Reasons for drawing up the document
In accordance with Part 1 of Art. 22 of 152-FZ “On Personal Data”, the organization is obliged to notify Roskomnadzor that it wants to work with such information even before processing begins.
If your company is already working or is just planning to interact with data that allows you to identify a person (employee, client, applicant, counterparty), you must fill out and send to Roskomnadzor a notification about the processing of personal data (you can download the form and sample filling below) as soon as possible.
What you need to know about Roskomnadzor’s notification on the processing of personal data
In May 2020, Roskomnadzor approved guidelines on how to notify it about the processing of information that companies receive from employees and clients. Let's consider in what cases notification of Roskomnadzor about the processing of personal data is required and how to prepare the document. The rules for processing personal data and the responsibilities of operating companies are set out in the Law “On Personal Data”.
In particular, Art. 22 of this law states that the operating company is obliged to notify Roskomnadzor before starting its activities. Notification of Roskomnadzor about the processing of personal data is carried out in accordance with ..., approved by order of Roskomnadzor dated May 30, 2020 No. 94. Please note that according to order No. 94, approved by Roskomnadzor dated January 29, 2020. Also, as of August 21, 2017, the order of the Russian Ministry of Telecom and Mass Communications is no longer valid.
Everyone must send a notification about the processing of personal data to Roskomnadzor. A company is an operator if, in one form or another, it interacts with information that it receives from citizens and which is included in such data. In particular, if the company receives information from clients about their place of residence, passport data, etc., it is an operator. There are exceptions to the general rule. There is no need to notify Roskomnadzor if:
- personal data is used only in contractual work - for example, the personal data of the counterparty’s representative is indicated in the contract;
- the company receives and processes information only about;
- automation tools are not used when processing data (see).
Part 2 of Art. 22 of Law No. 152-FZ contains a list of exceptions. In all other cases, Roskomnadzor must receive notification of the processing of personal data.
You need to notify Roskomnadzor about the processing of personal data using a document drawn up according to the form. The notification form can be prepared on the department’s website.
The agency maintains a register of personal data operators. After a notification about the processing of personal data is sent to Roskomnadzor, within 30 days the document must be processed and information about the company must be placed in the register.
The company's inclusion in the list of operators can be checked on the website. If Roskomnadzor will be notified electronically, you need to:
- fill out the sample processing notification form available on the website;
- print the resulting document;
- sign and send to the territorial body of the department at the location of the company.
You can submit a notification to the department not only through the Roskomnadzor portal; notification of the processing of personal data will be accepted on. You can also use a paper document form to notify Roskomnadzor: fill it out and send it by mail.
In the notification for the processing of personal data, Roskomnadzor included sections that relate to the nature of the information, the purpose of its collection, and work methods.
Content
In order to get into the register of personal data operators (PD), you must provide the following information:
- name (or full name), address;
- purpose of processing;
- PD categories;
- categories of subjects whose personal data is processed;
- legal basis;
- list of actions with personal data and their processing methods;
- description of the measures provided for in Article 18.1 and Article 19 of Federal Law No. 152-FZ, including information on the availability of encryption tools;
- data of the individual or legal entity responsible for organizing the processing of personal data;
- start date of information processing;
- term or condition for termination of processing;
- information about the presence or absence of cross-border transfer of personal data during their processing;
- information about the location of the information database containing personal data of citizens of the Russian Federation;
- information about ensuring the security of personal data.
How to submit a notification to Roskomnadzor
Cross-border transfer of personal data:
Not implemented.
The specified notification must be sent in writing and signed by an authorized person or sent in electronic form and signed with an electronic digital signature in accordance with the legislation of the Russian Federation.
Recommendations for design
ATTENTION: As a rule, filling out a notification about the processing of personal data to Roskomnadzor and sending the compiled document is carried out by an information protection specialist, a security administrator or someone responsible for organizing the processing of personal data.
But when filling out a notification of intention to process personal data for an LLC in Roskomnadzor (you can download the form and an example of filling it out below), you must also follow the rules:
- Check that all items are completed completely and correctly. Answers to questions not marked with an asterisk are not required.
- If the notification is sent late, the correct date to indicate as the start of work with PD is the date of registration of your company.
- Please note that after the electronic notification form is filled out on the website of the Federal Service for Supervision of Communications, Information Technology and Mass Communications, it must be printed, signed and sent to the territorial authority.
- All changes relating to the systems specified in the document must be notified to the territorial department of Roskomnadzor within 10 days.
Information letter Roskomnadzor
Roskomnadzor maintains a register of operators - companies that comply with the requirements of the Law “On Personal Data”. To be included in the register, the company submits a notification about the processing of personal data.
This can be difficult to do: it is unclear when to submit the notification, how to fill it out, and how to ensure that the information reaches Roskomnadzor. The Personal Data Law requires every company to file a notice.
There are several exceptions in the law that allow some companies to avoid this. In this case, you need to be prepared to legally prove to the regulatory authority that the exceptions apply to the company. This is not so easy to do: lack of notification is one of the most common violations identified during Roskomnadzor inspections.
The best option is to file a notification and protect the company from questions from the regulatory authority as to why this was not done.
Sometimes companies are afraid that submitting a notification will attract undue attention from Roskomnadzor, and it will come with an inspection.
In practice this does not happen. The notification is submitted before the processing of personal data begins.
Based on the letter of the law, this must be done in the first days after state registration of a legal entity or individual entrepreneur.
Often the decision to file a notice is made when the company has been operating for several months or several years. There is no need to fear a fine or other sanctions for being “late” in submitting a notice. But if Roskomnadzor becomes interested in the company (it comes with an inspection or sends a “letter of happiness” where it demands to submit a notification), then a fine will not be avoided.
An important nuance: even if the notification is submitted “late,” it is better to indicate the date of state registration of the company as the “start date of processing of personal data.”
The notice must be submitted online (electronically) and sent by mail (hardcopy).
The electronic notification form is filled out on the Roskomnadzor website.
There is quite a lot of information required, and it is not easy to do, despite the presence of hints. You need to be prepared to formulate the legal grounds and purposes of processing personal data, describe the actions performed with them and indicate how their security is ensured. After submitting the electronic form, the Roskomnadzor website will offer to download the already completed printed form.
It will need to be printed, signed and certified with the company’s seal, and then sent by mail to the territorial body of Roskomnadzor. This is necessary to confirm the information submitted online.
You can also fill out the notification electronically on the Public Services Portal, but this is a less convenient method.
After filling out the notification on the Roskomnadzor website, the company will receive a notification number and a secret key. With their help, on a special page you can clarify the status of the notification and find out when its information will be included in the register of operators. All information in the register of operators is publicly available, except for information about ensuring the security of personal data.
How to fill it out correctly?
Now let’s look at the rules for filling out the document (and a sample of a completed notification about the processing of personal data to Roskomnadzor can be found below):
- The first paragraphs of the electronic notification form contain information about the operator, that is, the organization itself. Indicate the name, type, address, contact information and INN, plus the optional items: OGRN, OKVED, OKFS, OKOGU, OKOP. List all branches of the company.
- Legal basis. The paragraph specifies all regulations relating to personal data. For example, 152-FZ “On Personal Data”, the Labor Code, the Charter of the organization, and the basic laws governing the activities of the company, including the need to collect and process information about people that allows them to be identified.
- Purpose. It is important to indicate all the purposes for processing information, since working with an excessive amount of personal data is a serious violation, which will be followed by a fine. As a rule, the purpose is to provide or conduct personnel and accounting activities, and provide certain services.
- Description of measures provided for in Article 18.1 and Article 19 of the Federal Law “On Personal Data”. It is important here to describe all the measures listed in the law as they have been implemented.
IMPORTANT: The implementation of all measures specified in clauses 18.1 and 19 is mandatory! A number of internal documents have been developed: regulations on the processing of personal data, a list of information systems, a list of personal data subject to protection, and others. It is necessary to list all documents developed in accordance with the law.
An employee responsible for the processing of personal data has been appointed by order number N. All employees are familiar with the instructions for working in ISPD, and timely training of new personnel is carried out. Secured access to data is ensured, implemented using installed certified information security tools (ISIS), as is the ability to restore the data in case of loss.
When working with documents, an electronic signature and licensed anti-virus software are used.
- Security information. Here you need to list all the information security tools used; you can specify information about licenses and certificates. This item in the questionnaire will not be publicly available, so the completed information will not affect the security of your system.
- Processing start date. As a rule, the date coincides with the time the company started operating; it should be indicated.
- Term or condition for termination of processing. The most common example of filling: “Shutdown.”
- Categories of personal data. Check the boxes for the information that you actually process. If the organization works with categories not listed, list them below. There is no need for extra items: indicate only what really exists. Processing an excessive amount of information that allows you to identify a person may result in a fine.
- Categories of subjects whose data is processed. For example, company employees, their family members, job seekers, clients of the organization.
- List of actions. According to 152-FZ, this can be collection, recording, systematization, accumulation, storage, clarification. Remove unnecessary items.
- Processing method. Most often, the systems are mixed, less often automated, with transmission over the internal network of a legal entity and without transmission over the Internet.
- Implementation of cross-border information transfer. This section indicates whether you are sending information abroad. If yes, all countries must be listed.
- Use of encryption tools. If they are installed, you must check the box and list the name and class of information security tools.
- Information about the location of the information database containing personal data of citizens of the Russian Federation. The country, address and whether the data processing center (DPC) is owned by the company are indicated. The last point is optional; it is not necessary to provide unnecessary information. Even the user’s personal computer can act as a data center.
- Next, you need to enter the details of the employee responsible for organizing the processing of personal data, appointed by the relevant order (indicate the number, date of signing), or the legal entity with whom the contract for work in this area was concluded. This contact information will be publicly available, so please notify your colleague about this.
It is not necessary to indicate the details of the performer, especially if the performer was the employee mentioned above. You will be able to check whether your data has been entered into the register of operators in a couple of weeks.
Notification of personal data to Roskomnadzor sample filling
One of the main questions that personal data operators face is whether or not to submit a notification to Roskomnadzor about the processing of personal data. The main reason why organizations processing personal data are in no hurry to submit a notification is reluctance to attract the attention of the supervisory authority (Roskomnadzor). The state, represented by the authorized body (Roskomnadzor), combats the passivity of operators in this matter with regular measures: official requests are sent out selectively. Many legal entities have already encountered such requests. These are requests from the authorized body regarding the submission of a notification about the processing of personal data. It is important to note here that Roskomnadzor’s request is an official request from a government body, and ignoring it, as well as responding incorrectly, may entail administrative liability.
Two situations are possible: First, let's consider the first situation. You have received a request from the authorized body stating that information about you as a personal data operator is not in the register of operators and that you need to submit a notification in order to register as a personal data operator. Part 4 of Article 20 of the Federal Law “On Personal Data” requires a response to the request within 30 days.
Those who do not respond to the request make a mistake immediately, because, in accordance with Article 19.7 of the Administrative Code of the Russian Federation, administrative liability is provided for failure to provide information on time. Many organizations submit a notice without understanding the law, putting themselves at risk because quick notices often contain errors or incomplete information. Another common mistake is an ill-thought-out response.
You should pay attention to whether all points of the notification are completed. Article 19.7 of the Code of Administrative Offenses of the Russian Federation provides for liability for submitting a notification incompletely. In turn, a sudden refusal to submit a notification may also contain many errors. Thus, some organizations that process data not only of their employees (for example, educational or medical institutions) refer in their response only to paragraph 1, part 2, article 22 of the Federal Law “On Personal Data”. To avoid these mistakes, we advise you not to rush after receiving a request. First of all, find the notification form itself - it is located on the Roskomnadzor website. Having studied the form, you will understand that filling out the notification is a serious job, and if you have not previously done anything regarding the regulation of the processing and protection of personal data, you will now have to take this up seriously. First of all, you need to perform a self-examination.
The notification form will serve as a starting point for this. It clearly shows what needs to be determined:
As an aid in difficult situations, you can use the “Recommendations for filling out a sample form for notification of processing (of intention to process) personal data”, approved by order of Roskomnadzor. These recommendations contain what Roskomnadzor wants to see from you in the notification. If you managed to conduct a full examination and you have identified the most important thing - the purposes of processing personal data, then you should then refer to Part 2 of Article 22 of the Federal Law “On Personal Data”.