July of 2017 was marked by new changes to the Russian legislation on personal data protection (Federal Law No. 152-FZ of 27 June 2006 with changes and amendments which became effective on 1 July 2017). Changes have been introduced in relation to web-sites of all organizations and individual entrepreneurs processing personal information which includes full name, date and place of birth, address, civil and social condition, property status, education and occupation, information about user behavior on the web-site, geolocation information and IP-address.
“Informauditservice” expert dwells upon most important − from our point of view − novelties related to personal data processing on web-sites and explains how to deal with them to comply with the new legislative requirements and secure your business in Russia.
Server
First of all you have to make sure that the server is physically located in Russia. If not please take all necessary steps to move it to the Russian Federation territory.
Consent to process personal data
A number of new phrases and documents should appear on the web-site and be accessible to its users. First, this is the text of consent to process users’ personal data. Secondly, the personal data processing policy with references to local acts on the protection of personal data and respective information kept on paper in your organization. An e-mail should be provided in both cases where users can write if they wish to change or delete their personal information. Thirdly, the disclaimer (non-responsibility clause) should appear on all web-site pages saying that users’ personal data are being processed and that they should leave the web-site in case they do not want to provide their personal information. The fourth document to appear on your web-site is the document provided by your hosting service to confirm that the data processing center is located on the territory of the Russian Federation.
Notifying Roskomnadzor
You should notify the Federal Service for Supervision of Communications, Information Technology, and Mass Media (Roskomnadzor) about the personal data processing.
New requirements state that companies which are personal data operators should get registered with Roskomnadzor via the submission of a special notification (p. 3, article 22 of Federal Law No. 152-FZ). To do so, one is to fill out an electronic form on the Roskomnadzor personal data portal and submit it to the information system of the authorized body for protecting the rights of personal data subjects. In addition, the form should be printed out and certified, and then sent to the territorial Roskomnadzor body where the company is registered.
Agreement with the web developer
An agreement on personal data security with the web developer or the agency which provides technical support to your web-site is another very important thing. This agreement should state what personal data can be processed, what actions and for what purposes can be taken with regard to personal data. And it certainly should contain a requirement to protect personal information.
SSL-certificate
We would like to draw your attention to yet one more requirement. It is not obligatory but may help to prevent an attempt to replace your web-site with its duplicate. We are talking here about the installation of SSL-certificates. This certificate will help users to understand whether they are dealing with the original web-site on this domain or with its duplicate. The SSL-certificate has two more advantages: it makes it possible to check who the owner of the web-site is and also to install special encryption of the Internet connection. The encrypted connection is necessary to prevent identity theft when transmitting data in the Internet.
Fines
The new legislative norms introduce not only increased fines for the violation of requirements for collecting, keeping and processing personal data (Federal Law No. 13-FZ of 7 February 2017), but also a wider range of corpus delicti related to personal data processing in the Administrative Offenses Code of the Russian Federation (KoAP).
The following fines are envisaged for legal entities depending on the type of violation:
- Up to RUB 50,000 for the processing of personal data in cases which are not envisaged by the RF legislation on personal data, or for the processing of personal data which is not in line with the purposes for which personal data is collected
- (p. 1, art. 13.11 of КоАP).
- Up to RUB 75,000 for the processing of personal data without a respective written consent of the personal data subject in cases where the receipt of such a consent is required by the legislation and if such actions are not considered criminal offence; or for the processing of personal data which involves the violation of the requirements for the information contained in a written consent; for collecting, keeping and processing special personal data (information about health, religion, political views, etc.) without an evident consent for the processing of the data; for the absence of the list of third parties which can receive personal data in the consent or offer; for the violation of the requirements for the form of the consent to process personal data envisaged
- by p. 4, art. 9 of Federal Law No. 152-FZ (p. 2, art. 13.11 of KoAP).
- Up to RUB 30,000 for the absence of a generally accessible link to the organization’s personal data processing policy on the web-site or on the mobile application page (p. 3, art. 13.11 of KoAP).
- Up to RUB 40,000 for neglecting individuals’ requests relating to personal data processing or protection; for the failure to meet deadlines established by the law for replying to such requests; for the provision of false information (p. 4, art. 13.11 of KoAP).
- Up to RUB 45,000 for neglecting requests from individuals and Roskomnadzor to terminate personal data processing and to delete it; for the failure to meet deadlines set for replying to such requests (p. 5, art. 13.11 of KoAP).
- Up to RUB 50,000 for the absence of the list of persons who can process personal data; for the absence of separate storage of personal data (p. 6, art. 13.11 of KoAP).
The article is published on Право.ру