Who is a personal data operator? Not everyone knows what kind of activity this is. Meanwhile, in the age of technology, it is increasingly in demand. This article explains who a personal data operator is. To make it clearer, let's start with the definition.


A personal data operator is an individual or legal entity, or a municipal or state institution, that receives and processes personal information and determines the goals and procedures for dealing with the data provided.

The operator has the right to work autonomously, and may turn to third parties for help. The latter in this case are also considered operators.

What is personal data?

We have established who processes personal information: a personal data operator. But what is meant by personal data? The law does not contain a list that clearly answers this question. As a rule, passport data, identification number, seniority, place of registration and residence, place of work, family composition and education are treated as personal information. In rare cases, this may include data on benefits or health status.

In fact, the operator of personal data is an institution that accepts personal information from a person. Even if this is only passport data, the organization is still considered the operator of personal data.

Some well-known examples of such operators can be given: banks that work with clients and information about taxpayers, and travel agencies. This also includes sites that require subscriber information for registration and stores where discount cards are issued. The list also includes clinics that have access to medical records. This list is not exhaustive; it is simply impossible to list all the organizations and institutions that process personal information.

Where information is contained

Naturally, information in such a volume has to be kept somewhere. For this reason, a registry of personal data operators has been introduced. This is a dedicated Roskomnadzor database, which lists all legal entities and individuals that are considered operators.

To be included in the database, it is enough to file with Roskomnadzor yourself by submitting a written application or sending an email. You can also notify the authorities on company letterhead. This procedure was described in detail in the order of the Ministry of Communications of Russia of 2011.

Since all operators are included in the register of personal data operators, they are obliged to notify Roskomnadzor of all changes that relate to operations with personal information and its processing. Roskomnadzor, in turn, supervises the work of operators and periodically conducts checks.

The list of personal data operators of Roskomnadzor is available to everyone; it can be viewed on the official website of the service.

By the way, the body cannot refuse to enter a legal entity or an individual in the register. If this happens, then the service violates the law, which means that a fine is imposed on Roskomnadzor. The size of the fine can reach five hundred thousand rubles.

Operator Responsibilities

Like any activity, work with personal information is subject to obligations and rights. Consider the responsibilities of personal data operators.

Roskomnadzor obliges operators to notify the service that they have begun to process information. This obligation is imposed in accordance with Section 22 of the Law on Personal Data. The notification should contain the following information:

  1. Operator's address, name or first name, last name, patronymic.
  2. The basis for the processing of personal information.
  3. The category of personal information.
  4. The category of the subject whose personal data is to be processed.
  5. Link to regulatory documents that allow you to process information.
  6. A list of actions that the operator will perform with personal data, as well as a description of the methods that it will use in the process.
  7. Measures taken to protect information.
  8. The name of the legal entity or the name, surname and patronymic of the individual responsible for organizing the processing. In addition, you need to specify contact numbers, email address and postal address.
  9. The date on which data processing begins.
  10. The terms of the processing and the conditions under which it is terminated.
  11. Information on whether or not cross-border data transfer occurs during processing.
  12. Information about where the database is located, which contains personal information of citizens of our country.
  13. Data on ensuring the security of information and whether it complies with the requirements established by the government of our country.

This does not mean that personal data operators must notify Roskomnadzor in every situation. There are times when doing this is not necessary. For example, there is no need for notification if the employer processes information about its employees. This also includes the situation when a contract is concluded with a client for something. In this case, the rule only works until the information is provided to unauthorized persons without the consent of the client. A notification is also not required from those who draw up a one-time pass to some territory, process data that is in the public domain, or use only the person's name, surname and patronymic.

The registry of personal data operators of Roskomnadzor imposes an obligation to ensure the confidentiality of personal information. That is, no information about a person may be disseminated without his consent. This is one of the main requirements for operators.

Employer Responsibilities

There are points that employers must observe when transmitting data:

  1. Do not disclose information about the employee to third parties without his consent. It is important to remember that consent must be given in writing. But this does not apply to situations where disclosing the information helps to prevent a threat to the health and life of the employee, or where data is required to be transferred to public services. The latter include the Pension Fund, law enforcement agencies, the Federal Judicial Service, military commissariats, prosecutors and other bodies.
  2. Warn individuals who receive personal information that it can only be used for its intended purpose. By the way, the employer has every right to demand confirmation of compliance with this rule.
  3. Transfer personal data only within one enterprise or with one entrepreneur. This should be in accordance with an internal document that the employee has reviewed and signed.
  4. Allow only authorized persons to deal with personal information. This does not mean that these people can request any information; they have the right to use only the data that is needed to perform certain tasks.
  5. Do not raise the issue of the employee's health if it does not affect his direct work responsibilities.
  6. Limit the information that a representative of an employee receives to only what is needed to perform the functions indicated by the representative.

All these norms are defined by the law "On Personal Data" and some articles of the Labor Code. Let us return to the register of personal data operators of Roskomnadzor and their responsibilities.

Other duties

We have already mentioned what operators must do. Let us return to this question.

Operators are required to take measures to ensure the security of personal information. For this purpose, the company selects the person who is responsible for organizing the processing of personal data. This person should control the performance of duties by the operator of personal data and the operator's compliance with the security requirements for the use of information. The same person must familiarize the employees involved in the processing with new amendments to the Law "On Personal Data", as well as with internal acts on processing issues. He is also charged with organizing the reception and processing of appeals and requests from people whose data is being processed. In addition to the briefing, it is necessary to monitor the use of technical means of ensuring security and publish documents that govern the enterprise's policy on this issue.

As for the policy of the operator of personal data, it should be public. For this, the document is posted on the operator's website, and everyone who needs it can familiarize themselves with it. If there is no site, then you can set up a stand with the necessary information in a place where all customers and visitors of the organization can familiarize themselves with it.

It is important to remember that for those personal data operators whose documents are requested via the Internet, the only possible option is publication on the site. On the website of Roskomnadzor you can find information regarding the operator's policy.

The enterprise's policy is often confused with the regulations on the storage, protection and processing of personal information. The latter document is considered an internal act, so only employees of the enterprise read it, after which they sign it.

Another responsibility of the operator is to comply with the requirements for the localization of personal information of citizens of our country. Since 2015, all operators collecting personal information are required to process it using databases that are located in our country. When the law was passed, a lot of ambiguities remained, but over time they were resolved. Now it is precisely known that, for example, operators of personal data on communication are obliged to use information databases.

The last obligation is the need to stop processing personal information in time. If the information was used, and the person whose data was processed decided to cancel the consent to the processing, the operator should stop processing the data and delete it within a month. It is important to understand that a different term may be specified in the agreement, which is why it is so important to read the documents.

Operator Rights

In addition to duties, operators have their own rights. True, they are few, but they should not be forgotten. The list of operators of personal data gives the latter only one right: to receive information about changes in the law if they relate to personal data.

Who joins the database

We have already said above that not everyone needs to enter personal data into the registry of operators. Who should file a notice?

  1. Internet resources. This includes portals, social networks, forums, because registration requires personal data, albeit a little.
  2. Online Stores. They need it, because buyers leave a contact phone number for a call back or a mailing address when ordering.
  3. Sites that publish information about the subject or send it by e-mail. Sites that already contain personal information also belong here.
  4. Organizations, companies or entrepreneurs engaged in continuous data processing. These are accounting and legal offices, travel agencies, housing and communal services, registrars, medical institutions and banks, educational institutions, companies that provide maintenance services and issue club cards.
  5. Organizations that work under civil law contracts with non-staff employees.
  6. Firms that use CRM systems.

Attention! Roskomnadzor may block the Internet resource if the latter violates the law in the field of data processing.

Is the employer an operator or not?

We have already indicated that everyone should make changes to the register of personal data operators, but there are still different opinions about employers. As a rule, they are ranked as personal data operators, but there are some exceptions. For example, these are managers who store and collect information only in order to draw up an employment contract or internal order in accordance with the law.

Who is not considered an operator

Registration of a personal data operator is not necessary for all people and organizations. Who can do without it?

  1. Telephone companies that use subscriber data only to provide communication services.
  2. Religious and public organizations that use personal information about members only for the purposes specified in the constituent documentation.
  3. Institutions and persons who use the data that the subject has disclosed independently.
  4. Companies for which one-time passes are issued.
  5. State personal data systems that are created to protect and maintain public order.
  6. Organizations that process data without automated systems.
  7. Transport companies that receive travel information.

It is important to understand that it does not matter to Roskomnadzor whether an organization or a person is included in the register of operators that process personal data or not. The service has the right to pay a visit to any institution. That is, even those who, from the point of view of the law, are not considered operators can be held responsible for non-compliance with the requirements for the protection of personal data.

How to get the right to process personal information

To ensure the security of the transfer and storage of personal information, a procedure was developed for obtaining a license and certification for organizations that store and collect data.

To get a license, it's not enough to send employees to training; you still need to purchase technical protection. Obtaining a license takes place in several stages:

  1. Sending a notification to the register of personal data processing operators regarding the existing intention to process.
  2. Passing a preliminary examination of the enterprise's information systems.
  3. Designing a security system taking into account the infrastructure of automation and computer equipment.
  4. The acquisition and implementation of protective equipment.
  5. Bringing the premises in accordance with the requirements for protection, fire safety, power supply.
  6. Conducting training for employees or improving their skills in the field of personal information protection with subsequent certification.

If all points are observed, then the storage and protection of personal information will be effective.

It is important to understand that all points relate to the processing of information in electronic form, although this method cannot be called safe for stored data.

Checking the activities of operators

The operator that processes personal data is periodically checked by Roskomnadzor. A check can be carried out according to the plan, or on the complaint of a person who suffered from illegal actions of the operator.

Three departments control compliance with the law on the processing of personal data:

  1. Roskomnadzor. It verifies compliance with the regulatory requirements of the legislation and is also responsible for conducting the audit.
  2. Federal Service for Export and Technical Control. This service protects data that resides on computers within the organization and their transmission channels. The latter occurs only in cases where the information is not encrypted.
  3. Federal Security Service. It controls the encryption means used for the transmission and processing of personal information. It also develops and distributes these tools.

You can check which organization one or another operator belongs to. To do this, go to the website of Roskomnadzor and find the registry of operators.

To see the information, you just need to enter the registration number of the company or its name. A tax identification number will do.

You can also find out how legitimately information is being requested. If the company is not listed, then you can contact Roskomnadzor. It will either include the company in the registry or prohibit illegal activities to collect personal data.

The audit is carried out on the basis of an appeal from citizens or at the initiative of a departmental body, for example, the prosecutor's office. For violation of the processing and storage of personal information, liability is provided. The punishment can be administrative, criminal or disciplinary; it all depends on how serious the violation is.

How to protect yourself?

However, people should not be inactive either. After all, our own well-being depends on ourselves. In the article, we talked about how you can check whether an organization is in the registry or not. Use this information, do not give consent to the processing of data by questionable institutions, and then you will not have to prove that your rights are violated. The trouble for most of us comes from inattention, and all because we are not used to reading documents before signing them. Meanwhile, this needs to be taught from the cradle, as well as taking care of the legal knowledge of the child. The sooner we start preparing children for adulthood, the easier it will be for them.


