
Personal data on the territory of the Russian Federation. Storage and processing of personal data. Instructions. What can businesses expect from the law on personal data storage?

Citizenship

As follows from the provisions of parts 2 and 3 of Article 105 of the Air Code of the Russian Federation, an agreement for the air carriage of a passenger, an agreement for the air carriage of cargo or an agreement for the air carriage of mail is certified, respectively, by a ticket and a baggage receipt in the case of a passenger transporting luggage, a cargo waybill, or a postal waybill; a ticket, baggage receipt and other documents used in the provision of air transportation services for passengers can be issued in electronic form (electronic transportation document), with information about the terms of the air transportation agreement placed in the automated information system for registration of air transportation. Thus, in order to implement the above provisions of the law, air carriers are required to carry out activities related to the processing of passenger personal data in order to prepare documents certifying the conclusion of an air carriage agreement.

In accordance with Art. 85.1 of the Air Code of the Russian Federation, in order to ensure aviation security, carriers ensure the transfer of personal data of aircraft passengers to automated centralized databases of personal data about passengers in accordance with the legislation of the Russian Federation on transport security and the legislation of the Russian Federation in the field of personal data, and for international air transportation also to authorized bodies of foreign states in accordance with international treaties of the Russian Federation or the legislation of foreign states of departure, destination or transit, to the extent provided for by the law of the Russian Federation, unless otherwise established by international treaties of the Russian Federation. It should be borne in mind that the Russian Federation is a party to a number of international conventions in the field of air transportation, in particular, the Chicago Convention (the “Convention on International Civil Aviation” was concluded in Chicago on December 7, 1944, came into force for the Russian Federation on August 16, 2005 - “Collection of Legislation of the Russian Federation”, October 30, 2006, No. 44), the Warsaw Convention (the “Convention for the Unification of Certain Rules Relating to International Air Transport” was concluded in Warsaw on October 12, 1929, came into force for the USSR on February 13, 1933, Collection of existing treaties, agreements and conventions concluded by the USSR with foreign states, Vol. VIII, - M., 1935, p. 326 - 339) and the Guadalajara Convention (the “Convention supplementary to the Warsaw Convention for the unification of certain rules relating to international air transport carried out by a person other than the contractual carrier” was concluded in Guadalajara on September 18, 1961, came into force for the USSR on December 21, 1983, “Vedomosti VS USSR”, 02/15/1984, No. 7), which also form an integral part of the legal regulation of the activities of air carriers and related information processes.

Based on the above, the requirements of Part 5 of Art. 18 of the Federal Law “On Personal Data” do not apply to the activities of Russian and foreign air carriers regarding the collection and processing of personal data of citizen passengers for the purposes of booking and issuing air tickets (travel tickets), baggage receipts and other transportation documents to them, since they fall under the exception provided for in clause 2, part 1, art. 6 of the Federal Law “On Personal Data”.

The requirements of Part 5 of Art. 18 of the Federal Law “On Personal Data” also do not apply to the activities of persons acting on behalf of the air carrier (authorized agent), whose activities are provided for in paragraph 6 of the General Rules for the Air Transportation of Passengers, Baggage, Cargo and the requirements for servicing passengers, shippers, consignees, approved by the Order of the Ministry of Transport of Russia No. 82 dated June 28, 2007 “On approval of the Federal Aviation Rules ‘General rules for the air transportation of passengers, baggage, cargo and requirements for servicing passengers, shippers, consignees’”, as well as other persons, regarding the processing of personal data of citizen passengers solely for the purpose of booking and issuing air tickets (travel tickets), baggage receipts and other transportation documents, including in electronic form, for domestic and international flights, if the above activities of these persons are provided for by the legislation of the Russian Federation or the relevant international treaty, including for the purposes of ensuring aviation security.

If the processing of personal data falls under the exceptions provided for in paragraphs 2, 3, 4, 8 of part 1 of article 6 of the Federal Law “On Personal Data”, the provisions of Part 5 of Article 18 of 152-FZ do not apply. The personal data operator is responsible for correctly qualifying its processing actions and for ensuring their compliance with legal requirements when it provides for (organizes) such processing. The correctness of that qualification and of the processing arrangements in a specific situation is verified by the authorized federal body during control activities.

Goods and services

From the set of provisions of Part 5 of Article 18 of the Federal Law “On Personal Data” (“when collecting personal data, including through the information and telecommunications network Internet, the operator is obliged to ensure recording, systematization, accumulation, storage, clarification (updating, changing), retrieval of personal data of citizens of the Russian Federation using databases located on the territory of the Russian Federation, except for the cases specified in paragraphs 2, 3, 4, 8 of part 1 of article 6 of this Federal Law”) and paragraph 2 of part 1 of article 6 of the Federal Law “On Personal Data” (“processing of personal data is necessary to achieve the goals provided for by an international treaty of the Russian Federation or law, to implement and fulfill the functions, powers and responsibilities assigned by the legislation of the Russian Federation to the operator”) it follows that the processing of personal data for the purposes and in accordance with the requirements established by the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, ratified by the Russian Federation, does not contradict the legislation of the Russian Federation governing relations in the field of personal data protection. In addition, Part 5 of Article 18 of 152-FZ does not limit the cross-border transfer of personal data of citizens of the Russian Federation.

The law does not provide for the concept of “primary collection”, but establishes requirements for the processing of personal data for any collection of information, while highlighting such operations with personal data as clarification (updating, changing) of information containing personal data. For the purposes of the law, the process of collecting information also includes procedures for storing and accumulating information, which in itself does not allow the use of such a concept as “primary collection”. Thus, the law imposes an obligation on the operator, when processing collected personal data by systematization, accumulation, storage, clarification, retrieval, to use databases located on the territory of the Russian Federation. Thus, if in order to prepare reports or analyze information containing personal data, the operator needs to carry out the above-mentioned forms of processing personal data, then such actions must be carried out using databases located on the territory of the Russian Federation.

The interpretation regarding the primary collection is incorrect for the following reasons. The law does not provide for the concept of “primary collection”, but establishes requirements for the processing of personal data for any collection of information, while highlighting such operations with personal data as clarification (updating, changing) of information containing personal data. For the purposes of the law, the process of collecting information also includes procedures for storing and accumulating information, which in itself does not allow the use of such a concept as “primary collection”. Thus, the law imposes an obligation on the operator, when processing collected personal data by systematization, accumulation, storage, clarification, retrieval, to use databases located on the territory of the Russian Federation.

In accordance with the provisions of paragraph 7 of part 4 of article 16 of Federal Law No. 149-FZ of July 27, 2006 “On information, information technologies and information protection”, the owner of information and the operator of the information system, in cases established by the legislation of the Russian Federation, are obliged to ensure that the information databases used for the collection, recording, systematization, accumulation, storage, clarification (updating, changing), and retrieval of personal data of citizens of the Russian Federation are located on the territory of the Russian Federation.

Taking into account also the provisions of Part 5 of Article 18 of Federal Law No. 152-FZ of July 27, 2006 “On Personal Data” (coming into force on September 1, 2015), establishing that when collecting personal data, including through the Internet information and telecommunications network, the operator is obliged to ensure recording, systematization, accumulation, storage, clarification (updating, changing), retrieval of personal data of citizens of the Russian Federation using databases located on the territory of the Russian Federation, we believe that the processing of personal data of citizens of the Russian Federation on the territory of another state can be carried out exclusively in cases provided for in paragraphs 2, 3, 4, 8 of part 1 of article 6 of the Federal Law “On Personal Data”, for which there is an exemption in part 5 of article 18 of 152-FZ. It should also be taken into account that there is no legislative division between the “main” personal data base and its “copy”. In both cases we are talking about the database with which personal data is processed. At the same time, the Federal Law does not contain a general ban on the processing of personal data of citizens of the Russian Federation using databases not located on the territory of the Russian Federation.

In this regard, we believe that the processing of personal data of citizens of the Russian Federation through collection, recording, systematization, accumulation, storage, clarification, retrieval can be carried out using databases not located on the territory of the Russian Federation in the following cases:

  • if such activity falls under the cases provided for in paragraphs 2-4, 8 of part 1 of Article 6 of 152-FZ;
  • if such activity does not fall under the cases provided for in paragraphs 2-4, 8 of part 1 of Article 6 of 152-FZ, and on the territory of the Russian Federation there are databases used for such processing of personal data that contain a volume of personal data larger than or equal to that located outside the territory of the Russian Federation (in this case, it is unacceptable for personal data to be located outside the territory of the Russian Federation if it is not at the same time located within the territory of the Russian Federation).

Cross-border transfer of personal data is not prohibited provided that the requirements established in Article 12 of Federal Law No. 152-FZ are met. At the same time, cross-border data transfer must have a predetermined processing purpose, upon achievement of which the subject of personal data must be guaranteed destruction of the transferred data in the territory of the foreign country. Subject to the specified requirements, liability provided for by Russian legislation is applicable to the operator in case of violation of the procedure and conditions established for the mandate agreement.

In accordance with the provisions of paragraph 2 of Article 3 of the Federal Law “On Personal Data”, the operator is a government body, municipal body, a legal entity or individual who, independently or jointly with other persons, organizes and (or) carries out the processing of personal data, as well as determining the purposes of processing personal data, the composition of personal data to be processed, actions (operations) performed with personal data. Thus, the provisions of Federal Law No. 242-FZ apply to all of the above entities. The adopted federal law does not bind the distribution of Part 5 of Article 18 152-FZ only to operators where the processing of personal data is their main activity, or to operators who process personal data only using information and telecommunication networks.

In accordance with the provisions of paragraph 2 of Article 3 of the Federal Law “On Personal Data”, the operator is a state body, municipal body, legal entity or individual, independently or jointly with other persons organizing and (or) carrying out the processing of personal data, as well as determining the purposes of processing personal data, composition of personal data to be processed, actions (operations) performed with personal data. Thus, the provisions of Federal Law No. 242-FZ apply to all of the above entities. The adopted federal law does not bind the distribution of Part 5 of Article 18 152-FZ only to operators where the processing of personal data is their main activity, or to operators who process personal data only using information and telecommunication networks. The existing plans for legislative activity do not provide for the development of a draft federal law correcting this situation.

The above requirements of the law apply, among other things, to the operator’s processing of personal data obtained as a result of collection, namely recording, systematization, accumulation, storage, clarification (updating, changing), retrieval.

The understanding is correct. 152-FZ does not disclose the term “use of personal data”. For interpretation purposes, “use of personal data” can be understood as actions with personal data that are not related to other forms of processing of personal data, including making decisions based on personal data for which personal data was collected (the purpose of collecting personal data must comply with purposes of using personal data).

The concept of “operator” is contained in Article 3 of Law No. 152-FZ, where it is understood as a state body, municipal body, legal entity or individual that independently or jointly with other persons organizes and (or) carries out the processing of personal data, as well as determining the purposes of processing personal data, the composition of personal data to be processed, and the actions (operations) performed with personal data. Taking into account that Article 3 of Law No. 152-FZ does not contain exceptions regarding the implementation by a person of certain operations for the processing of personal data, or any definitions other than that of the operator, a person determining the purpose of processing personal data or carrying out individual actions for the processing of personal data is, in the context of the provisions of Law No. 152-FZ, the operator processing personal data.

— Is it true that repeated or additional notification about the processing of personal data is not required after September 1, 2015? Do I need to additionally disclose where the databases are located?

There is no concept of “repeated” or “additional” notification. Article 22 of the Federal Law “On Personal Data” establishes the obligation of the operator to send a notification before processing personal data. Part 2 of the said article lists a number of exceptions where such notice is not required. Federal Law No. 242-FZ amends Part 3, which defines the requirements for the content of the notification. If an organization has previously sent a notification to Roskomnadzor about the processing of personal data, then after the law comes into force, operators, guided by Part 7 of this article, must provide information about the location of the database within ten working days.

— Does the initial collection of personal data on paper with its subsequent entry into an electronic database fall under the requirements of Part 5 of Article 18 of Federal Law No. 152-FZ?

According to the requirements of Part 5 of Article 18 of Federal Law No. 152-FZ, when collecting personal data, including through the information and telecommunications network “Internet”, the operator is obliged to ensure recording, systematization, accumulation, storage, clarification (updating, changing), retrieval of personal data of citizens of the Russian Federation using databases located on the territory of the Russian Federation, except for the cases specified in paragraphs 2, 3, 4, 8 of part 1 of article 6 of this Federal Law. A fundamental principle of personal data law is that the processing of personal data should be limited to the achievement of specific, pre-defined and legitimate purposes. In this regard, entering personal data into a personal data information system used for purposes similar to collecting data on paper should be considered as a single process, the implementation of which must be carried out in strict accordance with the requirements of Part 5 of Article 18 of Federal Law No. 152-FZ. The division of this single process into separate actions is not provided for by the legislation of the Russian Federation in the field of personal data. Thus, individual types of processing of personal data provided for by part 5 of Article 18 of Federal Law No. 152-FZ, including the collection of personal data on paper with their subsequent entry into an electronic database, must be carried out as a single process within the legal framework of the legislative norm requiring the storage of personal data on the territory of the Russian Federation.

The State Duma adopted in the third reading a law on the storage of personal data on the territory of Russia. It will come into force on September 1, 2015, a date the industry calls a compromise.

With the onset of autumn, companies will be required to store personal data of Russians processed on the Internet on servers located in Russia. The restriction was initially expected to come into force on September 1, 2016. Then the deputies decided to speed up the process, and in the new edition the date of entry into force of the law was January 1, 2015. The Duma Information Policy Committee introduced this amendment in connection with “the general situation, the increasing frequency of leaks of personal data and issues of state security in general.” With this date, the bill was adopted in the second reading.

After a series of consultations with representatives of the Internet industry, the State Duma decided to return to consideration of the document and postpone the date of entry into force of the norm. Today, deputies adopted the bill immediately in the second and third readings, the final date of entry into force of the law was September 1, 2015.

“This is a compromise option. Apparently, the deputies considered that it was unacceptable for the data of Russians to be stored abroad during 2015, but during discussions with the industry they came to the conclusion that by January 1, 2015, companies would not have time to ensure compliance with the requirements, and they also did not understand many of the mechanisms prescribed by law,” Alexander Shepilov, secretary of the Federation Council Commission for the Development of the Information Society, previously told RBC.

Sergei Plugotarenko, director of the Russian Association of Electronic Commerce (RAEC), noted in an interview with RBC that postponing the date of entry into force of the law to September gives the industry time to adjust the document. In this process, he expects to resort to consultations with industry representatives and relevant government agencies.

Many representatives of the IT business expressed their negative attitude towards the bill. RAEC also opposed the adoption of the document in its current version. The position of the organization is reflected on the website.

“Data localization requires the information services provider to build physical local infrastructure in every jurisdiction in which it operates, enormously increasing costs and other losses for both providers and consumers of services,” according to RAEC members. They note that the provision of many services in such a situation becomes impossible.

In October 2014, the Association of Retail Companies (ACORT), the Association of Internet Trade Companies (AKIT) and the Association of Computer and Information Technology Enterprises (RATEK) prepared a joint appeal to Russian President Vladimir Putin. Due to limited time and the inability to comply with some legal requirements, many companies will be forced to cease their activities in Russia, business representatives argued.

Valentin Krokhin, a representative of the system integrator Jet Infosystems, claims that due to more stringent requirements, storing data in Russia will cost companies 30% more than in foreign data centers. His opinion is quoted by the Vedomosti newspaper. The expert estimated the costs of Russian companies for storing data abroad at tens of millions of dollars. A significant part of the business will not have time to transfer such a volume to Russia, Krokhin believes.

The entry into force of the law will affect not only the IT business. Problems may arise, for example, with insurance and aviation companies, retail businesses, international communication services, postal forwarding, hotel and air ticket bookings.

“The price that Russia will pay will be incomparably higher than the risks that the authors of the law talk about. We do not observe any facts of criminal use of personal data,” Anton Guskov, director of public relations at RATEK, told RBC.

Evgeny Akimov, director of the information security center at the R-Style company, noted in an interview with Kommersant that serious problems may arise for companies that use cloud services, for example foreign CRM systems. “A change is practically impossible, since there are no such services in Russia. The problem can be solved by depersonalizing data. You can also change cloud CRM to classic CRM, but this is a technologically difficult task,” he says.

Text: Oleg Akbarov, Nikolay Udintsev

Before leaving for summer vacation, the State Duma of the Russian Federation suddenly adopted another series of “prohibitive laws” - the main resonance was caused by the initiative to prohibit Internet services from storing data outside the Russian Federation. It provoked a new wave of conversations about the future of the Internet in our country and that soon, instead of the World Wide Web, we will only be able to use .

What happened?


Today, July 4, amendments to the law “On Personal Data” were adopted in the second and third readings. 325 deputies voted for the document, 65 parliamentarians voted against it. These amendments cover, among others, such resources as Facebook, Twitter and Booking.com, as well as thousands of online stores, hundreds of airlines and visa services. Look At Me looks at how this could end for both ordinary people and those whose business is online.

The bill, which comes into force on September 1, 2016, regulates the obligations of the Internet operator “to ensure the recording, systematization, accumulation, storage, clarification (updating, changing), retrieval of personal data of citizens of the Russian Federation in information databases located on the territory of the Russian Federation”. So after the specified date, storing any personal data outside the Russian Federation is prohibited.

What is prohibited?


According to the law, Roskomnadzor must limit access to information that is “processed in violation of the law,” that is, not in Russia. To do this, it will send a letter reporting a violation of the law to the service's hosting provider or its owner. If the latter does not take “immediate measures” to eliminate the violation, the department will send a second letter to domestic providers with instructions to block the site.

All violating sites will be included in a new “black list” - the Register of Violators of the Rights of Personal Data Subjects. It is clarified that Roskomnadzor can send a letter only after a court decision. However, the law does not clarify on what grounds the trial will begin - at the request of Roskomnadzor or any other person.

What will come of this in practice?


Even if individual companies (for example, Google and Microsoft) agree to install their data centers in Russia, some services will not be physically able to comply with the requirements of Russian legislation. For example, domestic experts believe that foreign online stores will not be able to install their servers in Russia, since they must process data in the territory of the country in which they operate.

A similar situation may arise with foreign services for booking airline tickets, hotels (Booking.com), housing (Airbnb), as well as payment instruments (PayPal). They must store their data on international servers so that other companies can access it from any country. The amendments adopted by the State Duma of the Russian Federation do not clarify whether access to information in Russian data centers from abroad will be allowed. And it is not clear how young Internet startups, which do not have the funds to pay so much attention to Russian users, will be able to operate in Russia.

Experts say that the only way to enforce this law against foreign Internet companies such as Google or Facebook is to block access to their services in Russia. This situation arises due to the fact that these companies are outside Russian jurisdiction. However, previously similar restrictions in other countries led to the fact that services simply stopped working in their territory.

Despite the possible departure of foreign services from the Russian market, some officials expect to receive economic benefit. For example, municipal deputy Alexey Lisovenko believes that this can bring

The terminology for storing personal data was formed later.

In 2001, Chapter 14, dedicated to employees, appeared in the Labor Code of Russia, and 15 years later, the government finally formed terms for handling confidential information.

Information storage refers to the way it is distributed in time and space using a specific medium. The main condition and purpose of data storage is to ensure constant access to it or access on demand.

Data storage is an integral part of information processing. When a citizen gives, we are talking about collecting, accumulating, clarifying, retrieving, updating and storing information.

Where can it be stored in the Russian Federation?

Each operator must have a policy for storing personal information, including the following items:

Electronic

Personal information is confidential information and therefore must be protected. For all operations with such information, including storage, personal data information systems (ISPD) are used.

In Russia, they are usually divided into four categories depending on the importance and volume of information.

  • Category 1. A typical personal data information system with information on more than 100 thousand subjects. It contains information about race, nationality, political views, religion, intimate life and other information, the dissemination of which will have a clear negative impact on the lives of individuals.
  • Category 2. The system contains personal information, the disclosure of which will allow third parties to obtain individual additional information, except for data related to the first category.
  • Category 3. A system with personal information that makes it possible to identify an individual.
  • Category 4. Provides for storage of information, the disclosure of which will not have a negative impact.

The storage process begins with the creation of such a system and its verification by Russian government agencies. After this, the operator must meet all requirements for the engineering protection of the premises; the compliance of the system is checked according to:

  1. fire safety requirements;
  2. security;
  3. electrical power;
  4. grounding;
  5. sanitary requirements.

The last point is attestation or certification of the ISPD. If the ISPD is ready, then the company will have to register the legal basis for all processes with personal information, which will appear on the website before the user's information is entered into the form.

It can be called anything, for example, “Personal Data Processing Policy” or “Consent to the Storage of Personal Information.”

The main thing is that the client can familiarize himself with it and tick the checkbox, thus expressing his consent to provide the operator with information. The entire process of storing such information is regulated by laws on confidential data.

It is prohibited to transfer the data to a third party or to use it for purposes that were not originally specified.

For operators working with electronic media, the instructions will look like this:

  1. Access to data must be limited.
  2. Transmit information via encrypted channels.
  3. Have .
  4. Keep records of physical media, if any.
  5. Prevent leaks.
  6. Separately store information that is processed for different purposes.
  7. information after processing after 30 days of storage (preferably) or after six months (mandatory).

Companies can host data wherever is convenient for them, including in modern clouds.

The state clearly regulates the processes for storing personal data; all operators of such information must undergo a series of checks and prove their ability to provide information. In case of unauthorized distribution of or access to data, the operator bears civil, financial and even criminal liability.

The adopted law “On Amendments to Certain Legislative Acts of the Russian Federation (in terms of clarifying the procedure for processing personal data in information and telecommunication networks)” addresses not only the storage locations of databases with personal data of Russians, but also other aspects related to the legislation on personal data.

In 152-FZ, changes affected Art. 18 “Responsibilities of the operator when collecting personal data” (the operator, when collecting personal data of Russians, including via the Internet, must store it in databases located on the territory of the Russian Federation), as well as Art. 22 “Notification about the processing of personal data” (that it is necessary to notify the regulatory authority Roskomnadzor about the location of storage of databases).

Also, the adopted law gives Roskomnadzor the authority to maintain a register of violators of the rights of personal data subjects, limit access to information processed in violation of the legislation on personal data, and the ability to block resources. And, it must be said that formally the controlling body is already vested with such a right under 139-FZ. For example, on July 8, Roskomnadzor blocked the website telkniga.com with cell phone numbers of Russians.

Who will be affected by the law on storing personal data in the Russian Federation?

First of all, the law should affect large Russian companies that store personal data abroad. They will need to move their data centers to Russian territory, which will require large financial costs. After all, hosting on foreign resources is much cheaper. Therefore, it can be assumed that some companies will want to save money and try to circumvent the law. For example, create copies of only part of the database and continue to store the main database abroad. Technically, it is very difficult to determine that data is not stored in Russia. This raises the question of how the supervisory authority will monitor compliance with the law; this seems to be a non-trivial task. But many Russian companies, those for whom image is important and who strive to comply with all legal requirements, will place databases on the territory of our country.

Let's consider who else the adopted law may apply to. According to 152-FZ, the legislation on personal data applies to Russian operators and, in accordance with, to representative offices of foreign legal entities operating in the Russian Federation. That is, foreign companies that collect personal data of Russians, including using the Internet information and telecommunications network, are not covered by 152-FZ.

If you take any hotel in Turkey, on whose website personal data of Russians is collected, then access to it will be limited due to non-compliance with the requirements of our legislation. But it’s one thing when it concerns the website of some small hotel, and another thing when it comes to the website of a large company. For a hotel, transferring the database to the territory of the Russian Federation in order to comply with Russian legislation does not make sense from a rational point of view, since this will be too large a financial expense for it. But corporations such as Microsoft, IBM, EMC and many others will want to continue to work in the Russian market and will try to retain customers by creating data centers or renting existing ones. And this can be seen as a positive thing: the creation of data centers in Russia will entail the development of the domestic IT industry.

How will control over the processing of personal data change?

The signed law also makes changes to, removing from the scope of this law control and supervision over the processing of personal data and compliance with requirements in connection with the dissemination of information on the Internet information and telecommunications network. This means that if now Roskomnadzor can come to a company with an inspection only once every three years (this is regulated by 294-FZ), then with the law coming into force on September 1, 2016, it can do this at any time. At the same time, Roskomnadzor’s publication of the inspection plan for the next year will become optional, and, therefore, companies will not even know when they will be inspected. For ordinary small and medium-sized businesses, this change is more significant compared to the changes relating to the storage of personal data in Russia.

Lately, Russian legislation has been actively changing, especially in the field of personal data. And there is a possibility that the law, which will come into force on September 1, 2016, will still undergo some changes. Moreover, there are indeed many unclear points in it now, in addition to those listed.

Elena Republican, product expert