes publicly available after the entry into force of the Agreement, except in cases where this occurred as a result of a violation of its obligations by the Receiving Party.

What is personal data?

Almost all employers deal with personal data. However, not everyone knows what personal data is. As follows from paragraph 1 of Art. 3 of the Law on PD[2], PD means any information that directly or indirectly relates to a specific or identifiable individual - the subject of personal data.

Personal data is included in the List of Confidentiality[3], according to which this is information about the facts, events and circumstances of a citizen’s private life that allow him to be identified, with the exception of data that is subject to dissemination in the media in cases established by law.

The personal data that human resources services or accounting departments most often deal with is last name, first name, patronymic, year, month, date and place of birth; address, telephone number, family, social, property status; education, profession, position, income of the subject.

The processing of personal data (hereinafter referred to as processing) includes any action with it: collection, recording, systematization, accumulation, storage, clarification (updating, changing), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion and destruction (clause 3 of article 3 of the Law on Personal Data). The person carrying out such processing is called the operator.

Some employers believe that personal data only appears if the organization is building a client base. However, this is not so. Even if an organization deals only with the personal data of its employees, it is an operator.

For your information:

Additional conditions for the processing of personal data of applicants and employees are established in Chapter 14 of the Labor Code of the Russian Federation and the Explanation of Roskomnadzor[4].

Please remember that only information that allows the identification of a specific individual is considered personal data. For example, a person’s first and last name can be personal data when they are linked to a specific subject (for example, in the form of a caption under his photograph: Sidorov Ivan Petrovich), but without such a link they are not personal data (as in a list of names and surnames without places of work, addresses or other additional information: there is no telling how many Sidorov Ivan Petroviches there are in the world). Another common situation is a call to a mobile phone in which the person is addressed by name and patronymic (“Hello, Ivan Petrovich, this is a call from such-and-such organization...”): this is the processing of personal data, namely their use, whereas a similar call with an impersonal greeting (“Hello, this is a call from such-and-such organization...”) does not fall under the category of PD processing.

TRANSMISSION AND RECEIPT OF CONFIDENTIAL INFORMATION

3.1. Information can be transmitted orally, electronically and in writing (in the form of documents). The Party undertakes to treat as Confidential information that will be provided by the other Party subject to the following conditions:

  • if Confidential Information is provided in written form (in the form of documents) or on an electronic medium, such information or its medium must contain the stamp 'Confidential' or 'Trade Secret';
  • if Confidential Information is provided visually, orally or by another non-documentary method, it must be clearly identified by the Party as confidential.

3.2. Transfer of Confidential Information in writing between the Parties is carried out by registered mail or directly by representatives of the Parties and in the latter case is accompanied by the signing of a transfer and acceptance certificate.

3.3. Transfer of Confidential Information through open channels of telephone, telegraph and fax communications, as well as using the Internet without taking appropriate protection measures that meet the requirements of the legislation of the Russian Federation, is prohibited.

3.4. When fulfilling obligations under concluded contracts and (or) agreements, the Party may be provided with access to the server containing Confidential Information. This access may be used by the Party solely for programming, subsequent testing of changes, and transmission of information necessary to fulfill obligations under the contract and (or) agreement.

PROTECTION OF CONFIDENTIAL INFORMATION

4.1. Each Party undertakes to use the Confidential Information received from the other Party only for the purpose of concluding contracts (agreements) between the Parties and fulfilling the obligations of the Parties under concluded contracts and (or) agreements.

4.2. Any Confidential Information received by the Parties, including subsequent copying, reproduction and duplication, remains the property of the Disclosing Party and, in the event of a written request for the Information Media by the Disclosing Party, they must be returned in accordance with the Agreement.

4.3. The Receiving Party undertakes not to sell, exchange, publish, or otherwise disclose Confidential Information without the express written consent of the Disclosing Party, which will be valid only if it is signed by a duly authorized representative of the Disclosing Party.

4.4. Confidential information received by the Parties may be transferred to authorized government bodies of the Russian Federation only on the grounds and in the manner established by the legislation of the Russian Federation. In this case, the Receiving Party must notify the Disclosing Party via email about the provision of Confidential Information to the authorized government bodies of the Russian Federation.

4.5. The Agreement should not be construed as granting licenses or authority to the Receiving Party to use Confidential Information, except for cases of use of Confidential Information in the manner and under the conditions provided for in the Agreement.

4.6. If Confidential Information is lost or disclosed, the Receiving Party immediately informs the Disclosing Party about the loss or disclosure of Confidential Information, then both Parties take all necessary measures to prevent any further disclosure, loss or other negative consequences caused by the loss or disclosure of Confidential Information.

4.7. The Parties guarantee that only employees of the Parties have access to Confidential Information within the scope of performing their official duties, who have accepted obligations to protect and not disclose Confidential Information, provided that these obligations are properly formalized (in an employment contract or in another separate document). The Parties are responsible for the actions of any of their employees who have access to Confidential Information.

4.8. The Transferring Party has the right to demand that the Receiving Party return the Storage Media at any time by sending a written notice to the Receiving Party. Within 15 business days after receiving such notification, the Receiving Party must return all originals of the Information Media and destroy, according to the act, all copies of the Information Media it has to the extent that it is impossible to restore the Confidential Information, or delete this information from such Information Media to the extent that it is impossible to restore it.

Company's secret. What does a trade secret hide?

A trade secret can be understood in many ways, since the right to classify information as a trade secret and to determine the list and composition of such information belongs to its owner, taking into account the provisions of the federal law “On Trade Secrets.” Simply put, the head of the enterprise himself determines what is a trade secret in his production and what is not. But most often this is understood as information: scientific, technical, technological, production, financial and economic and - the most common in disclosure - personal data of clients. But in order for information to receive the status of a trade secret, its owner must comply with certain procedures, namely:

  • make a list;
  • limit access to information;
  • apply the stamp “Trade Secret”;
  • introduce a record of persons who have access to information;
  • regulate relations regarding the use of information.

To ensure the safety of trade secrets, it is necessary to stipulate certain obligations in the employment contract of company employees:

  • not transfer to third parties or publicly disclose information constituting a trade secret without the consent of the organization’s administration;
  • maintain information that constitutes a trade secret of those organizations with which there are business relations;
  • not to use information that constitutes a trade secret of the organization to engage in other activities that, as a competitive action, may cause harm to the organization;
  • in the event of an attempt by unauthorized persons to obtain from an employee information that constitutes a trade secret of the organization, immediately notify the relevant official;
  • immediately report the loss or shortage of media containing information constituting a trade secret, and other facts that may lead to the disclosure of the organization, as well as the reasons and conditions for a possible leak of information constituting a trade secret;
  • in case of dismissal, all media containing information constituting a trade secret of the organization that were at the disposal of the employee must be transferred to the appropriate official.

The portal kdelo.ru, having surveyed 410 respondents, asked them the question: “What are you doing to ensure that secret information does not become the property of competitors?” Let's look at the statistics:

  • 73% responded that they oblige employees not to disclose trade secrets;
  • 11% said that they have no competitors;
  • 9% conduct collective preventive conversations;
  • 7% fire employees who are guilty of leaking information so that “others will be discouraged.”

But punishment for disclosing trade secrets can be disciplinary, administrative, civil and even criminal. If a situation involving the disclosure of classified information does occur, the first thing to do is to assess the size of the expected damage and then act according to the situation. The speed of detection of a leak, the degree of importance of the information and the guilt of the employee are of great importance.

Violations of trade secrets can be divided into two types - conscious and unconscious. The unconscious ones are more harmless. This is due to an inactive civic position, little understanding of the employee’s responsibility for storing confidential information and the possible lack of documents regulating actions. Knowing disclosure is associated with a belief in impunity. After all, the general public knows a fairly small number of precedents of punishment for such actions. This happens because not every company wants to declare and discuss in the media that its employee violated a trade secret, thereby causing serious damage to the company.

Disclosures of clients' personal data are common, but in these cases it is quite difficult to find the culprit. Since large corporations that have such secret information have a huge number of employees, it is difficult to find someone who is leaking the data.

American law firm KamberLaw filed a lawsuit against Apple on behalf of Los Angeles suburban resident Jonathan Lalo, Bloomberg reports. The plaintiff accuses Apple of sharing detailed user information with advertising agencies without permission. Lalo said Apple iPhones and iPads provide agencies with information about what apps a user downloads to their mobile device, how often they run them and for how long they use them. “Some apps also transmit information such as the user’s location, age, gender, race, political views and sexual orientation,” the statement said. In particular, the applications targeted were Pandora, Paper Toss, Weather Channel and Dictionary.com, the authors of which the plaintiff also plans to bring to justice, at the same time giving the lawsuit class status. The complainant alleges that Apple violates privacy laws and the federal computer fraud and trade secret laws.

Most often, if the company is small and the damage caused by the employee who violated the trade secret law is small, the punishment can range from a correctional conversation to dismissal. Some companies prefer to impose penalties on chatterboxes.

RESPONSIBILITY OF THE PARTIES

5.1. For failure to fulfill or improper fulfillment of obligations under the Agreement, the Parties are liable in accordance with the legislation of the Russian Federation.

5.2. The Receiving Party, which allowed the loss or disclosure of Confidential Information, is responsible for documented losses (including fines from government agencies) incurred by the Disclosing Party in connection with the loss or disclosure of Confidential Information, in accordance with the legislation of the Russian Federation, except for the cases provided for in paragraphs 4.4 and 5.3 of the Agreement.

5.3. In the event of loss or disclosure of Confidential Information, the party that caused its loss or disclosure shall not be liable if this Confidential Information:

5.3.1. became known to the Receiving Party from other sources before the entry into force of the Agreement;

5.3.2. was or became public domain prior to its loss or disclosure from a source other than the Receiving Party;

5.3.3. was received from a third party prior to its receipt from the Distributing Party;

5.3.4. was independently developed by the Receiving Party before the entry into force of the Agreement, that is, it is the result of internal developments carried out in good faith by its employees who did not have access to Confidential Information;

5.3.5. was disclosed with the consent of the Disclosing Party in accordance with the terms of the Agreement.

SETTLEMENT OF DISPUTES

6.1. All disagreements and disputes arising during the execution of the Agreement or in connection with it, the Parties undertake to resolve through negotiations.

6.2. If it is impossible to reach an agreement between the Parties, all disputes, disagreements or claims arising from or in connection with the Agreement, including those relating to its execution, violation, termination or invalidity, shall be resolved in an arbitration court at the location of the plaintiff, in accordance with the legislation of the Russian Federation.

6.3. The Agreement is governed by and construed in accordance with the laws of the Russian Federation.

Examples of PD processing violations

Using examples of court decisions, we will consider cases of PD processing containing violations provided for in the new edition of Art. 13.11 Code of Administrative Offenses of the Russian Federation.

Appeal ruling of the Nizhny Novgorod Regional Court dated October 11, 2016 in case No. 33-12355/2016: a lawyer, as part of the provision of legal services, called the bank from his phone number to obtain information on the debt of a client with whom an agreement was concluded. Subsequently, bank representatives began regularly calling the lawyer regarding debt repayment, without responding to demands to destroy his personal data. The court of first instance, to which the lawyer applied with a demand for the destruction of personal data and the recovery of compensation for moral damage, considered the actions of the bank representatives unlawful. The Court of Appeal upheld this finding.

Let us remind you that the use of PD, including for the purpose of making targeted calls to a subscriber, is one of the types of PD processing. This processing was carried out without the consent of the subject: this is a case not provided for by the PD Law (sanctions under clause 1 of Article 13.11 of the Code of Administrative Offenses of the Russian Federation - a fine for an official of up to 10 thousand rubles, for a bank up to 50 thousand rubles).

The bank considered: since the lawyer’s personal data (including his phone number) is publicly available, that is, on the Internet, consent to their processing is not required. The court indicated that the lawyer’s telephone number was posted on the Internet for the purpose of providing legal services, while the bank used his personal data for another purpose, namely to communicate information to the borrower through the lawyer in connection with the loan debt - sanctions for clause 1 art. 13.11 Code of Administrative Offenses of the Russian Federation.

We see another violation: by virtue of Part 1 of Art. 14 of the Law on Personal Data, the subject has the right to demand from the operator the destruction of his personal data if the personal data was obtained illegally, as well as to take measures provided for by law to protect his rights. The bank did not respond to the lawyer’s request and continued to use the subject’s personal data, which can be regarded as a violation of clause 5 of Art. 13.11 Code of Administrative Offenses of the Russian Federation (fine for an official up to 10 thousand rubles, for an organization - up to 45 thousand rubles).

Resolution of the Volgograd Regional Court dated April 15, 2011 in case No. 7a-391/11: during an inspection of the college by the prosecutor’s office, it was revealed that the organization does not have documents establishing the places of storage of personal data or a list of measures to ensure their safety and exclude unauthorized access to them, and that the circle of persons responsible for the implementation of the above measures has not been determined. The official was fined 500 rubles under Art. 13.11 of the Code of Administrative Offenses of the Russian Federation. According to the new standards, this is a violation of paragraph 6 of Art. 13.11 of the Code of Administrative Offenses of the Russian Federation, which provides for a fine for officials of up to 10 thousand rubles, for organizations - up to 50 thousand rubles.
