What applies to personal data. To whom can they be transferred, how to store and destroy


What is personal data and what does it include?

Personal data is any information that directly or indirectly relates to an individual and allows him to be identified. This is from Article 3 of the Federal Law “On Personal Data”, dated July 27, 2006 No. 152-FZ (hereinafter referred to as the Law).

Personal data, according to this law, includes:

  • Full Name;
  • place, date of birth;
  • place of permanent or temporary registration;
  • a photograph or video recording of a person that allows the person to be identified;
  • information about children, relatives, marital status;
  • salary information;
  • assessment of skills and personal qualities;
  • individual personal data (race, nationality, political or religious views, philosophical beliefs; health status);
  • information about criminal records, or lack thereof;
  • phone number, email address, other identifiers in social networks or instant messengers;
  • passport data, SNILS, TIN (although the TIN is a controversial issue);
  • biometric data.

But it is worth considering that some of this data by itself, without connection to other data, cannot be personal data. A phone number on its own is not personal data, but in the operator’s database, where it appears alongside the owner’s full name, it is. The email address in the format also refers to personal data, like the full name, with reference to the Taxpayer Identification Number, telephone number or place of registration.

There is also a classification of personal data. They are divided into:

  • public;
  • special;
  • biometric;
  • others.

This classification is given in Government Decree No. 1119 of November 1, 2012.

A little more detail on each category.

Publicly available - data for which the subject of personal data has given consent, and not data that can simply be found in the public domain on the Internet.

Special - information about race, nationality and religion; political and philosophical views, health, details of personal life, criminal records.

Biometric - information about the physiological and biological characteristics of a person. These are fingerprints, genetic information, iris patterns, voice samples, photographs.

But here, too, a certain connection to the individual is important. For example, a fingerprint used to identify an employee to enter an office. Or an iris scan.

Other data. This is like the "miscellaneous" folder on most computers: email or geolocation, information about belonging to a particular social group, work experience, etc.

It is also worth mentioning who is the subject of personal data and who is the operator. The subject is the natural person whose data is processed, for example collected and stored. The operator of personal data is a legal entity, government organization or department. Operators collect, process, store, transmit and destroy data.

Note! The destruction of personal data must be carried out in such a way that neither attackers nor unscrupulous employees of the organization can subsequently use it, and inspectors have no doubt about the legality of the procedure.

Results

So, the processing and distribution of personal data without the consent of its owner is a violation of the law, which entails holding the violator accountable.
However, situations are possible when the legislator exempts a person authorized to work with personal data from the obligation to obtain consent to their processing. For example, if a person simply cannot provide it due to health reasons.

Processing of personal data

Any contract with an individual containing his personal data (and it will contain it if it is not a public offer) must necessarily contain a section on personal data. Without the written consent of the person, the processing of personal data by the operator, as well as their transfer to third parties, is prohibited.

In general, the processing of personal data is any action performed on it. This includes:

  • collection;
  • transfer;
  • recording;
  • storage;
  • extraction;
  • change;
  • depersonalization;
  • analysis;
  • deletion.

In turn, processing can be carried out in three ways:

  • Automated - using computer technology. These are computers, phones and other electronic devices, databases, cryptographic security tools, programs, scripts.
  • Mixed - human processing with the participation of computer technology. For example, when the accounting department enters data from a paper vacation application into the program.
  • Manual - without automation.

After personal data is processed, it is sent to the archive for storage. This can be a separate specialized room (if we are talking about paper documents) or electronic storage (for example, cloud). In any case, you subsequently need to be able to quickly find the data and destroy it (at the request of the subject) or transfer it (by force of law).

To prevent the search from becoming a quest, we recommend that you properly organize your archive, both regular and electronic.

What happens if you violate the laws on personal data

Compliance with legislation in this area is monitored by Roskomnadzor, an organization well known to many. The applicable article is 13.11 of the Administrative Code.

  • processing of personal data incompatible with the purpose of collection - a fine of up to 3 thousand for citizens, up to 10 thousand for officials, up to 50 thousand for organizations.
  • processing of personal data without the written consent of the subject - a fine for citizens of up to 5 thousand, up to 20 thousand for officials, up to 75 thousand for organizations.
  • failure to publish a document on the operator’s policy regarding the processing of personal data - a fine for citizens of up to 1.5 thousand rubles, for officials up to 6 thousand, for individual entrepreneurs up to 10 thousand, and for legal entities - up to 30 thousand.

If you collect personal data about citizens of the Russian Federation on servers located outside the Russian Federation, you will be fined up to 6 million.

Refusal to provide personal data

By and large, consent to the provision of personal data is required only in relation to special and biometric information. To put it simply, publicly available information, i.e. information from your passport, INN, SNILS can be used completely freely, of course, within the law and without violating ethical and moral standards.

But if anyone needs information regarding a person’s religion or nationality, his health or criminal record, relationships with employers (current and former), or other very personal information, it can only be obtained with the consent of the citizen, in writing.

In accordance with the legislation of the Russian Federation, any person has the full right to refuse to provide this kind of information if he believes that it may lead to an infringement of his rights and interests, or even without giving any reasons. There is no penalty for such refusal.

And even if a representative of an institution demands the provision of such information, threatening to refuse to provide necessary services (educational, medical, etc.), his actions can easily be appealed both at the management level and in the prosecutor’s office or court.

The only thing you need to remember is that when applying to various municipal and budgetary structures, as well as when applying for employment, there is a list of documents established by law, and therefore personal information, without which the conclusion of contracts (civil, labor, etc.) will be simply impossible.

If there are doubts that an employee of a particular organization requires documents beyond the list established by law, you should seek clarification from lawyers or familiarize yourself with the relevant articles of Russian legislation.

From the moment personal data falls into second hands, all responsibility for its disclosure rests with the person who received it.

At the same time, the law regarding persons who disclose someone’s personal information is quite harsh - it provides for punishment, ranging from a large administrative fine to the initiation of criminal cases.

What to do to avoid getting fined

To collect, store and process personal data, you must comply with the requirements of Law No. 152-FZ. Brief checklist:

  • Register with Roskomnadzor as a personal data operator.
  • Request permission to collect and process data from subjects and not collect unnecessary data from them.
  • Respond to requests from subjects and provide them with all information.
  • Collect and store information only to achieve certain purposes and for a certain period.
  • Store and protect personal data according to the law, ensure the safety, confidentiality and accuracy of data, without transferring it to third parties. And if you transfer, then only with documentary evidence and only certified.
  • Clarify, block or destroy PD at the request of the subjects or when the purposes of their collection have been achieved.

New regulations on personal data

On March 1, 2021, the Federal Law of December 30, 2020 No. 519-FZ “On Amendments to the Federal Law “On Personal Data”” came into force, with the exception of paragraph 10, paragraph 5 of Article 1, which is in force from July 1, 2021.

Federal Law No. 19-FZ dated February 24, 2021 introduced changes to the Code of Administrative Offenses of the Russian Federation, including in terms of administrative responsibility for personal data violations (Article 13.11). The new fines are effective from March 27, 2021.

Federal Law No. 248-FZ dated July 31, 2020 defines a new procedure for conducting and passing inspections, including those of Roskomnadzor. The procedure for organizing and implementing state control over the processing of personal data is detailed by Decree of the Government of the Russian Federation dated June 29, 2021 No. 1046. Both regulations came into force on July 1, 2021.

Roskomnadzor Order No. 18 dated February 24, 2021, which came into effect on September 1, 2021, approved the requirements for the content of consent to the processing of PD authorized by the PD subject for distribution.

The rules for using the Roskomnadzor information system, including the procedure for interaction of the PD subject with the operator, are established by Roskomnadzor Order No. 106 dated June 21, 2021, which comes into force on March 1, 2022.

Does everyone need to register with Roskomnadzor?

It may seem that all employers should long ago have run to Roskomnadzor and registered as a personal data operator. However, this is not the case. Here are the exceptions:

  • the collection of personal data of a citizen by the operator is carried out in connection with the establishment of labor relations;
  • personal data is collected for the purpose of concluding an agreement, without subsequent transfer and distribution to third parties, it is also provided for the use of personal data only for the execution of an agreement with a citizen;
  • processing of personal data that is in the public domain;
  • collecting the last name, first name and patronymic of citizens without indicating a telephone number or e-mail;
  • personal data is collected for the purpose of allowing a citizen to enter the territory of the operator collecting the data once, or in similar cases;
  • collection, processing and storage of personal data is carried out on paper without the use of automation tools. By the way, you can store your paper archive, including personnel documents and personal data, outside the office. This way you can avoid their loss and unauthorized access to information.

In all other cases, registration is required!

Other cases of data transfer

In addition to the transfer of information arrays for processing, the legislation provides for some other cases in which the transfer of information to third parties will become permissible. Thus, Article 6 of the law indicates situations in which:

  • Providing access to information by the operator to third parties for processing becomes possible if there is consent to this (an example would be filling out a form for a discount card);
  • the transfer of data occurs for the purpose of concluding commercial contracts, to which the subject of personal data becomes a party or beneficiary (an example could be the transfer by a bank of the borrower’s information to an insurance company for issuing a life and health insurance policy for the borrower). Based on the same norm, data can be transferred to fulfill obligations under such contracts or under agreements in which the subject has become a guarantor.

The number of legal transfers of data is strictly limited. There is often a need to transfer information when concluding contracts on electronic trading platforms. If the subject has an enhanced electronic signature required to participate in the auction, consent is issued by simple confirmation - by clicking a button on the website.

Any situation beyond the scope of those listed allows a citizen to send an appeal to Roskomnadzor in order to conduct an inspection and take appropriate response measures.

Consent to the processing of PD authorized by the PD subject for distribution. Roskomnadzor service

Any data about a person can be distributed only with his direct consent. Exceptions are possible for cases where there is state, public and public interest.

Requirements for the content of consent to the processing of PD authorized by the PD subject for distribution are determined by Roskomnadzor in Order No. 18 dated February 24, 2021.

Note!

Consent to the processing of PD permitted for distribution cannot be included in a single consent to PD processing or in the text of the agreement. It is issued separately.

Any form is acceptable that allows you to confirm the fact of its receipt.

A service for PD operators has been launched on the official website of Roskomnadzor, allowing them to create a consent form template. Using the service in a constructor format, the PD operator fills in the required fields. The template generated by the operator will be reviewed by Roskomnadzor specialists, and if necessary, the operator will be given recommendations on how to refine it. The operator will be able to use the template approved by Roskomnadzor as a consent form in his further work (Roskomnadzor information 1046 dated 07/01/2021)

Consent can be provided to the PD operator in two ways:

  • directly,
  • through the Roskomnadzor information system.

The Rules for using the Roskomnadzor information system were approved by Roskomnadzor Order No. 106 dated June 21, 2021, but will come into force on March 1, 2022.

One issue remains insufficiently addressed: the operator’s obligation to publish information about the conditions for processing PD permitted for distribution, and about the existence of prohibitions and conditions for processing (clause 10, article 10.1), no later than three working days from the date of receipt of consent. As part of an online seminar held by Roskomnadzor in August 2021, it was mentioned that such information must be posted on official Internet resources owned by the operator, or in another way that provides unlimited access to the specified information, for example, an information stand.

A new approach to legal checks

Federal Law No. 248-FZ laid the foundations for a new approach to control and supervision in the Russian Federation: the subject of regulation, principles, subject and objects of control, organization of control, participants in these processes, procedure for conducting control, etc. Decree of the Government of the Russian Federation dated June 29, 2021 No. 1046 specified the procedure for organizing and implementing state control by Roskomnadzor over the processing of personal data.

Federal Law No. 248-FZ is aimed at stimulating the integrity of controlled persons and preventing the risk of them causing harm (damage) to legally protected values. Thus, prevention of violations and softer control and supervisory measures are now a priority.

A wide list of preventive measures has been established (Part 1 of Article 45), participation in which is a right and not an obligation of controlled persons. At the same time, interaction is possible only with the consent or on the initiative of the person being inspected.

A list of new control and supervisory measures is provided, in addition to on-site and documentary inspections (Parts 2 and 3 of Article 56).

Important

The period for conducting documentary and on-site inspections has been reduced from 20 to 10 working days.

When exercising control (supervision), a risk-oriented approach is used; systems for assessing and managing the risks of harm (damage) to legally protected values have been introduced.

It has become possible to cancel decisions made as a result of any control and supervisory activity carried out with gross violations. Previously, only the results of checks were allowed to be cancelled.

Federal Law 248-FZ allowed for the possibility of independent assessment of compliance with legal requirements by accredited organizations.
