1. Within the meaning of the law under commentary, publicly available sources of personal data are sources to which access is not limited and which do not require the prior consent of the personal data subjects. Publicly available sources of personal data can be used by any person at their discretion, subject to the restrictions established by federal laws on the dissemination of such information.

Publicly available sources of personal data are created to meet the need for information support. Analysis of the current legislation shows that publicly available sources of personal data currently include: reference books, address books, encyclopedias, documents held in the open collections of libraries and archives, and the information systems of state authorities, local governments, public associations and organizations that serve the public interest or are necessary for the exercise of the rights, freedoms and duties of citizens. At the same time, modern science and practice have not yet developed effective criteria for clearly distinguishing between the publicly available and confidential segments of information.

Publicly available sources of personal data, which may include the surname, first name, patronymic, year and place of birth, address, subscriber number, information about profession and other personal data provided by the personal data subject, are created with the mandatory consent of the subject. In addition, the personal data subject has the right to demand that persons who distribute such information identify themselves as the source of such information.

The use of personal data from publicly available sources, in turn, excludes the possibility of deriving profit from it.

When publicly available personal data is processed, the obligation to prove that the processed personal data is publicly available rests with the operator.

2. To protect the rights and legitimate interests of the personal data subject, the legislator provides for the possibility of withdrawing personal data from publicly available sources. The data can be excluded either at the request of the personal data subject or by decision of a court or a specially authorized state body.

"Personal" - data that concerns a person, a personality, a biological organism.

Personal data - any information relating to an individual who is identified or identifiable on the basis of such information (the personal data subject), including surname, first name, patronymic, year, month, date and place of birth, address, family, social and property status, education, profession, income and other information;

The address is the registration at the place of residence or the place of stay.

Publicly available personal data - personal data to which an unlimited range of persons is given access with the consent of the personal data subject, or to which, under federal law, the confidentiality requirement does not apply.

Publicly available personal data is data for which voluntary consent has been given and which is posted in open access.

Site owners often request information at registration that you do not want to provide.

Confidential information - information provided strictly for certain purposes. Sometimes it can be collected without the person's knowledge.

Information centers are stored in the Ministry of Internal Affairs

- Personal - belonging to the person from birth

- Service-related - arising during work or service: class rank, etc.

- Provided voluntarily

- Provided under the general procedure in accordance with the law (compulsorily)

- collected without the consent of the citizen in accordance with the legislation

- Biometric (Dactyloscopic information)

- Processing of personal data - actions (operations) with personal data, including collection, systematization, accumulation, storage, clarification (updating, changing), use, distribution (including transfer), depersonalization, blocking and destruction of personal data;

- Distribution of personal data - actions aimed at transferring personal data to a certain circle of persons (transfer of personal data) or at making personal data known to an unlimited range of persons, including publication of personal data in the media, posting in information and telecommunication networks, or providing access to personal data in any other way;

- Use of personal data - actions (operations) with personal data performed by the operator in order to make decisions or perform other actions that give rise to legal consequences for the personal data subject or other persons, or otherwise affect the rights and freedoms of the personal data subject or other persons;

- Blocking of personal data - temporary suspension of the collection, systematization, accumulation, use and distribution of personal data, including their transfer;

The information posted on the Internet often cannot be blocked.

- Stored on a computer

- Posted on the Internet

It is hard to control where data is posted.

- Destruction of personal data - actions as a result of which the content of personal data in the personal data information system cannot be restored, or as a result of which the physical media carrying personal data are destroyed;

- Situations when archives have burned down

- Depersonalization of personal data - actions as a result of which it is impossible to determine to which specific subject the personal data belongs;

Personal data information system - an information system consisting of the personal data contained in a database together with the information technologies and technical means that allow such personal data to be processed with or without the use of automation tools;

Confidentiality of personal data - a requirement, mandatory for the operator or any other person who has gained access to personal data, not to allow their dissemination without the consent of the personal data subject or another legal basis;

Cross-border transfer of personal data - transfer of personal data by the operator across the state border of the Russian Federation to an authority of a foreign state or to an individual or legal entity of a foreign state;

- Publicly available personal data - personal data to which an unlimited range of persons is given access with the consent of the personal data subject, or to which, under federal laws, the confidentiality requirement does not apply.

1) legality of the purposes and methods of processing personal data, and good faith;

2) correspondence of the purposes of processing personal data to the purposes determined in advance and declared when the personal data was collected, and to the powers of the operator;

3) correspondence of the volume and nature of the processed personal data and of the methods of processing to the purposes of processing personal data;

4) accuracy of personal data, its sufficiency for the purposes of processing, and inadmissibility of processing personal data that is excessive in relation to the purposes declared when it was collected;

5) inadmissibility of combining databases of personal data information systems created for mutually incompatible purposes.

If someone has ever filled in a fingerprint card, it is held in the information center's databases. We cannot, for example, combine the databases on ordinary citizens and on persons who have committed a crime.

1) with the consent of the owner of personal data

2) without the consent of the owner of personal data.

This refers to persons occupying a certain position and position: military personnel, corpses

1) in the case of depersonalization of personal data;

2) in relation to publicly available personal data.

- limit access within your own organization

The operator bears personal responsibility for the distribution of personal data.

- establishing access restrictions both to premises and on the network (access control regime, card identification system)

For local networks - login + password

Access can be restricted using biometric information: fingerprint, retina.

- about racial affiliation

- About political views

- about religious or philosophical beliefs

- About health

- about intimate life

Their processing is possible only with the consent of the subjects.

1) the availability of written consent of the subject on their processing

2) if the personal data entity made them publicly available

3) If this information relates to the information necessary to protect life, health and other vital interests of the person

Such information may be provided for medical and preventive purposes - for example, in the case of a viral infection.

- concerns only civil servants and municipal employees.

The state authority has its own status, there are independent systems for processing information about state or municipal employees.

1) it is established which information is needed within its competence

2) There is also the Federal Law "On the State Civil Service", that is, this area is regulated not only by the law on personal data.

Information that characterizes the physiological features of a person and on the basis of which their identity can be established (biometric personal data) can be processed only with the written consent of the personal data subject, except in the following cases:

1) commitment

Biometric personal data can be processed without the consent of the personal data subject in connection with the administration of justice, as well as in cases provided for by the legislation of the Russian Federation on security, on operational investigation activities, on public service, by the penal enforcement legislation of the Russian Federation, and by the legislation of the Russian Federation on the procedure for departure from and entry into the Russian Federation.

- Collection of information from the suspect is illegal

Processing cross-border information.

It is possible to require in order to protect the citizens of the country where is transmitted, is collected only with the written consent of the subject.

1) the right of the personal data subject to access their personal data

Cannot call the Ministry of Internal Affairs Center (Chief Information Center and Zonal Information Center)

2) the rights of personal data subjects when their personal data is processed in order to promote goods, works and services on the market, as well as for political campaigning

The accuracy of the information will be checked by other persons.

3) the making of decisions based exclusively on automated processing of personal data. A person may not trust automated processing. You can require that your fingerprints be stored not only in a computer but also on paper.

- The Labor Code of the Russian Federation has a chapter dedicated to personal data.

Federal Law "On State Dactyloscopic Registration in the Russian Federation" of July 25, 1998 N 128-FZ

Personal data - any information relating to an individual who is identified or identifiable on the basis of such information, including:

surname, first name, patronymic,

year, month, date and place of birth,

address, family, social and property status, education, profession, income,

other information (see FZ-152, Article 3).

For example: passport details, financial statements, medical records, year of birth (for women), biometrics and other identifying information of a personal nature.

Publicly available sources of personal data (address books, lists and other information resources) may, with the written consent of the individual, include their surname, first name, patronymic, year and place of birth, address, subscriber number and other personal data (see FZ-152, Article 8).

Personal data is classed as restricted-access information and must be protected in accordance with the legislation of the Russian Federation. For the purpose of setting security requirements, personal data is divided into 4 categories.

Personal data operator - usually an organization, or more precisely a state or municipal authority, legal entity or individual that organizes and (or) carries out the processing of personal data and determines the purposes and content of that processing.

Personal data subject - an individual.

The operator is responsible for protecting the personal data of the subject in accordance with the current legislation of the Russian Federation.

To assign a typical personal data information system (ISPDn) to a particular class, it is necessary to:

II. Determine the volume of personal data processed in the information system:

volume 3 - the information system simultaneously processes the data of fewer than 1000 personal data subjects, or the personal data of subjects within a particular organization;

volume 2 - the information system simultaneously processes the personal data of 1000 to 100,000 subjects, or the personal data of subjects working in a sector of the economy of the Russian Federation or in a public authority, or living within a municipality;

volume 1 - the information system simultaneously processes the personal data of more than 100,000 subjects, or the personal data of subjects within a constituent entity of the Russian Federation or the Russian Federation as a whole;

III. Based on the analysis of the source data, a typical personal data information system is assigned one of the following classes (see Table):

Class 4 (K4) - information systems for which the violation of the specified security characteristics of personal data processed in them does not lead to negative consequences for personal data entities;

Class 3 (K3) - information systems for which the violation of the specified security characteristics of personal data processed in them can lead to minor negative consequences for personal data entities;

Class 2 (K2) - information systems for which the violation of the specified security characteristics of personal data processed in them may result in negative consequences for personal data entities;

Class 1 (K1) - information systems for which the violation of the specified security characteristics of personal data processed in them may result in significant negative consequences for personal data entities.

Information systems of personal data created before the day of entry into force of the Federal Law of the Russian Federation No. 152 "On Personal Data" should be aligned with the requirements of this federal law no later than January 1, 2010 (see FZ-152, Article 25).

This means that personal data operators who fail to meet the very strict requirements of FZ-152 will, from January 1, 2010, bear the relevant civil, administrative, disciplinary and possibly (God forbid) criminal liability.

All information systems commissioned after February-April 2008 (the date the methodological documents of FSTEC of Russia and the FSB of Russia were distributed) that do not meet the requirements of Russian legislation on personal data may incur this liability even earlier, for example, tomorrow morning.

Note. Amendments to the Criminal Code of the Russian Federation that substantially toughen liability for privacy violations will also take effect on January 1, 2010.

But as always happens, personal data operators were in no particular hurry, and few managed to do everything that is required. On December 16, 2009, the State Duma adopted in the third reading amendments to Articles 19 and 25 of the Law "On Personal Data" (152-FZ). The deadline for bringing personal data information systems (ISPDn) into line with this law was postponed by a year, until January 1, 2011. In addition, the amendments remove the provision obliging the operator to use encryption (cryptographic) data protection tools when processing personal data.

Main mandatory requirements for organizing the information protection system, depending on the class of a typical personal data information system:

For class 4:

The list of measures to protect personal data is determined by the operator (depending on the possible damage)

For class 3:

Declaration of conformity or

Obtaining a license from FSTEC of Russia for the technical protection of confidential information (for distributed K3 systems)

For class 2:

Mandatory certification against information security requirements

Obtaining a license from FSTEC of Russia for the technical protection of confidential information (for distributed systems)

For class 1:

Mandatory certification against information security requirements

Measures to protect personal data from PEMIN (side electromagnetic emissions and interference) must be implemented

Obtaining a license from FSTEC of Russia for the technical protection of confidential information

Sequence of actions for meeting the requirements of personal data processing legislation:

1) notification of the authorized body for the protection of the rights of personal data subjects of the intention to process personal data using automation tools;

2) pre-project survey of the information system - collection of source data;

3) classification of the personal data processing system;

4) construction of a system-specific threat model in order to determine which threats are relevant to the information system;

5) development of a system-specific technical specification for the personal data protection system;

6) design of a personal data protection system;

Persons guilty of violating the requirements of Federal Law 152-FZ "On Personal Data" bear the following liability:

- criminal (see Criminal Code of the Russian Federation, Article 137, 140, 155, 183, 272, 273, 274, 292, 293),

- administrative (see the Code of the Russian Federation on Administrative Offenses, Art. 5.27, 5.39, 13.11-13.14, 13.19, 19.4-19.7, 19.20, 20.25, 32.2),

- disciplinary (see Labor Code of the Russian Federation, Article 81; Article 90; Article 195; Article 237; Article 391),

and other liability provided for by the legislation of the Russian Federation (see the acts on working with personal data issued in the constituent entities of the Russian Federation, departments and organizations).

In December 2014, the State Duma adopted in the third reading a bill requiring the personal data of citizens processed on the Internet to be stored on servers in Russia. According to Roman Chuychenko, a member of the Committee on Information Policy, the main objective of the bill is to strengthen the information security of the country and its citizens. The measure was adopted in connection with the increasingly complicated international situation. The bill will come into force on September 1, 2015.

The entry into force of the new provision on the protection of personal data requires personal data operators to ensure:

  • timely detection of unauthorized access to personal data;
  • prevention of interference with the technical means that carry out automated processing of personal data;
  • the ability to respond promptly to unauthorized access and to immediately restore personal data that has been destroyed or changed;
  • continuous monitoring of the level of security of personal data.

Personal data information systems can also be classified by the "Scope of Processed Personal Data" parameter, which reflects the number of subjects whose data is processed in the information system and can take the following values:

  • simultaneous processing of the data of more than 100 thousand PD subjects (performed both within a constituent entity of the Russian Federation and in the Russian Federation as a whole);
  • simultaneous processing of the PD of from 1 to 100 thousand subjects (performed within a state body or a sector of the economy of the Russian Federation);
  • simultaneous processing of the PD of fewer than 1 thousand subjects (performed within a particular organization).

The division into categories makes it possible not only to determine the class of the personal data information system, but also to establish a set of measures for securing and protecting personal data on the Internet and when it is processed in information systems.

Every worker has the right to protection of their personal data (paragraph 9 of Art. 86 of the Labor Code of the Russian Federation).

In accordance with Art. 89 of the Labor Code of the Russian Federation, each employee has the right to:

  • free access, at no charge, to their personal data, including receiving a copy of any record that contains the employee's personal data;
  • appoint a personal representative to protect their personal data;
  • obtain full information about their personal data and its processing;
  • demand the exclusion or correction of personal data that contains incorrect information or was processed in violation of the requirements of the legislation;
  • appeal in court against unlawful actions of the employer, as well as its inaction, in processing and protecting personal data.

Based on paragraph 2 of Article 86 of the Labor Code of the Russian Federation, the volume and content of the employee's personal data are determined by the employer in accordance with the Constitution of the Russian Federation, the Labor Code and other federal laws. As a rule, the employer's document flow in any organization involves two main types of documents:

  1. Documents that the employee provides when concluding an employment contract (Article 65 of the Labor Code of the Russian Federation). This category includes documents containing the employee's photograph, name, place and date of birth, citizenship, marital status, place of registration, education and specialty (passport, state pension insurance certificate, military ID, etc.).
  2. Documents that the employer produces independently (primary accounting documentation for recording and paying for labor). This category includes orders or instructions on hiring an employee, terminating the employment contract or rewarding an employee, the personal card, and wage documents.

It should be noted that some sanctions for particular offenses apply to individuals and officials as well as to legal entities.

In accordance with Article 150 of the Civil Code of the Russian Federation, privacy and personal and family secrets are among the inalienable intangible rights protected by the laws in force.

It should be noted that the rights and obligations of an employee who works directly with the personal data of other employees are determined by the terms of the employment contract and by the local regulations that establish the employee's job function and list of official duties.

Administrative liability for violating the procedure for collecting, storing and distributing personal data entails a warning or a fine of: 300 to 500 rubles for individuals; 500 to 1000 rubles for officials; 5 to 10 thousand rubles for legal entities (Article 13.11 of the Code of Administrative Offenses of the Russian Federation). Administrative liability for disclosing information protected by law in the course of official or professional duties entails a fine of: 500 to 1000 rubles for individuals; 4 to 5 thousand rubles for officials (Art. 13.14 of the Code of Administrative Offenses of the Russian Federation).

A violation of privacy, in particular of personal data, by a person using their official position is punishable by:

  • a fine of 100 to 300 thousand rubles, or in the amount of the offender's wages or other income for 1-2 years;
  • deprivation of the right to hold certain positions for a period of 2 to 5 years;
  • arrest for a period of 4 to 6 months.

Confirmation of permission to process personal data is now requested when concluding contracts, filling out questionnaires and registering on websites. Most citizens agree automatically, although personal information about a person in the hands of unscrupulous persons is a powerful and dangerous weapon. The article explains what you need to know about personal data and about giving third parties access to it.

The state regulates the sphere of personal data through a number of regulatory acts. The foundation is the Constitution of the Russian Federation; the core is FZ No. 152 of January 27, 2006. The law clarifies what counts as personal data. The term means information that directly or indirectly characterizes the subject of PD, an individual. In simple terms, it is information from which you can determine exactly which particular person is meant.

Personal data is mentioned indirectly in the Russian Constitution. Articles 23-24 of the Basic Law give citizens the right to the secrecy of private life, its inviolability and protection. Everything included in the concept of personal data belongs only to its bearer and cannot be controlled by the government or third parties. Citizens themselves dispose of this information, prevent its spread or, on the contrary, pass it on to others. The state, for its part, guarantees and protects this opportunity.

FZ No. 152 defines who is entitled to use personal data besides its bearer, under what conditions and by what rules. Only operators, with the subject's permission, can receive and process personal information about the subject. A citizen signs consent to the processing of PD when applying for a loan, filling out a questionnaire or starting a job.

Operators get access to the volume of data that is required to solve their tasks. They do not have the right to store and use them after the goal is achieved. For example, the employer must destroy the records, questionnaires - everything that belongs to the personal data of the employee, after his dismissal. Otherwise, threatens responsibility for

The norms of FZ No. 152 must be followed by all legal entities and individuals. Special rules apply when PD:

  1. is obtained for personal or family needs, if this does not infringe the rights of third parties;
  2. is contained in archival documents;
  3. constitutes a state secret;
  4. going on a judicial act.

Other legislative acts clarify the provisions on PD for different situations and introduce a system and classification of protection measures. For example, Ch.14 of the Labor Code of the Russian Federation sets out the concept of the personal data of the employee. This is information that characterizes the person as an employee of a certain organization (salary, length of service, qualifications, information from the FTS and the FIU, etc.) and their professional qualities. It should be used and kept in order to help the employee perform their job duties, gain experience and knowledge and advance in their career, and to protect the personnel and property of the company.

FZ No. 152 distinguishes several types of personal data. They can be ordered by degree of "secrecy" and by how difficult they are for third parties to collect and use:

  • impersonal;
  • general;
  • biometric;
  • special.

General personal data

General personal data is the main information about the person. These include:

  • place of registration and accommodation;
  • passport details;
  • education;
  • contact details;
  • information about work;
  • income size, etc.

The purpose of processing PD in an organization is to formalize the employment relationship with the employee. Without signed consent to PD processing, the employer has no right to enter into an employment contract.

Not all of them can be attributed to PD. For example, the law does not define exactly whether a phone number is personal data. Roskomnadzor, in response to an appeal from citizens, explained that a person cannot be accurately identified by the number alone. By itself it is not personal data, but in combination with the name of the owner and the city of residence it is PD. Therefore, sending SMS messages without consent is not considered a violation of FZ No. 152.

General PD is contained in the passport, military ID, diploma, the employee's personal card, the employment record book, etc. Written permission is not necessary to obtain this data; indirect consent is sufficient, for example a tick against the relevant item of an online questionnaire. The relative ease of access often brings problems to the subjects of PD, ordinary citizens: from intrusive advertising to blackmail and forged loan applications.

The private life of a citizen, which also includes various kinds of secrets (medical, tax, the secrecy of adoption and others), is protected from disclosure by Article 137 of the Criminal Code of the Russian Federation.

Biometric PD

Biometric data is the physiological and biological characteristics of the subject: fingerprint images, blood type, height, eye color, weight, DNA analysis, etc. This includes information that can be obtained from a photo or video of the person. Biometric PD is often needed for medical treatment, when taking a job in government agencies, and when applying for foreign-travel passports and visas.

Special PD

Race and nationality, religion, philosophical beliefs, health status, existence, intimate life, sexual preferences relate to special data. They are contained in medical certificates, personal affairs, etc.

Special PD is required for participation in political activities and for entry into the armed forces. Third parties can get access to this data only with the permission of the subject.

Why do I need a law on personal data?

Publicly available PD is available to any interested party. Sources of information can be:

  • address books;
  • reference books;
  • registries;

Public information that is considered personal data is, for example, the revenues of political figures, representatives of the federal or municipal authorities, officials in senior positions.

In November 2016, the first meeting of the Presidential Administration working group was held on applying the provisions of FZ No. 152 to so-called Big Data. This is the data a user leaves on the network: IP address, authorization forms, browser history, and information accumulated about the owner by gadgets and smart household appliances.

Big Data, on the one hand, directly or indirectly points to a person, that is, it falls under the definition of PD. At the same time, lawmakers do not consider Internet data to be the property of the individual, since the individual cannot control it.

The displaced data include:

  • Surname, first name and patronymic;
  • Nickname / login subject on the Internet;
  • Email address (without binding to FULL NAME);
  • Position, place of work (without personal data).

Public data includes information about the subject that can be obtained from open sources of information, for example a telephone directory or address book. Data is entered into such public databases with the written consent of the subject. The distinguishing feature of publicly available personal data is that it can be placed in open sources of information. That is, if the contact details of officials, such as those dealing with the training and hiring of personnel, are given in a contact directory, such data is considered publicly available.

When forming personal data information systems (ISPDn), it is recommended to be guided by the order of FSTEC, the FSB and the Ministry of Information Technologies and Communications of the Russian Federation No. 55/86/20 from 13.

Inappropriate use of such information is punishable by law. The law on the protection of personal data protects not only individuals but also legal entities.

Few would like it if information about a company's financial affairs or its employees' data were available to anyone who wants it. This would greatly simplify life for fraudsters, which neither ordinary citizens nor law enforcement officers would welcome.

For example, the law does not define exactly whether the phone number is personal data. Roskomnadzor in response to the appeal of citizens explained that only by number it is impossible to accurately identify a person.

By itself, he is not personnel, and in a bundle with the name of the owner and the city of residence refers to PD. Therefore, the inconsonted distribution of SMS messages is not considered a violation of FZ No. 152.

General PD is contained in the passport, military ID, diploma, employee personal card, employment record book, etc. Written permission is not required to obtain this data; indirect permission is enough, for example, a tick next to the relevant item of an online questionnaire.
The relative ease of access often causes problems for the subjects of PD, that is, ordinary citizens: from intrusive advertising to blackmail and forged credit applications.

For example, the following:

  • need to store backup copies of the entire database;
  • a specialist is needed to administer the information system;
  • spending on specially designed equipment and software will be required;
  • an employee who processes personal data should be extremely visible.

What methods are used to effectively protect employees' personal information?

  • Make the premises in which personal data is processed completely closed to other employees.
  • Employees must obtain special permission to receive any information.
  • Data storage must be clearly organized.

Since each of the methods has both disadvantages and benefits, employers as a rule combine them.

Salary is not a commercial secret, because it is part of the wage system. But this does not exclude it from the list of PD, for disclosing which an employee can be dismissed under the Labor Code.

And if the employee challenges this decision in court, the employer is obliged to prove that the disclosed information is a secret that the employee undertook not to reveal to anyone.

Types of personal data can be classified by:

  • The content they hold:
  • The category that covers the list specified in Art. 10: race, nationality, religion, health, personal life, political beliefs. Under FZ-152 there are restrictions here, namely, access is possible only with the written permission of the owner.

Are wages personal data or not?


For purposes of information support, publicly available sources of personal data (including reference books and address books) can be created. With the written consent of the personal data subject, publicly available sources of personal data may include the subject's surname, first name, patronymic, year and place of birth, address, subscriber number, information about profession and other personal data reported by the personal data subject.

(as amended by Federal Law of July 25, 2011 N 261-FZ)

2. Information about the personal data subject must at any time be excluded from publicly available sources of personal data at the request of the personal data subject or by decision of a court or other authorized state bodies. (as amended by Federal Law of July 25, 2011 N 261-FZ)

  • Biometric. Data that characterizes a person's physiology.
  • Non-biometric. Data that is not biometric.

Types of personal data

Into what types is personal data divided? What belongs to them? It is important to understand that all information kept at the enterprise about a particular employee can be viewed from two different points of view.

  • Data on the employee's marital status and family (individual family members), namely: dependents, children, their age and number, state of health.
  • Information about a specific employee, namely: full name (passport), profession, health condition, as well as any particular circumstances.

The head of the enterprise is obliged to issue a local regulatory act that sets out the procedure for storing personal data.

Responsibility for disclosure

It is important to bear in mind that 152 FZ "On Protection of Personal Data" provides only for administrative liability of the enterprise for disclosing an employee's personal data. So, if an organization is unable to guarantee its employees absolute protection of their personal information, it faces only a fine. Moreover, the amount of the fine for improper storage of personal data is absolutely laughable. In general, fines range from five to ten thousand rubles. Of course, that holds only when we are talking about single payments. As a rule, enterprises with this problem have multiple violations, and so the amounts of the fines increase significantly. However, monetary costs are far from the most important consequence of misusing personal data. It hits the company's reputation.

  • the need for additional storage resources, such as special premises, equipment, safes, and so on;
  • labor intensity;
  • paper documentation requires special skills.

Sometimes personnel departments prefer to store the information about a single employee separately (in various thematic folders). So, all employment contracts, questionnaires and other documents for all employees at once are stored separately. They are numbered for more convenient searching. This method is less labor-intensive than the one described above and does not require any special skills from the personnel officer. Nevertheless, it is not without flaws.

Notification of personal data processing

A very frequent operator error is notifying about the processing of PD when this could have been avoided. And if you have still decided to notify Roskomnadzor, here are some recommendations:

  • Read Part 2 of Article 22 of the Federal Law of the Russian Federation of June 27, 2006 N 152-FZ "On Personal Data" very carefully.

  • Look at the data that you process. In some cases you will need to make adjustments to the PD carriers.

One of the reasons why it is possible not to notify about the processing of PD is given in paragraph 2 of Part 2 of Article 22 of the Federal Law, and it looks like this: take, for example, establishing a business relationship with an individual in order to provide a service.

So that you would know when everything is ready and would not have to travel a few tens of kilometers for nothing, the prudent craftsman took your phone number to pass on the good news.

When posting information about themselves on social networks, not all of our citizens understand that it can be used to compile a profile of them. The National Bureau of Credit History ("NBKI") was actively engaged in collecting and processing such information.

In May 2017 the Arbitration Court of the city of Moscow considered case No. A40-5250/17, in which the court had to assess the lawfulness of processing such personal data.

In August 2016, the Roskomnadzor Office for the Central Federal District carried out a scheduled inspection of National Bureau of Credit History JSC ("NBKI") for compliance of its personal data processing with the requirements of legislation.

Based on the inspection results, an inspection report was drawn up and an order was issued to eliminate the identified violation.

NBKI appealed to the arbitration court, considering the order unlawful and in violation of the company's rights and legitimate interests in the field of entrepreneurial and other economic activity in two respects. The first is the requirement to include in the notification to the authorized body the information about individuals (customers or potential customers of a financial organization) that is taken from open sources and passed to the financial organization using the Double Data Social Link service (a web link, the result of searching for a client or potential client) and Double Data Social Attributes (processing the profile of the person sought in open sources of information) (paragraph 1). The second is the finding that the law was violated by the lack of consent to the processing of the personal data of a client or potential client of a financial organization contained in open sources (social networks: VKontakte, Odnoklassniki, Moi Mir, Instagram, Twitter; Internet portals Avito and ...) as part of providing services based on the Big Data service (i.e. "Big Data").

Position of the Arbitration Court of the city of Moscow

In this case, the court noted that the processing of personal data is allowed, in particular, in the following cases:

  • PD is processed with the consent of the PD subject to the processing of their personal data (paragraph 1 of part 1);
  • The personal data being processed is data to which the PD subject has given an unlimited range of persons access, or to which such access has been given at the subject's request (personal data made publicly available by the PD subject) (paragraph 10 of part 1).

Thus, for personal data to count as made publicly available by the PD subject, two conditions are necessary:

  • The personal data is available to an indefinite circle of persons;
  • The personal data was provided directly by the subject.

Without the written consent of the PD subject, it cannot be claimed that the data was provided by the subject.

According to the court, personal data made publicly available by the PD subject can be found only in publicly available sources of PD.

The court concluded that information about the subject (including personal data) contained on social networks (on the Internet) cannot be classed as PD made publicly available by the subject, since social networks are not a publicly available source of PD within the meaning of Article 8 of the Law.

The court also noted that information posted by its owners on the Internet in a format that allows automated processing without prior modification by a person, for the purpose of its reuse, is publicly available information posted in the form of open data (Article 7 of the Federal Law of 27.07.2006 No. 149-FZ "On information, information technologies and information protection").

Well, here the court got slightly carried away; open data is a completely different story!

The court concluded that the personal data processed by NBKI JSC in social networks had not been made publicly available by the PD subject, and that the applicant's actions therefore involve violations of Part 3 of Article 2, and paragraph 1 of Part 1 of the Federal Law of July 27, 2006 No. 152-FZ "On Personal Data".

The Arbitration Court refused in full to grant the application of NBKI JSC to invalidate paragraphs 1 and 4 of the order of the Roskomnadzor Office for the Central Federal District.

Position of the Ninth Arbitration Court of Appeal

In July 2017 the Ninth Arbitration Court of Appeal noted that the Company is included in the register of operators engaged in the processing of personal data under number 08-0031682.

As part of this type of activity, the Company processes the personal data of customers and potential customers of financial organizations contained in open sources (social networks: VKontakte, Odnoklassniki, Moi Mir, Instagram, Twitter; Internet portals Avito and ...). The Company does not have the customers' consent to the processing of such data.

The Company believes that it has the right to process personal data about persons without their consent. According to the court, the Company fails to take the following into account.

According to the Court of Appeal, the personal data processed by the Company that is contained in open sources (social networks: VKontakte, Odnoklassniki, Moi Mir, Instagram, Twitter; Internet portals Avito and ...) is not publicly available. Within the meaning of the Law on Personal Data, placing personal data in these open sources does not automatically make it publicly available. Consequently, processing such data without the consent of the subject is not allowed.

The Ninth Arbitration Court of Appeal left the decision of the Arbitration Court of Moscow unchanged and dismissed the appeal.

In November 2017 the Arbitration Court of the Moscow District left unchanged the decision of the Arbitration Court of the city of Moscow and the resolution of the Ninth Arbitration Court of Appeal, and dismissed the cassation complaint.

Position of the Supreme Court of the Russian Federation

In January 2018 a judge of the Supreme Court of the Russian Federation (Ruling No. 305-kg17-21291) refused to transfer the cassation complaint of the National Bureau of Credit History for consideration by the Judicial Board on Economic Disputes of the Supreme Court of the Russian Federation.

My comment: Processing information from social networks is a widespread method of collecting and analyzing information about people and organizations, and nowadays only the lazy do not collect such information about their clients and counterparties. The harsh truth of life is that anyone who does not check potential employees, customers and counterparties in this way is in fact not showing due business diligence. Those who are styling try to speak less about this and, if possible, not to utter the words "personal data".

The collection of information about citizens inevitably leads to the problem of the legality of such actions, since any information about citizens is their personal data.

I note that whatever regulations Roskomnadzor issues, if obtaining such information allows commercial organizations to seriously reduce the risk of financial losses, they will still continue processing it. Well, except with some more lawyers who come up with legal "cover" for this activity :)