7 steps to creating a personal data protection system

Is your organization a personal data controller?

Does your company keep personnel records of employees and recruit personnel using automation tools (information systems)? Does your company transfer personal data of employees or clients to other organizations using automation tools (information systems)? Does your company have clients who are individuals?

Every organization that uses automation tools to process and store personal information about its employees, clients and other persons is a personal data operator.

IMPORTANT! Article 22 of the Federal Law “On Personal Data” obliges operators, before starting the processing of personal data, to inform the authorized body for the protection of the rights of personal data subjects of their intention to carry out such processing. That is, you are required to send a Notification to Roskomnadzor about registration as a PD operator and the start of PD processing.

The grounds under which an employer has the right to process personal data (abbreviated as PD) without notifying Roskomnadzor are listed in Part 2 of Art. 22 of the Federal Law of July 27, 2006 No. 152-FZ “On Personal Data”.

What counts as personal data

The legislation classifies as personal data any information that relates to a specific person: not only information that refers to him directly, but also any indirect data. This definition is very broad. Note that it does not say that the data must necessarily identify a specific person.

With this approach, it is very difficult to find information that is not subject to the law.

To understand more precisely what constitutes personal data, you can send a request for clarification to the appropriate authority. That authority is Roskomnadzor.

A request was made as to whether there is a minimum set of data about a particular person that can be classified as personal data. Roskomnadzor reviewed this request and responded as follows. A review of the legislation showed that there are dozens of regulations that include various lists of information as personal data.

At the same time, it was indicated that this issue is addressed in a large number of existing documents. These include the following regulations:

  • 250 documents issued by the Government of the Russian Federation;
  • 75 international regulations;
  • more than a hundred federal laws;
  • 13 Codes.

The resulting understanding of what such data includes is much broader than might be expected. At the same time, the list of personal data goes well beyond the minimum set of information on the basis of which a specific individual can be identified.

https://youtu.be/1C6rcr_GVaM

In connection with the above, the question arises of the need to define a clearer framework for what belongs to personal data and what does not. The question of whether passport data falls into this category has an affirmative answer, but in most cases the question is much more complex.

ATTENTION! The scientific and practical commentary of Roskomnadzor indicates the approach to follow in each specific case to determine what is included in personal data. To do this, you need to consider a specific list of personal data and decide whether the presented set is sufficient to identify an individual.

If it is, then all information included in this list is considered personal data. If this condition is not met, the data are not subject to the relevant law.

Protection of personal data in the organization

Personal data of citizens is classified as information that is especially protected by Russian law. The legislation of the Russian Federation (Federal Law of July 27, 2006 No. 152-FZ “On Personal Data”) strictly defines the requirements for the protection of personal data, the features and rules for their processing without the use of automation tools and in personal data information systems.

Responsibility for the collection, processing, storage and protection of personal data of employees, clients and other persons lies entirely with the employer. Therefore, any enterprise must establish a procedure for working with personal data and develop documents and measures to organize the protection of personal data.

To do this, the enterprise must develop and approve in accordance with the law a Regulation that establishes the procedure for processing and protecting personal data.

IMPORTANT! Article 19 of Federal Law No. 152-FZ, “Measures to ensure the security of personal data during their processing”:

When processing personal data, the operator is obliged to take the necessary legal, organizational and technical measures or ensure their adoption to protect personal data from unauthorized or accidental access to it, destruction, modification, blocking, copying, provision, distribution of personal data, as well as from other unlawful actions regarding personal data.

How consent to processing is drawn up

Consent can be drawn up according to a template or in free form, but it must comply with all basic requirements. The form can be downloaded from the Internet, or you can use one created specifically for your organization.

In this case, the document must contain the following information:

  1. The name of the company where the employment is carried out.
  2. Date and place of document preparation.
  3. Full name of the employee, information about his place of residence and passport details.

After specifying the basic information, the second part of the document should list the following information:

  1. What personal data should be protected?
  2. How is it permissible to use them, for what purposes?
  3. Validity period of the document. The possibility of revoking consent is stated separately, even though the law already provides for it.

Separately, a mandatory note must be made that the document was drawn up and signed voluntarily, without any outside coercion. Only after this can the signature be placed in the space intended for it.

Sample consent:

You can download a blank form to fill out using the link.

Nuances you need to know when drawing up consent:

  1. An application for processing can be received from the data owner on the website, in electronic form, or in printed form, as a contract or agreement.
  2. Some Internet users tick the “consent to data processing” box without reading the terms and conditions, and thus grant the right to use their data without knowing it.
  3. The request for information provided must be as complete, informative and meaningful as possible.
  4. The easiest way is to use a ready-made form and enter all the basic information into the document.

The actions that are performed with personal information include the following: data collection, systematization and accumulation, distribution, use and retrieval.

Administrative responsibility for disclosure of personal data

From July 1, 2020, fines for violating the Federal Law “On Personal Data” dated July 27, 2006 No. 152-FZ with respect to the procedure for collecting, storing, using or distributing personal data will increase.

Amendments to the Code of Administrative Offenses of the Russian Federation were introduced by Federal Law No. 13-FZ dated 02/07/2017. On the basis of that law, seven offenses, with corresponding fines for officials and legal entities, are introduced for non-compliance with the law on personal data.

Organization of personal data protection in the organization

Below is a general list of the documents that a personal data operator must have in order to comply with the requirements of legislation in the field of personal data.

1. Notice about the processing of personal data.
Base:

Federal Law of July 27, 2006 No. 152-FZ “On Personal Data”.

Article 22. Notification about the processing of personal data.

Part 1. Before starting the processing of personal data, the operator is obliged to notify the authorized body for the protection of the rights of personal data subjects of its intention to process personal data, except in the cases provided for in Part 2 of this article.

2. Changes to the notice on the processing of personal data.
Base:

Federal Law of July 27, 2006 No. 152-FZ “On Personal Data”.

Article 22. Notification about the processing of personal data.

Part 7. In the event of a change in the information specified in Part 3 of this article, as well as in the event of termination of the processing of personal data, the operator is obliged to notify the authorized body for the protection of the rights of personal data subjects within ten days from the date of such changes or from the date of termination of the processing of personal data.

Article 25. Final provisions.

Part 2.1. Operators who processed personal data before July 1, 2011 are required to submit to the authorized body for the protection of the rights of personal data subjects the information specified in paragraphs 5, 7.1, 10 and 11 of Part 3 of Article 22 of this Federal Law no later than January 1, 2013.

3. Order on organizing the processing of personal data.
4. Order (instruction) on the appointment of a person responsible for organizing the processing of personal data by the operator.
Base:

Federal Law of July 27, 2006 No. 152-FZ “On Personal Data”.

Article 22.1. Persons responsible for organizing the processing of personal data in organizations.

Part 1. The operator, being a legal entity, appoints a person responsible for organizing the processing of personal data.

5. Consent of the subject of personal data to the processing of his personal data.
Base:

Federal Law of July 27, 2006 No. 152-FZ “On Personal Data”.

Article 9. Consent of the subject of personal data to the processing of his personal data.

Part 1. The subject of personal data decides to provide his personal data and consents to their processing freely, of his own free will and in his own interest. Consent to the processing of personal data must be specific, informed and conscious. Consent to the processing of personal data can be given by the subject of personal data or his representative in any form that allows confirmation of the fact of its receipt, unless otherwise provided by federal law.

6. Written consent of the subject of personal data to the processing of his personal data.
Base:

Federal Law of July 27, 2006 No. 152-FZ “On Personal Data”.

Article 9. Consent of the subject of personal data to the processing of his personal data.

Part 4. In cases provided for by federal law, the processing of personal data is carried out only with the written consent of the subject of personal data.

7. Documents confirming that the information specified by the Federal Law “On Personal Data” was provided to the subject of personal data, if the personal data was not received from the subject.
Base:

Federal Law of July 27, 2006 No. 152-FZ “On Personal Data”.

Article 18. Obligations of the operator when collecting personal data.

Part 3. If personal data is not received from the subject of personal data, the operator, except in the cases provided for in Part 4 of this article, is obliged to provide the subject of personal data with the following information before processing such personal data begins:

1) name or surname, first name, patronymic and address of the operator or his representative;

2) the purpose of processing personal data and its legal basis;

3) intended users of personal data;

4) the rights of the subject of personal data established by this Federal Law;

5) source of obtaining personal data.

8. Documents defining the operator’s policy regarding the processing of personal data.
Note: to fulfill the requirement of Part 2 of Art. 18.1, publish the document or otherwise provide unrestricted access to it.

Base:

Federal Law of July 27, 2006 No. 152-FZ “On Personal Data”.

Article 18.1. Measures aimed at ensuring that the operator fulfills the obligations provided for by this Federal Law.

Part 1, paragraph 2) publication by an operator that is a legal entity of documents defining the operator’s policy regarding the processing of personal data, local acts on the processing of personal data, as well as local acts establishing procedures aimed at preventing and identifying violations of the legislation of the Russian Federation and eliminating the consequences of such violations.

9. Documents containing provisions on the adoption by the PD operator of legal, organizational and technical measures to protect personal data.
Base:

Federal Law of July 27, 2006 No. 152-FZ “On Personal Data”.

Article 19. Measures to ensure the security of personal data during their processing.

Part 1. When processing personal data, the operator is obliged to take the necessary legal, organizational and technical measures to protect personal data from unauthorized or accidental access to it, destruction, modification, blocking, copying, provision, distribution of personal data, as well as from other unlawful actions regarding personal data.

10. Documents on organizing the reception and processing of requests and appeals from personal data subjects.
Base:

Federal Law of July 27, 2006 No. 152-FZ “On Personal Data”.

Article 22.1. Persons responsible for organizing the processing of personal data in organizations.

Part 4. The person responsible for organizing the processing of personal data is, in particular, obliged to:

clause 3) organize the reception and processing of requests and appeals from subjects of personal data or their representatives and (or) exercise control over the reception and processing of such requests and appeals.

11. Documents defining the categories of personal data processed, and the features and rules for their processing without the use of automation tools.
Base:

REGULATIONS on the specifics of processing personal data carried out without the use of automation tools APPROVED by Decree of the Government of the Russian Federation dated September 15, 2008 No. 687.

clause 6. Persons processing personal data without the use of automation tools (including employees of the operator organization or persons carrying out such processing under an agreement with the operator) must be informed of the fact that they are processing personal data which the operator processes without the use of automation tools, of the categories of personal data processed, and of the features and rules for such processing.

12. Documents defining the categories of personal data processed, and the features and rules for their processing using automation tools.
Base:

Government Resolution No. 1119 of November 1, 2012, “On approval of requirements for the protection of personal data during their processing in personal data information systems”.

clause 2. The security of personal data when processed in the information system is ensured using a personal data protection system that neutralizes current threats identified in accordance with Part 5 of Article 19 of the Federal Law “On Personal Data”.

The personal data protection system includes organizational and (or) technical measures determined taking into account current threats to the security of personal data and information technologies used in information systems.

13. The composition and content of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems.
Base:

FSTEC Order No. 21 dated February 18, 2013.

1. Approve the attached composition and content of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems.

14. Documents on the classification of information systems.
Base:

Government Resolution No. 1119 of November 1, 2012, “On approval of requirements for the protection of personal data during their processing in personal data information systems”.

Clause 8. When processing personal data in information systems, 4 levels of personal data security are established.

15. Standard forms of documents.
Base:

REGULATIONS on the specifics of processing personal data carried out without the use of automation tools APPROVED by Decree of the Government of the Russian Federation dated September 15, 2008 No. 687.

clause 7. When using standard forms of documents whose content implies or allows the inclusion of personal data (hereinafter referred to as the standard form), certain conditions must be observed.

16. A document establishing requirements for maintaining journals (registers, books, etc.) containing personal data necessary for a one-time entry of the subject of personal data into the territory.
Base:

REGULATIONS on the specifics of processing personal data carried out without the use of automation tools APPROVED by Decree of the Government of the Russian Federation dated September 15, 2008 No. 687.

clause 8. When maintaining journals (registers, books) containing personal data necessary for a one-time pass of the subject of personal data to the territory where the operator is located, or for other similar purposes, certain conditions must be observed.

17. Documents establishing requirements for the storage of tangible media containing personal data.
Base:

REGULATIONS on the specifics of processing personal data carried out without the use of automation tools APPROVED by Decree of the Government of the Russian Federation dated September 15, 2008 No. 687.

clause 15. When storing material media, conditions must be observed to ensure the safety of personal data and prevent unauthorized access to them. The list of measures necessary to ensure such conditions, the procedure for their adoption, as well as the list of persons responsible for the implementation of these measures are established by the operator.

18. Documents on ensuring the security of personal data using CIPF (cryptographic information protection facilities).
Base:

Order of the FSB of Russia dated July 10, 2014 No. 378 “On approval of the composition and content of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems using cryptographic information protection facilities necessary to fulfill the requirements for the protection of personal data established by the Government of the Russian Federation for each level of security.”

Clause 1. This document defines the composition and content of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems (hereinafter referred to as the information system) using cryptographic information protection facilities (hereinafter referred to as CIPF) necessary to fulfill the requirements for the protection of personal data established by the Government of the Russian Federation for each level of security.

19. A list of persons who need access to personal data processed in the information system, approved by the operator or an authorized person.
20. Documents establishing the procedure for processing personal data of employees.
Base:

LABOR CODE of the Russian Federation of December 30, 2001 No. 197-FZ.

Article 86. General requirements for the processing of employee personal data and guarantees of their protection:

8) employees and their representatives must be familiarized, against signature, with the employer’s documents establishing the procedure for processing personal data of employees, as well as their rights and obligations in this area.

Article 87. Storage and use of personal data of employees;

Article 88. Transfer of personal data of employees.

21. Fixation of measures aimed at ensuring that the operator fulfills the obligations provided for by Federal Law No. 152-FZ of July 27, 2006.
The operator’s employees who directly process personal data must be familiar with the provisions of the legislation of the Russian Federation on personal data, including requirements for the protection of personal data, documents defining the operator’s policy regarding the processing of personal data, and local acts on the processing of personal data, and (or) must be trained (clause 6, Part 1, Article 18.1).

IMPORTANT! For reference, we recommend that you read the document:

The procedure for implementing measures to protect personal data contained in information systems.

Order of the Ministry of Internal Affairs of the Russian Federation dated July 6, 2012 No. 678 “On approval of the Instructions for organizing the protection of personal data contained in the information systems of internal affairs bodies of the Russian Federation”.

Clause 2. This Instruction determines the procedure for implementing measures to protect personal data contained in the information systems of the internal affairs bodies of the Russian Federation, establishes measures to ensure the security of personal data during their processing in personal data information systems, and also determines the responsibilities of officials.

Approximate list of documents on the protection of personal data

Table columns: No.; Title of the document; Document number, date (the last column is left blank to be filled in by the operator).

1. Act of classification and determination of the level of security of the ISPD “Accounting”.
2. Act of determining the level of security of the ISPD “________”.
3. Act of determining the level of security of the ISPD “……”.
4. Act on the allocation for destruction of documents not subject to storage.
5. Act of carrying out work on a personal computer that is part of the personal data information system.
6. Acts of destruction of personal data.
7. Description of the personal data information system “Employees”.
8. Description of the personal data information system “Clients”.
9. Description of the personal data information system “…..”.
10. Model of threats to the security of personal data during their processing in the ISPD “Employees”.
11. Model of threats to the security of personal data during their processing in the ISPD “Clients”.
12. Model of threats to the security of personal data during their processing in the ISPD “…..”.
13. Instructions for backup and recovery of personal data processed in personal data information systems.
14. Instructions for the user of the personal data information system.
15. Instructions for organizing anti-virus protection.
16. Instructions for the security administrator of the personal data information system.
17. Instructions for the administrator of the personal data information system.
18. User instructions for processing personal data without automation tools.
19. Instructions for the use of computer storage media.
20. Plan of internal audits of the personal data protection regime.
21. Sample personal data processing policy.
22. Regulations on internal control of the compliance of personal data processing with the requirements for the protection of personal data.
23. Regulations on the delimitation of access rights to processed personal data in LLC “….”.
24. Regulations on ensuring the security of personal data.
25. Regulations on the processing of personal data in LLC “….”.
26. Regulations on the person responsible for the processing of personal data at LLC “….”.
27. Regulations on the assessment of harm that may be caused to subjects of personal data in case of violation of the Federal Law of July 27, 2006 No. 152-FZ “On Personal Data”.
28. Regulations on the information security commission of LLC “….” and the composition of the commission.
29. Order to begin processing of personal data.
30. Order on the responsible persons and the information security commission.
31. Order on the appointment of employees with access to personal data:
  • list of employees.
32. Order approving the list of storage locations for physical storage media of personal data:
  • list of storage locations for the ISPD.
33. Order on the list of personal data processed in the ISPD and the list of ISPDs.
34. Controlled area order:
  • border diagram;
  • list of persons authorized to open the premises;
  • list of persons allowed to be in the premises.
35. List of personal data.
36. List of personal data information systems.
37. The employee’s consent to the processing of his personal data.
38. The client’s consent to the processing of his personal data.
39. Consent of …. to the processing of his personal data.
40. Log of informing employees directly involved in the processing of personal data.
41. Log of copy-by-copy accounting of information security tools, their operational and technical documentation, and key documents.
42. Log of copy-by-copy accounting of cryptographic information protection facilities, their operational and technical documentation, and key documents.
43. Log of personal accounts of users of cryptographic information protection facilities.
44. Log of registration and issuance of computer media containing personal data.
45. Log of inspections carried out by state control (supervision) bodies.
46. Log of requests from personal data subjects for access to their personal data.
47. Log of registration of incoming confidential documents.
48. Log of outgoing confidential documents.
49. Log of registration and issuance of seals for sealing devices.
50. Inventory log of documents of limited distribution.
51. Log of the issuance and return of keys to premises and storage rooms (safes).
52. Log of cases of unauthorized access to personal data and the measures taken.
53. Storage (safe) log book.
54. Key information log.
55. Log of the movement of material media containing personal data.
56. Log of the destruction of personal data and (or) tangible media containing personal data.
57. Log of informing individuals of the fact that they are processing personal data which the Operator processes without the use of automation tools.

In the near future, templates for documents on the protection of personal data will be presented in the table.

Obtaining personal data

The employer should remember that all personal data of an employee should be obtained from the employee himself (Clause 3, Article 86 of the Labor Code of the Russian Federation).
In some cases, consent to the processing of the personal data of an employee (applicant) is not required, namely when this information is received:

  1. from the documents presented when concluding an employment contract;
  2. based on the results of a mandatory preliminary medical examination regarding the state of health;
  3. to the extent provided for by personal card form No. T-2, including personal data of close relatives;
  4. from a recruitment agency acting on behalf of the applicant;
  5. from the applicant’s resume posted on the Internet and accessible to an unlimited number of people.

If the employee’s personal data can only be obtained from a third party, the employee must be notified in advance and his written consent must be obtained.
