REGISTRATION OF OPERATORS OF PERSONAL DATA (entering information into the register of operators)


What does the law require?

The law came into force on June 7, 2006 and requires each operator to notify Roskomnadzor of its intention to process personal data before processing it.
The notification procedure itself and the list of information that the operator must report to Roskomnadzor are specified in Article 22 of the law. In theory, everything is simple: the notification is submitted on paper or electronically, signed by the head of the organization. Roskomnadzor reviews the notification within 30 days and decides to register the operator in the register. If the information in the notification does not comply with the requirements of the law, the operator receives a refusal with the right to re-register. The information contained in the register of operators, with the exception of information on ensuring the security of personal data, is publicly available.

But in practice everything is more complicated. In order to correctly register in the register of personal data operators, you must first fulfill the requirements: carry out legal and technical preparation of the organization in accordance with Articles 18.1 and 19 of the law. And this requires a lot of time and money.

What is this procedure?

Registration is the voluntary provision of information by an individual or legal entity that plans to process personal data. Those companies and institutions that carried out similar activities before the relevant law was issued are registered after the fact.

The law allows Roskomnadzor up to a month to review the information provided in the operator’s notification. The department does not have the right to refuse, but it has the right to request additional data if the information specified in the notification seems incomplete or unreliable to employees.

If a registered operator changes any data published in the register (obtaining a new or deprivation of a license, making changes to the charter, etc.), he is obliged to notify the supervisory authority within 10 working days.

Stumbling blocks

As a rule, personal data operators face three main problems when registering in the Roskomnadzor register:

  1. They don’t know how to fill out the notification: they write what they think (gag), or, even worse, they copy the notification from other operators. As a result, they are denied registration. Or they end up in the register, but also face penalties, since the information in the register turns out to be inconsistent with reality.
  2. They don’t know how to fill out the notification without first having completed full training on 152-FZ and without having the experience of passing the Roskomnadzor inspection.
  3. They draw up a notification without specifics, describing the protective measures applied, the purposes of processing, the legal basis for the processing of personal data in general terms, without references to specific internal organizational and administrative documents of the organization, legal norms and without indicating specific protective measures.

See full list

Collapse

What's new in the legislation?

Many articles have been written on the topic of personal data protection checks, and many of them were published before 2020. In order to somehow get into the realities, first of all it is necessary to analyze what has changed in recent years in the legislation.

242-FZ

First, let's remember the well-known 242-FZ.
In 2020, it made a lot of noise due to the need to localize personal data of Russian citizens on the territory of the Russian Federation. Four years later, the only major casualty of this law is the social network Linkedin. But there was another side to 242-FZ, which was not so actively disseminated in the media.

242-FZ contained very important changes in the context of the inspections carried out by the RKN on personal data: the activities of Roskomnadzor in the field of protecting the rights of personal data subjects from September 1, 2015 are not covered by Federal Law No. 294-FZ “On the protection of the rights of legal entities and individual entrepreneurs in implementation of state control (supervision) and municipal control.”

What does it mean? For personal data operators, as you might guess, nothing good. Now, as practice has already shown, the number of scheduled inspections has greatly decreased and the number of unscheduled ones has increased proportionately. This is also evidenced by Roskomnadzor’s inspection plans, published at the end of 2020 (and in subsequent years) on the agency’s website. There are only one, two scheduled checks on personal data, and there are no more, unlike in previous years.

The main problem with unscheduled inspections is that you cannot find out about them with a good lead time and, as a result, you cannot prepare as best as possible. For example, previously, when an inspection plan was published, everyone could download it and find out whether the organization was included in it or not. And only those few organizations whose inspection date was listed as January-February could be caught by surprise. The rest had the opportunity to prepare normally, even if up to that point the organization had done nothing at all to protect personal data. Now it is better, of course, to be prepared for an inspection by Roskomnadzor on personal data at any time, that is, to always keep an up-to-date set of documentation on the protection of personal data ready.

13.11 Code of Administrative Offenses of the Russian Federation

Another important legislative change is the change to Article 13.11 of the Code of Administrative Offenses of the Russian Federation “Violation of the legislation of the Russian Federation in the field of personal data.”
These changes have completely transformed the punishment for violation of legislation in the field of personal data protection. Previously, Article 13.11 was not broken down into parts, and the maximum fine was 10 thousand rubles for legal entities. Now there are 7 parts (and expansion is planned), one of which (violation of the rules for processing special categories of personal data) provides for a maximum fine for legal entities - 75,000 rubles. In addition, if inspectors identify different violations, penalties under different parts of the Code of Administrative Offenses article can theoretically add up. Why "theoretically"? Previously, on the websites of regional departments of the RKN in the “News” section, news was constantly published that the regulator conditionally checked 3 organizations for compliance with the legislation on personal data, organization No. 1 was doing well, organization No. 2 was fined 3 thousand rubles, organization No. 3 was fined for 5 thousand rubles. It was possible to collect such news in a heap over the year and compile some statistics on fines. Now there is no such news. If anyone has data on fines for violation of 152-FZ after changes to 13.11 of the Code of Administrative Offenses of the Russian Federation, you can share such information in the comments. It is worth immediately noting here that the original text of the bill to amend Article 13.11 of the Code of Administrative Offenses of the Russian Federation initially included larger amounts of fines, for example, where in the end the maximum fine was set at 75,000 rubles, it was originally planned to punish as much as 300,000 rubles. Solid, but still far from the amounts for violating the GDPR. But, despite the fact that the amount of fines eventually decreased significantly, unfortunately, some sellers of personal data protection services are still trying to intimidate with the figure “300,000”. Be carefull.

So, we are convinced that the increased likelihood of an unscheduled inspection and the many times increased fines for violation of 152-FZ are a good incentive to be ready for an inspection at any time. Let's figure out what we need to do for this.

What to do if you are already processing personal data?

If you are already processing personal data and do not know what to do now regarding registration in the register of personal data operators, then follow this plan:

  1. Collect information on the processing and measures taken to protect personal data (see list of information below).
  2. As soon as possible, prepare and submit a notification about the processing of personal data to Roskomnadzor.
  3. Prepare according to all the requirements of 152-FZ, taking into account the information you specified in the notification (see the information at the link - preparation for 152-FZ).
  4. Correct the information in the Roskomnadzor register based on the results of preparation under 152-FZ by submitting a notice of changes (if necessary).

See full list

Collapse

Types of checks

Before we get into the actual steps to prepare for inspections, let's look at what types of inspections there are and how a typical inspection works.
In general, inspections can be divided into 2 types: documentary and on-site.

Documentary checks

A documentary check most often begins with the organization receiving a letter from the local RKN department with some requirement. If your organization, for example, did not submit a notification about its inclusion in the register of personal data operators, then you may be reminded that it would be a good idea to submit this notification after all. The law requires it. Or justify why your organization can process personal data without notification (152-FZ provides for a number of exceptions). If your organization did submit a notification, then you may be reminded that new fields appear in the register from time to time and they also need to be filled out. For example, you must indicate the location of the data center and whether it is leased or owned. And yes, the 1C database on the chief accountant’s computer, in the understanding of Roskomnadzor, is a data center. About filling out the notification
Practice shows that many personal data operators have questions about how to correctly fill out certain fields of the notification. We will talk a little about the notification of the personal data operator in this article, but the tutorial on how to fill it out already deserves a separate one. You may also be asked to send by mail copies of documents regulating the protection of personal data in the organization - orders, instructions, threat model, and that's all.

So, you received such a letter from Roskomnadzor, what should you do?

In fact, it’s easier to say what you absolutely should not do - ignore these letters. Unfortunately, in practice many people do just that. Someone forgets to answer, someone doesn’t know what to write in response and doesn’t answer, and someone hopes that they will forget about them and everything will go away on its own. No, they won’t forget, not in this case.

It may be common practice among some departments to write a letter to an organization “for show” and forget it, but not with the RKN. Therefore, it is advisable to respond within the time period specified in the letter, otherwise the organization will be punished under Article 19.7 of the Code of Administrative Offenses of the Russian Federation “Failure to submit or untimely submission of information to a state body.” You can go to the website of your regional department of Roskomnadzor (%region_number%.rkn.gov.ru) in the “News” section. In 2020, a good half of the news was devoted to bringing legal entities to justice under that very article of the Code of Administrative Offenses of the Russian Federation. Moreover, each news could feature up to 10-15 organizations. Now there is also such news, but less often, this is most likely due to the fact that the RKN itself has become less active in sending out “chain letters”.

The fine under 19.7 of the Code of Administrative Offenses of the Russian Federation is small - 3-5 thousand rubles, but you need to remember that after you pay the fine, the information requested in the initial letter will still have to be provided.

Screenshot of the website of the Roskomnadzor Office for the Primorsky Territory, 2016


If there is something unclear about the content of the letter sent to you, then at the end the executor of the letter and his contact information are usually indicated. You can always call and clarify what the regulator really wants from you.

There’s probably nothing to add about documentary checks; let’s move on to on-site checks.

On-site inspections

From the name itself it already becomes clear that inspectors will be on your territory at least two or three times. From our experience, we can say that the verification process looks something like this:

  • inspectors come to the organization, meet the manager, hand him a notice of inspection, make an entry in the log of inspections of the legal entity by regulatory authorities (the absence of such a log, by the way, is already a violation);
  • then representatives of the RKN ask to provide documentation that is available in the organization for the protection of personal data, then you drag this whole mountain of documents - orders, instructions, regulations, policies, threat model;
  • Having briefly reviewed the contents of the documents, the inspectors either ask for a room where they will study them, or ask for copies of all documentation and retire to their offices to study the information you provided;
  • in the process of familiarizing yourself with the documents, questions may arise regarding their content or wishes to make any changes to them;
  • on one of the days of the inspection, representatives of the RKN will definitely go through the offices where personal data is processed, inspect the places where personal data is stored on paper - cabinets, safes, shelves (here they will probably hint to you about the need to purchase locked iron cabinets if personal data is stored in some other way ), can also view the information system;
  • at the end, the inspectors make an entry in the same inspection log about the results of the inspection (whether comments were identified or not) and hand over a report on the results of the inspection.

Here, perhaps, it is worth talking about what you need to remember during an on-site inspection.
Firstly, in no case should you go into conflict with the inspectors and in any way interfere with the inspection (“losing” the key to the office with documents and similar tricks). Yes, inspectors can make mistakes too. A striking example of such a mistake associated with an excessive enthusiasm for bans on everything and everything happened in our Primorsky Territory in 2015-2016. No one has canceled the watchman syndrome, and during the inspection process completely illegal and unreasonable demands may be made. But this does not in any way cancel the simple rules of human communication. If you disagree with something, express it calmly, ask for a link to the legislation that explains the dubious requirement.

Secondly, it doesn’t matter what claims the inspectors will make during the inspection, the only important thing is what will be written in the report based on the results of the inspection. Let me give you a simple example: during one of the inspections, representatives of the RKN argued that it was necessary to separate the personal data information systems “Accounting” and “Human Resources” and accordingly describe them separately in documents. The requirement is completely unsupported by law, and the very definition of ISPDn from 152-FZ does not prohibit combining information systems and describing them the way we ourselves want. In a medical institution, we can combine a documented system with medical data with the same personnel records, and say that we have one ISPD. True, in this case, you need to remember that HR accountants will probably have to be protected at a higher level of personal data security, which will be determined for the part of the medical information system. But separating accounting from personnel and separately producing mountains of orders, instructions and threat models for each system, even from the point of view of common sense, is not at all correct. So, the main thing in this story is that in the act following the inspection it was written “no violations of the law were identified.” And this cancels out all the verbal unlawful comments of the inspectors.

Thirdly, it is imperative to instruct all your employees involved in the processing of any personal data on what can and cannot be done and said during the inspection. For example, you can process personal data in accordance with instructions and rules, but you cannot scatter copies of employee passports on your desktop.

Life hack for successful registration in the Roskomnadzor register

If deadlines are running out and you need to register in the registry the first time, then you need to follow the recommendations:

  1. Fill out the notification as thoroughly and accurately as possible, referring to real and current legal provisions, as well as internal organizational and administrative documents.
  2. If your personal data protection system is not yet ready, then you need to write as if it were fully implemented, indicating specific subsystems and means of protection (anti-virus subsystem, intrusion detection subsystem, cryptographic protection subsystem, security analysis subsystem, unauthorized access protection subsystem and etc.).
  3. If you submit a notification for the purpose of registration in the register as an operator of personal data of “clients”, then do not forget to indicate that you are also processing the personal data of employees, since any organization has them. It is necessary!
  4. When describing the legal basis for the processing of personal data, one cannot refer only to 152-FZ, since the law describes the requirements for the processing and protection of personal data, but does not describe the legal basis for processing for certain types of organizations.
  5. When describing the legal basis for processing, do not forget the basic documents that any operator must indicate: the Constitution of the Russian Federation, the Labor Code of the Russian Federation, the Civil Code of the Russian Federation.

See full list

Collapse

Who is a personal data operator

The law understands the concept of personal data operator as a government body or other person, legal or natural, who:

  • collects or receives personal data of citizens;
  • determines the purposes for obtaining this information;
  • independently determines its composition;
  • has the right to carry out any actions (processing) with the information.

In practice, operators include not only educational or medical institutions, social networks, mobile operators, banks that receive personal data of thousands of individuals, but sometimes they also become ordinary companies that receive this information in the process of filling out a job application form and copying employment books. The law sets such organizations the task of ensuring the safety of this information from leaks and other threats that arise during the processing of personal data.

At the same time, the law does not specify what information is considered personal data, suggesting that these are all categories of information associated with a specific individual: from the date of issue of the passport to the license plate number of the car. If such data falls into the hands of criminals, it can help them locate the property of a particular person and cause harm to him or his family, so the information is subject to strict protection. Given that there is a great demand for large volumes of personal data in the shadow market for the sale of information, the degree of their protection and the quality of the information technologies used for this should be the maximum possible for each specific operator.

Registration in the Roskomnadzor register: the price of the issue

There is no state fee for inclusion in the Roskomnadzor register. The operator can submit the notification independently or seek assistance from a competent organization, which will not only prepare the notification, but also help prepare it according to the requirements of the law.

Assistance to commercial organizations in registering in the register costs from 10 to 50 thousand rubles , and with the provision of a basic set of organizational and administrative documentation - from 50 to 150 thousand rubles.

Download the commercial proposal for inclusion in the Roskomnadzor register

What information is included in the notification?

The notice shall contain the following information:

  • name (last name, first name, patronymic), address of the operator;
  • purpose of processing personal data;
  • categories of personal data;
  • categories of subjects whose personal data is processed;
  • legal basis for processing;
  • a list of actions with personal data, a description of the methods used for processing personal data;
  • description of the implementation of measures provided for in Articles 18.1 and 19 of the law;
  • last name, first name, patronymic of the person responsible for organizing the processing of personal data;
  • date of commencement of processing of personal data;
  • term or condition for termination of processing of personal data;
  • information about the presence or absence of cross-border transfer of personal data;
  • information about the location of the database;
  • information about ensuring the security of personal data.

See full list

Collapse

Documentation for verification

I wanted to leave this solemn moment for the end of the article.
But what is there, since we have already moved on to talking about the set of necessary documentation, here is a link to our set of templates. The archive contains 4 folders and a “Threat Models” template. Here we will only talk about documents from the “General” and “PDn” folders. “General” are documents that can be used, plus or minus, for any information systems, and “PDN” is a purely Roskomnadzor part. A full description of the documents in the archive can be found on our website. The article turned out to be quite lengthy, so we won’t go into what specific requirements this or that document (or section of the document) came from here. This is a topic for a separate article. Let's go over the general points.

Composition of documents

So, the first thing the specialist who has been tasked with preparing for the upcoming inspection is faced with is the question of what documents are needed.
The specialist turns to the legislation and... Finds practically nothing useful. Well, not really anything at all. Yes, probably, a specialist will come across a resolution of the Government of the Russian Federation dated February 21, 2012 No. 211 and say: “Well, you were wrong, here, there is a list of documents!” Yes, I have. Only a specialist will find a kind of trap here. If you acquire only documents from this list, the organization will receive an order based on the results of the audit, because the list does not cover even a small part of the legal requirements. Plus, the list contains such absurdities as, for example, the need to separately approve the list of ISPD. Why make a separate document for this, when you can list ISPD in the “Regulations on the processing and protection of ISPD” or in the “Information Security Policy” - it is not clear. And finally, Resolution No. 211 applies only to state and municipal bodies, therefore it is not applicable to the majority of personal data operators. And, by the way, there are no documents on Resolution 211 in our set, since most of the issues are already taken into account in other documents. Okay, let's see what else we have in the legislation.

The federal law “On Personal Data” directly speaks only of the need to develop a “Security Threat Model” (although “directly” is also not entirely correct; the law says that it is necessary to identify threats to the security of personal data) and the publication of a “Policy regarding the processing of personal data”. data."

We may also write in more detail about the process of developing the Threat Model in one of the following articles.

Everything else is described ambiguously, something like this:

The operator is obliged to take measures... Such measures may, in particular, include:
1) appointment by the operator, who is a legal entity, of a person responsible for organizing the processing of personal data;

2) publication by the operator, who is a legal entity, of documents defining the operator’s policy regarding the processing of personal data, local acts on the processing of personal data, as well as local acts establishing procedures aimed at preventing and identifying violations of the legislation of the Russian Federation, eliminating the consequences of such violations ; ... 4) implementation of internal control and (or) audit of compliance of the processing of personal data with this Federal Law and the regulatory legal acts adopted in accordance with it, requirements for the protection of personal data, the operator’s policy regarding the processing of personal data, local acts of the operator;

And so on.
Since there is no direct instruction to issue this or that document, 152-FZ should be read and understood exactly this way: if it is written about the implementation of internal control, then to fulfill this requirement, documents must be developed that define the plan, the procedure for such control, as well as certain acts or journals , which reflect the control results. The inspectors will not be satisfied with the story that you have fulfilled the requirement to appoint someone responsible for organizing the processing of personal data simply by verbally assigning such responsibility to one of the employees. There must be a document! In this particular case, an order to appoint such a responsible person. If there is a person responsible, then he is entitled to instructions - what he is responsible for, and what rights and powers he has. Often such instructions are called “official”, which in our opinion in most cases is not entirely correct. After all, “responsible for organizing the processing of personal data” is, as a rule, not a separate position, but only an additional responsibility that is assigned to one or another employee.

In general, we need to thoroughly study the legislation on the protection of personal data, looking for hints on the need for various documents. In this case, you can write one “Provision on the processing and protection of personal data”, or you can write separately “Provision on the processing...” and “Provision on the protection...”. Here it’s just who you like best.

Contents of documents

Okay, the composition of the documents is clear, but what about the content? And this is even worse. There are rare recommendations from regulators, such as here, but these are rather exceptions. In general, here are some general recommendations:

  • Descriptions of ISPD, protection systems, technological processes for processing PD and other individual things must be specific, reflecting the real picture of what is happening. If all this is described in too general and abstract phrases, you may receive a complaint from the inspector.
  • Various lists (of personal data subjects, personal data themselves) must correspond to reality.
  • Documents must be current. If a long-retired employee is appointed responsible for organizing the processing of personal data, then this is a guaranteed order.
  • The logs must be at least minimally filled out. At least those journals for which it is impossible to justify their absolute purity. For example, there is a log of requests from PD subjects. In fact, it is not such a rare situation when no one has ever approached the operator with such requests. And there is a log of information security briefings. And now, if this journal is clean, there may be questions.
  • The written consent of the subject to the processing of his personal data must comply with Article 9 of the Law “On Personal Data”. For example, many people forget to indicate in the consent the legal address of the operator to whom consent is given. It must also be remembered that consent must be conscious and specific. Previously, many people liked to add the phrase “I give my consent to the transfer of my personal data to third parties.” Now this practice is being suppressed; it is necessary to indicate which personal data will be transferred, to whom exactly and for what purpose.
  • All employees involved in a particular document must be familiar with this document. For example, everyone authorized to process personal data must be familiar with the order approving the relevant list against signature.

At the end of this section, I would also like to ask you not to fall for the mailing lists of various scammers who offer “a certified set of documents for the protection of personal data.” Often such scammers try to impersonate a government organization and sometimes do it very believably. By paying them money, at best you will receive a set of blanks of worse quality than those presented here for free.

Rating
( 2 ratings, average 4.5 out of 5 )
Did you like the article? Share with friends:
Для любых предложений по сайту: [email protected]