Law on personal data, concept, storage and processing of personal data of employees and citizens. What personal data is publicly available? Public personal data is


- an individual, which are provided by him about himself.

There is free access to publicly available data with the written permission of the subject. This may also include information about the subject that is not provided for by law.

A subject is an individual whose information is collected, stored, processed and used for any purpose by an operator (legal or natural person, municipal or state body).

What types of information are they?

The list of publicly available personal information includes:

Peculiarities

Publicly available personal information is presented in such sources as a passport or other identification card, driver’s license, military ID, work record book, or education diploma.

Written permission is not always required to use them; sometimes a signature or a “tick” in the required box is sufficient (for example, when filling out applications via the Internet).

General information can be placed in publicly accessible sources. They store information about subjects, including various directories with telephone numbers or addresses.

FSTEC (the Federal Service for Technical and Export Control) issues licenses to organizations that provide services to others for creating personal data protection systems. If a data protection system is created for an organization's own needs, a license is not required for it.

An individual has the right to obtain information about the operator, as well as find out the specific purpose pursued by the operator during processing.

The subject has the full right to submit an application, the approval of which allows him to have personal information clarified, blocked or destroyed if it is outdated, invalid, incomplete or not necessary for processing.

Among other things, an individual has the right to request from the operator access to his personal information, as well as to familiarize himself with the means of processing information. Operators are specialists involved in processing information about a person.

Bodies for processing personal data are all organizations that collect, process, accumulate and store information about employees, clients, and suppliers.


When are they included in open sources?

Inclusion of information in publicly available sources occurs in various situations, for example:

  • during employment and concluding an employment contract;
  • during the census process;
  • establishing trade relations, etc.

The subject's personal data is classified according to the amount of personal information about the person and the degree of importance. Any transactions with them are carried out strictly within the framework of legislative acts and are subject to protection.

Operators are required to organize the safety of the work process. They must ensure that subjects' personal information is completely protected from access by unauthorized persons.

During the collection process, the operator is required to obtain written permission for further processing. The processing includes information about the subject and the operator (full name, address), the purpose of processing and a list of necessary information, as well as a description of the operations that will be performed with them.

Adopted by the State Duma on July 8, 2006
Approved by the Federation Council on July 14, 2006

Chapter 1. General provisions

Article 1. Scope of this Federal Law

1. This Federal Law regulates relations related to the processing of personal data carried out by federal government bodies, government bodies of constituent entities of the Russian Federation, other government bodies (hereinafter referred to as state bodies), local government bodies, municipal bodies not included in the system of local government bodies (hereinafter referred to as municipal bodies), legal entities and individuals, using automation tools or without the use of such means, if the processing of personal data without the use of such means corresponds to the nature of the actions (operations) performed with personal data using automation tools.

2. This Federal Law does not apply to relations arising when:

1) processing of personal data by individuals solely for personal and family needs, unless the rights of the subjects of personal data are violated;

2) organizing the storage, acquisition, recording and use of documents of the Archival Fund of the Russian Federation and other archival documents containing personal data in accordance with the legislation on archival affairs in the Russian Federation;

3) processing of information about individuals subject to inclusion in the unified state register of individual entrepreneurs, if such processing is carried out in accordance with the legislation of the Russian Federation in connection with the activities of an individual as an individual entrepreneur;

4) processing of personal data classified, in the prescribed manner, as information constituting a state secret.

Article 2. Purpose of this Federal Law

The purpose of this Federal Law is to ensure the protection of the rights and freedoms of man and citizen when processing his personal data, including the protection of the rights to privacy, personal and family secrets.

Article 3. Basic concepts used in this Federal Law

For the purposes of this Federal Law, the following basic concepts are used:

1) personal data - any information relating to an individual identified or determined on the basis of such information (subject of personal data), including his last name, first name, patronymic, year, month, date and place of birth, address, family, social, property status, education, profession, income, other information;

2) operator - a state body, municipal body, legal entity or individual that organizes and (or) carries out the processing of personal data, as well as determining the purposes and content of the processing of personal data;

3) processing of personal data - actions (operations) with personal data, including collection, systematization, accumulation, storage, clarification (updating, changing), use, distribution (including transfer), depersonalization, blocking, destruction of personal data;

4) dissemination of personal data - actions aimed at transferring personal data to a certain circle of persons (transfer of personal data) or at familiarizing an unlimited number of persons with personal data, including the publication of personal data in the media, posting in information and telecommunication networks or providing access to personal data in any other way;

5) use of personal data - actions (operations) with personal data performed by the operator for the purpose of making decisions or performing other actions that give rise to legal consequences in relation to the subject of personal data or other persons or otherwise affecting the rights and freedoms of the subject of personal data or other persons;

6) blocking of personal data - temporary cessation of the collection, systematization, accumulation, use, dissemination of personal data, including their transfer;

7) destruction of personal data - actions as a result of which it is impossible to restore the content of personal data in the personal data information system or as a result of which material media of personal data are destroyed;

8) depersonalization of personal data - actions as a result of which it is impossible to determine the ownership of personal data by a specific subject of personal data;

9) information system of personal data - an information system that is a set of personal data contained in the database, as well as information technologies and technical means that allow the processing of such personal data using automation tools or without the use of such tools;

10) confidentiality of personal data - a mandatory requirement for the operator or other person who has access to personal data to not allow their distribution without the consent of the subject of personal data or the presence of another legal basis;

11) cross-border transfer of personal data - transfer of personal data by the operator across the State Border of the Russian Federation to an authority of a foreign state, an individual or legal entity of a foreign state;

12) publicly available personal data - personal data, access to which is granted to an unlimited number of persons with the consent of the subject of personal data or which, in accordance with federal laws, is not subject to confidentiality requirements.

Article 4. Legislation of the Russian Federation in the field of personal data

1. The legislation of the Russian Federation in the field of personal data is based on the Constitution of the Russian Federation and international treaties of the Russian Federation and consists of this Federal Law and other federal laws defining cases and features of the processing of personal data.

2. On the basis of and in pursuance of federal laws, state bodies, within the limits of their powers, may adopt regulations on certain issues relating to the processing of personal data. Regulatory legal acts on certain issues relating to the processing of personal data cannot contain provisions limiting the rights of personal data subjects.

The specified regulatory legal acts are subject to official publication, with the exception of regulatory legal acts or individual provisions of such regulatory legal acts containing information, access to which is limited by federal laws.

3. Features of the processing of personal data carried out without the use of automation tools may be established by federal laws and other regulatory legal acts of the Russian Federation, taking into account the provisions of this Federal Law.

4. If an international treaty of the Russian Federation establishes rules other than those provided for by this Federal Law, the rules of the international treaty apply.

Chapter 2. Principles and conditions for processing personal data

Article 5. Principles for processing personal data

1. Processing of personal data must be carried out on the basis of the principles:

1) the legality of the purposes and methods of processing personal data and integrity;

2) compliance of the purposes of processing personal data with the goals predetermined and stated when collecting personal data, as well as with the powers of the operator;

3) correspondence of the volume and nature of the personal data processed and the methods of processing personal data to the purposes of processing personal data;

4) the reliability of personal data, their sufficiency for the purposes of processing, the inadmissibility of processing personal data that is excessive in relation to the purposes stated when collecting personal data;

5) the inadmissibility of combining databases of personal data information systems created for incompatible purposes.

2. Personal data must be stored in a form that makes it possible to identify the subject of personal data for no longer than required by the purposes of their processing, and they are subject to destruction upon achievement of the purposes of processing or in the event of the loss of the need to achieve them.

Article 6. Conditions for processing personal data

1. Processing of personal data may be carried out by the operator with the consent of the subjects of personal data, except for the cases provided for in part 2 of this article.

2. The consent of the subject of personal data provided for in Part 1 of this article is not required in the following cases:

1) the processing of personal data is carried out on the basis of a federal law establishing its purpose, the conditions for obtaining personal data and the range of subjects whose personal data are subject to processing, as well as defining the powers of the operator;

2) the processing of personal data is carried out for the purpose of fulfilling a contract, one of the parties to which is the subject of personal data;

3) the processing of personal data is carried out for statistical or other scientific purposes, subject to the mandatory anonymization of personal data;

4) the processing of personal data is necessary to protect the life, health or other vital interests of the subject of personal data, if obtaining the consent of the subject of personal data is impossible;

5) processing of personal data is necessary for the delivery of postal items by postal organizations, for telecommunication operators to carry out settlements with users of communication services for rendered communication services, as well as for consideration of claims from users of communication services;

6) the processing of personal data is carried out for the purposes of the professional activities of a journalist or for the purposes of scientific, literary or other creative activities, provided that the rights and freedoms of the subject of personal data are not violated;

7) personal data subject to publication in accordance with federal laws is processed, including personal data of persons holding government positions, positions in the state civil service, personal data of candidates for elected state or municipal positions.

3. Features of the processing of special categories of personal data, as well as biometric personal data, are established respectively in Articles 10 and 11 of this Federal Law.

4. If the operator, on the basis of a contract, entrusts the processing of personal data to another person, an essential condition of the contract is the obligation for the specified person to ensure the confidentiality of personal data and the security of personal data during their processing.

Article 7. Confidentiality of personal data

1. Operators and third parties gaining access to personal data must ensure the confidentiality of such data, except for the cases provided for in part 2 of this article.

2. Ensuring the confidentiality of personal data is not required:

1) in case of depersonalization of personal data;

2) in relation to publicly available personal data.

Article 8. Public sources of personal data

1. For the purpose of information support, publicly available sources of personal data may be created (including directories, address books). With the written consent of the subject of personal data, publicly available sources of personal data may include his last name, first name, patronymic, year and place of birth, address, subscriber number, information about profession and other personal data provided by the subject of personal data.

2. Information about the subject of personal data may be excluded at any time from publicly available sources of personal data at the request of the subject of personal data or by decision of a court or other authorized government bodies.

Article 9. Consent of the personal data subject to the processing of his personal data

1. The subject of personal data decides to provide his personal data and consents to their processing of his own will and in his own interest, except for the cases provided for in part 2 of this article. Consent to the processing of personal data may be withdrawn by the subject of personal data.

2. This Federal Law and other federal laws provide for cases of mandatory provision by the subject of personal data of his personal data in order to protect the foundations of the constitutional system, morality, health, rights and legitimate interests of other persons, to ensure the defense of the country and the security of the state.

3. The obligation to provide evidence of obtaining the consent of the subject of personal data to the processing of his personal data, and in the case of processing publicly available personal data, the obligation to prove that the processed personal data is publicly available rests with the operator.

4. In the cases provided for by this Federal Law, the processing of personal data is carried out only with the written consent of the subject of the personal data. The written consent of the personal data subject to the processing of his personal data must include:

1) last name, first name, patronymic, address of the subject of personal data, number of the main document proving his identity, information about the date of issue of the specified document and the issuing authority;

2) name (last name, first name, patronymic) and address of the operator receiving the consent of the subject of personal data;

3) the purpose of processing personal data;

4) a list of personal data for the processing of which the consent of the subject of personal data is given;

5) a list of actions with personal data for which consent is given, a general description of the methods used by the operator for processing personal data;

6) the period during which the consent is valid, as well as the procedure for its withdrawal.

5. To process personal data contained in the subject’s written consent to the processing of his personal data, additional consent is not required.

6. In case of incapacity of the subject of personal data, consent to the processing of his personal data is given in writing by the legal representative of the subject of personal data.

7. In the event of the death of the subject of personal data, consent to the processing of his personal data is given in writing by the heirs of the subject of personal data, if such consent was not given by the subject of personal data during his lifetime.

Article 10. Special categories of personal data

1. Processing of special categories of personal data relating to race, nationality, political views, religious or philosophical beliefs, health status, intimate life is not permitted, except for the cases provided for in part 2 of this article.

2. Processing of the special categories of personal data specified in Part 1 of this article is permitted in cases where:

1) the subject of personal data has given consent in writing to the processing of his personal data;

2) personal data is publicly available;

3) personal data relates to the health status of the subject of personal data and their processing is necessary to protect his life, health or other vital interests or the life, health or other vital interests of other persons, and obtaining the consent of the subject of personal data is impossible;

4) the processing of personal data is carried out for medical and preventive purposes, in order to establish a medical diagnosis, provide medical and medical and social services, provided that the processing of personal data is carried out by a person professionally engaged in medical activities and obliged in accordance with the legislation of the Russian Federation to maintain medical confidentiality;

5) the processing of personal data of members (participants) of a public association or religious organization is carried out by the relevant public association or religious organization operating in accordance with the legislation of the Russian Federation, to achieve the legal purposes provided for by their constituent documents, provided that personal data will not be disseminated without written consent of the subjects of personal data;

6) processing of personal data is necessary in connection with the administration of justice;

7) the processing of personal data is carried out in accordance with the legislation of the Russian Federation on security, on operational investigative activities, as well as in accordance with the criminal executive legislation of the Russian Federation.

3. Processing of personal data on a criminal record may be carried out by state bodies or municipal bodies within the powers granted to them in accordance with the legislation of the Russian Federation, as well as by other persons in cases and in the manner determined in accordance with federal laws.

4. The processing of special categories of personal data carried out in the cases provided for in parts 2 and 3 of this article must be immediately stopped if the reasons for which the processing was carried out are eliminated.

Article 11. Biometric personal data

1. Information that characterizes the physiological characteristics of a person and on the basis of which his identity can be established (biometric personal data) can be processed only with the consent in writing of the subject of personal data, except for the cases provided for in part 2 of this article.

2. Processing of biometric personal data can be carried out without the consent of the subject of personal data in connection with the administration of justice, as well as in cases provided for by the legislation of the Russian Federation on security, the legislation of the Russian Federation on operational investigative activities, the legislation of the Russian Federation on public service, criminal enforcement legislation of the Russian Federation, legislation of the Russian Federation on the procedure for leaving the Russian Federation and entering the Russian Federation.

Article 12. Cross-border transfer of personal data

1. Before the start of cross-border transfer of personal data, the operator is obliged to ensure that the foreign state to whose territory the transfer of personal data is carried out ensures adequate protection of the rights of the subjects of personal data.

2. Cross-border transfer of personal data to the territory of foreign states that provide adequate protection of the rights of personal data subjects is carried out in accordance with this Federal Law and may be prohibited or limited in order to protect the foundations of the constitutional system of the Russian Federation, morality, health, rights and legitimate interests of citizens, and to ensure the country's defense and state security.

3. Cross-border transfer of personal data to the territory of foreign states that do not provide adequate protection of the rights of personal data subjects may be carried out in the following cases:

1) the presence of written consent of the subject of personal data;

2) provided for by international treaties of the Russian Federation on the issue of visas, as well as international treaties of the Russian Federation on the provision of legal assistance in civil, family and criminal cases;

3) provided for by federal laws, if necessary in order to protect the foundations of the constitutional system of the Russian Federation, ensure the defense of the country and the security of the state;

4) execution of a contract to which the subject of personal data is a party;

5) protection of life, health, and other vital interests of the subject of personal data or other persons if it is impossible to obtain consent in writing from the subject of personal data.

Article 13. Features of the processing of personal data in state or municipal personal data information systems

1. State bodies and municipal bodies create, within the limits of their powers established in accordance with federal laws, state or municipal information systems of personal data.

2. Federal laws may establish features of recording personal data in state and municipal information systems of personal data, including the use of various ways of designating the ownership of personal data contained in the relevant state or municipal personal data information system to a specific subject of personal data.

3. The rights and freedoms of a person and a citizen cannot be limited for reasons related to the use of various methods of processing personal data or designating the ownership of personal data contained in state or municipal personal data information systems to a specific subject of personal data. It is not permitted to use methods that offend the feelings of citizens or degrade human dignity to indicate the ownership of personal data contained in state or municipal personal data information systems to a specific subject of personal data.

4. In order to ensure the implementation of the rights of personal data subjects in connection with the processing of their personal data in state or municipal personal data information systems, a state population register may be created, the legal status of which and the procedure for working with which are established by federal law.

Chapter 3. Rights of the subject of personal data

Article 14. The right of the personal data subject to access his personal data

1. The subject of personal data has the right to receive information about the operator, his location, whether the operator has personal data relating to the relevant subject of personal data, as well as to familiarize himself with such personal data, except for the cases provided for in part 5 of this article. The subject of personal data has the right to demand from the operator clarification of his personal data, blocking or destruction of it if the personal data is incomplete, outdated, unreliable, illegally obtained or is not necessary for the stated purpose of processing, as well as to take measures provided by law to protect his rights.

2. Information about the availability of personal data must be provided to the subject of personal data by the operator in an accessible form, and it should not contain personal data related to other subjects of personal data.

3. Access to his personal data is provided to the subject of personal data or his legal representative by the operator upon application or upon receipt of a request from the subject of personal data or his legal representative. The request must contain the number of the main document identifying the subject of personal data or his legal representative, information about the date of issue of the specified document and the issuing authority and the handwritten signature of the subject of personal data or his legal representative. The request can be sent electronically and signed with an electronic digital signature in accordance with the legislation of the Russian Federation.

4. The subject of personal data has the right to receive, when applying or receiving a request, information regarding the processing of his personal data, including containing:

1) confirmation of the fact of processing of personal data by the operator, as well as the purpose of such processing;

2) methods of processing personal data used by the operator;

3) information about persons who have access to personal data or who may be granted such access;

4) a list of personal data being processed and the source of its receipt;

5) terms of processing of personal data, including periods of their storage;

6) information about what legal consequences for the subject of personal data the processing of his personal data may entail.

5. The right of the subject of personal data to access his personal data is limited if:

1) the processing of personal data, including personal data obtained as a result of operational investigative, counterintelligence and intelligence activities, is carried out for the purposes of national defense, state security and law enforcement;

2) the processing of personal data is carried out by authorities that detained the subject of personal data on suspicion of committing a crime, or brought charges against the subject of personal data in a criminal case, or applied a preventive measure to the subject of personal data before bringing charges, with the exception of cases provided for by the criminal procedure legislation of the Russian Federation where the suspect or accused is allowed to become familiar with such personal data;

3) the provision of personal data violates the constitutional rights and freedoms of other persons.

Article 15. Rights of personal data subjects when processing their personal data for the purpose of promoting goods, works, services on the market, as well as for the purposes of political propaganda

1. Processing of personal data for the purpose of promoting goods, works, services on the market by making direct contacts with potential consumers using means of communication, as well as for the purposes of political propaganda, is permitted only with the prior consent of the subject of personal data. The specified processing of personal data is recognized as carried out without the prior consent of the subject of personal data, unless the operator proves that such consent has been obtained.

2. The operator is obliged to immediately stop, at the request of the personal data subject, the processing of his personal data specified in part 1 of this article.

Article 16. Rights of personal data subjects when making decisions based solely on automated processing of their personal data

1. It is prohibited to make decisions based solely on automated processing of personal data that give rise to legal consequences in relation to the subject of personal data or otherwise affect his rights and legitimate interests, except for the cases provided for in Part 2 of this article.

2. A decision that gives rise to legal consequences in relation to the subject of personal data or otherwise affects his rights and legitimate interests can be made on the basis of exclusively automated processing of his personal data only with the written consent of the subject of personal data or in cases provided for by federal laws, which also establish measures to ensure compliance with the rights and legitimate interests of the subject of personal data.

3. The operator is obliged to explain to the personal data subject the procedure for making a decision based solely on automated processing of his personal data and the possible legal consequences of such a decision, provide the opportunity to object to such a decision, and also explain the procedure for the personal data subject to protect his rights and legitimate interests.

4. The operator is obliged to consider the objection specified in part 3 of this article within seven working days from the date of its receipt and notify the subject of personal data about the results of consideration of such an objection.

Article 17. The right to appeal the actions or inactions of the operator

1. If the subject of personal data believes that the operator is processing his personal data in violation of the requirements of this Federal Law or otherwise violates his rights and freedoms, the subject of personal data has the right to appeal the actions or inaction of the operator to the authorized body for the protection of the rights of personal data subjects or through judicial procedure.

2. The subject of personal data has the right to protect his rights and legitimate interests, including compensation for losses and (or) compensation for moral damage in court.

Chapter 4. Operator Responsibilities

Article 18. Obligations of the operator when collecting personal data

1. When collecting personal data, the operator is obliged to provide the subject of personal data, at his request, with the information provided for in Part 4 of Article 14 of this Federal Law.

2. If the obligation to provide personal data is established by federal law, the operator is obliged to explain to the subject of personal data the legal consequences of refusal to provide his personal data.

3. If personal data was not received from the subject of personal data, except for cases where personal data was provided to the operator on the basis of federal law or if personal data is publicly available, the operator, before processing such personal data, is obliged to provide the subject of personal data with the following information:

1) name (last name, first name, patronymic) and address of the operator or his representative;

2) the purpose of processing personal data and its legal basis;

3) intended users of personal data;

4) the rights of the subject of personal data established by this Federal Law.

Article 19. Measures to ensure the security of personal data during their processing

1. When processing personal data, the operator is obliged to take the necessary organizational and technical measures, including the use of encryption (cryptographic) means, to protect personal data from unauthorized or accidental access to it, destruction, modification, blocking, copying, distribution of personal data, and also from other unlawful actions.

2. The Government of the Russian Federation establishes requirements for ensuring the security of personal data during their processing in personal data information systems, requirements for material media of biometric personal data and technologies for storing such data outside personal data information systems.

3. Control and supervision of compliance with the requirements established by the Government of the Russian Federation in accordance with Part 2 of this article is carried out by the federal executive body authorized in the field of security, and the federal executive body authorized in the field of countering technical intelligence and technical protection of information, within the limits of their powers and without the right to familiarize themselves with personal data processed in personal data information systems.

4. The use and storage of biometric personal data outside of personal data information systems can only be carried out on such material storage media and using such storage technology that ensure the protection of this data from unauthorized or accidental access to it, destruction, modification, blocking, copying, distribution.

Article 20. Obligations of the operator when applying or receiving a request from a personal data subject or his legal representative, as well as the authorized body for the protection of the rights of personal data subjects

1. The operator is obliged, in the manner provided for in Article 14 of this Federal Law, to provide the subject of personal data or his legal representative with information about the availability of personal data relating to the relevant subject of personal data, as well as to provide the opportunity to familiarize himself with them when the subject of personal data or his legal representative applies, or within ten working days from the date of receipt of the request of the subject of personal data or his legal representative.

2. In case of refusal to provide the subject of personal data or his legal representative, upon application or upon receipt of a request from the subject of personal data or his legal representative, with information about the availability of personal data about the relevant subject of personal data, as well as such personal data, the operator is obliged to give a reasoned written response containing a reference to the provision of Part 5 of Article 14 of this Federal Law or another federal law, which is the basis for such a refusal, within a period not exceeding seven working days from the date of application of the subject of personal data or his legal representative or from the date of receipt of the request of the subject of personal data or his legal representative.

3. The operator is obliged to provide the subject of personal data or his legal representative, free of charge, with the opportunity to familiarize himself with personal data relating to the corresponding subject of personal data, as well as to make the necessary changes to them, destroy or block the relevant personal data upon provision by the subject of personal data or his legal representative of information confirming that the personal data that relates to the relevant subject and which is processed by the operator is incomplete, outdated, unreliable, illegally obtained or is not necessary for the stated purpose of processing. The operator is obliged to notify the subject of personal data or his legal representative and third parties to whom the personal data of this subject were transferred about the changes made and measures taken.

4. The operator is obliged to provide the authorized body for the protection of the rights of personal data subjects, upon request, with the information necessary to carry out the activities of the said body within seven working days from the date of receipt of such a request.

Article 21. Obligations of the operator to eliminate violations of the law committed during the processing of personal data, as well as to clarify, block and destroy personal data

1. If unreliable personal data or unlawful actions with them by the operator are detected upon application or at the request of the subject of personal data or his legal representative or the authorized body for the protection of the rights of personal data subjects, the operator is obliged to block the personal data related to the corresponding subject of personal data from the moment of such application or receipt of such a request for the period of verification.

2. If the fact of unreliability of personal data is confirmed, the operator, on the basis of documents submitted by the subject of personal data or his legal representative or an authorized body for the protection of the rights of personal data subjects, or other necessary documents, is obliged to clarify the personal data and remove their blocking.

3. If illegal actions with personal data are detected, the operator, within a period not exceeding three working days from the date of such detection, is obliged to eliminate the violations. If it is impossible to eliminate the violations committed, the operator is obliged to destroy the personal data within a period not exceeding three working days from the date of discovery of illegal actions with personal data. The operator is obliged to notify the subject of personal data or his legal representative about the elimination of violations or the destruction of personal data, and if the appeal or request was sent by the authorized body for the protection of the rights of personal data subjects, also the specified body.

4. If the purpose of processing personal data is achieved, the operator is obliged to immediately stop processing personal data and destroy the corresponding personal data within a period not exceeding three working days from the date of achieving the purpose of processing personal data, unless otherwise provided by federal laws, and notify the subject of personal data or his legal representative about this, and if the appeal or request was sent by the authorized body for the protection of the rights of personal data subjects, also the specified body.

5. If the subject of personal data withdraws consent to the processing of his personal data, the operator is obliged to stop processing personal data and destroy personal data within a period not exceeding three working days from the date of receipt of the said withdrawal, unless otherwise provided by an agreement between the operator and the subject of personal data. The operator is obliged to notify the subject of personal data about the destruction of personal data.

Article 22. Notice about the processing of personal data

1. Before starting the processing of personal data, the operator is obliged to notify the authorized body for the protection of the rights of personal data subjects of his intention to process personal data, except for the cases provided for in part 2 of this article.

2. The operator has the right to process personal data without notifying the authorized body for the protection of the rights of personal data subjects:

1) relating to subjects of personal data who have an employment relationship with the operator;

2) received by the operator in connection with the conclusion of an agreement to which the subject of personal data is a party, if personal data is not distributed or provided to third parties without the consent of the subject of personal data and is used by the operator solely for the execution of the specified agreement and the conclusion of contracts with the subject of personal data;

3) relating to members (participants) of a public association or religious organization and processed by the relevant public association or religious organization operating in accordance with the legislation of the Russian Federation, to achieve the legitimate purposes provided for by their constituent documents, provided that personal data will not be disseminated without written consent of the subjects of personal data;

4) which are publicly available personal data;

5) including only the last names, first names and patronymics of the subjects of personal data;

6) necessary for the purpose of one-time entry of the subject of personal data into the territory where the operator is located, or for other similar purposes;

7) included in personal data information systems that, in accordance with federal laws, have the status of federal automated information systems, as well as in state personal data information systems created to protect state security and public order;

8) processed without the use of automation tools in accordance with federal laws or other regulatory legal acts of the Russian Federation that establish requirements for ensuring the security of personal data during their processing and for respecting the rights of personal data subjects.

3. The notification provided for in Part 1 of this article must be sent in writing and signed by an authorized person or sent in electronic form and signed with an electronic digital signature in accordance with the legislation of the Russian Federation. The notice must contain the following information:

1) name (last name, first name, patronymic), address of the operator;

2) the purpose of processing personal data;

5) legal basis for processing personal data;

6) a list of actions with personal data, a general description of the methods used by the operator for processing personal data;

7) a description of the measures that the operator undertakes to implement when processing personal data to ensure the security of personal data during their processing;

8) date of commencement of processing of personal data;

9) the term or condition for terminating the processing of personal data.

4. The authorized body for the protection of the rights of personal data subjects, within thirty days from the date of receipt of the notification about the processing of personal data, enters the information specified in Part 3 of this article, as well as information about the date of sending the specified notification to the register of operators. The information contained in the register of operators, with the exception of information about the means of ensuring the security of personal data during their processing, is publicly available.

5. The operator cannot be charged with expenses in connection with the consideration of a notification about the processing of personal data by the authorized body for the protection of the rights of personal data subjects, as well as in connection with entering information into the register of operators.

6. In case of provision of incomplete or unreliable information specified in part 3 of this article, the authorized body for the protection of the rights of personal data subjects has the right to require the operator to clarify the information provided before it is entered into the register of operators.

7. In case of changes in the information specified in part 3 of this article, the operator is obliged to notify the authorized body for the protection of the rights of personal data subjects about the changes within ten working days from the date of such changes.

Chapter 5. Control and supervision of the processing of personal data. Liability for violation of the requirements of this Federal Law

Article 23. Authorized body for the protection of the rights of personal data subjects

1. The authorized body for the protection of the rights of personal data subjects, which is entrusted with ensuring control and supervision over the compliance of the processing of personal data with the requirements of this Federal Law, is the federal executive body exercising the functions of control and supervision in the field of information technology and communications.

2. The authorized body for the protection of the rights of subjects of personal data considers requests from the subject of personal data regarding the compliance of the content of personal data and methods of their processing with the purposes of their processing and makes an appropriate decision.

3. The authorized body for the protection of the rights of personal data subjects has the right:

1) request from individuals or legal entities information necessary to exercise their powers, and receive such information free of charge;

2) verify the information contained in the notification about the processing of personal data, or involve other government bodies within the limits of their powers to carry out such verification;

3) demand from the operator clarification, blocking or destruction of inaccurate or illegally obtained personal data;

4) take measures, in accordance with the procedure established by the legislation of the Russian Federation, to suspend or terminate the processing of personal data carried out in violation of the requirements of this Federal Law;

5) file claims in court to protect the rights of personal data subjects and represent the interests of personal data subjects in court;

6) send an application to the body licensing the operator’s activities to consider taking measures to suspend or cancel the relevant license in the manner established by the legislation of the Russian Federation, if the condition of the license to carry out such activities is a ban on the transfer of personal data to third parties without the written consent of the subject of personal data;

7) send materials to the prosecutor’s office and other law enforcement agencies to resolve the issue of initiating criminal cases based on crimes related to violation of the rights of personal data subjects, in accordance with jurisdiction;

8) make proposals to the Government of the Russian Federation on improving the legal regulation of the protection of the rights of personal data subjects;

9) bring to administrative responsibility persons guilty of violating this Federal Law.

4. In relation to personal data that has become known to the authorized body for the protection of the rights of personal data subjects in the course of its activities, the confidentiality of personal data must be ensured.

5. The authorized body for the protection of the rights of personal data subjects is obliged to:

1) organize, in accordance with the requirements of this Federal Law and other federal laws, the protection of the rights of personal data subjects;

2) consider complaints and appeals from citizens or legal entities on issues related to the processing of personal data, and also make decisions, within the limits of their powers, based on the results of consideration of these complaints and appeals;

3) maintain a register of operators;

4) implement measures aimed at improving the protection of the rights of personal data subjects;

5) take, in the manner established by the legislation of the Russian Federation, upon the proposal of the federal executive body authorized in the field of security, or the federal executive body authorized in the field of countering technical intelligence and technical protection of information, measures to suspend or terminate the processing of personal data;

6) inform government bodies, as well as personal data subjects upon their appeals or requests, about the state of affairs in the field of protecting the rights of personal data subjects;

7) fulfill other duties provided for by the legislation of the Russian Federation.

6. Decisions of the authorized body for the protection of the rights of personal data subjects may be appealed in court.

7. The authorized body for the protection of the rights of personal data subjects annually sends a report on its activities to the President of the Russian Federation, the Government of the Russian Federation and the Federal Assembly of the Russian Federation. This report is subject to publication in the media.

8. The authorized body for the protection of the rights of personal data subjects is financed from the federal budget.

9. An advisory council is created on a voluntary basis under the authorized body for the protection of the rights of personal data subjects, the procedure for the formation and operation of which is determined by the authorized body for the protection of the rights of personal data subjects.

Article 24. Liability for violation of the requirements of this Federal Law

Persons guilty of violating the requirements of this Federal Law bear civil, criminal, administrative, disciplinary and other liability provided for by the legislation of the Russian Federation.

Chapter 6. Final provisions

Article 25. Final provisions

1. This Federal Law comes into force one hundred and eighty days after the day of its official publication.

2. After the day of entry into force of this Federal Law, the processing of personal data included in personal data information systems before the day of its entry into force is carried out in accordance with this Federal Law.

3. Personal data information systems created before the entry into force of this Federal Law must be brought into compliance with the requirements of this Federal Law no later than January 1, 2010.

4. Operators who process personal data before the date of entry into force of this Federal Law and continue to carry out such processing after the day of its entry into force are obliged to send to the authorized body for the protection of the rights of personal data subjects, except for the cases provided for in Part 2 of Article 22 of this Federal Law, the notification provided for in Part 3 of Article 22 of this Federal Law, no later than January 1, 2008.

President of the Russian Federation
V. Putin

The subject's personal data is classified according to the amount of personal information about the person and the degree of importance. Any transactions with them are carried out strictly within the framework of legislative acts and are subject to protection. However, there is a category of publicly available personal data that carries only superficial and impersonal information about a person.

From this article you will learn:

  • what is publicly available personal data;
  • list of publicly available personal data;
  • features of working with publicly available personal data.

When creating any database, including a list of all employees of the enterprise, it is necessary to categorize personal data at the initial stage. All personal data of employees is divided into two groups - public and confidential.

Concept and classification of personal data

Personal data (PD) is various kinds of information, from full name, date of birth, marital and social status, to registration numbers of documents issued by government agencies and commercial authorities. The operator of personal data is a state, federal, commercial structure, legal entity or individual who has the rights to carry out various activities using personal data.

In labor relations, the owner/subject of personal data is the employee, and the operator is the employer, personnel and accounting departments involved in registering the employee for work and all issues related to personal affairs and legal relations, payroll, benefits, compensation, etc. The subject's personal data is necessary for the employer to connect them with labor relations/agreements (Articles 85, 86 of the Labor Code of the Russian Federation).

The processing of personal data refers to various operations provided for by the legislation of the Russian Federation. Types of PD processing include collection, systematization, accumulation, storage, updating, use, depersonalization, destruction, which are carried out according to the procedures established by regulations. State, federal, municipal bodies and organizations that have such a right by status can carry out transactions with personal data.

All PD are divided into the following sections:

  • Special personal data;
  • Biometric personal data.

When creating personal data information systems (ISPD), it is recommended to be guided by the Order of the FSTEC, FSB and the Ministry of Information Technologies and Communications of the Russian Federation No. 55/86/20 dated February 13, 2008 “On approval of the Procedure for classifying personal data information systems.” According to this regulatory act, PD is divided into categories:

  1. Category 1 – special data defining race and nationality, religious and political beliefs, facts of personal life and health status.
  2. Category 2 – data that makes it possible to identify the subject and obtain additional information about him, with the exception of factors related to category 1. This section includes full name, home address, passport details, serial numbers of documents (medical policy, pension certificate, SNILS, TIN), information from work and medical records.
  3. Category 3 – data allowing to identify the subject (first name, last name, date of birth).
  4. Category 4 – anonymized or publicly available personal data from which it is impossible to identify the subject.

Publicly available personal data: list

The list of publicly available personal data includes factors that do not contain information that allows a person to be identified in a database. Anonymized data includes:

  • Last name, first name and patronymic;
  • Nickname/login of the subject on the Internet;
  • Email address (without reference to full name);
  • Position, place of work (without information about personal data).

Public data includes information about the subject that can be obtained from open sources of information, for example, a telephone directory or address book. Data is entered into such publicly accessible databases with the written consent of the subject.

Public personal data: features

The peculiarity of publicly available personal data is that it can be posted in open sources of information. That is, if the organization’s contact directory contains contact information for officials, for example, those involved in training and hiring personnel, then such data is considered publicly available. When a printed publication contains the names and surnames of members of the editorial board, this information is also publicly available.

A feature of publicly available data that allows them to be correctly classified includes the following factor: the first three categories are, to one degree or another, necessary to include a subject in the ISPD, and the fourth category remains outside the requirements of information systems. If only the name and place of work are known about a person, then such information is publicly available.

When systematizing data, more accurate information will be required, which can only be obtained with the written consent of the subject to the processing of personal data. In this case, the operator assumes the responsibility to protect and comply with legally established rules for the processing and storage of personal data.

“Person” - data that relates to a person, personality, biological organism.

What is it, how to collect it, where to store it, how to protect it?

Is a fingerprint card personal data or not?

It contains no personal information.

personal data - any information relating to an individual identified or determined on the basis of such information (subject of personal data), including his last name, first name, patronymic, year, month, date and place of birth, address, family, social, property status, education, profession, income, other information;

Address is registration at the place of residence or place of stay.

Conditional classification of personal data.

1) according to the degree of openness:

publicly available personal data - personal data that is accessible to an unlimited number of persons with the consent of the personal data subject or which, in accordance with federal laws, is not subject to confidentiality requirements.

Public personal data is data for which voluntary consent is given and which is posted in the public domain.

Often, some site owners ask for registration information that they don't want to provide.

Confidential information – information is provided strictly for specific purposes. Sometimes it can be collected without the person's knowledge.

The Ministry of Internal Affairs stores information in information centers

2) by affiliation

- personal - belongs from birth

- official - in the course of work, service - class rank, etc.

3) by method of provision

— voluntarily provided information

- provided in a general manner in accordance with the law (compulsory)

— collected without the consent of the citizen in accordance with the law

4) by the nature of the data

— biometric (fingerprint information)

Basic concepts used when working with personal data.

— processing of personal data — actions (operations) with personal data, including collection, systematization, accumulation, storage, clarification (updating, changing), use, distribution (including transfer), depersonalization, blocking, destruction of personal data;

— distribution of personal data — actions aimed at transferring personal data to a certain circle of persons (transfer of personal data) or at making personal data available to an unlimited number of persons, including the publication of personal data in the media, posting in information and telecommunication networks or providing access to personal data in any other way;

— use of personal data — actions (operations) with personal data performed by the operator for the purpose of making decisions or performing other actions that give rise to legal consequences in relation to the subject of personal data or other persons or otherwise affect the rights and freedoms of the subject of personal data or other persons;

— blocking of personal data — temporary cessation of the collection, systematization, accumulation, use, dissemination of personal data, including their transfer;

Information posted on the Internet often cannot be blocked.

Most personal data:

- stored on a computer

- posted on the Internet

It’s difficult to control placement

— destruction of personal data — actions as a result of which it is impossible to restore the content of personal data in the personal data information system or as a result of which material media of personal data are destroyed (for example, situations when archives were on fire);

— depersonalization of personal data — actions as a result of which it is impossible to determine the ownership of personal data by a specific subject of personal data;

— personal data information system — an information system, which is a collection of personal data contained in a database, as well as information technologies and technical means that allow the processing of such personal data using automation tools or without the use of such tools;

— confidentiality of personal data — a requirement for the operator or other person who has gained access to personal data not to allow their distribution without the consent of the subject of personal data or the presence of another legal basis;

— cross-border transfer of personal data — transfer of personal data by the operator across the State border of the Russian Federation to an authority of a foreign state, an individual or legal entity of a foreign state;

— publicly available personal data — personal data to which access by an unlimited number of persons is provided with the consent of the subject of personal data or which, in accordance with federal laws, is not subject to confidentiality requirements.

Processing of personal data.

1) the legality of the purposes and methods of processing personal data and integrity;

2) compliance of the purposes of processing personal data with the goals predetermined and stated when collecting personal data, as well as with the powers of the operator;

3) compliance with the volume and nature of the personal data processed, methods of processing personal data for the purposes of processing personal data;

4) the reliability of personal data, their sufficiency for the purposes of processing, the inadmissibility of processing personal data that is excessive in relation to the purposes stated when collecting personal data;

5) the inadmissibility of combining databases of personal data information systems created for incompatible purposes.

If at some time someone filled out a fingerprint card, then it is in the information center in their databases. We cannot, for example, combine databases of ordinary citizens and those who have committed a crime.

1) with the consent of the owner of personal data

2) without the consent of the owner of the personal data.

This applies to persons occupying a certain position and position: military personnel, corpses

Confidentiality of personal data:

When not required:

1) in case of depersonalization of personal data;

2) in relation to publicly available personal data.

- the operator who collects and processes personal data.

— limit access within your own organization

The operator is personally responsible for the dissemination of personal data

— establishing access restrictions both indoors and online (pass system, card identification system)

For local networks – system login + password

You can restrict access using biometric information: fingerprint, retina.

- about race

- about political views

- about religious or philosophical beliefs

- about the state of health

- about intimate life

Their processing is possible only with the consent of the subjects.

1) the presence of written consent of the subject for their processing

2) if the subject of personal data has made them publicly available

3) if this information refers to information necessary to protect the life, health and other vital interests of a person

Such information may be provided for medical and preventive purposes - for example, a viral infection.

Features of the processing of personal data in state or municipal information systems for processing personal data.

- applies only to civil servants and municipal employees.

A government agency has its own status; there are independent systems for processing information about state or municipal employees.

1) it is established what information is needed within its competence

2) there is also the Federal Law “On the State Civil Service”, that is, it is regulated not only by the legislation on personal data.

Information that characterizes the physiological characteristics of a person and on the basis of which his identity can be established (biometric personal data) can only be processed with the written consent of the subject of personal data, except for the following cases:

1) committing a crime

Processing of biometric personal data can be carried out without the consent of the subject of personal data in connection with the administration of justice, as well as in cases provided for by the legislation of the Russian Federation on security, the legislation of the Russian Federation on operational investigative activities, the legislation of the Russian Federation on civil service, the criminal executive legislation of the Russian Federation, the legislation of the Russian Federation on the procedure for leaving the Russian Federation and entering the Russian Federation.

- collecting information from a suspect is illegal

Processing of cross-border information.

It can be demanded, in order to protect the citizens of the country to which it is transferred, that it is collected only with the written consent of the subject.

Rights of the subject of personal data.

1) The right of the subject of personal data to access his personal data

You cannot call the information center of the Ministry of Internal Affairs (main information center and zonal information center)

2) The rights of personal data subjects to the processing of their personal data in order to promote goods, works, services on the market, as well as for the purposes of political propaganda

The accuracy of the information will be verified by others.

3) making decisions based solely on automated processing of personal data. A person may not trust automated processing. You can require that fingerprints be stored not only in the computer, but also on paper.

— Labor Code of the Russian Federation - there is a chapter devoted to personal data.

FEDERAL LAW ON STATE FINGERPRINT REGISTRATION IN THE RUSSIAN FEDERATION dated July 25, 1998 N 128-FZ

Public personal data is

Personal information is any information relating to an individual who is identified or can be identified on the basis of such information, including:

His last name, first name, patronymic,

Year, month, date and place of birth,

Address, family, social, property status, education, profession, income,

other information (see Federal Law-152, Article 3).

For example: passport data, financial statements, medical records, year of birth (for women), biometrics, other personal identification information.

Public sources of personal data (address books, lists and other information support) may, with the written consent of an individual, include his last name, first name, patronymic, year and place of birth, address, subscriber number and other personal data (see Federal Law-152, Article 8).

Personal data is classified as restricted information and must be protected in accordance with the legislation of the Russian Federation. When developing system security requirements, personal data is divided into 4 categories.

What is the operator and subject of personal data?

The personal data operator is, as a rule, an organization or, more precisely, a state or municipal body, a legal entity or an individual that organizes and (or) carries out the processing of personal data and also determines the purposes and content of that processing.

The subject of personal data is an individual.

The operator is responsible for the protection of the subject’s personal data in accordance with the current legislation of the Russian Federation.

How to classify a personal data information system?

To assign a typical personal data information system (PDIS) to a particular class, it is necessary to:

II. Determine the volume of personal data processed in the information system:

volume 3: the information system simultaneously processes the data of fewer than 1000 personal data subjects, or the personal data of subjects within a specific organization;

volume 2: the information system simultaneously processes the personal data of 1000 to 100,000 subjects, or the personal data of subjects working in the economic sector of the Russian Federation, in a government body, or living within a municipality;

volume 1: the information system simultaneously processes the personal data of more than 100,000 subjects, or the personal data of subjects within a subject of the Russian Federation or the Russian Federation as a whole;

III. Based on the results of the analysis of the initial data, a typical ISPDn is assigned one of the following classes (see table):

Class 4 (K4) - information systems for which violation of the specified security characteristics of personal data processed in them does not lead to negative consequences for the subjects of personal data;

Class 3 (K3) - information systems for which a violation of the specified security characteristics of personal data processed in them may lead to minor negative consequences for the subjects of personal data;

Class 2 (K2) - information systems for which a violation of the specified security characteristics of personal data processed in them may lead to negative consequences for the subjects of personal data;

Class 1 (K1) - information systems for which a violation of the specified security characteristics of personal data processed in them can lead to significant negative consequences for the subjects of personal data.

Judgment Day delayed until January 1, 2011

Personal data information systems created before the entry into force of Federal Law of the Russian Federation No. 152 “On Personal Data” must be brought into compliance with the requirements of this Federal Law no later than January 1, 2010 (see Federal Law No. 152, Article 25).

This means that personal data operators who fail to comply with the very stringent requirements of Federal Law No. 152 will, from January 1, 2010, face the corresponding civil, administrative, disciplinary, and perhaps (God forbid) criminal liability.

All information systems that were put into operation after February-April 2008 (from the moment the FSTEC of Russia and the FSB of Russia distributed their methodological documents) but do not comply with the requirements of Russian legislation in the field of personal data may incur this liability earlier, for example, tomorrow morning.

Note. Changes to the Criminal Code of the Russian Federation, significantly tightening liability for violations affecting privacy, will also come into force on January 1, 2010.

But as always happens, personal data operators did not move much, and few managed to do everything that was required. On December 16, 2009, the State Duma adopted in the third reading amendments to Articles 19 and 25 of the Law “On Personal Data” (152-FZ). The deadline for bringing personal data information systems (PDIS) into compliance with this law was postponed by a year, until January 1, 2011. In addition, the provision obliging the operator to use encryption (cryptographic) means to protect data when processing personal data was removed from the law.

Mandatory requirements for the protection of personal data information systems

Basic mandatory requirements for organizing an information security system depending on the class of a typical ISPD:

For class 4 ISPD:

The list of measures to protect personal data is determined by the operator (depending on the possible damage)

For class 3 ISPD:

Declaration of conformity or

Obtaining a license from FSTEC of Russia for activities related to technical protection of confidential information (for distributed ISPDn K3 systems)

For class 2 ISPD:

Mandatory certification for information security requirements

Obtaining a license from FSTEC of Russia for activities related to technical protection of confidential information for distributed systems

For class 1 ISPD:

Mandatory certification for information security requirements

Measures must be implemented to protect personal data from PEMIN

Obtaining a license from FSTEC of Russia for activities related to technical protection of confidential information

Procedure for protecting the personal data information system

Sequence of actions when fulfilling legal requirements for the processing of personal data:

1) Notification to the authorized body for the protection of the rights of personal data subjects about your intention to process personal data using automation tools;

2) Pre-project survey of the information system - collection of initial data;

3) Classification of the personal data processing system;

4) Construction of a private threat model in order to determine their relevance to the information system;

5) Development of a private technical specification for a personal data protection system;

6) Design of a personal data protection system;

Responsibility for violations of personal data processing

Persons guilty of violating the requirements of Federal Law 152-FZ “On Personal Data” bear:

- criminal (see Criminal Code of the Russian Federation, Art. 137, 140, 155, 183, 272, 273, 274, 292, 293),

- administrative (see Code of the Russian Federation on Administrative Offenses, Articles 5.27, 5.39, 11.13-13.14, 13.19, 19.4-19.7, 19.20, 20.25, 32.2),

- disciplinary (see Labor Code of the Russian Federation, Art. 81; Art. 90; Art. 195; Art. 237; Art. 391)

and other responsibility provided for by the legislation of the Russian Federation (see by-laws on working with personal data, which are published in the constituent entities of the Russian Federation, departments and organizations).

FSTEC - Federal Service for Technical and Export Control.

PEMIN - spurious electromagnetic emissions and interference.

Protection of personal information

In December 2014, the State Duma adopted in the third reading a bill on storing personal data of citizens processed on the Internet on servers in Russia. According to Roman Chuichenko, a member of the information policy committee, the main goal of the bill is to strengthen the information security of the country and its citizens. This measure was taken due to the complication of the international situation. This bill will come into force on September 1, 2015.

The entry into force of the new regulation on the protection of personal data requires that personal data operators provide:

  • timely detection of unauthorized access to personal data;
  • preventing impact on the technical means that carry out automated processing of personal data;
  • the ability to promptly respond to the fact of unauthorized access and immediately restore personal data in cases of their destruction or modification;
  • constant monitoring of the level of security of personal data.

Categories of personal data

ISPD can also be characterized by the parameter “volume of personal data processed”, which is the number of subjects whose data is processed in the information system and can take the following values:

  • simultaneous processing of more than 100 thousand subjects of personal data (performed both within the subject of the Russian Federation and in the Russian Federation as a whole);
  • simultaneous processing of personal data from 1 to 100 thousand subjects (performed in a government agency working in the field of the Russian economy);
  • simultaneous processing of personal data of less than 1 thousand subjects (performed within a specific organization).

Division into categories makes it possible not only to determine the class of ISPD, but also to establish a set of measures to ensure the security and protection of personal data on the Internet when it is processed in information systems.

Employee personal data

Every employee has the right to protect their personal data (clause 9 of Article 86 of the Labor Code of the Russian Federation).

In accordance with Art. 89 of the Labor Code of the Russian Federation, each employee can exercise his right to the protection of personal data through the following actions:

  • free access to your personal data, including obtaining a copy of any record containing the employee’s personal data;
  • determining a personal representative to protect your personal data;
  • obtaining complete information about personal data and their processing;
  • issuing demands for the exclusion or correction of personal data containing incorrect information or if it was processed in violation of legal requirements;
  • appealing in court against the employer’s unlawful actions, as well as his inaction in processing and protecting personal data.

Composition of the employee’s personal data

Based on clause 2 of Article 86 of the Labor Code of the Russian Federation, the volume and content of the employee’s personal data are determined by the employer in accordance with the Constitution of the Russian Federation, the Labor Code and other federal laws. As a rule, the activities of any organization require the employer to use two main types of documents in document flow:

  1. Documents that are provided by the employee when concluding an employment contract (Article 65 of the Labor Code of the Russian Federation). This category includes documents containing a photograph of the employee, full name, information about the place and date of birth, citizenship, marital status, place of registration, education, specialty (passport, insurance certificate of state pension insurance, military ID, etc.).
  2. Documents that are generated by the employer independently (primary accounting documentation for recording labor and its payment). This category includes orders or instructions on hiring an employee, terminating an employment contract, rewarding an employee, a personal card, and documents on remuneration.

Protection of personal data, liability for violation of laws

Let us note that sanctions for certain offenses apply to individuals and officials as well as to legal entities.

In accordance with Article 150 of the Civil Code of the Russian Federation, the inviolability of private life, personal and family secrets is among the inalienable intangible rights that are protected by current laws.

Let us note that the rights and obligations of an employee that are directly related to the personal data of other employees are determined by the terms of the employment contract and the composition of local regulations establishing the employee’s labor functions and the list of his job responsibilities.

Administrative responsibility. Violation of the procedure for collecting, storing and distributing personal data entails a warning or a fine in the amount of: from 300 to 500 rubles for individuals; from 500 to 1000 rubles for officials; from 5 to 10 thousand rubles for legal entities (Article 13.11 of the Code of Administrative Offenses of the Russian Federation). Administrative liability for the dissemination of information protected by law in the performance of official and professional duties entails a fine in the amount of: from 500 to 1000 rubles for individuals; from 4 to 5 thousand rubles for officials (Article 13.14 of the Code of Administrative Offenses of the Russian Federation).

Violation of privacy, in particular personal data, by a person using his official position is punishable by:

  • a fine in the amount of 100 to 300 thousand rubles, or in the amount of the wages or other income of the offender for 1-2 years;
  • deprivation of the right to hold certain positions for a period of 2 to 5 years;
  • arrest for a period of 4 to 6 months.

When posting information about themselves on social networks, not all of our citizens understand that it can be used to compile their profile. JSC National Bureau of Credit History (NBKI) was actively involved in the collection and processing of such information.

In May 2017, the Moscow Arbitration Court considered case No. A40-5250/17, in which the court had to assess the legality of processing such personal data.

The essence of the dispute

In August 2016, the Roskomnadzor Office for the Central Federal District conducted a scheduled on-site inspection of JSC National Bureau of Credit History (NBKI) regarding the compliance of personal data processing activities with legal requirements.

Based on the results of the inspection, an inspection report was drawn up and an order was issued to eliminate the identified violation.

The company considered the order illegal and in violation of its rights and legitimate interests in the field of business and other economic activities in two respects, and filed a claim in the arbitration court. The first was the requirement to include in the notification to the authorized body the data of individuals (clients or potential clients of a financial organization) that is transmitted to the financial organization from open sources of information and obtained using the Double Data Social Link service (a web link, a search result about the client or potential client) and the Double Data Social Attributes service (processing of the profile of the sought individual in open sources of information) (clause 1). The second was the indication of a violation of legal requirements in the form of a lack of consent to the processing of personal data of a client or potential client of a financial organization contained in open sources (social networks: VKontakte, Odnoklassniki, MoiMir, Instagram, Twitter; Internet portals Avito and Avto.ru), as part of the provision of services based on the “big data” service.

Position of the Moscow Arbitration Court

In relation to the present case, the court noted that the processing of personal data is permitted in particular in the following cases:

  • Processing of PD is carried out with the consent of the PD subject to the processing of his personal data (clause 1, part 1);
  • Processing is carried out of personal data to which the PD subject has provided access to an unlimited number of persons, or to which such access has been provided at his request (personal data made publicly available by the PD subject) (clause 10, part 1).

Thus, for personal data to count as made publicly available by the PD subject, two conditions are necessary:

  • the personal data is available to an indefinite number of persons;
  • the personal data was provided directly by the subject himself.

Without the written consent of the subject of personal data, it is not possible to assert that they were provided specifically by him.

According to the court, personal data made publicly available by the subject of personal data can only be contained in publicly available sources of personal data.

The court came to the conclusion that information about the subject (including personal data) contained in social networks (on the Internet) cannot be classified as personal data made publicly available by the subject, since social networks are not a source of public personal data in relation to the provisions of Article 8 of the Law.

The court also noted that information posted by its owners on the Internet in a format that allows automated processing without prior changes by a person for the purpose of reuse is publicly available information posted in the form of open data (Article 7 of the Federal Law of July 27, 2006 No. 149-FZ “On information, information technology and on information protection”).

My comment: Well, here the court slightly “bent”; open data is a completely different story!

The court concluded that the personal data processed by NBKI JSC on social networks were not made publicly available by the subject of personal data and therefore the applicant’s actions constituted violations of Part 3 of Article 22 and Clause 1 of Part 1 of Article 6 of the Federal Law of July 27, 2006 No. 152-FZ “On Personal Data”.

The arbitration court refused in full to satisfy the application of NBKI JSC to invalidate paragraphs 1 and 4 of the order of the Roskomnadzor Office for the Central Federal District.

Position of the Ninth Arbitration Court of Appeal

The Ninth Arbitration Court of Appeal noted in July 2017 that the company was included in the register of operators processing personal data under number 08-0031682.

As part of this type of activity, the company processes personal data of clients and potential clients of financial organizations contained in open sources (social networks: VKontakte, Odnoklassniki, MoyMir, Instagram, Twitter; Internet portals Avito and Avto.ru). The company does not have the consent of clients to process such data.

The Company believes that it has the right to process personal data about individuals without their consent. According to the court, the company did not take into account the following.

According to the court of appeal, the personal data processed by the company and contained in open sources (social networks: VKontakte, Odnoklassniki, MoyMir, Instagram, Twitter; Internet portals Avito and Avto.ru) are not publicly available. Within the meaning of the Law on Personal Data, posting personal data in these open sources does not automatically make them publicly available. Therefore, the processing of such data without the consent of the subject is not permitted.

The Ninth Arbitration Court of Appeal upheld the decision of the Moscow Arbitration Court, and the appeal was not satisfied.

In November 2017, the Arbitration Court of the Moscow District left unchanged the decision of the Moscow Arbitration Court and the decision of the Ninth Arbitration Court of Appeal, and the cassation appeal was not satisfied.

Position of the Supreme Court of the Russian Federation

A judge of the Supreme Court of the Russian Federation in January 2018 (ruling No. 305-KG17-21291) refused to transfer the cassation appeal of JSC National Credit History Bureau for consideration at a court session of the Judicial Collegium for Economic Disputes of the Supreme Court of the Russian Federation.

My comment: Processing information from social networks is a widespread method of collecting and analyzing information about people and organizations, and only the lazy do not collect such information about their clients and counterparties. The harsh truth of life is that anyone who does not check their potential employees, clients and counterparties in this way is in fact not exercising due business diligence. Those who are more cunning try to talk less about this in public, and, if possible, avoid uttering the words “personal data.”

Collecting information about citizens inevitably entails the problem of the legality of such actions, since any information about citizens is their personal data.

I would like to note that no matter what orders Roskomnadzor issues, if obtaining such information allows commercial organizations to seriously reduce the risks of financial losses, its processing will still continue. Well, maybe the lawyers who come up with a legal “cover” for this activity will earn a little extra money :)


