When does Roskomnadzor conduct scheduled inspections?
The main activity of Roskomnadzor is information protection. Every enterprise works with personal information to one degree or another: any employer needs information about employees, contractors and so on. To ensure that these records are not used to the detriment of their owners, Roskomnadzor conducts inspections.
Roskomnadzor control
There are four types of inspections, the main one being scheduled. Scheduled inspections occur strictly according to a schedule that is published on the agency's website, so it is possible to prepare for them in advance. They take place once every 3 years; when working with some categories of information, inspections occur more often, once every 2 years. If the organization is young, the first meeting with inspectors will take place only 3 (or 2) years after opening.
Other types of checks:
- unscheduled;
- documentary – the documents are sent according to a list provided by the inspectors; such inspections can only be scheduled;
- visiting – employees come to the enterprise (scheduled or unscheduled).
There must be good grounds to inspect an organization, and the director must be aware of what exactly attracted the attention of the regulatory authorities.
Subject of Roskomnadzor inspection
The areas of activity of legal entities and individual entrepreneurs supervised by Roskomnadzor are listed in clause 5 of the regulation approved by the Decree of the Government of the Russian Federation “On Federal...” dated March 16, 2009 No. 228. In accordance with it, Roskomnadzor inspects compliance with legislation in various areas, in particular:
- activities of the media, television channels, periodicals, electronic and other publications;
- informatization and information protection;
- organization and operation of radio and television broadcasting;
- communications and mass communications;
- organization and activities of postal operators;
- processing and protection of personal data of citizens.
Who does Roskomnadzor check?
Based on the list of areas under the jurisdiction of Roskomnadzor, it is possible to determine the range of organizations and individual entrepreneurs that its employees can come to inspect. These are:
- mass media (editorial offices of newspapers, magazines, television and radio companies, electronic media);
- telecom operators (TV, radio, etc.);
- Internet providers;
- organizations providing postal services, etc.
Important! In addition to specialized supervision in the areas under its jurisdiction, Roskomnadzor has the right to inspect all personal data operators. Under paragraphs 2 and 3 of part 1 of Article 3 of the Law “On Personal Data” dated July 27, 2006 No. 152-FZ, these are any organizations and individual entrepreneurs that, in the course of their activities, process, use, collect and store personal data of citizens.
It turns out that the object of inspection by Roskomnadzor can be any entrepreneur or legal entity that hires personnel, maintains client databases, or processes personal data of citizens for other purposes.
Roskomnadzor inspection: how to prepare and avoid fines
According to the law, a personal data operator is any organization that interacts with people and their documents, i.e. this definition includes all enterprises with more than one person on staff. Inspections apply not only to legal entities but also to individual entrepreneurs who have at least one hired employee, and even to individuals if they work with someone else's personal cards.
Important! If the documents are kept in order, then special preparation for the Roskomnadzor audit will not be required.
It's best to start preparing by studying Roskomnadzor's inspection plan for 2020. If your organization is not in it, there is no need to worry this year. You will also receive notice of a scheduled inspection 3 days before it starts, but just in case, it is better to keep your documents in order at all times.
Conducting an internal inspection
The first step is to appoint a person in charge. Authorized employees must be responsible for the processing and security of personal data. Depending on the size of the company, this may be a manager, accountant or HR person who does this as an additional responsibility, or an employee or department specifically hired for this.
The second step is to find out exactly what data the enterprise is dealing with. The person responsible for personal data must know what exactly he is collecting and why. Based on this, the manager draws up internal instructions for working with personal data and develops a policy for their processing. All employees for whom this is important must be familiar with these documents. The last step is to notify Roskomnadzor that the company is working with people’s personal data.
Important! Documentary inspection can only be scheduled; this is the main type of inspection for small enterprises.
All these actions should be taken as soon as the company plans to work with personal data. They will help you avoid accusations of non-transparency, last-minute preparation for inspections and endless stress. If the documentation is done carefully, the inspection will not take much time or nerves.
Employees must be prepared
Employees of the organization must know who exactly is responsible for personal data. The person in charge should regularly report to management on how the information is used. He must also ensure the safety of the data: paper documents should be kept in locked safes, and electronic documents in storage without public access.
Employees should be warned that during a scheduled Roskomnadzor inspection they need to behave calmly. Excessive nervousness and sloppiness in documents may lead inspectors to believe that things in the organization or department are not going as well as they would like to appear.
Inspections and plans of Grandfather Roskomnadzor for 2020
Grandfather Roskomnadzor spends the whole year looking for personal data operators who, from the point of view of the law, “behave badly”, and issues them orders. In this article we would like to talk about how this happens, and also reveal a little more about the “grandfather's” plans for 2020. It would be great if this helps someone prepare in advance and avoid problems.
Article 23 of the Federal Law of July 27, 2006 “On Personal Data” No. 152-FZ identifies two areas of activity of Roskomnadzor: protection of the rights of subjects of personal data; control and supervision of compliance of personal data processing with legal requirements. To perform these functions, this article of the law gives Roskomnadzor certain powers. Let's look at what we think are the most important of them.
Roskomnadzor:
- checks the information specified by the organization in the Notification;
- may require the operator to destroy inaccurate or illegally obtained personal data;
- may restrict access to information processed in violation of the law;
- has the right to file claims in court to protect the rights of personal data subjects and represent them in court;
- vested with the authority to bring to administrative responsibility persons guilty of violating this Federal Law;
- is obliged to consider complaints and appeals on issues related to the processing of personal data, as well as make decisions on them within the limits of its powers.
In practice, the main actions of Roskomnadzor under the federal law “On Personal Data” are as follows:
- work with citizens' requests and complaints;
- carrying out control and supervisory activities;
- maintaining the Register of personal data operators.
Roskomnadzor considers complaints in accordance with the law of May 2, 2006 No. 59-FZ “On the procedure for considering appeals from citizens of the Russian Federation.” Complaints can be sent either in writing or through a special form on the Roskomnadzor website or the State Services portal.
The period for consideration of an application is 30 calendar days, except in cases established by law. A draft of new Administrative Regulations is currently awaiting Government approval, but at the moment Roskomnadzor carries out its verification activities on the basis of the Administrative Regulations approved by Order of the Ministry of Telecom and Mass Media of the Russian Federation No. 312 dated November 14, 2011. As part of its activities to control and supervise the procedure for processing personal data, Roskomnadzor carries out scheduled and unscheduled inspections.
Scheduled checks
Scheduled inspections are carried out on the basis of an annual plan, which can be found at rkn.gov.ru/plan-and-reports.
The inspection plan for the next year is usually posted on the websites of territorial departments in mid-December of the current year. Since September 1, 2020, Roskomnadzor has not coordinated its plans for personal data inspections with the Prosecutor's Office, so there are no inspections on this topic in the consolidated plan of inspections for all bodies on the latter's website. The current Administrative Regulations state that the territorial department of Roskomnadzor is required to notify you of a scheduled inspection no later than three working days before it starts.
The subject of Roskomnadzor's inspection is:
- activities related to the processing of personal data;
- documents whose nature suggests or allows that they contain personal data;
- personal data information systems.
Accordingly, Roskomnadzor does not check the presence and condition of technical protection of personal data information systems. Its main task is to verify the legal basis for the processing of personal data.
Contrary to popular belief, regulations, instructions, orders and other documents are not the most important object of inspections. The authorized body is more interested in the personal data itself and the compliance of the volume of this data with the purposes of processing.
The notice of a scheduled inspection usually states that the person being inspected must submit:
- a copy of the document appointing an official or authorized representative who will represent the interests of the legal entity during the inspection;
- documents whose nature suggests or allows that they contain personal data. Roskomnadzor usually includes statements, questionnaires, logs and so on as such documents;
- documents confirming the destruction of personal data upon achievement of the purpose of processing. Unfortunately, not all personal data operators understand that in every case of personal data processing there is (or should be) a processing purpose, upon achievement of which the data must be destroyed;
- written consent of personal data subjects to the processing of their personal data;
- documents confirming compliance with the requirements of the legislation of the Russian Federation when processing personal data, including special categories and biometric personal data;
- documents confirming the location of databases (information systems) of personal data. This requirement appeared when amendments were made to the legislation on the localization of personal data of Russians;
- documents confirming that employees directly involved in the processing of personal data are familiar with the legislation and the operator's local regulations on the processing of personal data;
- local acts of the operator regulating the procedure and conditions for the processing of personal data.
In total, approximately 31 documents are requested; the following can be singled out as the main and significant ones (the points concern both automated and non-automated processing):
- Notification about PD processing
- A document identifying the person responsible for organizing the processing of personal data
- List of employees authorized to process personal data
- Document defining storage locations for personal data
- Certificate on the processing of special and biometric categories of personal data
- Certificate of cross-border transfer of personal data
- Standard forms of documents with PD
- Procedure for destruction of personal data
- Procedure for transferring PD to third parties
- Standard form of consent to personal data processing
- The procedure for recording requests from PD subjects
- List of personal data information systems (ISPD)
- Documents regulating data backup in ISPD
- List of information security tools used
- Access Matrix
- Threat model
- A document defining the security levels for each ISPD in accordance with PP-1119 dated November 1, 2012 “On approval of requirements for the protection of personal data during their processing in personal data information systems”
- Log of machine-readable media containing PD
The inspection plan includes legal entities that submitted a Notification about the processing of personal data to the register of operators, and those who did not. That is, they can check everyone. The duration of both scheduled and unscheduled inspections cannot exceed 20 working days.
Unscheduled inspections of Roskomnadzor
Unscheduled inspections can be documentary or on-site. Documentary inspections take the form of a request by Roskomnadzor for the necessary documents, which you must provide within the period specified in the request. The operator is notified of an unscheduled inspection no later than 24 hours before it starts by any available means, usually by telephone or fax.
Such checks can be carried out in most cases for the following reasons:
- if the deadline for the operator to comply with a previously issued order to eliminate the identified violation has expired. Usually, after a scheduled inspection, Roskomnadzor conducts an unscheduled inspection to find out how the violation was eliminated. Such an inspection is rarely carried out on-site. It is carried out in documentary form, that is, Roskomnadzor will ask you for information about eliminating violations, and you must provide the necessary documents;
- if the service or its territorial bodies have received an appeal from citizens, legal entities, individual entrepreneurs, information from government bodies, local governments, or from the media. In 2011, the service received approximately 1,500 complaints. In 2020 - approximately 33,000;
- by order of the head of Roskomnadzor or the head of the territorial department;
- upon detection of violations of mandatory requirements as a result of systematic monitoring.
Systematic observation activities
Another type of control is systematic observation activities. The main difference is that these activities are carried out without interaction with the persons being inspected. In recent years, this has been the most popular type of control over the processing of personal data, because the labor costs for territorial departments to conduct them are much lower than for scheduled inspections, and the efficiency is much greater. In a short period of time, each territorial department of Roskomnadzor can check dozens or even hundreds of organizations, usually starting with their websites.
The concept of “systematic surveillance activities” was added in 2020. Systematic surveillance is dangerous because no one is obliged to notify the company about it. Based on the results, if violations are detected, an unscheduled inspection is carried out in accordance with the Administrative Regulations. Systematic monitoring activities are carried out on the basis of an order from the head of the territorial authority and are fixed in the annual activity plan of the territorial administration for the next year. We analyzed the data available on the Roskomnadzor website. Here are some interesting results:
In total, measures are planned for about 900 personal data operators. Geographically, these are the most diverse organizations, “from Kaliningrad to Vladivostok.” To identify the most “inspected” industries, we used information about the main type of activity of companies according to OKVED.
The “traditional” industries for RKN inspections are in the lead in the plans: education, medicine, tourism and management companies.
About 38% of operators in systematic surveillance plans are government organizations. Accordingly, commercial organizations account for more than 62% of events. Almost 99.8% are legal entities, not individual entrepreneurs.
In order to somehow describe the size of companies that will come under systematic observation in 2020, we used information on the size of their authorized capital as an indirect indicator.
RKN plans for companies of all sizes.
The most popular violation identified during systematic monitoring activities is the absence on the site of a document defining the operator’s policy regarding the processing of personal data, if a case of collection of personal data is detected on the site (for example, an application form, registration or feedback with a specific set of requested information).
Roskomnadzor may also request legal grounds for posting someone’s personal data. Such requests have already been received, for example, by educational organizations when personal data about schoolchildren and their success in Olympiads was posted on their website. So, when posting personal data of your employees or other persons on the site, ensure compliance with the requirements of the law.
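The website check described above is something an operator can run against its own pages before a territorial department does. What follows is an added example, not code from the article or from Cloud4Y: a small stdlib-only Python audit that flags a page which collects personal data through a form but carries no link to a personal-data processing policy. The detection is heuristic (field names, input types and link text/href keywords are assumed lists), and the three HTML pages at the bottom are constructed samples, not real sites.

```python
"""Self-audit for the most common systematic-monitoring finding: a page that
collects personal data through a form without linking to the operator's
personal-data processing policy.  Stdlib only; runs offline on the constructed
sample pages below (added example, not the article's own code)."""
import re
from html.parser import HTMLParser

# Heuristics (assumptions): field names/types that indicate personal data,
# and link text/href fragments that indicate a policy document.
PD_FIELD_PATTERN = re.compile(r"(name|fio|email|e-mail|phone|tel|passport|birth|address)", re.I)
PD_INPUT_TYPES = {"email", "tel"}
POLICY_PATTERN = re.compile(r"(privacy|policy|personal[-_ ]?data|политик|персональн)", re.I)


class PageAudit(HTMLParser):
    """Collects, per <form>, the fields that look like personal data, and
    every <a> whose href or text looks like a processing-policy link."""

    def __init__(self):
        super().__init__()
        self.in_form = False
        self.current = None        # PD field names of the form being parsed
        self.forms = []            # one list of PD field names per form
        self.policy_links = []
        self._link_href = None     # set while inside an <a> element
        self._link_text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.in_form = True
            self.current = []
        elif tag in ("input", "textarea", "select") and self.in_form:
            name = a.get("name") or a.get("id") or ""
            itype = (a.get("type") or "").lower()
            if itype in PD_INPUT_TYPES or PD_FIELD_PATTERN.search(name):
                self.current.append(name or itype)
        elif tag == "a":
            self._link_href = a.get("href") or ""
            self._link_text = []

    def handle_data(self, data):
        if self._link_href is not None:
            self._link_text.append(data)

    def handle_endtag(self, tag):
        if tag == "form" and self.in_form:
            self.in_form = False
            self.forms.append(self.current)
            self.current = None
        elif tag == "a" and self._link_href is not None:
            text = "".join(self._link_text)
            if POLICY_PATTERN.search(self._link_href) or POLICY_PATTERN.search(text):
                self.policy_links.append(self._link_href)
            self._link_href = None


def audit_page(html):
    """Return a dict describing whether the page collects PD via a form and
    whether a policy link is present; 'finding' is True when PD is collected
    but no policy link exists on the page."""
    parser = PageAudit()
    parser.feed(html)
    parser.close()
    pd_forms = [f for f in parser.forms if f]
    return {
        "collects_pd": bool(pd_forms),
        "pd_fields": sorted({f for form in pd_forms for f in form}),
        "policy_links": parser.policy_links,
        "finding": bool(pd_forms) and not parser.policy_links,
    }


# Constructed sample pages (not real sites).
SAMPLE_FEEDBACK_NO_POLICY = """<html><body><h1>Feedback</h1>
<form action="/send" method="post">
  <input name="fio" placeholder="Full name">
  <input type="email" name="contact">
  <input type="tel" name="phone">
  <textarea name="message"></textarea>
  <button>Send</button>
</form>
<a href="/about">About us</a>
</body></html>"""

SAMPLE_FEEDBACK_WITH_POLICY = """<html><body>
<form action="/send" method="post">
  <input name="fio">
  <input type="email" name="contact">
  <label><input type="checkbox" name="agree"> I agree to the
    <a href="/docs/personal-data-policy.pdf">personal data processing policy</a></label>
</form>
</body></html>"""

SAMPLE_SEARCH_ONLY = """<html><body><form action="/search"><input name="q"></form></body></html>"""

if __name__ == "__main__":
    for label, page in [("feedback, no policy", SAMPLE_FEEDBACK_NO_POLICY),
                        ("feedback, with policy", SAMPLE_FEEDBACK_WITH_POLICY),
                        ("search form only", SAMPLE_SEARCH_ONLY)]:
        result = audit_page(page)
        status = "FINDING" if result["finding"] else "ok"
        print(f"{label:24s} {status:8s} fields={result['pd_fields']} policy={result['policy_links']}")
```

The first sample reproduces the violation the article describes (a feedback form asking for name, e-mail and phone, with no policy link anywhere on the page); the second shows the same form with a consent checkbox linking to the policy, which clears the finding; the third shows that a search box is not treated as personal-data collection. In practice the keyword lists should be tuned to the site's own field naming.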
What to pay attention to
Processing of personal data is the daily activity of any legal entity. We constantly work with the data of our employees and clients (patients, students, buyers, applicants, site users, borrowers, policyholders, spectators, etc.). We process the same data of the same person in different cases. And consent taken in one case may not apply to another.
Accordingly, in order to prevent negative consequences, we must pay attention to the legal basis for the processing of personal data in each specific case of processing, i.e. understand whether we have contracts, consents or even regulations that Roskomnadzor recognizes during an inspection as a legal basis for processing personal data. And an inspection can occur at any time. For example, you have a website on which you collect data through various forms. Accordingly, you may be checked during systematic surveillance activities, or if a visitor to your site files a complaint against you. Your client or employee (including a former one) may also be dissatisfied with you; they have the opportunity to complain to Roskomnadzor, which, in turn, is obliged to respond to such complaints. So your job is to provide a legal basis for each processing case.
Administrative liability for violation of legislation in the field of personal data is established by Article 13.11 of the Code of Administrative Offenses of the Russian Federation. Fines for legal entities for each violation established by Article 13.11 range from 15,000 to 75,000 rubles.
Inspections of the State Labor Inspectorate
In the Labor Code of the Russian Federation, Chapter 14 is called: “Protection of employee personal data.” The State Labor Inspectorate carries out control and supervisory measures regarding compliance with the requirements of the entire Labor Code and, accordingly, cannot ignore Chapter 14. During inspections, attention is paid to the requirement of paragraph 8 of Article 86:
“employees and their representatives must be familiarized, against signature, with the employer’s documents establishing the procedure for processing personal data of employees, as well as their rights and obligations in this area.”
Thus, they check the presence of such a document and the fact that all employees are familiar with it.
Administrative liability for violation of these requirements is provided for in Article 5.27 of the Code of Administrative Offenses: a fine of 30,000 to 50,000 rubles.
Inspections by FSTEC and FSB
Article 19 of the Federal Law “On Personal Data” establishes measures to ensure the security of personal data during their processing.
Part 3 of Article 19 states that the Government of the Russian Federation establishes the levels of protection of personal data during their processing in personal data information systems (hereinafter referred to as ISPD) and the requirements for the protection of personal data in ISPD. Thus, we have Government Decree No. 1119 dated November 1, 2012, defining these requirements.
Part 4 of Article 19 establishes that the composition and content of the organizational and technical measures necessary to fulfill the requirements established by the Government to ensure the security of personal data when processed in ISPD are established by the FSTEC and the FSB within the framework of their powers. To fulfill this requirement, we have:
- order of the FSTEC of Russia dated February 18, 2013 No. 21 “On approval of the composition and content of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems”;
- Order of the FSB of the Russian Federation dated July 10, 2014 No. 378 “On approval of the composition and content of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems using cryptographic information protection tools necessary to fulfill the protection requirements established by the Government of the Russian Federation.”
In fact, the FSB and FSTEC have divided powers in this area, where the FSB determines measures to protect ISPD when using cryptographic protection means, and FSTEC determines measures for all other security issues.
Part 8 of Article 19 of the Federal Law “On Personal Data” enshrines an important point:
“Control and supervision over the implementation of organizational and technical measures to ensure the security of personal data established in accordance with this article when processing personal data in state personal data information systems is carried out by the federal executive body authorized in the field of security and the federal executive body authorized in the field of countering technical intelligence and technical protection of information, within the limits of their powers and without the right to familiarize themselves with personal data processed in personal data information systems.”
It turns out that the FSB and FSTEC can only inspect organizations that operate state information systems. For other information systems, control is not enshrined in law. It is only said that FSTEC and the FSB
“by decision of the Government of the Russian Federation, taking into account the significance and content of the personal data being processed, they may be vested with the authority to monitor the implementation of organizational and technical measures... when processing them in personal data information systems operated in the implementation of certain types of activities and that are not state personal data information systems ..."
Inspections by FSTEC and FSB can be either scheduled or unscheduled.
As part of its inspections, the FSB pays attention to:
- the presence of a model of the intruder and threats, developed taking into account the requirements of the FSB;
- organizational measures established in accordance with FSB Order No. 378 (appointment of responsible persons, local regulations, procedure for admitting employees to ISPD, physical protection of facilities, etc.);
- availability of cryptographic information protection means, the procedure for their recording and operation;
- documentation for cryptographic information protection means (licenses, certificates, forms, etc.).
As part of its inspections, FSTEC pays attention to:
- the presence of a model of an intruder and threats, acts of establishing security levels for ISPD;
- availability of information security means, the procedure for their recording and operation;
- documentation for information security tools (licenses, certificates, forms, etc.);
- organizational measures established in accordance with Order No. 21 of the FSTEC of Russia (appointment of responsible persons, local regulations, procedure for admitting workers to ISPD, physical protection of facilities, etc.);
- materials of certification tests (in GIS).
For violation of these requirements, liability is established in accordance with Article 13.12 of the Code of Administrative Offenses of the Russian Federation:
- for the use of uncertified information systems, databases and data banks, as well as uncertified information security tools, if they are subject to mandatory certification - a fine of up to 25,000 rubles for legal entities;
- for violation of requirements for the protection of information (except for information constituting a state secret) established by federal laws and other regulatory legal acts of the Russian Federation adopted in accordance with them - a fine of up to 15,000 rubles for legal entities.
Conclusion
After the amendments to Article 13.11 of the Code of Administrative Offenses of the Russian Federation come into force, control and supervisory activities will not change dramatically, but due to a significant increase in fines, the approach of organizations to meeting the requirements of the law and preparing for inspections will change. If previously organizations believed that it was easier to do nothing and that they could wait for a probable inspection and, based on its results, pay a small fine (up to 10,000 rubles), now companies will fight for their rights, which means this will have a positive impact on the rather ambiguous judicial practice on these issues.
The worst situation is for those organizations for which inspections begin at the very beginning of the year. They have minimal time to prepare for an inspection or observation. However, it is worth remembering that PD processing can also be carried out by a person on behalf of the operator. With automated processing, you can contact us and save yourself at least some of the headaches regarding compliance and reduce your costs. We offer several solutions that allow you to get closer to the image of the “ideal operator”, the main one being “Cloud Federal Law 152”.
Sources:
rkn.gov.ru fstec.ru www.fsb.ru www.anti-malware.ru
Author: Cloud4Y
Roskomnadzor: what it checks and what it pays attention to
First of all, experts look at the correspondence of what is written in the notification and the real state of affairs. Any changes to the data processing policy must be notified by email or registered mail.
During a scheduled inspection, the following are important:
- what data the company processes;
- who is responsible for processing;
- where you can read the company’s policy (including on the website);
- to whom the data is transferred;
- how data relating to employee health is processed (especially for schools and other educational institutions);
- how documents are stored and how access is controlled in these premises;
- to what extent all of the above corresponds to what is stated in the documents.
They can be fined for discrepancies between the papers submitted for the register of operators and reality. Fines are also imposed for indiscriminate access to information, changes that were not notified to regulatory authorities in a timely manner, insufficient transparency and the collection of information that is not related to the company’s activities.
What does the inspector require?
Administrative Regulation No. 312 defines the sequence of actions (administrative procedures) of Roskomnadzor and its territorial bodies.
In particular, the subject of state control (supervision) over the compliance of the processing of personal data with the requirements of the legislation of the Russian Federation in the field of personal data are (clause 5 of Administrative Regulation No. 312):
- documents whose nature suggests or allows that they contain personal data (for example, personal files of employees);
- information systems (for example, rules for maintaining electronic document management in the 1C program);
- activities related to the processing of personal data (for example, local regulations on the protection of personal data, consent to the processing of personal data, etc.).
The general list of documents subject to verification is not defined by law.
Here is a sample list of documents:
- Constituent documents of the company (certificate of state registration, TIN, Unified State Register of Legal Entities, charter, etc.)
- List of PD processed by the employer
- List of employees with access to personal data, order for their access
- Instructions for employees who, in the course of their work activities, process personal data and ensure information protection
- Regulations on the responsibility of employees for disclosure of personal data and violation of the ban on access to them
- Local regulations on the protection of personal data
- Documents characterizing the personal data protection system (action plan, act of determining the level of security)
- Regulations relating to information security (about antiviruses, passwords, instructing employees on information security requirements)
- Non-disclosure agreements of personal data signed by employees
- Employee consent forms for the processing of their personal data
- Logs of employee briefings on information security and other internal control measures of the protection regime
- Logs of all storage media, as well as information system security measures
A specific list of documents must be given in the manager’s order.
What is personal data
What data has the status of personal? In fact, any data relating to a person. Everything from first and last names to DNA test results and tax debts falls into this category. Such data is necessary for the operation of organizations, except for those that operate completely anonymously.
What does Roskomnadzor check regarding personal data? This question can also be answered – everything. Organizations need personal cards to identify their own employees and contractors, but each type requires the consent of the person to whom this data belongs.
Important! If there is no agreement, penalties may follow - fines, blocking of the site, suspension of work, revocation of the license.
How does Roskomnadzor check the protection of personal data?
The procedure provides for step-by-step interaction:
- the enterprise receives a notification (for a scheduled inspection - 3 days in advance, for an unscheduled inspection - 24 hours in advance), it indicates the date of the inspection and the order number;
- during a documentary check (planned only), a request and a list of documents that need to be submitted are sent. The manager sends copies certified by his signature;
- during an on-site inspection (scheduled or unscheduled, it can follow the documentary one if shortcomings are identified), two inspectors arrive who check the compliance of the documents with the real state of affairs;
- the supervisory authority makes a decision and gives instructions;
- the company complies with the requirements.
Important! If the instructions are fulfilled on time, the company continues its activities without penalties.
Is it possible to appeal the results?
If the inspection was not carried out according to the rules, the head of the enterprise can appeal its results. It is important to pay attention to notification periods, accreditation of inspectors, and their compliance with inspection rules. If any of this was violated and the company was damaged, you can file an objection within 15 days.
No need to be afraid of inspection
Everyone works with personal information - education, healthcare, catering, and even a small individual entrepreneur with one employee. The leakage of personal cards can cause serious harm, and it is precisely this that the Roskomnadzor inspection is aimed at preventing.