What is the personal information posted online. Assessment of the level of digital literacy

The Law "On Personal Data" was adopted several years ago. If a site has no privacy policy and consent to the processing of personal data has not been obtained, fines are provided for, and they can be added together.

Personal data is any information directly or indirectly related to a specific natural person.

What exactly on a site counts as collection of personal data:

  • Subscription form, where the user enters a nickname and email.
  • Feedback form, where the user also specifies a name (often made up) and an email. In judicial practice there is a case in which a feedback form containing only a name and a message was deemed to collect personal data.
  • Comments and messages on the site when a name and email are required.
  • Registration on the site with details entered in a personal account (address, city of residence, full name, email, year of birth).
  • Ordering goods through the site or buying in an online store without registering: the user indicates a name and phone number, sometimes an email.
  • Callback form, where the user provides a name and phone number.
  • Refunds, i.e. returning money for purchased goods. The user specifies their full name and bank details.
  • Questionnaires, tests and surveys based on the results of trainings or purchases: full name and email.
  • Applications for offline events (holidays, parties, weddings, etc.). Here the user indicates their contact information.
  • Reviews on the site. A user photo and email are personal data collection.
  • Personal data in an article about a person, for example in an interview where they are asked about details of their personal life.
  • Application to publish an advertisement on a classifieds or media website.

On your Internet resource you need to determine where your personal data collection points are. Even if you are a natural person who owns the site, you are still a personal data operator, which means you fall under the Federal Law "On Personal Data" and bear responsibility. The only plus is that fines for natural persons are small, in contrast to those for individual entrepreneurs and legal entities.

Roskomnadzor monitors compliance with the applicable law on all sites. The site owner sends it a notification about the processing of personal data, and a register of operators is maintained based on these notifications. The agency also considers all user complaints about the illegal use of their personal information. Some users even sue.

How do we process personal data?

On the site:

It is better to make the consent a separate document. If your site has several places for entering personal data (registration, comments, reviews, subscription), then there should be several versions of the consent, one for each case.

The consent must indicate the specific volume of processed personal data, in what form and for what purposes they will be processed. The goals can be different: targeted advertising, mailing, customer feedback, market research, money back for goods, if it is an online store.

Consent text on the site

I consent to the Site Administration for _______ (processing methods) of the following personal data: _______ (name and email), for the purposes of _______ (for example, sending information about site news, new services, special offers, other useful information from the Administration of the resource or its partners).

Consent to the processing of personal data is not indefinite, it can be revoked at any time.

Roskomnadzor notification. The notification can be sent by email or by registered mail, after which you are included in the unified register as a personal data operator.

You do not need to send a notification if you only process the user's full name, if their data is publicly available, or if you are acting under a previously concluded agreement (on the website) and do not distribute the information to third parties.

It is possible to store personal data of citizens of the Russian Federation only on the territory of the Russian Federation. By law, only domestic hosting can be used.

You must delete or change personal data at the request of its subject, or upon completion of the contract with the user. It is better to do this at the first request, otherwise the person may complain to Roskomnadzor about the site or go to court.

Privacy policy. It is better to make it a separate document and place the link in the footer of the site so that it can be accessed from all pages of the resource.

Privacy policy

The main provisions of the document:

  • in what cases the user gives personal data to the Site Administration;
  • two types of information are collected: information that the user provides themself and technical information (IP address, browser, software, screen resolution, gender, age, location, etc.);
  • what data we receive from the user and where on the site (subscription form, registration, commenting);
  • personal data provided when using certain services on the site, when filling out a form on a specific page, or when submitting a claim;
  • card details used to pay for goods are not available to the site administration and are processed by a payment integrator (Interkassa, for example);
  • rules for registration on the site through social networks;
  • if the site identifies users through cookies, this must be disclosed;
  • a guarantee of the safety of users' personal data and of non-transfer of data to third parties without the users' consent; where possible, specify the cases in which personal data is transferred;
  • for what purposes personal data is collected;
  • data processing period: from user registration until deletion of the account from the website;
  • where to contact if the user wants to delete their personal data (indicate the administration's email);
  • the user can change, supplement or partially delete their data, and how to do it;
  • information about mailings to users and the ability to unsubscribe.

User registration on the site _______ can be carried out through the social network ______. This registration method is chosen by the user themself by performing actions on the site at the time of registration.

When registering through the social network _____, the site, in order to automatically fill in similar data about the user and to optimize the site filter according to the appropriate criterion, collects the following information about the user from the social network: full name, nickname, gender, location (city, town).

Penalties

Penalties effective from January 1, 2017 for violation of legislation in the field of personal data.

As you can see from the table, fines for natural persons are small, so many webmasters do not bother implementing the law on the collection and storage of personal data.

Notification to Roskomnadzor

The notification is submitted before the processing of personal data begins. It is submitted simultaneously via the Internet (email) and sent by registered mail with a list of attachments and a return receipt to the territorial body of Roskomnadzor (addresses on the official website).

The notification is sent once, but if some information has changed, it is necessary to send an information letter about the changes in the information in the register by the operator of personal data.

After filling out the form on the website, you receive a notification number and a secret key. From it you can find out when you will be included in the register of personal data operators.

If you are in a contractual relationship with someone or provide services on the site, you do not need to notify Roskomnadzor.

  • Where you are sending this notification.
  • Operator type:
    • natural person (indicate full name);
    • legal entity (full name, abbreviated name, branches).
  • Operator's address: legal and postal address for legal entities, TIN, OGRN or OGRNIP for individual entrepreneurs, references to OKVED codes.
  • Legal basis for the processing of personal data: the laws on the basis of which we collect personal data.
  • For what purposes we process personal data.
  • Whose personal data we process: employees, customers, subscribers, site users.
  • If you collect data online, a privacy policy must be posted on the site.
  • What personal data you process and in what way (with or without transfer to third parties, with or without transfer via the Internet, with or without transfer within the legal entity, automated or manual processing).
  • Terms and conditions for termination of the processing of personal data.

Alternatively, a different approach can be considered: state in the privacy policy that your site provides free information services. In this case, according to the author, you do not need to worry about storing personal data or notifying Roskomnadzor at all.

For example, you provide space on your site: a person wrote a review and you published it; they posted a photo and indicated their full name and email, and you published that; the user subscribed to the newsletter and received free materials (a service).

Processing of personal data by legal entities and individual entrepreneurs

Personal data of employees:

  • can be processed only for strictly limited purposes: assistance in employment, promotion, personal safety, control of work performed, ensuring the safety of the company's property;
  • all data must be obtained directly from the employee;
  • it is forbidden to process data on ethnicity, religious and philosophical views, intimate life, health status, or membership in organizations;
  • personal data cannot be transferred without written consent, unless this is necessary to protect the employee's life and health or is required by law.

The company director must approve the regulation on employees' personal data and familiarize all employees with it against signature. A list of persons who have access to this information must be prepared; usually this is the director, accountant, lawyer and HR manager. But here it is important to define which personal data each employee has access to, limited to what they need for their work. This data can also be provided to the employee themself upon request.

An employee has the right to receive information about who else has access to their data, where and for how long the data is stored, and how it is processed.

Employees authorized to process data must sign a non-disclosure obligation covering information containing personal data. It can be drawn up as a separate document or as a separate chapter in the employment contract or job description.

Responsible employees:

  • The person responsible for the processing of personal data (appointed by order) monitors compliance by all employees with the procedure for processing personal data.
  • The security administrator of personal data information systems (appointed by order) ensures the security of personal data in the organization and keeps logs. This can be one or more people. These duties are best written as an addition to the employment contract.
  • Employees must take measures to prevent access to personal data by unauthorized persons and must record all facts of violations.

The company must adopt a regulation on the processing of personal data: what data is processed, for what purpose, the processing procedure.

Documents for legal entities and individual entrepreneurs

All necessary document templates for the processing of personal data by legal entities can be downloaded below.

On April 8, 2017, teachers, students and their parents were asked to independently determine the level of mastery of the knowledge gained during the "Safe Internet Week", using the test "Assessment of the level of digital literacy in personal data management on the Internet". This test is taken from the educational and methodological manual for employees of the general education system "Practical Security Psychology: Management of Personal Data on the Internet" by the authors Soldatova G.U., Priezzheva A.A., Olkina O.I. and Shlyapnikova V.N. The self-test is aimed at identifying gaps in the knowledge of test takers and will help in determining a further work plan in the direction of "Ensuring the information security of schoolchildren".

ASSESSING THE LEVEL OF DIGITAL LITERACY

ON THE MANAGEMENT OF PERSONAL DATA ON THE INTERNET

This test is aimed at assessing the level of digital literacy of schoolchildren in the field of personal data management on the Internet and can be used to assess the effectiveness of the development of the program by students. The technique is a set of 20 test items with one correct answer. The test takes 30-40 minutes to complete.

Instructions

You will be offered 20 tasks related to the secure handling of personal data on the Internet. Among the answer options only one is right. Your task is to select and mark the option that you think is correct. The entire test takes no more than 40 minutes to complete.

1. What information can be classified as personal data?

A. Surname, name, patronymic.

B. Date and place of birth.

C. Place of study.

D. Political and religious beliefs.

2. Which of the provided personal data allow you to uniquely identify the user in our country?

A. Name, surname, year of birth.

B. Last name, year of birth, school number.

C. Name, Russian passport number, city of residence.

D. Name, surname, city of residence.

3. This summer Masha Ivanova went to Tsarskoe Selo with her class. At the end of the excursion, the class teacher took a group photo of the class in front of the Catherine Palace. The photo turned out well, so the teacher posted it on his page on the social network with the caption "9 B in Tsarskoe Selo" and tagged several people in it, including Masha. What information about Masha Ivanova is contained in this post?

A. External data.

B. Place of study.

C. Location of the excursion.

D. The names of Masha Ivanova's classmates.

E. All options offered.

4. At the weekend Vasya was visiting his friend Petya. On a couple of occasions, he used a friend's computer to purchase a new computer game from an online store and read the news. What personal information of Vasya could be saved on Petya's computer?

A. Search history.

B. History of visits to sites.

D. Downloaded files.

E. None of the options offered.

5. Ksyusha, while in a cafe with her friend Sveta, used Sveta's laptop to open a browser. What should Ksyusha do to leave a minimum of personal information on Sveta's laptop?

A. Clear your browsing history after exiting the browser.

B. Do not save passwords while browsing the network.

C. Use incognito mode while working in a browser.

D. Change the user on the laptop.

E. Clean up the temporary files folder after working at the computer.

6. Tanya met Kolya on the portal of the popular online game Lineage. For a long time they played for the same team and more than once helped each other out in virtual battles. Once Tanya was going on another raid, but at the last moment she found out about a geometry test and realized that she could not take part in the battle. Kolya suggested that Tanya give the password to her account to Kolya's friend, who could stand in for her in the game for a while. What is the best way for Tanya to act in such a situation?

A. Kolya vouched for his friend, so you can safely give him the password.

B. It's okay to give the password to another player - it's just a game.

C. You can give a password to your friend's friend - even if he steals your account, you can recover it.

D. Kolya's offer should be declined, as the user agreement prohibits players from transferring their password to third parties.

E. Tanya needs to collect as much information as possible about Kolya's friend, and then make a final decision.

7. When registering on a site, you were asked for a phone number. In which case is it most secure to provide it?

A. You register on a large and well-known online resource, for example, on the Mail.ru portal.

B. You are making a purchase for the first time in an online store whose website has positive reviews from other users.

C. You register on the game portal that your friends and acquaintances have recommended to you.

D. You want to download a new movie on a file hosting service, and you are required to register in a pop-up window.

E. In all of the above cases.

8. Which of the following passwords is the most secure?

A. Superman Vasya 2005.

B. QwErTy123456.

C. [email protected];).

D. Q1jk45) @da.

E. [email protected][email protected]!

9. What is the safest way to store your account password?

A. In a notebook in the bottom drawer of the desk.

B. In a text file in a hidden folder on the computer.

C. In a special program downloaded for free from the Internet.

D. All of the above methods can be considered completely reliable.

E. All of the above methods cannot be considered completely reliable.

10. One evening Anya discovered that someone had hacked into her account, posted indecent images on her wall and begun sending insults to her friends in private messages. Anya regained access to her account and changed her password, but it was too late. Many had removed her from their friends and added her to the "black list", and some even stopped talking to her at school. What should Anya do to restore her reputation?

A. Delete all unpleasant messages from your page.

B. Place a post on the page explaining the reasons for the incident and apologize to the readers.

C. Change passwords for all accounts on other online resources.

D. Try to personally talk to your closest friends and explain the situation to them.

11. On a social network Vova received a private message reporting an attempt to hack his account from someone else's device. Vova was strongly advised to follow the link provided in the message to change his password. What is the right thing to do in such a situation?

B. Ignore the message and mark it as spam.

C. Reply with an angry letter criticizing the social network.

D. Log in to your social network account yourself and change your password.

E. Reply to this letter and clarify information.

12. Mila decided to start leading a healthy lifestyle. She downloaded a fitness tracker to her smartphone that allows her to record the distance traveled and the number of calories burned during sports. The application was free, but required access to a certain set of personal data and smartphone functions. Which of these requirements can be

A. Access to the camera and media stored on the device.

B. Information about location and movement.

C. Ability to make in-app purchases.

D. Gender, age, weight, height.

E. All of these requirements are reasonable.

13. What personal information posted on an online resource must be removed from a search engine at the user's request?

A. Any group photo that shows this user.

B. A repost of a post that this user published openly on their own social network page.

C. Number of passport or any other official document of the user.

D. No personal information about the user is subject to mandatory deletion.

E. Any personal information must be removed from the Internet at the request of the user.

14. What should you do if hackers hacked your account on an online resource and changed your password and the email address to which the account was linked?

A. You shouldn't waste energy on account recovery - you can always create a new one.

B. Contact the administration of the resource with a request to restore your access to your account.

C. Contact the attackers with a request to return the account.

D. Contact a familiar hacker with a request to hack your account again and return it to its rightful owner.

E. This is a hopeless situation - in principle, a lost account cannot be returned.

15. Vlad - Natasha's deskmate and a very curious young man. Which of Vlad's actions would be a violation of Natasha's privacy?

A. Told his classmates that Natasha is allergic to sweets.

B. Photographed Natasha sleeping on the desk and posted this photo on a social network.

C. Took Natasha's smartphone from her desk and looked at the call history.

D. Read aloud the note that Natasha wrote to Vanya before the lesson.

E. All of the above options.

16. What types of Natasha's personal data can Vlad disseminate with full confidence that it will not harm her in any way?

A. Phone number, parents' full names, home address.

B. Country of residence, school number, information on past illnesses.

C. Hobbies, school number and address, login for her social network page.

D. Age, height and weight, grades in the class register.

E. None of the listed types of data.

17. Which statement is completely correct?

A. Everyone needs to protect their personal information and keep as much information about themselves as possible from other people.

B. Each person can independently decide what information and under what conditions can be kept secret or transferred to other people.

C. It is useless to control your personal data on the Internet, so there is no point in worrying about it.

D. Each person should provide as much information about themselves as possible, as this allows you to use all the possibilities of the Internet.

E. None of these options.

18. Olya broke up with Vasya and is now meeting with Anton. They often walk, take photos together and post them on the network. Olya still treats Vasya well, but does not want to upset him with photographs with a new young man. What is the best way for her to proceed?

A. Restrict Vasya's access to your photos.

B. Stop posting your photos on the social network.

C. Ask Vasya not to visit her page.

D. Remove Vasya from friends.

E. Add Vasya to the "black list".

19. Choose the correct statement. Author's posts posted by users in social networks and blogs ...

A. Show the uniqueness of a person and always have a positive effect on his reputation.

B. They never contain personal information, so their publication does not entail serious consequences.

C. Are rated differently by readers, so it is impossible to predict how the publication of a post will affect the reputation of its author.

D. Always contain unnecessary personal information about a person, which can harm not only his reputation, but also personal safety.

E. They do not contain anything good, because they show only a desire to show off.

20. What rules should NOT be followed when publishing information on the Internet?

A. Write posts, guided by the first emotional impulse - in order to convey to the reader a storm of their emotions.

B. Publish information and comments about important facts and events only after checking them in several sources.

C. Post data about another person to the network only if he has given his prior consent to do so.

D. Evaluate published information from the point of view of various categories of users.

E. All of the above rules are correct.

Right answers

1 - E, 2 - C, 3 - E, 4 - B, 5 - C, 6 - D, 7 - A, 8 - D, 9 - E, 10 - E, 11 - D, 12 - A, 13 - C, 14 - B, 15 - E, 16 - E, 17 - B, 18 - A, 19 - C, 20 - A.

The level of mastery of the program is assessed according to the following table:

| Number of correct answers | Approximate score on a five-point scale |
|---|---|
| 17–20 | Excellent |
| 14–16 | Good |
| 10–13 | Satisfactory |
| Less than 10 | Unsatisfactory |

In particular, it expanded the list of grounds for administrative liability for illegal processing of personal data (PD) and increased the fines.

Personal data: fines

| Basis | Natural persons | Officials | Legal entities | Sole proprietors |
|---|---|---|---|---|
| PD processing in cases not provided for by the legislation of the Russian Federation; PD processing incompatible with the purposes of PD collection | warning or fine of 1,000 to 3,000 rubles | warning or fine of 5,000 to 10,000 rubles | warning or fine of 30,000 to 50,000 rubles | n/a |
| PD processing without the written consent of the subject | 3,000 to 5,000 rubles | 10,000 to 20,000 rubles | 15,000 to 75,000 rubles | n/a |
| Failure to publish or provide access to a document defining the PD processing policy, or to information on PD protection | 700 to 1,500 rubles | 3,000 to 6,000 rubles | 15,000 to 30,000 rubles | 5,000 to 10,000 rubles |
| Failure to provide the PD subject with information on the processing of their data | warning or fine of 1,000 to 2,000 rubles | warning or fine of 4,000 to 6,000 rubles | warning or fine of 20,000 to 40,000 rubles | warning or fine of 10,000 to 15,000 rubles |
| Failure to comply with a request of the PD subject or their representative to clarify, block or destroy PD (where the PD is incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing) | warning or fine of 1,000 to 2,000 rubles | warning or fine of 4,000 to 10,000 rubles | warning or fine of 25,000 to 45,000 rubles | warning or fine of 10,000 to 20,000 rubles |
| Failure by the operator, when processing PD without automation tools, to keep PD safe, leading to illegal or accidental access and causing its destruction, modification, blocking or copying | 700 to 2,000 rubles | 4,000 to 10,000 rubles | 25,000 to 50,000 rubles | 10,000 to 20,000 rubles |
| Failure by the operator (state or municipal authority) to anonymize PD; non-compliance with the requirements for PD anonymization | n/a | warning or fine of 3,000 to 6,000 rubles | n/a | n/a |

Please note: it is the processing of personal data without obtaining the consent of the subject that carries the largest fines for all categories of violators, up to 75,000 rubles.

In this regard, many questions arise, the most frequently asked:

  • Am I a data controller?
  • Does the personal data law apply to me?
  • How to notify Roskomnadzor about the processing of personal data?
  • What should a website owner do to avoid fines?

Let's deal with all the questions in order.

Imagine the situation.

Your prospect has heard about your company, but he does not know the address of your site, or where you are, or how to contact you.

What will he do in this case?

The answer is simple: he will go to Google and start looking for information about you. Your task is to make that search as easy as possible for a potential client. This means that your company, in addition to its own website, must be represented on all popular online resources.

Which ones?

This is what will be discussed today!

Preparation

Before you start actively registering on online resources, you need to collect as much information as possible about your company in order to fill out your profile completely.

Think about the search terms a potential customer can find you.

For example, a dry cleaner located in the center of Kiev might be searched for by potential customers with the query "Dry cleaning center Kiev" or "Where can you wash a suit Kiev".

It is imperative to identify all popular search queries and add as many as possible to your company description. To do this, use the Wordstat service from Yandex or AdWords from Google.

Also take care of reviews from real customers, collect quality photos and videos that can put your business in a good light.

I recommend that you create a separate document that will store all the necessary information about your company. This will greatly simplify registration - you just need to copy and paste information from the document into your company's online profile.

Having finished with the preparation, we turn to the study of the most popular online resources, where your company must be represented.

10 online resources where your company must be represented

Now we will move on to review the most popular online resources, where you definitely need to register your company. The site rating is based on the rating of the international research company Alexa (you can see the rating results), which analyzes the popularity and influence of sites around the world.

Facebook for business offers far more opportunities than VKontakte. You can create a community page, a personal page, a company page or pages for its brands.

Having created a page, do not forget to update it regularly. If a user visits your page and sees that the information on it was last updated 3 months ago, this will give reason to think that your company is not popular enough.

No. 6 - Prom.ua

Prom.ua is an online resource where you can create a complete profile of your company, describe your products and services, and place a product catalog along with a price list. Thus, a potential customer can immediately receive information about both the product itself and its price.

The resource is more suitable for Ukrainian trading companies.

No. 7 - Allbiz

Allbiz is an international analogue of the Ukrainian Prom.ua. With the help of Allbiz you can easily find foreign partners and buyers.

The annual audience of Allbiz has reached more than 220 million people, which has made the resource one of the leaders of the Internet space. To date, the Allbiz online catalog contains over 20 million products and services from more than 1.3 million companies in 90 countries.

So be sure to join this resource.

No. 8 - Foursquare

Foursquare is a very popular resource among young people. With check-ins, ratings, reviews and photos, you can easily draw attention to your company. Add a small check-in bonus and you are guaranteed a flow of visitors.

Today we want to talk with you about personal data, privacy policies, user agreements and upcoming changes. You may or may not know that from July 1, 2017, amendments to Article 13.11 of the Administrative Code of the Russian Federation come into force. Personal data operators, all owners of sites with feedback forms, and anyone else who processes personal data need to make adjustments in order to avoid the fines, increased by the latest legislative changes, that may be imposed in the future.

Violation of the procedure established by law for collecting, storing, using or distributing information about citizens (personal data) - entails a warning or the imposition of an administrative fine on citizens in the amount of three hundred to five hundred rubles; for officials - from five hundred to one thousand rubles; for legal entities - from five thousand to ten thousand rubles.


Article 13.11. Violation of the procedure established by law for the collection, storage, use or dissemination of information about citizens (personal data)

1. The processing of personal data in cases not provided for by the legislation of the Russian Federation in the field of personal data, or the processing of personal data incompatible with the purposes of collecting personal data, with the exception of the cases provided for in part 2 of this article, if these actions do not contain a criminal offense, - shall entail a warning or the imposition of an administrative fine on citizens in the amount of one thousand to three thousand rubles; for officials - from five thousand to ten thousand rubles; for legal entities - from thirty thousand to fifty thousand rubles.

2. The processing of personal data without the written consent of the personal data subject in cases where such consent must be obtained in accordance with the legislation of the Russian Federation in the field of personal data, if these actions do not contain a criminal offense, or the processing of personal data in violation of the requirements established by the legislation of the Russian Federation in the field of personal data for the composition of information included in the written consent of the personal data subject to the processing of his personal data - entails the imposition of an administrative fine on citizens in the amount of three thousand to five thousand rubles; for officials - from ten thousand to twenty thousand rubles; for legal entities - from fifteen thousand to seventy-five thousand rubles.

3. Failure by the operator to comply with the obligation stipulated by the legislation of the Russian Federation in the field of personal data to publish or otherwise provide unrestricted access to a document defining the operator's policy regarding the processing of personal data, or information on the requirements for the protection of personal data being implemented - entails a warning or imposition of an administrative fine on citizens in the amount of seven hundred to one thousand five hundred rubles; for officials - from three thousand to six thousand rubles; for individual entrepreneurs - from five thousand to ten thousand rubles; for legal entities - from fifteen thousand to thirty thousand rubles.

4. Failure by the operator to comply with the obligation, stipulated by the legislation of the Russian Federation in the field of personal data, to provide the personal data subject with information regarding the processing of his personal data - entails a warning or the imposition of an administrative fine on citizens in the amount of one thousand to two thousand rubles; for officials - from four thousand to six thousand rubles; for individual entrepreneurs - from ten thousand to fifteen thousand rubles; for legal entities - from twenty thousand to forty thousand rubles.

5. Failure by the operator, within the time limits established by the legislation of the Russian Federation in the field of personal data, to meet the demand of the personal data subject, his representative or the authorized body for the protection of the rights of personal data subjects to clarify, block or destroy personal data that is incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing - entails a warning or the imposition of an administrative fine on citizens in the amount of one thousand to two thousand rubles; for officials - from four thousand to ten thousand rubles; for individual entrepreneurs - from ten thousand to twenty thousand rubles; for legal entities - from twenty-five thousand to forty-five thousand rubles.

6. Failure by the operator, when processing personal data without the use of automation tools, to comply with the conditions that, in accordance with the legislation of the Russian Federation in the field of personal data, ensure the safety of personal data when storing tangible media and exclude unauthorized access to them, if this resulted in illegal or accidental access to personal data, their destruction, alteration, blocking, copying, provision, distribution or other illegal actions in relation to personal data, in the absence of signs of a criminal offense - entails the imposition of an administrative fine on citizens in the amount of seven hundred to two thousand rubles; for officials - from four thousand to ten thousand rubles; for individual entrepreneurs - from ten thousand to twenty thousand rubles; for legal entities - from twenty-five thousand to fifty thousand rubles.

7. Failure by an operator that is a state or municipal body to comply with the obligation, stipulated by the legislation of the Russian Federation in the field of personal data, to depersonalize personal data, or failure to comply with the established requirements or methods for depersonalizing personal data - entails a warning or the imposition of an administrative fine on officials in the amount of three thousand to six thousand rubles.


Thus, from July 1, 2017, the regulatory authorities have a wide field for applying penalties against personal data operators: SEVEN separate grounds instead of one. Because the fines under the separate parts can be added together, the maximum total exposure for a legal entity rises from 10,000 rubles to 290,000 rubles (the upper limits of parts 1 through 6 summed; part 7 applies only to officials of state and municipal bodies). It's up to you to decide whether that is a lot or a little, but it's still worth reading our article.

So that you are aware of and understand how to act and for what you may face a fine, we offer the following FAQ:

1. What is personal data?
Any information relating to a person, taken together or separately: name, surname, phone number, email address and so on. Since almost every Internet resource today has a newsletter subscription, a user registration form or a feedback form that in one way or another collects users' personal data, almost all site owners are automatically personal data operators, even if they do not suspect it.

2. What is a privacy policy?
It is an internal document that states how you work with personal data. You must provide unrestricted access to this document and, if you have a site, place it in the footer of your site. Otherwise, as you understand, you can be brought to administrative liability under Article 13.11 of the Administrative Code of the Russian Federation.

3. Should a privacy policy be posted on every site?
No, not on every one. A policy must be posted if you are a personal data operator, that is, if you receive users' personal data in any way.
At the moment most Internet sites collect personal data through registration forms, feedback and order forms, and the like.

4. Do I need to obtain consent for the processing of personal data?
Yes, without fail. This is required by the provisions of the Federal Law "On Personal Data". On Internet sites it is implemented by including, in feedback forms, mailing list subscription forms, user registration forms and other forms, a link to the privacy policy and the corresponding consent wording.
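A first step in locating collection points (questions 2 through 4 above) is a static inventory of the site's forms. The following is an added example, not code from the original article: it parses a page with the Python standard library only and reports, for each form, which fields look like personal data, whether the form carries a consent checkbox with consent wording, and whether it links to the processing policy; it also checks that the page links to the policy at all (the footer requirement). The keyword lists and the sample HTML are assumptions constructed for the demo; extend the keywords for your own field naming.

```python
"""Static audit of HTML forms for personal-data collection points (added example)."""
from dataclasses import dataclass, field
from html.parser import HTMLParser

# Assumed keyword lists: field names/ids/placeholders that usually mean PD is collected,
# checkbox names and wording that usually mark consent, and hrefs/text that point at the policy.
PD_KEYWORDS = ("name", "fio", "email", "mail", "phone", "tel", "address", "birth",
               "имя", "фио", "почта", "телефон", "адрес")
CONSENT_KEYWORDS = ("consent", "agree", "personal", "privacy", "согласие", "персональн")
POLICY_KEYWORDS = ("privacy", "policy", "personal", "политик", "персональн")


def _hit(text, keywords):
    t = (text or "").lower()
    return any(k in t for k in keywords)


@dataclass
class FormReport:
    action: str
    pd_fields: list = field(default_factory=list)
    checkboxes: int = 0
    explicit_consent: bool = False   # a checkbox whose name/id names consent
    consent_wording: bool = False    # consent wording appears inside the form
    has_policy_link: bool = False

    @property
    def has_consent(self):
        return self.explicit_consent or (self.checkboxes > 0 and self.consent_wording)

    @property
    def needs_attention(self):
        # A form that collects PD must show consent and point at the policy.
        return bool(self.pd_fields) and not (self.has_consent and self.has_policy_link)


class FormAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.forms = []
        self.page_has_policy_link = False
        self._form = None
        self._a_href = None
        self._a_text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = FormReport(action=a.get("action") or "")
        elif tag in ("input", "textarea", "select"):
            self._field(a)
        elif tag == "a":
            self._a_href, self._a_text = a.get("href") or "", []

    def _field(self, a):
        if self._form is None:
            return
        itype = (a.get("type") or "text").lower()
        ident = " ".join(a.get(k) or "" for k in ("name", "id", "placeholder"))
        if itype in ("hidden", "submit", "button", "reset"):
            return
        if itype == "checkbox":
            self._form.checkboxes += 1
            if _hit(ident, CONSENT_KEYWORDS):
                self._form.explicit_consent = True
        elif itype in ("email", "tel") or _hit(ident, PD_KEYWORDS):
            self._form.pd_fields.append(a.get("name") or a.get("id") or itype)

    def handle_data(self, data):
        if self._a_href is not None:
            self._a_text.append(data)
        if self._form is not None and _hit(data, CONSENT_KEYWORDS):
            self._form.consent_wording = True

    def handle_endtag(self, tag):
        if tag == "a" and self._a_href is not None:
            if _hit(self._a_href + " " + "".join(self._a_text), POLICY_KEYWORDS):
                self.page_has_policy_link = True
                if self._form is not None:
                    self._form.has_policy_link = True
            self._a_href = None
        elif tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None


def audit_html(html):
    """Parse one page and return the auditor with its per-form reports."""
    p = FormAuditor()
    p.feed(html)
    p.close()
    return p


def audit_report(html):
    """Human-readable summary, one line per form plus the page-level policy link check."""
    p = audit_html(html)
    lines = [f"form {f.action or '(no action)'}: PD fields={f.pd_fields} consent={f.has_consent} "
             f"policy_link={f.has_policy_link} -> {'CHECK' if f.needs_attention else 'ok'}"
             for f in p.forms]
    lines.append(f"page-level policy link: {p.page_has_policy_link}")
    return lines


# Constructed sample: a bare subscription form and a feedback form done properly.
SAMPLE_HTML = """<html><body>
<form action="/subscribe">
  <input type="email" name="email" placeholder="Your e-mail">
  <input type="submit" value="Subscribe">
</form>
<form action="/feedback">
  <input type="text" name="name" placeholder="Name">
  <input type="text" name="phone">
  <textarea name="message"></textarea>
  <label><input type="checkbox" name="pd_consent" required>
    I agree to the processing of my personal data under the
    <a href="/privacy-policy">personal data processing policy</a></label>
  <button type="submit">Send</button>
</form>
<footer><a href="/privacy-policy">Policy regarding the processing of personal data</a></footer>
</body></html>"""

if __name__ == "__main__":
    print("\n".join(audit_report(SAMPLE_HTML)))
```

Run it against saved copies of every page that contains a form; a line marked CHECK is a collection point without visible consent or a policy link. The keyword matching is deliberately loose (it will flag a field named `hotel`), so treat the output as a worklist for manual review, not as proof of compliance.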

5. What is the name of the document?
The Federal Law "On Personal Data" says that "An operator collecting personal data using information and telecommunication networks is obliged to publish a document on the relevant information and telecommunications network that defines its policy regarding the processing of personal data ...". Therefore, we will call the document "policy regarding the processing of personal data."

6. Is there a generally accepted template for an organization's policy regarding the processing of personal data?
There are plenty of such templates on the Internet. Such a document contains: general provisions, information about the operator, methods of processing personal data, a list of the personal data processed for each category of personal data subjects, the purposes of processing, the rights of personal data subjects and of the operator, and so on. Nevertheless, when developing a policy you should start from the specifics of the particular organization's activities and the purposes for which it receives and processes personal data. As always, free templates should be used with care.

7. What is the notification of personal data processing, and how is it submitted?
You must notify Roskomnadzor of your intention to process personal data, and Roskomnadzor, in turn, must enter you in the register of personal data operators.
You can submit the notification by filling out the form at the link; sending the notification by Russian Post is also acceptable, and you never know what may happen to the electronic submission: the regulator has managed to block its own resources before, and losing a record from the register is easy enough.

8. Can I not submit a notification about the processing of personal data?
Notifying Roskomnadzor is an OBLIGATION of the personal data operator. All the few exceptions are indicated in the Federal Law "On Personal Data".

9. Who can initiate an inspection?
An inspection can be ordered at the request of any personal data subject whose personal data you process. That is, any "well-wisher" may well add "a little" extra trouble for you.

10. Is it necessary to amend contract templates to take into account the requirements of the Federal Law "On Personal Data"?
Yes. In one case or another you not only process but also use the personal data of your counterparties, and sometimes transfer it to third parties, and the contracts must reflect that.

In accordance with Article 20 of the Federal Law "On Personal Data", you have 30 days to provide information at the request of Roskomnadzor. You probably thought that you would certainly have time to prepare in 30 days? Don't jump to conclusions. The privacy policy and user agreement are only a small part of the documents that Roskomnadzor may request from you.

An indicative list of documents that Roskomnadzor may request for verification

1. General information
1.1. A copy of the document on the appointment of the legal representative of the Operator, authorized to represent the interests of the legal entity during the audit.
1.2. Certificate of the Operator's status as a small business entity indicating the type of business (small business, micro-business, etc.).
1.3. A copy of the Articles of Association of the legal entity.
1.4. For each of the activities of the Operator listed in the Charter of the Company, indicate:
- categories of PD subjects whose PD is processed;
- a list of processed categories of PD separately for each category of PD subjects;
- the purposes of PD processing for each category of PD subjects;
- PD information system (hereinafter - PDIS), in which PD processing is carried out, separately for each category of PD subjects;
- the legal basis for the processing of personal data (consent, contract, norm / article / clause of the law or by-law, otherwise).
1.5. Information on the legal basis for PD processing without submitting a Notification of PD processing with supporting documents attached (in case of failure to submit a Notification);
1.6. Documents allowing to establish the address of the location, the territorial location of buildings, structures, premises, offices, etc., owned by the Operator or leased by the Operator and subleased to other persons. Attach copies of lease agreements with all attachments in relation to the address of the actual implementation of activities, documents and diagrams that allow you to accurately delineate office premises (workplaces) used by the Operator alone and / or jointly with sub-tenants.
1.7. A copy of the staffing table (valid at the time of verification).
1.8. A statement, based on the staffing table, of the structural units in which the Operator organizes PD processing: their location address, floor, office number, contact information.
1.9. A copy of the document on the appointment of a person responsible for organizing PD processing. A copy of the job description (job description) or job description of the person responsible for organizing PD processing.
1.10. Copies of documents defining the Operator's policy in relation to PD processing;
1.11. All current local acts issued by the Operator reflecting the following issues of PD processing (if a general document is issued, indicate the relevant paragraph, section, etc.):
1) Purposes of PD processing;
2) The legal basis for the processing of personal data (consent, agreement, norm / article / clause of the law or by-law);
3) Categories of PD subjects, whose PD is processed;
4) PD categories for each category of PD subjects, respectively;
5) Description of the procedure and methods of PD depersonalization, the purposes for which depersonalization is carried out, and the PD subjects and PD categories to which it applies;
6) The term for processing PD of PD subjects (in electronic form, on tangible media);
7) The storage period for PD subjects of PD (in electronic form, on tangible media);
8) Places of storage of material carriers of personal data;
9) Conditions for the destruction of PD of PD subjects and the procedure for its implementation (in electronic form, on tangible media), copies of acts on the destruction of PD;
10) The list of persons who have access and are directly admitted to work with PD of PD subjects (in electronic form, on tangible media).
1.12. Copies of local acts establishing procedures aimed at preventing and detecting violations of the legislation of the Russian Federation, eliminating the consequences of such violations.
1.13. Copies of documents confirming the application of legal, organizational and technical measures to ensure PD security;
1.14. Copies of documents confirming the implementation of internal control and (or) audit of the compliance of PD processing with the Federal Law "On Personal Data" and the regulatory legal acts adopted in accordance with it, the requirements for the protection of personal data, the operator's policy regarding the processing of personal data, and the operator's local acts.
1.15 Copies of documents confirming the familiarization of the operator's employees who directly process personal data with the provisions of the legislation of the Russian Federation on personal data, including requirements for the protection of personal data, documents defining the operator's policy regarding the processing of personal data, local acts on processing personal data, and (or) training of these employees.
1.16. Typical forms of documents (questionnaires, questionnaires, etc.), the nature of the information in which suggests or allows the inclusion of PD. Orders approving the specified standard forms.
1.17. Copies of journals (registers, books) containing PD required for a single pass of a PD subject into the territory on which the Operator is located.
1.18. Documents confirming the adoption of measures in the processing of personal data to ensure, in relation to each category of personal data, the ability to determine the storage locations of personal data (material carriers) and establish a list of persons who process personal data or have access to them.
1.19. Documents confirming the adoption of measures to ensure the separate storage of personal data (material media), the processing of which is carried out for various purposes.
1.20. Documents confirming the adoption of measures to comply with the conditions to ensure the safety of personal data and exclude unauthorized access to them when storing material media. Provide a list of measures established by the Operator to ensure such conditions, the procedure for their adoption, and also provide a list of persons responsible for the implementation of these measures.
1.21. Documents confirming informing the persons processing PD without using automation tools (the Operator's employees and (or) persons carrying out such processing under an agreement with the Operator) about the fact of processing of PD by them, the processing of which is carried out by the Operator without using automation tools, the categories of PD processed, and also about the peculiarities and rules of such processing, established by the regulatory legal acts of federal executive bodies, executive bodies of the constituent entities of the Russian Federation, as well as local legal acts of the Operator (if any).
1.22. Copies of signed written consent of PD subjects (one for each category of PD subjects) for the processing of their PD, including copies of signed written consent of PD subjects for the processing of biometric PD, special categories of PD, for making decisions based solely on automated processing PD, for the implementation of cross-border transfer of PD to the territory of a foreign state that does not provide adequate protection of PD.
1.23. Material media (completed questionnaires, applications, resumes, etc.) containing PD received from PD subjects, separately for each category of subjects.
1.24. Material media (completed questionnaires, applications, resumes, etc.) containing personal data obtained legally (agreement, law, etc.), separately for each category of subjects.
1.25. Electronic media (completed questionnaires, registers, applications, resumes, etc.) containing personal data received from subjects and / or on a legal basis (agreement, law and other), separately for each category of subjects.
1.26. Information confirming the legality of processing biometric PD. Attach supporting documents.
1.27. Information confirming the legality of processing special categories of PD. Attach supporting documents.
1.28. Information confirming the legality of decision-making on the basis of exclusively automated processing of PD. Attach supporting documents.
1.29. Information confirming the legality of the cross-border transfer of personal data. Attach supporting documents.
1.30. Information confirming the legality of the processing of personal data in order to promote goods, works, services on the market by making direct contacts with a potential consumer using communication means, as well as for political campaigning. Attach supporting documents.
1.31. Information on the procedure for obtaining by the Operator the consent of the PD subject to provide access to an unlimited number of persons to his PD if such access is necessary.
1.32. Information on the procedure for processing PD in cases necessary to protect the life, health or other vital interests of PD subjects.
1.33. Copies of contracts, one of the parties to which is the PD subject (employee, client, etc.), one contract for each category of subjects.
1.34. Copies of all agreements concluded with third parties concerning the order (ordering processing to another person and processing on behalf of another person) for the processing of personal data, one agreement for each category of subjects.
1.35 Copies of applications from citizens (for the last two calendar years, including the current one) on issues of clarification, deletion, destruction of PD, considered by the Operator. Copies of the Operator's responses and measures taken for citizens' appeals with the attachment of copies of documents on the measures taken.

2. Personnel block
2.1. A statement on the procedure for the search and selection of personnel, with supporting documents attached. With regard to the PD of applicants for vacant positions, the statement should indicate: the source of the PD; the legal basis for processing; the purpose of processing; the procedure for obtaining, recording, using and storing the PD (storage location, storage arrangements); the persons with access; and the procedure and conditions for destruction. In addition, indicate the persons to whom the PD is transferred and any commissioning of PD processing to third parties, attaching copies of the contracts with all annexes.
2.2. The form of the applicant's consent to fill a vacant position for PD processing. A copy of the completed form containing the applicant's personal data.
2.3. The consent form of the office visitor for PD processing. A copy of the completed form containing the visitor's personal data.
2.4. The consent form of the Operator's employee for the processing of personal data. A copy of the completed form containing the employee's personal data.
2.5 Form of consent of employees' relatives to PD processing. A copy of the completed form containing the personal data of the employees' relatives.
2.6 Information on the composition of documents included in the personal file of the Operator's employee.
2.7 Information on the procedure for transferring personal data of employees to third parties. With the attachment of supporting documents.
2.8 Information on the procedure for setting up the payroll (salary card) project, with supporting documents attached, including a copy of the agreement concluded with the bank.
2.9. Certificate of health insurance for employees and their relatives with a copy of the contract attached.
2.10. Information on the procedure for registration and booking of hotel rooms, travel tickets, etc. when sending employees with supporting documents attached.
2.11 Information on the storage time of the personal files of the dismissed employees of the Operator until they are transferred to archival storage, carried out in accordance with the legislation on archiving in the Russian Federation (hereinafter - the archive), as well as until the storage of personal files is entrusted to a third party. Indicate the composition of the documents of employees transferred to the archive (to a third party who stores documents on behalf of the Operator). Copies of documents establishing the procedure for maintaining (referring to the archive) archival storage in accordance with the legislation on archiving in the Russian Federation (if any).
2.12. Copies of agreements concluded with third parties regarding the order to process personal data of employees, relatives of employees.
2.13. Certificate on the procedure for processing personal data of dismissed employees.

3. PD information systems
3.1. The list of PDIS in which the PD of all categories of PD subjects is processed.
3.2. Information about the location (address) of the Operator's databases containing personal data of citizens of the Russian Federation. Description of the information systems, indicating the name, software version, software developer and location of components.
3.3. The list of PD subjects and, if PD subjects are combined into groups, the list of groups of PD subjects processed in the PDIS.
3.4. Sources of PD for each category of PD subjects (provided by the subject himself or obtained in another lawful way).
3.5. The list of PD categories of PD subjects processed in the PDIS.
3.6. Description and purpose of each PDIS in which PD processing is carried out, for each category of PD subjects. PDIS instructions, user manual and any similar documents on PDIS functionality, access procedure and backup.
3.7. The list of operations and actions performed with the PD of PD subjects in the PDIS.
3.8. Description of the PD processing procedure (a step-by-step description of the order of entry, collection, download, storage, reading, use, transfer, access, distribution, modification, deletion and destruction) in the PDIS for each category of PD subjects.
3.9. Information on the backup procedure, including backup frequency, the procedure and location for storing backups, and the procedure for destroying backups.
3.10. Description of the technological and information support of the PDIS.
3.11. Copies of lease agreements for server capacity used to host PD databases.
3.12. Copies of documents confirming the Operator's own server facilities on which PD databases are hosted.
3.13. Information and documents about the person (persons) responsible for the maintenance, administration and use of the server facilities hosting the PD database.
3.14. A certified block diagram of the exchange of information containing PD of PD subjects, reflecting the directions of information flows and the participants in the exchange, indicating the name of the PDIS and the address of the database and server capacity.

4. Internet services (Yandex.Metrica, Google Analytics etc.), mobile applications.
4.1. Information about the Internet services used on the Operator's sites, developed and owned by the Operator, as well as developed and owned by third-party organizations, with the help of which data about visitors and users of the Operator's sites are processed, indicating the purpose and functionality of Internet services.
4.2. Attach copies of agreements concluded with third-party organizations specified in clause 4.1 and all published annexes to agreements.
4.3. A statement on the functionality of the Internet services used, in terms of collecting data about visitors to the Operator's sites and mobile applications, separately for each service.
4.4. A list of data about visitors and registered users of sites and mobile applications Operator obtained using the specified services, separately for each service. Attach supporting documents.
4.5. Information about the databases (their address, who owns it) on which the data obtained using Internet services is stored, when and how the data is destroyed.
4.6. Copies of documents and local acts issued by the Operator on the processing of personal data of users of the Operator's mobile applications. Copies of technical documentation on the functionality of the Operator's mobile applications. Information about the user data processed in the Operator's mobile applications for iOS, Android and Windows, indicating data storage locations, processing purposes, persons to whom data is transferred, processing and storage periods, and the procedure and conditions for destruction;
4.7. Copies of agreements with all attachments concluded with third parties, on the basis of which advertising services are provided, the data of visitors, users of sites, clients (individuals) of the Operator is transferred. Copies of contracts on the basis of which the transfer of statistical anonymized data obtained after aggregation and any other modification (change) of data of visitors, users of sites, clients of the Operator is carried out.
4.8. List of sites owned by the Operator.
The data of visitors and registered users of the Operator's websites and mobile applications means all data about visitors collected using the functionality of these services, as well as the data that the services themselves collect and process on their own computing resources, namely: the user's pseudonym; the address of the user or of the user's device through which the user reached the Operator's website; information about the user, including the IP address, the user's search queries, the Internet addresses of the web pages visited by the user and the subject matter of the information posted on the Operator's Internet resources visited by the user; the user identifier as converted by the Operator with a hash function or other transformation; the geographical location of the user's point of connection to the Internet; and information that does not uniquely identify the user or a specific individual but is sufficient for forming advertising to show to the user.
4.9 Documents establishing the procedure for backing up information containing PD.


And are you still sure you will have time to prepare everything and everyone in 30 days?

Our services:

  • filing a notification with Roskomnadzor;
  • analysis of the site for compliance with the provisions of the Law;
  • analysis of finished documents for compliance with the Law;
  • development of a standard package of documents;
  • development of a turnkey package of documents (a package of documents is developed after a preliminary detailed analysis of the organization's activities);
  • analysis of civil contracts for compliance with the requirements of the Law, recommendations for bringing them into compliance;
  • counseling.