Assessment of the level of digital literacy. Personal data of employees

Regarding violations of the law on personal data. They will come into force on July 1, 2017 and will affect everyone who collects, processes and stores any personal data.

Fines were divided by type of violation and increased tenfold. For example, if you do not post a privacy policy on the site, individual entrepreneurs can be fined 10 thousand rubles, and the company - 30 thousand. And if you process personal data without the consent of the client of the online store or the subscriber to the information course, then the fine for the legal entity will be up to 75 thousand rubles. The director of the company or the entrepreneur will have to pay up to 20 thousand. If there are several violations, then there will be several penalties.

We urgently need to tidy up our sites. Checks are already underway 💻

Now only the prosecutor's office can issue reports on violations. The fine does not depend on the type of violation: a maximum of 1000 rubles for an individual entrepreneur or director, and 10 thousand rubles for a legal entity. The procedure takes a lot of time and the fines are small, so checks are rare and not everyone is checked.

How do I know if I am a personal data controller?

Personal data is any data about a person by which he can be identified. There is no list of such data in the law, so you have to guess for yourself. For example, by name or login you cannot understand what kind of person he is, but by name and phone number or name and e-mail you can.

Most likely, you are the operator of personal data if you somehow receive such information from any people in any combination:

  • surname,
  • patronymic,
  • some kind of physical address,
  • email,
  • telephone,
  • date or place of birth,
  • photograph,
  • a link to a personal website or social network,
  • profession,
  • education,
  • income level,
  • marital status.

This means that all site owners that have personal accounts, feedback forms, subscriptions or registrations where you can buy something, place an ad, fill out a questionnaire are personal data operators. Even if the site only has a button for ordering a call or sending a message, this is also the processing of personal data.

And if I write down a friend's phone number or a girl's email on a dating site, do I need to comply with this law?

There is no need. Personal and family data is not covered by the law. But if you pass a friend's phone number to collectors or publish an ad with a girl's email on a misogynist forum, this is already a violation.

How to properly work with personal data so as not to violate the law?

At a minimum, you need to:

  • obtain written consent from each visitor, client or subscriber for the processing, storage and distribution of personal data;
  • publish in the public domain information about everything related to the personal data of customers and visitors;
  • request only the data that is needed for a specific purpose. For example, you cannot ask for a home address or passport details to subscribe to an email newsletter;
  • use the data only for the purposes specified in the documents and about which the person was warned;
  • inform, at the request of a person, what data you have about him, how and for what they are processed and to whom you transferred them;
  • delete on demand the data that is used to send information about discounts and promotions;
  • keep databases in a safe place, protect them from hacking and leakage;
  • teach employees to work with personal data;
  • register with Roskomnadzor.

What? Should I register somewhere else?

Yes, by law, personal data operators must notify Roskomnadzor. Moreover, this must be done before the start of data processing or as soon as possible. Roskomnadzor will enter information about the operator in the general register and will issue it upon request.

You may not submit a notification if:

  • only employee data is processed;
  • personal data was obtained only for the execution of a specific contract with a specific person and will not be used in any way, and even more so - distributed;
  • the person himself published this data in the public domain;
  • you only have the client's full name and nothing else.

I have a website and I receive personal data. What should I do?

If you still have not done anything, then you are already breaking the law and you can be fined right now. Even if your site is served by a web studio or a remote IT specialist, the fine will still be written out to the company or individual entrepreneur indicated on the site.

Prepare public documents and place them on the site so that they are available on all pages. It can be a user agreement like Lamoda, sales rules, legal notice like M-video, privacy policy like Resto, Adidas or Ozone. You can also set out the conditions for processing personal data in a regular contract or offer, as Sberbank does.

Do not use other people's documents. They can be taken as a guide, but you need to write your own list of data and purpose of use. What a bank needs to get a loan or an online store to deliver goods won't be needed for an email newsletter or message board. Requesting unnecessary data is a violation of the law and a reason for a fine.

Implement a solution that makes it clear that the person has agreed to the processing of personal data. This could be a checkmark on the registration form or a warning at checkout. For reliability, have the web pages certified by a notary.

Prepare internal documents on the storage of personal data and the responsibility of employees who work with them. Orders, regulations and job descriptions do not need to be shared.

If necessary, send a notification to Roskomnadzor. If you are sure that you do not need to send a notification, arrange the documents in such a way that it is clear during the check. For example, write in the policy that you use personal data only for the execution of a specific contract. Or indicate that you are creating a resource where data is publicly available at the request of the user.

Is it true that personal data can only be stored on Russian servers? If I have hosting in Europe, am I breaking the law?

Much in the law is unclear on this point. On the one hand, it is necessary to collect, process and store databases on Russian servers. But at the same time, there is a separate article about cross-border data transfer. The website of the Ministry of Telecom and Mass Communications published explanations on this matter, but there are also many contradictions in them.

Draw your own conclusions about where to store the data. If you do not know what to do, send a request to Roskomnadzor or the Ministry of Telecom and Mass Communications. You can also contact your hoster: most often such companies have ready-made solutions.

Yes, calm down, you all! No one will be fined because of some forms on the site and unnecessary papers.

In the Tambov region, the prosecutor's office fined a law firm for a feedback form that was filled out without the user's consent to the processing of personal data. The courts upheld the fine.

The director of a management company was fined for passing on the debtors' data to lawyers in order to draw up statements of claim. He did not receive consent to the processing of personal data from the residents. The Constitutional Court did not help him.

In Astrakhan, prosecutors fine site owners for alphabetical feedback forms.

In addition to fines in favor of the state, a violation of the rules for processing personal data can lead to compensation for moral damage being collected, and even to imprisonment.

There are a lot of incomprehensible things in the law about personal data. We figured it out and answered

On April 8, 2017, teachers, students and their parents were asked to independently determine the level of mastering the knowledge gained during the "Safer Internet Week" using the test "Assessment of the level of digital literacy in managing personal data on the Internet." This test is taken from the educational and methodological manual for employees of the general education system "Practical Security Psychology: Management of Personal Data on the Internet" by the authors Soldatova G.U., Priezzheva A.A., Olkina O.I., Shlyapnikova V.N. The self-test is aimed at identifying gaps in the knowledge of the test takers and will help in determining a further work plan in the direction of "Ensuring information security of schoolchildren."

DIGITAL LITERACY ASSESSMENT

ON THE MANAGEMENT OF PERSONAL DATA ON THE INTERNET

This test is aimed at assessing the level of digital literacy of schoolchildren in the field of personal data management on the Internet and can be used to assess the effectiveness of students mastering the program. The technique is a set of 20 test items with one correct answer. The test takes 30-40 minutes to complete.

Instructions

You will be offered 20 tasks related to the security of handling personal data on the Internet. The answer options include only one correct answer. Your task is to select and mark the option that you think is correct. The entire test takes no more than 40 minutes to complete.

1. What information can be classified as personal data?

A. Surname, name, patronymic.

B. Date and place of birth.

C. Place of study.

D. Political and religious beliefs.

2. Which of the provided personal data allow you to uniquely identify the user in our country?

A. Name, surname, year of birth.

B. Last name, year of birth, school number.

C. Name, passport number of the Russian Federation, city of residence.

D. Name, surname, city of residence.

3. This summer Masha Ivanova went to Tsarskoe Selo with her class. At the end of the excursion, the class teacher took a group photo of the class in front of the Catherine Palace. The photo turned out to be successful, so the teacher posted it on his page on the social network with the caption "9 'B' in Tsarskoe Selo" and marked several people on it, including Masha. What information about Masha Ivanova is contained in this entry?

A. External data.

B. Place of study.

C. Location of the excursion.

D. The names of Masha Ivanova's classmates.

E. All options offered.

4. At the weekend, Vasya was visiting his friend Petya. On a couple of occasions, he used a friend's computer to purchase a new computer game from an online store and read the news. What personal information of Vasya could have been saved on Petya's computer?

A. Search history.

B. History of visits to sites.

D. Downloaded files.

E. None of the options offered.

5. Ksyusha, while in a cafe with her friend Sveta, used her laptop to enter the browser. What should Ksenia do to leave a minimum of personal information on Sveta's laptop?

A. Clear the browsing history after exiting the browser.

B. Do not save passwords while browsing the network.

C. Use incognito mode while working in a browser.

D. Change the user on the laptop.

E. Clean up the temporary files folder after working at the computer.

6. Tanya met Kolya on the portal of the popular online game Lineage. For a long time they played for the same team and more than once helped each other out in virtual battles. Once Tanya got ready for another raid, but at the last moment she learned about the geometry test and realized that she would not be able to take part in the battle. Kolya suggested that Tanya give the password to her account to Kolya's friend, who could replace her for a while in the game. What is the best way for Tanya to act in such a situation?

A. Kolya vouched for his friend, so you can safely give him the password.

B. It's okay to give the password to another player - it's just a game.

C. You can transfer your password to your friend's friend - even if he steals your account, you can recover it.

D. Kolya's offer should be declined, since the user agreement prohibits players from transferring their password to third parties.

E. Tanya needs to collect as much information as possible about Kolya's friend, and then make a final decision.

7. When registering on the site, you were asked for a phone number. When is it most secure?

A. You register on a large and well-known online resource, for example, on the Mail.ru portal.

B. You are making a purchase for the first time in an online store that has posted positive reviews from other users.

C. You register on the game portal, which was recommended to you by your friends and acquaintances.

D. You want to download a new movie on a file hosting service, and you are required to register in a pop-up window.

E. In all of the above cases.

8. Which of the following passwords can be considered the most secure?

A. Superman Vasya 2005.

B. QwErTy123456.

C. [email protected];).

D. Q1jk45) @da.

E. [email protected][email protected]!

9. What is the safest way to store your account password?

A. In the notebook in the bottom drawer of the desk.

B. In a text file in a hidden folder on your computer.

C. In a special program downloaded for free on the Internet.

D. All of the above methods can be considered completely reliable.

E. All of the above methods cannot be considered completely reliable.

10. One evening Anya discovered that someone had hacked into her account, posted indecent images on her wall and began sending insults to her friends in private correspondence. Anya regained access to her account and changed her password, but it was too late. Many have removed her from their friends and added her to the "black list", and some even stopped talking to her at school. What should Anya do to restore her reputation?

A. Delete all unpleasant messages from your page.

B. Place a post on the page explaining the reasons for the incident and apologize to the readers.

C. Change passwords for all accounts on other online resources.

D. Try to personally talk to your closest friends and explain the situation to them.

11. In the social network Vova received a private message, which reported an attempt to hack his account from someone else's device. Vova was strongly advised to follow the link provided in the message to change his password. What is the right thing to do in such a situation?

B. Ignore the email and add it to spam.

C. Write back an angry letter criticizing the work of the social network.

D. Log in to your social network account yourself and change your password.

E. Reply to this letter and clarify information.

12. Mila decided to start leading a healthy lifestyle. She downloaded a fitness tracker to her smartphone, which allows her to record the distance traveled and the number of calories spent during sports. The application was free, but required access to a certain set of personal data and smartphone functions. Which of these requirements can be

A. Access to the camera and media stored on the device.

B. Information about location and movement.

C. Ability to make in-app purchases.

D. Gender, age, weight, height.

E. All of the listed requirements are reasonable.

13. What personal information posted on an online resource should be removed from the search engine at the user's request?

A. Any group photo that has a picture of this user.

B. Repost of a user post posted in the public domain on the page of this user in the social network.

C. Number of passport or any other official document of the user.

D. No personal information about the user is subject to mandatory deletion.

E. Any personal information must be removed from the Internet at the request of the user.

14. What to do if hackers hacked your account on an online resource and changed the password and mailbox address to which the account was linked?

A. It is not worth spending energy on restoring your account - you can always create a new one.

B. Contact the administration of the resource with a request to restore your access to your account.

C. Contact the cybercriminals with a request to return the account.

D. Contact a familiar hacker with a request to hack your account again and return it to its rightful owner.

E. This is a desperate situation - a lost account, in principle, cannot be returned.

15. Vlad - Natasha's deskmate and a very curious young man. Which of Vlad's actions would be a violation of Natasha's privacy?

A. I told my classmates that Natasha is allergic to sweets.

B. Photographed Natasha sleeping on the desk and posted this photo on a social network.

C. I took Natasha's smartphone from her desk and looked at the call history.

D. I read aloud the note that Natasha wrote before the lesson to Vanya.

E. All of the above options.

16. What types of Natasha's personal data can Vlad disseminate with full confidence that it will not harm her in any way?

A. Phone number, parents' full names, home address.

B. Country of residence, school number, information on past illnesses.

C. Hobby, number and address of the school, login from the page on the social network.

D. Age, height and weight, grades in the class register.

E. None of the listed types of data.

17. Which statement is completely correct?

A. Everyone needs to protect their personal information and keep as much information about themselves as possible from other people.

B. Each person can independently decide what information and under what conditions can be kept secret or transferred to other people.

C. It is useless to control your personal data on the Internet, so there is no point in worrying about it.

D. Each person should provide as much information about himself as possible, as this allows you to use all the possibilities of the Internet.

E. None of these options.

18. Olya broke up with Vasya and is now dating Anton. They often walk, take photos together and post them on the network. Olya still treats Vasya well, but does not want to upset him with photos with a new young man. What is the best way for her to proceed?

A. Restrict access to your photos for Vasya.

B. Stop posting your photos on the social network.

C. Ask Vasya not to visit her page.

D. Remove Vasya from friends.

E. Add Vasya to the "black list".

19. Choose the correct statement. Author's posts posted by users on social networks and blogs ...

A. Show the uniqueness of a person and always have a positive effect on his reputation.

B. They never contain personal information, so their publication does not entail serious consequences.

C. Are rated differently by readers, so it is impossible to predict how the publication of a post will affect the reputation of its author.

D. Always contain unnecessary personal information about a person, which can harm not only his reputation, but also personal safety.

E. They do not contain anything good, because they indicate only a desire to show off.

20. What rules should NOT be followed when publishing information on the Internet?

A. Write posts guided by the first emotional impulse - in order to convey to the reader the storm of your emotions.

B. Publish information and comments about important facts and events only after they have been verified in several sources.

C. Post data about another person to the network only if he has given his prior consent to do so.

D. Evaluate published information from the point of view of various categories of users.

E. All of the above rules are correct.

Correct answers

1 - E, 2 - C, 3 - E, 4 - B, 5 - C, 6 - D, 7 - A, 8 - D, 9 - E, 10 - E, 11 - D, 12 - A, 13 - C, 14 - B, 15 - E, 16 - E, 17 - B, 18 - A, 19 - C, 20 - A.

The level of mastery of the program is assessed according to the following table:

| Number of correct answers | Approximate score on a five-point scale |
|---|---|
| 17-20 | Excellent |
| 14-16 | Good |
| 10-13 | Satisfactory |
| Less than 10 | Unsatisfactory |

In particular, it expanded the list of grounds for bringing to administrative responsibility for illegal processing of personal data (PD) and increased fines.

Personal data: fines

| Grounds | Fine: individuals | Fine: officials | Fine: legal entities | Fine: individual entrepreneurs (IP) |
|---|---|---|---|---|
| PD processing in cases not provided for by the legislation of the Russian Federation; PD processing incompatible with the purposes of PD collection | warning or fine from 1000 to 3000 rubles | warning or fine from 5000 to 10,000 rubles | warning or fine from 30,000 to 50,000 rubles | |
| PD processing without the written consent of their subject | from 3000 to 5000 rubles | from 10,000 to 20,000 rubles | from 15,000 to 75,000 rubles | |
| Failure to comply with the obligation to publish or provide access to a document defining a policy for PD processing, or information on PD protection | from 700 to 1500 rubles | from 3000 to 6000 rubles | from 15,000 to 30,000 rubles | from 5,000 to 10,000 rubles |
| Failure to provide the personal data subject with information on their processing | warning or fine from 1000 to 2000 rubles | warning or fine from 4000 to 6000 rubles | warning or fine from 20,000 to 40,000 rubles | warning or fine from 10,000 to 15,000 rubles |
| The operator's failure to comply with the requirement of the PD subject or his representative to clarify, block, destroy (if the PD is incomplete, outdated, inaccurate, illegally obtained, and is not necessary for the stated purpose of processing) | warning or fine from 1,000 to 2,000 rubles | warning or fine from 4000 to 10,000 rubles | warning or fine from 25,000 to 45,000 rubles | warning or fine from 10,000 to 20,000 rubles |
| Failure by the operator, when processing PD without automation tools, of the obligation to preserve PD, which led to unauthorized or accidental access to PD and became the reason for their destruction, modification, blocking, copying | from 700 to 2000 rubles | from 4000 to 10,000 rubles | from 25,000 to 50,000 rubles | from 10,000 to 20,000 rubles |

Failure by the operator (state or municipal authority) to anonymize PD; non-compliance with the requirements for anonymization of personal data: warning or imposition of an administrative fine from 3000 to 6000 rubles.

Please note: it is precisely such a basis as the processing of PD without obtaining the consent of their subject that provides for the largest fines for all categories of violators - up to 75,000 rubles.

In this regard, many questions arise, the most frequently asked:

  • Am I a data controller?
  • Is the personal data law applicable to me?
  • How to notify Roskomnadzor about the processing of personal data?
  • What should a website owner do to avoid fines?

Let's deal with all the questions in order.