Home-Windows-Roskomnadzor register of operators processing personal data. Stages of registering an ISPDN operator with Roskomnadzor

Roskomnadzor register of operators processing personal data. Stages of registering an ISPDN operator with Roskomnadzor

Legal requirements for the personal data operator

The operator is obliged to ensure the confidentiality of personal data. Article 7 of the Federal Law of the Russian Federation of July 27, 2006 N 152-FZ “On Personal Data” (hereinafter referred to as FZ-152) states that the operator is not obliged to protect personal data if it is anonymized or publicly available. The personal data operator does not have the right to process data without the consent of the personal data subject, that is, the person to whom this data belongs. However, in Art. 6 Part 2 of Federal Law-152 provides for a number of cases when the consent of the subject is not required.
In particular, the consent of the subject is not required if his personal data is processed on the basis of the Federal Law defining the purpose and content of such processing (Article 6, paragraph 2, part 2). For example, according to Federal law No. FZ-3266-1 “On Education”, graduates of secondary educational institutions do not have to obtain consent to the processing of their personal data for admission to the Unified State Exam. Bodies and organizations involved in conducting the Unified State Exam carry out “...transfer, processing and provision of results received in connection with the conduct of the Unified State Exam<…>personal data of students, participants of the unified state exam<…>in accordance with legal requirements Russian Federation in the field of personal data without obtaining the consent of these persons to process their personal data” (Article 15, clause 5.1). The April issue of the magazine “Personal Data” contains a large material devoted specifically to this problem.
Another case when the processing of personal data does not require the consent of the subject: the execution of a contract, one of the parties to which is the subject of personal data. For example Any will do an agreement between a company and an individual for the provision of services. Mass useful information on this topic can be found in the specialized press. The operator must also provide the necessary organizational and technical measures to suppress attempts of illegal access to personal data.

Required documents

Each personal data operator is required to have a package of documents confirming the protection of personal data of employees and clients.

Scroll necessary documents may vary depending on the specifics of personal data processing, organizational structure and other features of each individual enterprise.

In accordance with this package of documents, the enterprise must implement technical means protection of personal data.

Preparation of documents necessary to protect personal data

There are several ways to prepare documents in accordance with the requirements of 152-FZ “On Personal Data”:

Protective equipment

Almost every organization has a personal data information system (abbreviated ISPDn), which may contain, for example, the employee’s last name, first name, passport data, TIN, etc. An operator works with this information system. Depending on what data is contained in the ISPD of a particular organization, this ISPD may belong to one of four classes, each of which provides various means to protect personal data.

See also

Links

  • www.rsoc.ru Register of operators processing personal data
  • www.pd.rsoc.ru Personal data portal of the Authorized body for the protection of the rights of personal data subjects
  • www.privacy-journal.ru Information and analytical journal "Personal Data"

Wikimedia Foundation. 2010.

See what a “Personal Data Operator” is in other dictionaries:

    Personal data operator- 2) operator government agency, municipal body, legal entity or individual, independently or jointly with other persons organizing and (or) carrying out the processing of personal data, as well as determining the purposes of processing... ... Official terminology

    Any action (operation) or set of actions (operations) performed using automation tools or without the use of such means with personal data, including collection, recording, systematization, accumulation, storage, ... ... Wikipedia

    The subject of personal data is an individual who is directly or indirectly identified or determined using personal data. Contents 1 Interaction with the subject of personal data ... Wikipedia

    A set of measures of a technical, organizational and organizational technical nature aimed at protecting information relating to a specific or determined on the basis of such information individual (subject of personal... ... Wikipedia

    This article or section describes the situation in relation to only one region. You can help Wikipedia by adding information for other countries and regions. Contents 1 Definition ... Wikipedia

    Number: 152 Federal Law Adoption: by the State Duma on July 26, 2006 Entry into force: January 26, 2007 Federal Law of the Russian Federation of July 27, 2006 No. 152 Federal Law “On Personal Data” is a federal law regulating processing activities (using ... Wikipedia

    Basic model of threats to the security of personal data during their processing in personal data information systems (extract)- Terminology Basic model threats to the security of personal data during their processing, including information systems personal data (extract): Automated system a system consisting of personnel and a set of automation equipment... ...

    RIGHTS OF PERSONAL DATA SUBJECTS WHEN MAKING DECISIONS BASED ON EXCLUSIVELY AUTOMATED PROCESSING OF THEIR PERSONAL DATA- according to the Federal Law “On Personal Data” dated July 27, 2006 No. 152 FZ, consist in prohibiting acceptance on the basis solely automated processing personal data decisions that generate legal consequences regarding... ...

    operator- 4.22 operator: Any object that carries out the operation of the system. Note 1 The operator role and the user role may be assigned simultaneously or sequentially to the same person or organization. Note 2 In the context of this... ... Dictionary-reference book of terms of normative and technical documentation

    OPERATOR- according to the Federal Law “On Personal Data” dated July 27, 2006 No. 152 FZ, - a state body, municipal body, legal entity or individual organizing and/or carrying out the processing of personal data, as well as determining the purposes... Records management and archiving in terms and definitions

In what cases is it necessary to notify Roskomnadzor about the processing of personal data? The answer is in the article.

Question: Are we required by law to register in the register of personal data operators of Roskomnadzor? in paragraph 2 of Art. 22 of the Law of July 27, 2006 No. 152-FZ “On Personal Data” states that, 2. The operator has the right to process personal data without notifying the authorized body for the protection of the rights of personal data subjects. We are not required to register in the register?

Answer: There is no need to register in the register of personal data operators of Roskomnadzor, since there is no registration procedure. Before processing personal data, the operator is obliged to send a notification to Roskomnadzor (Clause 1, Article 22 of Law No. 152-FZ). Roskomnadzor maintains a register of operators based on notifications.

At the same time, there are exceptions to this rule of law, listed in detail in paragraph 2 of Art. 22 of Law No. 152-FZ.

Rationale

Storage of personal data in Russia. What features are there for employee information?

If the company processes personal data not only of employees and contractors - individuals. That is, virtually any company is obliged to notify officials about the processing of personal data.

By general rule the employer is obliged to send a notification to Roskomnadzor about the start of processing personal data (Part 1, Article 22 of Law No. 152-FZ). Many companies still haven't done this. They justify it this way: the employer processes personal data only of its employees. Therefore, the company falls under the exception established in clause 1, part 2, art. 22 of Law No. 152-FZ. According to this standard, the employer has the right to process personal data in accordance with labor legislation without notifying Roskomnadzor.

But in most cases, the position that notification is not required is erroneous. After all, the employer processes data not only of employees, but also of other entities. For example, representatives of counterparties when receiving powers of attorney or employees of other companies belonging to the same group as the employer. In such cases, it is recommended to send a notification to Roskomnadzor.

In what form should Roskomnadzor be notified?

Include in the notification information about the personal data of employees (clause 7 of the Temporary Recommendations for filling out the notification form, approved by Roskomnadzor on December 30, 2014). Exceptions established in Part 2 of Art. 22 of Law No. 152-FZ, in in this case not applicable.

Roskomnadzor will enter the information from the notification into the register of operators within 30 days from the date of receipt of the document. There is no need to pay money for this (Part 4, Part 5 of Article 22 of Law No. 152-FZ).

Employers who have not notified Roskomnadzor risk receiving a letter from officials. In response, employers will be required to send a notice or justify the reasons for not sending it. IN the latter case the risk of Roskomnadzor verifying the validity of this type of justification increases. Thus, according to the annual report for 2014, Roskomnadzor sent more than 58 thousand such letters to operators (

This portal was created to provide citizens with information regarding the activities of Roskomnadzor in various areas. In addition, through this website it is easy to access any other data processor.

What is it

Roskomnadzor’s personal data portal is a tool that allows for thorough control of both ordinary citizens and individual entrepreneurs, commercial organizations. Any company processing personal data must first register with Roskomnadzor, and only then begin relevant activities.

What is it for?


Any information that can be used to identify you is considered personal. specific person . The portal is needed to make it easier for users to interact with operators processing any data, carrying out various actions for this.

You can also inform the monitoring organization itself if any violations are identified. In this case, appropriate penalties are applied.

Who can use

The specialized portal operates in open access . So any citizen can take advantage of its capabilities and posted information. It is enough to enter the name of the operator of interest or use its TIN. The search result will be information relating to a particular market participant.

Operator register

Personal information may include large number phenomena, including:

  1. Email address.
  2. An accurate description of your current place of residence.
  3. Mobile phone numbers.
  4. Information from certificates.
  5. Full name of the citizen.

Any information related to one or another can be considered personal. to a specific person. In some cases, your full name and car number are enough for identification. In other circumstances, a registration address and driver's license information are required.

  1. They process personal data independently or team up with other persons for this purpose.
  2. They themselves determine the operations with data, their composition, and the goals of the work.

An operator will be considered anyone who uses personal data and sends appropriate requests. Such companies operate in all areas. It is the data about them that is entered into the register. Clients can study the TIN and permitting documentation themselves and so on.

Video showing how to register in the register of personal data processing operators of Roskomnadzor.

Registration on the site

Registration on the portal is not required, all information is in the public domain, additional actions no need to implement. The same applies to various documents devoted to the protection of visitor information.

Interface, use

There is nothing complicated here. The registry search button is located at the very top home page portal. In this line you enter any data known for a particular company. Just below is a link with an advanced search. That is, you can enter not only the name, but also the TIN and registration number, if available.

Regulatory regulation

Regulates the activities of Roskomnadzor related to monitoring the implementation of legislation on the personal data of citizens. But the text of the article itself does not contain the exact name of the body vested with the relevant powers. Therefore, it is also allowed to use as support the Decree of the Government of the Russian Federation No. 228 “On the register of persons dismissed due to loss of trust,” issued in 2009. It is in this text that the powers are assigned specifically to Roskomnadzor.

According to the law, representatives of this institution have the following powers and rights:

  1. Independent bringing to administrative liability when violations related to personal data are detected.
  2. Appeal to law enforcement agencies and judicial authorities in order to protect the interests of citizens. The same can be done if any violations are detected.
  3. Restriction of access to information in the presence of violations on the part of the operator. Or issuing demands with requests to block, destroy or clarify certain information.
  4. Request for information related to the processing of personal data.

Conducting inspections by Roskomnadzor

There are special regulations for holding such events. It was approved by the relevant Order of the Ministry of Communications No. 312 of 2011. Paragraph 32 of this regulation is devoted to situations when scheduled inspections must be carried out in relation to operators:

  1. When a company is just starting to process personal data.
  2. After 3 years have passed since the previous inspection. Or from the moment the activity began.

The organization must be notified of the upcoming inspection at least 3 days before the actual organization of the event.

Roskomnadzor has the right to conduct unscheduled inspections. For example, if there are requests from citizens and other organizations regarding violations of rights. Or when there is a threat to life or health. In this case, notification must be received 24 hours before the event.

According to the results of the inspection, specialists draw up the corresponding act. If there are violations, the latter are described in detail in the accompanying document. The persons responsible for certain violations must be indicated. A description of the legal grounds for holding citizens or companies accountable is provided.

When consent to data processing is required

Information processing can only be carried out if previous owner gives his consent or when there are others legal grounds. Each individual case is considered individually:

  1. In the housing and communal services sector, the consent of residents is not required when management companies involve paying agents to pay for the use of services.
  2. Some situations require permission from in writing. This is especially true for special categories of personal data. For example, when it comes to biometric information.

Responsibility for violations

- the main document that until recently established penalties for violations in this area. Legal entities could face fines in the amount of 5,000 - 10,000 rubles or a warning issued by the competent authorities.

To identify violations, control measures were carried out in the form of inspections. About violations were sent special messages representatives of the prosecutor's office. If the application is approved, judicial proceedings are organized.

But recently the situation has changed. Now laws have begun to describe the relevant procedures in more detail. The changes concern the following areas:

  1. Increased fines.
  2. The emergence of powers to draw up protocols and initiate cases without contacting the prosecutor's office.

About registering as an operator


This event is not mandatory for the following categories of the population and market participants:

  1. Companies requesting data, for example, to purchase tickets. This applies to any carriers operating online.
  2. Those who process data without the use of computer technology.
  3. Systems that have received the status of state automated information systems. Or organizations created to protect society and order.
  4. Any companies with a valid pass system. There is no need to register if the citizen's information is read only once to receive a pass.
  5. Companies and individuals using information disclosed by citizens themselves.
  6. Those who use information to achieve the purposes described in the founding documents.
  7. Companies from the field cellular communication who need the data solely to provide services.
  8. Heads of enterprises.

Therefore, many companies may not be included in the register located on the official website of Roskomnadzor. To complete the registration procedure, simply submit an application by following established requirements. It is recommended to apply to electronic form or using company letterhead.

In just a couple of days, on July 1, 2017, amendments made to the Code of Administrative Violations and tightening liability for non-compliance (hereinafter referred to as Law No. 152-FZ) will come into force. There was enough information on this topic; “Clerk” also wrote about it.

But questions still remain.

It feels like there is just a stir around this topic. What actually happened? In general, the law has not changed. Changes were made to it only in terms of fines.

Now according to Art. 13.11 of the Administrative Code there is only one violation with a fine of 10,000 rubles for legal entities. After July 1, there will be seven of them and the total fine could be up to 295,000 rubles.

Why are the authorities taking up personal data now? All fines, which come into force on July 1, are the most common violations identified by Roskomnadzor over the past five years.

One of the main questions: do all websites really need to register as a personal data operator with Roskomnadzor?

It turns out not. It is possible to avoid this need. How? Data that comes from users must be processed on the basis user agreement. Subclause 2 of clause 2 of Article 22 of Law No. 152-FZ provides the following.

We quote:

“...2. The operator has the right to process personal data without notifying the authorized body for the protection of the rights of personal data subjects:

…2) received by the operator in connection with the conclusion of an agreement to which the subject of personal data is a party, if personal data is not distributed, and is not provided to third parties without the consent of the subject of personal data and is used by the operator solely for the execution of the specified agreement and the conclusion of agreements with the subject of personal data ;"

If on the organization's website or individual there is a form for collecting visitor data - for example, a form feedback, a line to subscribe to the newsletter, register or personal account, this is considered the processing of personal data.



Related publications: