July 2017 was marked by changes to the Russian legislation on personal data protection (Federal Law No. 152-FZ of 27 June 2006, with the amendments that took effect on 1 July 2017). The changes concern the web-sites of all organizations and individual entrepreneurs that process personal data, which includes full name, date and place of birth, address, marital and social status, property status, education and occupation, information about user behaviour on the web-site, geolocation data and IP address.
An “Informauditservice” expert discusses the novelties related to personal data processing on web-sites that are, in our view, the most important, and explains how to deal with them in order to comply with the new legislative requirements and keep your business in Russia safe.
First of all, make sure that the server on which the personal data are stored is physically located in Russia. If it is not, take the necessary steps to move it to the territory of the Russian Federation.
Consent to process personal data
A number of new texts and documents should appear on the web-site and be accessible to its users. First, the text of the consent to the processing of users’ personal data. Second, the personal data processing policy, with references to the local acts on the protection of personal data and the corresponding documents kept on paper in your organization. In both cases an e-mail address should be given to which users can write if they wish to change or delete their personal information. Third, a disclaimer should appear on every page of the web-site stating that users’ personal data are being processed and that they should leave the web-site if they do not want to provide their personal information. The fourth document to appear on your web-site is the document provided by your hosting service confirming that the data processing centre is located on the territory of the Russian Federation.
You should notify the Federal Service for Supervision of Communications, Information Technology, and Mass Media (Roskomnadzor) of the personal data processing.
The new requirements state that companies which are personal data operators must register with Roskomnadzor by submitting a special notification (paragraph 3, article 22 of Federal Law No. 152-FZ). To do so, fill out the electronic form on the Roskomnadzor personal data portal and submit it to the information system of the authorized body for the protection of the rights of personal data subjects. In addition, the form must be printed out, signed and certified, and then sent to the territorial Roskomnadzor body for the region where the company is registered.
Agreement with the web developer
Another very important item is an agreement on personal data security with the web developer or the agency that provides technical support for your web-site. This agreement should state which personal data may be processed, which actions may be taken with them and for what purposes, and it must contain an explicit obligation to protect the personal information.
We would like to draw your attention to one more measure. It is not obligatory, but it helps to counter attempts to pass a duplicate of your web-site off as the original: installing an SSL (TLS) certificate for your domain. A certificate issued for your domain lets the user’s browser confirm that it is talking to the site that controls that domain and not to a copy served under another name; note that a duplicate hosted on a look-alike domain can obtain a certificate of its own, so what the certificate lets the user check is that the domain in the address bar is really yours. The certificate has two further advantages: depending on its type it makes it possible to see who owns the web-site (organization-validated and extended-validation certificates carry the verified organization name, whereas domain-validated certificates only prove control of the domain), and it enables encryption of the connection between the user and the site. The encrypted connection is needed to prevent the personal data and credentials that users enter from being intercepted or altered in transit.
The new legislative norms introduce not only increased fines for violating the requirements for collecting, storing and processing personal data (Federal Law No. 13-FZ of 7 February 2017), but also a wider range of offences related to personal data processing in the Code of Administrative Offences of the Russian Federation (KoAP).
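To make concrete what the browser actually checks when it decides whether a certificate belongs to the site the user asked for, here is an added example (not code from the article or from “Informauditservice”). It works on the certificate dictionary that Python’s `ssl` module returns from `getpeercert()`, checks the validity period and the DNS names (Subject Alternative Name entries, falling back to the Common Name, with one-label wildcards), and shows why a look-alike domain with a perfectly valid certificate of its own still fails the check for the original domain. The domains `example-shop.ru` and `example-shop.com` and the certificate dictionaries are constructed for the example. Python’s default `SSLContext` already performs chain and host-name validation itself; the point of spelling the host-name check out here is to see what it consists of.

```python
from __future__ import annotations

import socket
import ssl
import time


def _name_matches(pattern: str, hostname: str) -> bool:
    """Compare one certificate DNS name with the requested host name.

    A leading "*." stands for exactly one DNS label (RFC 6125 style), so
    "*.example-shop.ru" covers "www.example-shop.ru" but neither the bare
    "example-shop.ru" nor "a.b.example-shop.ru".
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        first, _, rest = hostname.partition(".")
        return bool(first) and rest == pattern[2:]
    return False


def cert_dns_names(cert: dict) -> list[str]:
    """Names the certificate claims: SAN DNS entries, else the subject CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def cert_matches_host(cert: dict, hostname: str) -> bool:
    """True if any name in the certificate covers `hostname`."""
    return any(_name_matches(name, hostname) for name in cert_dns_names(cert))


def cert_is_current(cert: dict, now: float | None = None) -> bool:
    """True if `now` (Unix time) lies inside the certificate's validity window."""
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return not_before <= now <= not_after


def check_site_certificate(cert: dict, hostname: str, now: float | None = None) -> tuple[bool, str]:
    """Verdict on whether `cert` is a currently valid certificate for `hostname`."""
    if not cert_is_current(cert, now):
        return False, "certificate is outside its validity period"
    if not cert_matches_host(cert, hostname):
        return False, "certificate names %s, not %s" % (cert_dns_names(cert), hostname)
    return True, "ok"


def fetch_peer_cert(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect over TLS with chain validation and return the peer certificate dict.

    Network helper for live use only; the constructed certificates below let
    the checks run offline. The default context already verifies the chain
    and the host name, and getpeercert() returns a dict shaped like them.
    """
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        with context.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample certificates (hypothetical domains, not real certificates).
GENUINE_CERT = {
    "subject": ((("commonName", "example-shop.ru"),),),
    "subjectAltName": (("DNS", "example-shop.ru"), ("DNS", "www.example-shop.ru")),
    "notBefore": "Jul  1 00:00:00 2017 GMT",
    "notAfter": "Jul  1 00:00:00 2018 GMT",
}

# A duplicate on a look-alike domain can hold a valid certificate of its own;
# what gives it away is that the certificate does not name the domain the
# user meant to visit.
DUPLICATE_CERT = {
    "subject": ((("commonName", "example-shop.com"),),),
    "subjectAltName": (("DNS", "example-shop.com"),),
    "notBefore": "Jul  1 00:00:00 2017 GMT",
    "notAfter": "Jul  1 00:00:00 2018 GMT",
}

# Fixed "current time" so the offline check is reproducible.
SAMPLE_NOW = ssl.cert_time_to_seconds("Jan  1 00:00:00 2018 GMT")

if __name__ == "__main__":
    for label, cert in (("genuine", GENUINE_CERT), ("duplicate", DUPLICATE_CERT)):
        print(label, check_site_certificate(cert, "www.example-shop.ru", SAMPLE_NOW))
```

Against the constructed data the genuine certificate passes for `www.example-shop.ru` and the duplicate’s certificate is rejected because it names only `example-shop.com`; the same function applied to `fetch_peer_cert("your-domain")` reports what a real server is presenting.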
The following fines are envisaged for legal entities depending on the type of violation:
Kira Ovanesova, legal counsel, Legal department of BCG “Informauditservice”.
The article was published on Право.ру