Home-Excel-Processing of personal data for travel agencies registration with Roskomnadzor. How do I know if a notification has been accepted? Checking the activities of personal data operators

Processing of personal data for travel agencies registration with Roskomnadzor. How do I know if a notification has been accepted? Checking the activities of personal data operators

In what cases is it necessary to notify Roskomnadzor about the processing of personal data? The answer is in the article.

Question: Are we required by law to register in the register of personal data operators of Roskomnadzor? in paragraph 2 of Art. 22 of the Law of July 27, 2006 No. 152-FZ “On Personal Data” states that, 2. The operator has the right to process personal data without notifying the authorized body for the protection of the rights of personal data subjects. We are not required to register in the register?

Answer: There is no need to register in the register of personal data operators of Roskomnadzor, since there is no registration procedure. Before processing personal data, the operator is obliged to send a notification to Roskomnadzor (Clause 1, Article 22 of Law No. 152-FZ). Roskomnadzor maintains a register of operators based on notifications.

At the same time, there are exceptions to this rule of law, listed in detail in paragraph 2 of Art. 22 of Law No. 152-FZ.

Rationale

Storage of personal data in Russia. What features are there for employee information?

If the company processes personal data not only of employees and contractors - individuals. That is, virtually any company is obliged to notify officials about the processing of personal data.

As a general rule, the employer is obliged to send a notification to Roskomnadzor about the start of processing personal data (Part 1, Article 22 of Law No. 152-FZ). Many companies still haven't done this. They justify it this way: the employer processes personal data only of its employees. Therefore, the company falls under the exception established in clause 1, part 2, art. 22 of Law No. 152-FZ. According to this standard, the employer has the right to process personal data in accordance with labor legislation without notifying Roskomnadzor.

But in most cases, the position that notification is not required is erroneous. After all, the employer processes data not only of employees, but also of other entities. For example, representatives of counterparties when receiving powers of attorney or employees of other companies belonging to the same group as the employer. In such cases, it is recommended to send a notification to Roskomnadzor.

In what form should Roskomnadzor be notified?

Include in the notification information about the personal data of employees (clause 7 of the Temporary Recommendations for filling out the notification form, approved by Roskomnadzor on December 30, 2014). Exceptions established in Part 2 of Art. 22 of Law No. 152-FZ, in in this case not applicable.

Roskomnadzor will enter the information from the notification into the register of operators within 30 days from the date of receipt of the document. There is no need to pay money for this (Part 4, Part 5 of Article 22 of Law No. 152-FZ).

Employers who have not notified Roskomnadzor risk receiving a letter from officials. In response, employers will be required to send a notice or justify the reasons for not sending it. IN the latter case the risk of Roskomnadzor verifying the validity of this type of justification increases. Thus, according to the annual report for 2014, Roskomnadzor sent more than 58 thousand such letters to operators (

The Law on Personal Data No. 152-FZ of July 27, 2006 obliges you to register with special register everyone involved in the processing of personal data. What kind of register is this, for whom inclusion in it is mandatory, and how the registration procedure occurs - this is what our article is about.

Who is the operator of personal data

Law No. 152-FZ includes government agencies, organizations and individuals who collect personal data as operators, and also independently determine the purposes of collection, the composition of information, and the actions performed with it (Article 3 of Law No. 152-FZ).

Simply put, a personal data operator is someone who uses the personal data of citizens for labor and other relations. Their main task is to maintain the confidentiality of the received personal data, i.e. prohibition to transfer data to third parties and distribute them without the consent of the individual, unless this data is anonymized.

Register of personal data operators of Roskomnadzor

Before starting the processing of personal data, the operator is obliged to notify the government agency authorized to maintain the register of personal data operators - Roskomnadzor (Part 1, Article 22 of Law No. 152-FZ). This federal service oversees the communications sector, mass communications And information technology. State control over the processing of personal data by operators, in accordance with the law, is also carried out by Roskomnadzor. For these purposes, it conducts checks of personal data operators, in accordance with the regulations approved by Order of the Ministry of Telecom and Mass Communications of the Russian Federation dated November 14, 2011 No. 312.

You can view the register of personal data processing operators on the official website of Roskomnadzor; its information is publicly available.

It is enough to submit a notification once during the entire period of operation of the operator. At the same time, the law contains a list of exceptions when it is possible to work with personal data without inclusion in the register of personal data operators (Part 2 of Article 22 of Law No. 152-FZ):

  • when operator-employers process only data obtained in accordance with labor legislation;
  • if the operator received data from the counterparty in connection with the conclusion of an agreement and does not use it for purposes other than execution of the agreement;
  • when the personal data operator is a religious or public organization that processes the personal data of its participants for the purposes provided for by its charter;
  • if the citizen himself has made his personal data publicly available;
  • if the personal data does not include anything other than full name;
  • when data is received for issuing a one-time pass;
  • when processing personal data by state automated information systems;
  • if personal data is processed “on paper”, i.e. without the use of automation;
  • when data is used to ensure the safety of transport systems.

Anyone not listed in this list, a notification for inclusion in the register of personal data operators of Roskomnadzor is required to be submitted. Many individual entrepreneurs and organizations ignore this requirement or they find out about it too late. But you can submit a notification for inclusion in the register later, indicating in it the real date of the start of the processing of personal data, and no penalties will follow for being late.

How to notify Roskomnadzor

To submit a notification about the processing of personal data, the personal data processing operator must fill out an electronic form on the Roskomnadzor website. The notification form contains:

  • information about the operator itself (name, INN, OGRN, location address, telephone number, license numbers, etc.);
  • legal basis and purposes of data processing according to the statute;
  • description of measures and means of protecting personal data;
  • the actual date of commencement of processing of personal data by the operator;
  • the conditions under which processing will be terminated (for example, upon revocation of an operating license), or a specific termination period;
  • categories of personal data that are subject to processing (name, year of birth, marital status, residential address, profession, income, health status, etc.), use of biometric data;
  • actions with personal data and methods of processing them (automated or not, with transmission via the Internet or not, etc.);
  • data of the person responsible for processing personal data.

After filling out the electronic notification, the personal data operator sends it to Roskomnadzor, and another copy is printed on paper. The printed version is signed by the manager and certified with a seal. You need to attach a package to it necessary documents(Regulations on personal data, consent form for processing, order for the appointment of responsible persons, etc.) and send to the territorial office of Roskomnadzor by mail.

30 days are allotted for registration in the register from the date of receipt of the notification by Roskomnadzor. You can track the status of the sent notification on the same website.

If Roskomnadzor considers the information specified in the notification to be incomplete or unreliable, it may request clarification from the operator. If any data changes, the operator must notify the supervisory authority within 10 days to make adjustments to the register.

How to organize the processing of personal data of employees. Register of personal data operators of Roskomnadzor. How to obtain an employee’s consent to the processing of his personal data.

Question: Is a municipal unitary enterprise obligated to register with the register of operators of personal Roskomnadzor data, and also develop a set of documents on the protection of personal data?

Answer: Yes, a municipal unitary enterprise is obliged to register in the register of personal data operators, as well as develop a set of documents on the protection of personal data if the municipal unitary enterprise employs employees and the municipal unitary enterprise processes their personal data or the municipal unitary enterprise processes the personal data of various individuals (clients, partners).

Rationale

How to organize the processing of employee personal data

The concept of personal data

What personal data of an employee is the organization entitled to receive?

Public personal data

Question from practice: what personal data is considered public

Public information is generally known information and other information to which access is not limited. Such information may be used by any persons at their discretion, subject to legal compliance. established restrictions for its distribution. This is stated in paragraphs, Article 7 of the Law of July 27, 2006 No. 149-FZ.

Public personal data is data that the subject of personal data has made available as such. Public personal data may include information available to an unlimited number of persons (for example, data from open directories, address books etc.).

Since anyone has access to them, they no longer require special security.

When processing such data, the operator does not need to notify the authorized body for the protection of the rights of personal data subjects (clause 4, part 2, article 22 of the Law of July 27, 2006 No. 152-FZ).

Consent to personal data processing

How to obtain an employee’s consent to the processing of his personal data

In the course of its activities, the employer needs to process personal data of employees. The processing of such data, with the exception of certain cases, occurs only with the written consent of employees. In this case, consent must include the following information:

  • last name, first name, patronymic, address of the employee, details of the passport (another document proving his identity), including information about the date of issue of the document and the issuing authority;
  • name or surname, first name, patronymic and address of the employer (operator) receiving the employee’s consent;
  • purpose of processing personal data;
  • list of personal data for the processing of which consent is given;
  • name or surname, first name, patronymic and address of the person processing personal data on behalf of the employer, if the processing will be entrusted to such a person;
  • list of actions with personal data for which consent is given, general description methods used by the employer for processing personal data;
  • the period during which the employee’s consent is valid, as well as the method of its withdrawal, unless otherwise established by federal law;
  • employee signature.

Such requirements are established in part 4

If an employee is incapacitated, written consent to the processing of his personal data is given by his legal representative: parent, guardian (Part 6 of Article 9 of the Law of July 27, 2006 No. 152-FZ).

An employee may at any time withdraw consent to the processing of his personal data by sending feedback to the employer in any form. In such a situation, the organization has the right to continue processing personal data without the consent of the employee, taking into account the restrictions specified in paragraphs 2-11 of part 1 of article 6, part 2 of article 10 and part 2 of article 11 of the Law of July 27, 2006 No. 152-FZ, for example, to administer justice or protect the life (health) of the employee himself. This is stated in Part 2 of Article 9 of the Law of July 27, 2006 No. 152-FZ.

It should be noted that if a dispute arises, the obligation to provide evidence that the employee’s consent to the processing of his personal data has been obtained rests with the employer (Part 3 of Article 9 of the Law of July 27, 2006 No. 152-FZ).

With the consent of the employee, the organization also has the right to entrust the processing of personal data to another person (Part 3 of Article 6 of the Law of July 27, 2006 No. 152-FZ). In this case, the employer will continue to be responsible to the employee for the actions of the specified person, and the person processing personal data on behalf of the employer will be responsible directly to the employer (Part 5 of Article 6 of the Law of July 27, 2006 No. 152- Federal Law).

It should be noted that the employer must obtain consent to the processing of personal data not only from employees, that is, persons with whom he has an employment relationship, but also from applicants, as well as from persons with whom civil law contracts have been concluded in the organization. This is stated in paragraph 5 of the clarifications of Roskomnadzor dated December 14, 2012.

Universal Consent

Question from practice: Is it possible, when concluding an employment contract, to obtain written consent from the employee to provide his personal data to third parties in all necessary situations before dismissal?

No, you can't.

To transfer employee data to third parties, the organization is required to obtain the written consent of this employee. Without the written consent of the employee, his personal data may be transferred to third parties when this is necessary in order to prevent a threat to the life and health of the employee, and in other cases provided for by federal laws. Such rules are established by part 1 of article 88 of the Labor Code of the Russian Federation.

The Labor Code of the Russian Federation does not contain requirements for the content of written consent for the transfer of data. However, paragraph 1 of Article 9 of the Law of July 27, 2006 No. 152-FZ establishes that consent to the processing of personal data must be specific, informed and conscious. It follows from this that the organization must request written consent from the employee for each case of transfer of his personal data to a third party. Only under such conditions can the requirement of specificity and informed consent be considered fulfilled. The list of information that must be contained in written consent to the transfer of personal data is established in paragraph 4 of Article 9 of the Law of July 27, 2006 No. 152-FZ.

Processing personal data of performers according to GPA

Question from practice: Is it necessary to obtain written consent for the processing of personal data of citizens with whom civil law contracts have been concluded?

Yes, in general case necessary, in the same manner as with full-time employees.

Processing of personal data is possible only with the written consent of the subject of personal data, with the exception of certain cases when such processing is possible without their consent (). At the same time, the subjects of personal data can be both employees working under an employment contract and citizens with whom the organization has entered into civil law contracts.

Thus, an organization in general must obtain consent to the processing of personal data, including citizens with whom civil law contracts have been concluded, in order to exclude any disputes regarding unauthorized transfer of data outside the scope of the terms of the civil law contract.

The refusal of the performer to give such consent is not an obstacle to concluding a civil contract.

Data processing without consent

In what cases is the employee’s consent to transfer personal data not required?

In some cases, the processing of personal data is possible without the consent of the employee. For example, if the processing of personal data is necessary for the purpose of fulfilling a contract concluded with an employee or to achieve the goals provided for by law for the implementation and fulfillment of the functions, powers and responsibilities assigned by Russian legislation to the operator, it can be carried out without the consent of the employee - the subject of personal data. This is stated in the Law of July 27, 2006 No. 152-FZ.

Such cases include the transfer of information to:

  • Pension Fund of the Russian Federation ();
  • tax authorities ();
  • military commissariats ();
  • other bodies, when the obligation to transfer to them information related to the employee’s personal data is assigned to the employer by law or is necessary to achieve the goals established by law (for example, courts, prosecutor’s office, etc.).

In addition, consent is not required in following cases:

  • the obligation to process is provided for by law, including the publication and posting of personal data of employees on the Internet (for example, Law of November 21, 2011 No. 323-FZ, Law of February 9, 2009 No. 8-FZ and a number of other acts);
  • processing of personal data of close relatives of the employee is carried out to the extent provided for by the personal card (according to the unified form No. T-2 or independently developed form), as well as in cases of receiving alimony, registration social payments and access to state secrets;
  • processing information about the employee’s health status relates to the issue of his ability to perform his job function;
  • data processing is related to the employee’s performance job responsibilities, including during his business trip;
  • the processing of personal data is carried out when implementing access control to the territory of the employer’s office buildings and premises, provided that the organization of access control is carried out by the employer independently.

If the local document provides options for settlements with employees or in general at the moment is not registered, then employees have the right to independently decide whether to receive their salary through a cash register or on a bank card. And if the employer decides to transfer salaries to all employees bank cards, then each employee should be asked to consent to the processing of personal data and their transfer to a third party - the bank. In such a situation, employees have the right not to give consent, and the employer, in the absence of such consent, will not be able to continue processing the data and transfer to the bank information about those employees who refused.

More on the topic: Is it necessary to obtain employee consent again for the processing of personal data when changing banks to transfer salaries?

Question from practice: Is it necessary to obtain employee consent for the processing of personal data again when changing banks to transfer salaries?

No, it is not necessary, provided that the existing consents did not indicate the specific bank to which the data was provided. If the previous consent was drawn up for a specific bank, then the employer will have to obtain a new consent for general rules ().

In addition, there is no need to obtain consent if the organization’s local documents provide for the payment of wages specifically for bank cards and the employee, upon hiring or in the process of work, was familiarized with these documents (Part 2 of Article 9 of the Law of July 27, 2006 No. 152-FZ). See details.

Roskomnadzor notification

How to notify the regulatory agency about the start of processing personal data of employees

Before processing personal data of employees, the employer must notify territorial body Roskomnadzor about the intention to carry out processing. The exceptions are cases of processing personal data:

  • processed in accordance with labor laws;
  • made publicly available by employees;
  • received by the organization in connection with the conclusion of an agreement to which the employee is a party (provided that personal data is not distributed or provided to third parties without the consent of the employee and is used by the employer solely for the execution of the specified agreement and the conclusion of other agreements with the employee);
  • relating to members (participants) of a public association or religious organization;
  • including only last names, first names and patronymics of employees;
  • necessary for the purpose of an employee’s one-time entry into the employer’s territory and for other similar purposes;
  • included in information systems personal data that, in accordance with federal laws, have the status of state automated information systems, as well as state personal data information systems created to protect state security and public order;
  • processed without the use of automation tools in accordance with legislative acts establishing requirements for ensuring the security of personal data during their processing and for respecting the rights of personal data subjects;
  • processed in cases provided for by Russian legislation on transport security.

In case of termination of processing of personal data, the employer is also obliged to notify the authorized body about this. This must be done within ten working days from the date of termination of data processing. The standard form for notification of termination of data processing has not been approved, so the employer can draw it up in any form ().

Question from practice: what should be understood by the processing of employee personal data

Personal data protection

How to organize the protection of personal data of employees in an organization

To prevent disclosure of personal data, create reliable system their protection. The procedure for receiving, processing, transferring and storing such information is established in a local act of the organization, for example in (Article, Labor Code of the Russian Federation,). The regulations are approved by the head of the organization. Familiarize it with the signature of the employees of the organization. This is stated in Part 1 of Article 86 of the Labor Code of the Russian Federation.

It is also necessary to appoint a person in the organization responsible for working with personal data (Part 5 of Article 88 of the Labor Code of the Russian Federation). As a rule, such an employee is a personnel service employee, since it is he who most often comes across personal data of employees in the course of his work. Appoint the person responsible for working with personal data by order in any form.

Specific measures to ensure the security of employees' personal data during their processing are provided for in the Law of July 27, 2006 No. 152-FZ and the Requirements approved. Based on them, the organization can develop its own own system protection of personal data.

Thus, when processing personal data in an information system, it is necessary to ensure the protection and security of personal data. At the same time, a threat to the security of personal data is a set of conditions and factors that create the danger of unauthorized (including accidental) access to personal data during their processing in the system, which may result in:

  • destruction;
  • change;
  • blocking;
  • copying;
  • provision;
  • spreading;
  • others misconduct with personal data.

It should be noted that the choice of specific information security means for the information system for processing personal data is carried out by the employer in accordance with the regulations of the FSB of Russia and FSTEC of Russia. Determining the type of threats to the security of personal data relevant to the system for processing and protecting personal data is made taking into account the assessment of possible harm and in accordance with the regulations of the mentioned bodies (clause , Requirements approved by Decree of the Government of the Russian Federation of November 1, 2012 No. 1119).

When processing personal data in systems, four levels of security can be established depending on the category of data and the number of employees about whom the system contains information. Depending on the level of security, the employer should take various measures to protect personal data processing systems provided for in paragraphs 13-16 of the Requirements approved by Decree of the Government of the Russian Federation of November 1, 2012 No. 1119. For example, establishing a regime for ensuring the security of premises in which personal data is located, appointing persons responsible for ensuring the security of personal data in the information system, etc. Specific requirements for the specified measures to ensure the security of personal data during their processing are established by the composition and content of organizational and technical measures approved by order of the FSTEC of Russia dated February 18, 2013 No. 21.

To control the security of personal data during its processing, the employer or a person authorized by him carries out control checks at least once every three years, the specific timing of which is determined by the employer independently. If necessary, organizations or individual entrepreneurs that have a license to carry out activities can be involved in conducting an inspection on a contractual basis. technical protection confidential information(clause 17 of the Requirements approved by Decree of the Government of the Russian Federation of November 1, 2012 No. 1119).

Statement on personal data

Question from practice: Is the Regulation on working with personal data of employees a mandatory document?

Yes, it is.

The procedure for storing, processing and using personal data of employees is established by the employer, taking into account the requirements of the Labor Code of the Russian Federation and other federal laws (). This means that the employer must independently determine the procedure for such processing and enshrine it in a local regulatory act, in particular, the Regulations on working with personal data of employees. All employees of the organization, when hired, must be familiarized with the Regulations for signature (Part 3 of Article 68 of the Labor Code of the Russian Federation).

Based on the above, it follows that the Regulations on working with personal data are a mandatory document of the organization, and its absence entails administrative liability (). The courts also point to this (see, for example, the resolution of the Federal Antimonopoly Service of the Moscow District dated October 26, 2006 No. KA-A40/10220-06).

An example of the design of the Regulations on working with personal data of employees

The head of the organization approved the Regulations on working with personal data of employees.

There is no personnel service in the organization. Responsible for maintaining personnel records appointed accountant of the organization V.N. Zaitseva.

Question from practice: how to protect personal information located in a computer database

To prevent unauthorized access for personal information located in a computer database, establish in the Regulations a procedure for protecting such information. The higher the risk of unauthorized access to personal data, the more measures must be taken to protect such information. For example, an organization can introduce a system of individual passwords that will change at certain intervals, limit employee access to computers on which personal data is stored, and store disks and floppy disks with such information in locked cabinets.

The processing of personal data in the information system must be carried out in accordance with the provisions of paragraphs 8–16 of the Requirements approved by Decree of the Government of the Russian Federation of November 1, 2012 No. 1119.

An organization can ensure the protection of personal data both independently and with the involvement of third-party organizations licensed to carry out activities to protect confidential information. Such clarifications are given in paragraph 17 of the Requirements approved by Decree of the Government of the Russian Federation of November 1, 2012 No. 1119.

Question from practice: Is it possible for non-HR employees to be given the right to access the personal data of other employees?

Yes, you can if employees need access to such information to perform certain job functions.

Only specially authorized persons who need such access to perform specific functions can have access to personal data of employees. This is stated in the Labor Code of the Russian Federation.

As a rule, due to the specific nature of their activities, employees should have access to personal data:

  • personnel service employees;
  • accounting staff;
  • general manager and, if necessary, his deputies;
  • heads of departments and immediate supervisors.

In this case, each of these categories of employees is assigned its own access level. For example, accounting employees can be given access to the address data of employees and their marital status, heads of departments - in terms of personal information exclusively about their subordinates.

The access levels of certain persons, as well as the specific procedure for transferring personal data of employees within the organization must be prescribed in its local documents, for example, in the Regulations on the protection of personal data of employees (paragraph 5 of Article 88 of the Labor Code of the Russian Federation). Authorized persons must be familiar with the provisions of the document and warned about their rights and obligations, as well as responsibility for using information for other purposes ().

Advice: the conditions for posting personal data of employees on the corporate website are specified in the Regulations on working with personal data. At the same time, make an appendix to it, in which you indicate a list of employees who agree (or disagree) to the posting of personal data. Thus, the requirement will be met, and the organization will be able to post the personal data of employees who agree with such placement on the corporate website.

In order to ensure the rights of its employees, the organization and its representatives, when processing personal data, are obliged to comply with the requirements regulated by the Labor Code of the Russian Federation. Persons guilty of violating the rules governing the protection of personal data are subject to administrative and criminal liability (). Or they may be fired with the wording “for disclosing the personal data of another employee on the basis of subparagraph “c” of paragraph 6 of part 1 of Article 81 of the Labor Code of the Russian Federation.”

Question from practice: does the head of a structural unit have the right to demand from the accounting department to provide monthly information on the accrued salaries of employees subordinate to him

Information about amounts accrued to employees refers to personal data (clause 1, article 3 of Law No. 152-FZ of July 27, 2006). The immediate supervisor can request them if the appropriate permission is established in a local regulatory act and the employee’s consent to the processing of his personal data has been obtained.

At the same time, the staffing table contains information about salaries and bonuses of employees. Staffing table is a local document of the organization and does not relate to personal data. The head of a structural unit, if necessary, can contact this document, if provided job description leader or local act of the organization. This will allow him to get necessary information without contacting the accounting department.

Refusal to process data

Question from practice: what to do if a person refuses to consent to the processing of his personal data

The organization has the right to continue to process a person’s personal data without his consent if there are certain grounds. At the same time, the volume of such processing is quite large and allows the organization to carry out current activities without disruption.

In particular, the employer may not require consent to the processing of personal data from applicants for concluding an employment and civil law contract, sending personalized reports to the authorities Pension Fund RF, tax reporting in the Federal Tax Service of Russia, information about those liable for military service in military commissariats, as well as for storing documents with personal data, including employment and civil contracts, personal cards, personal files, etc. That is, when the employer fulfills the requirements imposed on him by law responsibilities.

Such rules are established in paragraphs 2-11 of part 1 of article 6, part 2 of article 10 and part 2 of article 11 of the Law of July 27, 2006 No. 152-FZ.

To carry out all other actions, the organization must obtain the person’s consent to process his personal data (Part 4 of Article 9 of the Law of July 27, 2006 No. 152-FZ).

Attention: Current legislation does not oblige a person to give consent to the processing of personal data, therefore refusal on his part cannot be considered a violation and grounds for refusal to conclude a contract. A staff employee also cannot be fired or subject to other disciplinary action for refusing to provide consent to the processing of personal data.

Question from practice: what to do if an employee refuses to provide personal data of family members to fill out personnel documents

Depersonalization of personal data refers to actions as a result of which it becomes impossible without the use additional information determine the ownership of personal data to a specific person ().

If it is necessary to depersonalize personal data, the heads of organizations approve:

  • rules for working with anonymized data;
  • list of positions of employees responsible for carrying out measures to anonymize processed personal data.

Such rules are provided for in subparagraph “b” of paragraph 1 of the list approved by Decree of the Government of the Russian Federation of March 21, 2012 No. 211.

Specific requirements and methods for depersonalizing personal data processed in information systems are established in the Requirements and methods approved by Roskomnadzor Order No. 996 dated September 5, 2013.

The main requirement for the depersonalization of personal data is to ensure not only protection from unauthorized use, but also the possibility of their processing. To do this, anonymized data must have properties that preserve the basic characteristics of anonymized personal data. Such properties, in particular, include:

  • completeness, that is, preservation of all information about specific people or groups of people that was available before depersonalization;
  • structure, that is, preservation structural connections between anonymized data specific person or groups of people that existed before depersonalization;
  • applicability, that is, the ability to solve problems of processing personal data without first depersonalizing the entire volume of records about people;
  • anonymity, that is, the impossibility of unambiguously identifying data subjects obtained as a result of depersonalization, without the use of additional information.

The main requirements for methods of anonymizing personal data are:

  • ensuring the required properties of anonymized data;
  • compliance with the requirements for the characteristics of the methods;
  • implementation of methods in various programs;
  • solving the assigned tasks of processing personal data.

To the most promising and convenient for practical application The following depersonalization methods include:

  • method of introducing identifiers, that is, replacing part of the personal data with identifiers and creating a table of identifiers corresponding to the original data;
  • method of changing the composition or semantics, that is, changing the composition or semantics of personal data by replacing them with results statistical processing, generalization or deletion of part of the information;
  • decomposition method, that is, dividing an array of personal data into several parts with subsequent separate storage;
  • mixing method, that is, rearrangement individual records, as well as groups of records in the personal data array.

For the purpose of security of working with personal data of employees, commercial organizations also have the right, but are not obliged, to engage in depersonalization (Clause 3 of Article 3 of the Law of July 27, 2006 No. 152-FZ). If an organization decides to anonymize personal data, then the specific method of anonymization must be enshrined in a local act, for example, in the Regulations on working with personal data of employees (Article , Labor Code of the Russian Federation,).

Checks of compliance with requirements for the processing of personal data

How compliance checks for the processing of personal data are carried out

Roskomnadzor conducts inspections of the employer regarding the processing of personal data. Order No. 312 of the Ministry of Telecom and Mass Communications of Russia dated November 14, 2011 approved the Administrative Regulations for the execution by this service of the functions of exercising state control (supervision).

The subject of control over the employer’s activities related to the processing of personal data are:

  • documents the nature of the information in which suggests or allows the inclusion of personal data;
  • personal data information systems;
  • processing activities.

Roskomnadzor carries out both scheduled and unscheduled inspections in the form of documentary or on-site inspections (Law No. 294-FZ of December 26, 2008). The rights and obligations of Roskomnadzor officials during inspections are determined, respectively, by paragraphs and Administrative regulations, approved by order of the Ministry of Telecom and Mass Communications of Russia dated November 14, 2011 No. 312.

The time frame for checking an employer’s activities in processing personal data during both scheduled and unscheduled checks cannot exceed 20 working days. At the same time, for small businesses, the total period of on-site scheduled inspections cannot exceed one year:

  • 50 hours - for a small enterprise;
  • 15 hours - for a micro-enterprise.

In exceptional cases, the period for conducting an on-site scheduled inspection may be extended, but by no more than 20 working days, and for small and micro enterprises - by no more than 15 hours. This is possible if during the inspection the need arises to:

  • complex and lengthy research and testing;
  • special examinations and investigations.

Only those employees who have undertaken to comply with the rules for working with personal data and have violated them () can be subject to disciplinary liability. Financial liability may arise if direct actual damage is caused to the organization due to violation of the rules for working with personal data ().

For violating the procedure for collecting, storing, using or distributing personal data, the organization and its officials will be fined. During one inspection, Roskomnadzor may detect several different violations. Then he will collect several fines at once.

The amount of fines depends on the type of offense committed. Thus, officials can be fined in the amount of 3,000 to 20,000 rubles, individual entrepreneurs - in the amount of 5,000 to 20,000 rubles, organizations - in the amount of 15,000 to 75,000 rubles. For more information about the fines for violations in working with personal data, see the table.

Such measures of liability are provided for in articles of the Code of the Russian Federation on Administrative Offenses.

Criminal liability for the head of an organization (another person responsible for working with personal data) may arise for illegal:

  • collecting or disseminating information about privacy employee, constituting his personal or family secret, without his consent;
  • dissemination of this information in a public speech, publicly displayed work or media.

For these violations are provided the following measures responsibilities:

  • a fine of up to 200,000 rubles. (or in the amount of the convicted person’s income for a period of up to 18 months);
  • compulsory work for up to 360 hours;
  • correctional labor for up to one year;
  • forced labor for a term of up to two years with or without deprivation of the right to hold certain positions or engage in certain activities for a term of up to three years;
  • arrest for up to four months;
  • imprisonment for a term of up to two years with deprivation of the right to hold certain positions or engage in certain activities for a term of up to three years.

In this case, the same acts committed by a person using his official position are punishable:

  • a fine in the amount of 100,000 to 300,000 rubles. (or in the amount of the convicted person’s income for a period of one to two years);
  • deprivation of the right to hold certain positions or engage in certain activities for a period of two to five years;
  • forced labor for a term of up to four years with or without deprivation of the right to hold certain positions or engage in certain activities for a term of up to five years;
  • arrest for a term of four to six months;
  • imprisonment for a term of up to four years with deprivation of the right to hold certain positions or engage in certain activities for a term of up to five years.

Question from practice: Is it possible to provide for non-disclosure of confidential information in employee employment contracts?

Yes, you can.

But only for those employees who directly work with personal data: HR officers, HR managers, secretaries (). In this case, when hiring, familiarize the employee with the Regulations on working with personal data.

Question from practice: Is it possible to provide information about an employee’s work in an organization by telephone to representatives of other companies, such as banks?

Yes, you can, but only with the written consent of the employee himself.

Personal data means any information directly or indirectly related to a specific individual (subject of personal data) (Part 1 of Article 3 of the Law of July 27, 2006 No. 152-FZ). At the same time, the list of personal data is not exhaustive, that is, any information relating to a specific person is his personal data. Thus, the place of work and the fact of work itself requested from the organization, for example, credit institution to confirm the fact of employment or by a potential employer about a former employee, are personal data. Therefore, it is possible to transfer employee data to other organizations only in compliance with general requirements on the processing of personal data, that is, only with the consent of the employee himself (clause 3, part 1, article 86 of the Labor Code of the Russian Federation,).

Thus, it is possible to provide information about the fact that employees are working by telephone to unidentified persons, including those posing as bank specialists, but only with the written consent of the employee himself, regardless of whether he continues to work in the organization or has already quit.

Question from practice: Is the employer obliged, at the request of the bailiff service, to report the fact of work in the organization of the debtor employee?

The fact of working in an organization refers to the employee’s personal data. The bailiff conducting enforcement proceedings has the right to request from the organization information about the employees in respect of whom the proceedings took place. court decisions on the payment of alimony or other types of awarded payments, including information related to personal data. This request the employer has no right to ignore it. Such rules are established by Law of October 2, 2007 No. 229-FZ.

At the same time, the employer has the right to report the fact of work in the organization of a debtor employee without his consent to transfer personal data to third parties, since in this case the processing of personal data is necessary for the administration of justice, the execution of a judicial act subject to execution in accordance with Russian legislation on enforcement proceedings(clause 3, part 1, article 6, clause 6, part 2, article 10, part 2, article 11 of the Law of July 27, 2006 No. 152-FZ).

Thus, the employer is obliged to respond to the request of the bailiff service about the fact of the work of the debtor employee. Obtain employee consent to

Margarita Orlova answers,

Head of the Department of Administration of Insurance Contributions of the Federal Insurance Service of Russia

“To confirm the main type of activity for a separate division that pays contributions independently, submit the same documents as for the organization as a whole. The only difference is that they reflect information only about the division and submit it to the Social Insurance Fund branch at the place of registration of such division. How to pay contributions until you have received a notification from the Social Insurance Fund about the tariff for the current year - you will find out in the recommendation.”

Roskomnadzor maintains a register of operators - companies that comply with the requirements of the Law “On Personal Data”. To be included in the register, the company submits a notification about the processing of personal data. This can be difficult to do: it is unclear when to submit the notification, how to fill it out, and how to ensure that the information reaches Roskomnadzor.

Is it possible not to submit a notification?

The Personal Data Law requires every company to file a notice.

There are several exceptions in the law that allow some companies to avoid this. In this case, you need to be prepared to legally prove to the regulatory authority that the exceptions apply to the company. This is not so easy to do: lack of notification is one of the most common violations detected during Roskomnadzor inspections.

Most best option- submit a notification and protect the company from questions from the regulatory authority as to why this was not done.

Sometimes companies are afraid that submitting a notification will attract undue attention from Roskomnadzor, and it will come with an inspection. In practice this does not happen.

When should I send the notification?

The notification is submitted before the processing of personal data begins. Based on the letter of the law, this must be done in the first days after state registration legal entity or individual entrepreneur.

Often the decision to file a notice is made when the company has been operating for several months or several years. There is no need to fear a fine or other sanctions for being “late” in submitting a notice. But if Roskomnadzor becomes interested in the company (it comes with an inspection or sends a “letter of happiness” where it demands to submit a notification), then a fine will not be avoided.

An important nuance: even if the notification is submitted “late,” it is better to indicate the date of state registration of the company as the “start date of processing of personal data.”

How to fill out a notification?

The notification must be submitted via the Internet (at electronic form) and send by mail (in printed form).

The electronic notification form is filled out on the Roskomnadzor website. There is quite a lot of information required, and it is not easy to do, despite the presence of hints. You need to be prepared to formulate the legal grounds and purposes of processing personal data, describe the actions performed with them and indicate how their security is ensured.

After submitting the electronic form, the Roskomnadzor website will offer to download the already completed printed form. It will need to be printed, signed and certified with the company’s seal, and then sent by mail to the territorial body of Roskomnadzor. This is necessary to confirm the information submitted online.

You can also fill out the notification electronically on the Public Services Portal, but this is less convenient way.

How do I know if a notification has been accepted?

After filling out the notification on the Roskomnadzor website, the company will receive a notification number and a secret key. With their help, on special page you can clarify the status of the notification and find out when its information will be included in the register of operators.

All information in the register of operators is publicly available, except for information about ensuring the security of personal data. You can find a notification from any operator.

How many times do I need to give notice?

The notification is given only once.

However there is important nuance: The Law “On Personal Data” requires that Roskomnadzor be notified of changes in the information specified in the notification within 10 days after such changes. The notice contains a lot of information about the company, and changes can happen quite frequently. Unfortunately, it can be difficult to monitor them and respond in time.

It is best to submit the notification as early as possible and carefully ensure that the company information in the operator register is up to date. This is very easy to do using our service.

How to become a personal data operator in the Roskomnadzor register

Not all companies individual entrepreneurs know whether they are personal data operators and whether they need to transfer information about themselves to Roskomnadzor. Let's figure out who the service monitors more closely and how to notify about the start of processing personal information citizens.

Who are personal data operators and what do they do?

Most people know that personal data (hereinafter - PD) includes information about the last name, first name and patronymic of a citizen, information from his passport, number mobile phone, residential address, e-mail. What other information could be included in this list? It turns out that any: an exhaustive list is not presented anywhere, and in principle there cannot be one. This is confirmed by the wording in Federal Law No. 152-FZ of July 27, 2006:

Personal data - any information relating to a directly or indirectly identified or identifiable individual (subject of personal data).

It turns out that in some cases the last name, first name and car number will be enough to identify a citizen, while in others you will also need his driver’s license number and registration address.

A personal data operator is a state or municipal body, legal entity or individual who:

  • independently or jointly with other persons organizes and/or carries out the processing of personal data;
  • determines the purposes of working with personal information, its composition, as well as actions (operations) with it.

    • That is, anyone who requests and uses personal data is their operator. And everyone who has access to and processes information by which a citizen can be identified actually works with personal data and is responsible for failure to comply with the law on their protection.

    Let's imagine who might be classified as PD operators. Banks? Yes! Sites that collect material about subscribers? Yes! Legal and accounting companies providing various services? Yes! Shops and beauty salons offering to purchase bonus card? Yes again! Homeowners' associations, universities, kindergartens, travel agencies, medical institutions, automated systems, including government ones? Yes, yes, yes! PD operators - everywhere, in any field!

    Everyone who deals with personal data is obliged to comply with certain rules for collecting, ensuring security, clarifying, blocking and destroying this type of information. According to Law No. 152-FZ, operators must:


    Registration with Roskomnadzor as a personal data operator

    The law stipulates that before starting work with personal information, it is necessary to contact the authorized supervisory authority and notify about the start of work with personal information. This does not mean that every company must be included in the Roskomnadzor register of personal data operators. This list does not include:

  • employers. They collect and store information in accordance with labor laws, for example, when registering employment contracts, various personnel orders;
  • cell phone or landline company telephone communication, if the data is obtained solely for the provision of communication services under a concluded contract, it is not distributed or provided to third parties without the consent of the subject of the personal data;
  • public associations or religious organizations that gain access to the data of their members (participants) to achieve the goals provided for in the constituent documents;
  • organizations and individuals using publicly available information that subjects of personal data themselves disclosed, for example, on personal websites;
  • any companies that operate a pass system. If a citizen’s passport data is copied to obtain a one-time pass to the organization’s territory, there will be no need to register;
  • systems with the status of state automated information systems, as well as government systems Personal data created to protect state security and public order. There are a lot of them, and among them are the Era-Glonass and Management systems, AIS for accounting of non-profit and religious organizations and many others at the federal and regional level;
  • citizens and organizations that process information without the use of automation tools (computers). At the same time, they must be guided by the requirements approved by Government Decree No. 687 of September 15, 2008;
  • organizations that request data to provide safe operation transport complex, for example, when booking and purchasing tickets, including through online services of carriers or intermediaries.

    • Taking into account such formulations, many of the organizations are no longer included in the register of operators processing personal data maintained by Roskomnadzor. But those to whom exceptions do not apply must be on the list of the regulatory authority.

    The registration procedure consists of submitting a notification in a certain form. It can be accessed through the Roskomnadzor personal data register, the government services portal, or using Order of the Ministry of Telecom and Mass Communications of Russia dated December 21, 2011 N 346. Free download required document You can also find it at the end of this article.

    Roskomnadzor recommends submitting a notification on the organization’s letterhead, on paper or electronically. The paper version will need to be filled out, signed and sent to the territorial body of Roskomnadzor (by mail or delivered in person). Electronic document can be submitted directly on the department’s website - in the “Electronic application forms” section.

    Regardless of the method of informing officials, the notification must indicate:

  • full and abbreviated name of the company indicating the organizational and legal form, as well as legal and postal addresses, TIN;
  • the purposes of processing stated in the constituent documents or actually carried out;
  • categories of PD that will be processed;
  • subjects whose PD is planned to be processed, including relationships with them, for example, passenger, borrower, subscriber, depositor, policyholder;
  • the basis on which there is a right to processing (for example, articles of the Air Code of the Russian Federation or the law on acts of civil status on acts of civil status), including the presence of a license for the type of activity being carried out;
  • description of the PD processing methods used and their list: manual, automated or mixed processing;
  • information about the persons responsible for organizing the processing of personal data, their telephone numbers, postal addresses, email;
  • information about encryption (cryptographic) means;
  • start date, as well as conditions and terms for termination of PD processing;
  • information about where the data is stored during its processing, including about the country where the databases with information about the personal data of citizens of the Russian Federation are located;
  • information on ensuring the security of personal data in accordance with the requirements established by Decree of the Government of the Russian Federation of November 1, 2012 N 1119.

    • Please note that registration of a personal data operator on the Roskomnadzor website is carried out within 30 days. If submitted electronic application, the company will have to send an additional paper copy of the notification to the territorial authority. If the information is insufficient, officials will send a request to clarify the submitted documents. It is impossible to refuse to accept a notification and enter information about an organization into the register.

    If, by various reasons, the organization has changed the purposes of processing PD or needs to make other changes, within 10 days it sends a letter to Roskomnadzor in the prescribed form. The document can be found below. In addition, PPT.ru readers can download a form of the document required to exclude a company from the register.

    All services provided by Roskomnadzor in this case are free.

    Current legislation provides for administrative liability for violation of requirements for personal data protection. According to Federal Law No. 13-FZ dated 02/07/2017, which came into force on July 1, 2017, Article 13.11 of the Code of Administrative Offenses of the Russian Federation provides for several offenses for which personal data operators can be fined. Depending on the offense, fines for legal entities under this article they vary from 15,000 to 75,000 rubles, and for individual entrepreneurs - from 5,000 to 20,000 rubles.

    Refusal to register in the register may be regarded as failure to provide information to the regulatory authority. The punishment for this is provided for in Article 19.7 of the Code of Administrative Offenses of the Russian Federation. According to it, officials face a fine of 300 to 500 rubles, and legal entities - from 3,000 to 5,000 rubles.

    Maintaining a register of operators processing personal data

    Entering information about the operator into the register of operators processing personal data (Federal Service for Supervision of Communications, Information Technologies and Mass Communications)

    General information

    Service results

    Who can receive the service

    • Has the status of an entrepreneur
    • Individuals
    • Legal entities

      • How can I submit documents?

    • By mail
    • Through a legal representative

      • How can you get the results of the service?

    • Personally

      • Grounds for refusal to provide services

    • The basis for suspending the deadline for entering information about the Operator into the Register (making changes and excluding information about the Operator from the Register) is the provision by the operator of incomplete or unreliable information. (The basis for suspending the deadline for entering information about the Operator into the Register (amending and excluding information about the Operator from the Register) is the provision by the Operator of incomplete or unreliable information.)

      • Service delivery period

      Service completion time: Provision public services carried out without direct interaction with the applicant.
      Information about the Operator is entered into the register within 15 days from the date of receipt of the notification based on the results of verification of the information contained in the Notification. The date of entering information about the Operator into the Register is considered to be the date of signing the order.
      An application for the provision of a public service is registered no later than the day following the day of its receipt by Roskomnadzor (the territorial body of Roskomnadzor).
      Information on entering information about the Operator into the Register is posted on the official website of Roskomnadzor no later than 3 days from the date of signing the order.

      The basis for considering the issue of entering information about the Operator into the Register is the sending by the Operator of the Notification directly to Roskomnadzor (the territorial body of Roskomnadzor) or the receipt of the Notification in the Unified Information System with Single portal with assignment to him incoming number.
      The notice must contain the following information:

      1. Name (last name, first name, patronymic), address of the Operator.
      2. Purpose of processing personal data.
      3. Categories of personal data.
      4. Categories of subjects whose personal data is processed.
      5. Legal basis for processing personal data.
      6. List of actions with personal data, general description of the methods used by the Operator for processing personal data.
      7. Description of the measures provided for in Articles 18.1 and 19 Federal Law, including information about the availability of encryption (cryptographic) tools and the names of these tools.
      8. Last name, first name, patronymic individual or the name of the legal entity responsible for organizing the processing of personal data, and their numbers contact numbers, postal addresses and email addresses.
      9. Information about the presence or absence of cross-border transfer of personal data in the process of processing.
      10. Information about personnel safety

      www.gosuslugi71.ru

      Articles on the topic

      A personal data controller is any person who collects information about employees and clients. Find out how to submit an application to Roskomnadzor for the processing of personal data, what are the responsibilities of the operator, which can lead to a fine

      Read our article:

      Who is included in the register of personal data operators of Roskomnadzor

      A personal data operator is any person who collects information about employees and clients (Article 3 of Law No. 152-FZ “On Personal Data”).

      New liability for violations of personal data. For what and how much will they now be fined>>>

      An operator (OPD) can be a state or municipal company, a legal entity, a businessman, or even ordinary person, if it collects information about other people and independently determines what data to request, how to process it and what to do with the collected information.

      The law defines personal data as any information that relates directly or indirectly to an identified or identifiable individual (subject of personal data).

      Of course, in most cases, the requested information is limited only to the last name, first name, patronymic, passport details and number cell phone, but sometimes to identify a person you need to find out his car number, driver’s license details or SNILS and other information.

      There is no exhaustive list in the law, so absolutely any information needed for identification can be considered personal data.

      It turns out that anyone who requests and uses such information and has submitted the appropriate application is included in the register of personal data operators of Roskomnadzor. There are already more than 400,000 positions there, and new faces are constantly appearing. Among them are banks, insurance companies, travel agencies, beauty salons, shops, homeowners associations, kindergartens, clinics and many others.

      If any site provides a form feedback, subscription or personal account, in which visitors will leave data, then site owners should also register in the registry.

      The operator cannot process the information received without the consent of the person to whom it belongs.

      But there are also exceptions. If any law provides for such work with information (defining the purpose and content of processing), then consent is not required.

      For example, according to the Law “On Education”, for admission to the Unified State Examination, the transfer, processing and provision of personal data of students without their signature on consent to work with information is provided.

      How to submit a request for the processing of personal data

      The notification can be submitted on the Roskomnadzor website and sent by mail.

      When filling out the electronic notification form, you will need to indicate:

    • TIN, OGRN and other data of the applicant;
    • purposes and legal basis for data processing;
    • indicate exactly what data will be processed and how this will happen;
    • license details (if the applicant’s activities are licensed);
    • measures taken to ensure the safety of the received data;
    • start date of processing and much more (Article 22 of Law No. 152-FZ).

      • After electronic form will be filled out, it can be downloaded from the Roskomnadzor website, printed, signed and sent by mail to the territorial authority. This will confirm the information sent through the site.

      There is an option to fill out an application through the State Services Portal, but this is a less convenient way than communicating with Roskomnadzor through its own website.

      If everything is done correctly, the company will be entered by Roskomnadzor in the register of operators processing personal data.

      The law provides for exceptions when such registration is not required.

      The following may not apply for inclusion in the register:

    • employers collecting information about their employees;
    • those who process only people's full names;
    • those who take information to allow a person into their territory once, etc.

      • The full list of exceptions is described in Part 2 of Art. 22 of Law No. 152-FZ “On Personal Data”. A company that believes that it is on this coveted list will have to argue that this is indeed the case.

      In a private conversation with inspectors, we found out where they will “dig” when a company needs to be fined, but there is no clear reason. Get ready for what they will be looking for - plans for fines are planned to increase.

      Based on the provisions of the law, an application for the processing of personal data must be submitted in the first days after the creation of a legal entity or individual entrepreneur - that is, before starting to work with the information.

      But in practice, the operator has already been working at full speed for several months, or even years, when the idea of ​​registering occurs to the management. If this idea comes to the management before Roskomnadzor arrives, good - it will be possible to avoid a fine or other sanctions.

      And if inspectors arrive before the notification is submitted, you will have to pay for their sluggishness.

      Obligations of the operator when processing personal data

      After a company or businessman has registered with Roskomnadzor as a personal data operator, he will have to fulfill the obligations prescribed in Chapter 4 of Law No. 152-FZ. In particular, the OPD must:

    • explain to the subject from whom they receive information what exactly they are taking and why;
    • explain the consequences of refusing to provide information;
    • ensure recording, systematization, accumulation, storage, clarification, etc. of the information received;
    • provide information about data processing to the subject if it was not received from him;
    • take measures to protect against unauthorized (accidental) access to information, destruction, modification, blocking or copying;
    • appoint a responsible person.

      • Operators must obtain the individual's prior consent to process personal information. It is requested in in writing– the subject signs a paper stating that the data is collected in accordance with Law No. 152-FZ, after receipt it will be properly stored, used, and then destroyed. A special form proposed by Roskomnadzor can be downloaded on its website.

      Responsibility for refusal to register in the register

      If a potential operator has not submitted an application to be included in the Roskomnadzor personal data register, he faces administrative liability. Refusal to register in the register is regarded as failure to provide information to the regulatory authority. Such an offense is punishable under Article 19.7 of the Code of Administrative Offenses of the Russian Federation. Under this clause, a person may be fined in the amount of one hundred to three hundred rubles; for officials - from three hundred to five hundred rubles; for legal entities - from three thousand to five thousand rubles.

      If you do not want to bear responsibility for refusing to register in the register and pay fines (albeit not as large as for other crimes), it is better to comply with the requirements of the law and submit an application on time.

      www.pro-personal.ru

      Register of personal data operators

    In just a couple of days, on July 1, 2017, amendments made to the Code of Administrative Violations and tightening liability for non-compliance (hereinafter referred to as Law No. 152-FZ) will come into force. There was enough information on this topic; “Clerk” also wrote about it.

    But questions still remain.

    It feels like there is just a stir around this topic. What actually happened? In general, the law has not changed. Changes were made to it only in terms of fines.

    Now according to Art. 13.11 of the Administrative Code there is only one violation with a fine of 10,000 rubles for legal entities. After July 1, there will be seven of them and the total fine could be up to 295,000 rubles.

    Why are the authorities taking up personal data now? All fines, which come into force on July 1, are the most common violations identified by Roskomnadzor over the past five years.

    One of the main questions: do all websites really need to register as a personal data operator with Roskomnadzor?

    It turns out not. It is possible to avoid this need. How? Data that comes from users must be processed on the basis user agreement. Subclause 2 of clause 2 of Article 22 of Law No. 152-FZ provides the following.

    We quote:

    “...2. The operator has the right to process personal data without notifying the authorized body for the protection of the rights of personal data subjects:

    …2) received by the operator in connection with the conclusion of an agreement to which the subject of personal data is a party, if personal data is not distributed, and is not provided to third parties without the consent of the subject of personal data and is used by the operator solely for the execution of the specified agreement and the conclusion of agreements with the subject of personal data ;"

    If the website of an organization or individual has a form for collecting visitor data - for example, a feedback form, a line for subscribing to a newsletter, registration or personal account, this is considered the processing of personal data.



    Related publications: