Almost a month has already passed since July 1, 2017, when amendments to the Law FZ-152 "On Personal Data" came into force, and along with them requirements for all website owners about liability for violation when interacting with personal data of a client.

It is no longer possible to act as before - just get the personal data of a site visitor by inviting him to subscribe to news or a valuable product. Now we are obliged to warn everyone, without exception, that we will store and process personal data, even if we did not plan to do this.

All reflections and debates on the topic “what kind of data is personal”, “do I need to comply with the requirements of the law if I don’t collect and process customer data”, “I don’t sell anything, I just suggest subscribing to the website news”, “ people make their own decisions when they leave their data in the form of a subscription - I do not force anyone, " these disputes are meaningless. You just need to take the innovations for granted and just take the necessary steps. Personally, I didn't spend a lot of time on such activities - I quickly figured out that in order to avoid fines that had grown to 75,000 rubles, the easiest way was to do as "the law dictates" and started creating legal documents for my sites - the Privacy Policy and the User Agreement.

Since I cannot predict the visit of the Roskomnadzor Inspector to my website in order to fix the violation, it was most logical to eliminate these violations in advance. What I did safely, and I advise everyone who has:

• subscription form on the site
• feedback page
• comment form

How to create a privacy policy and user agreement

I looked at several sites of colleagues who have already made changes and created the necessary documents, studied letters on this topic that came to the mail, and found a simple, understandable and very useful service 152fz.rf, which checked my sites for legal documents, issued its own verdict and offered to entrust him with their creation.

In general, everything suited me, and especially the fact that the text of the documents fully reflected my needs for processing and storing personal data of clients, and the fact that I could use his services for free.

⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓

The service provides in an accessible form all the information about why, to whom and why you need to comply with the requirements of the FZ-152 law. Then you will be shown what fines are threatened for non-compliance, who has already been punished and how, and you will be offered to use one of three tariffs.

For owners of ordinary sites, of which there are a great many on the network, a free plan is suitable. And then, in the pictures, there are step-by-step actions that I have done personally, for greater clarity and so that you have an idea of ​​what information needs to be prepared to create documents.

After all the documents were created, I carefully studied the text of each of them, corrected it a little, and downloaded the pdf files to my computer. Then, using , which became my favorite lifesaver, I translated the PDF to WORD, copied the text and pasted it with a link to the service into the newly created pages of the site. Links to documents are also placed in the footer of the site.

I note right away that I decided to leave the Privacy Policy, which I created a little earlier, unchanged, and take the User Agreement from the 152fz.rf service. But I can change my mind))

You can do the same, or you can use other available methods for posting documents on your site:

1. upload pdf files to the site and place links to these documents in a convenient place
2. install the 152fz.rf widget on the website using the code on the page of ready-made documents

Newsletter subscription form

Another important step that needs to be done is to place the following text in the form of a subscription to new articles on the site or mailing of letters. You can change it if necessary.

By clicking on the button, I accept the user agreement and confirm that I have read and agree with the privacy policy of this site

I was not so lucky with the subscription form as with legal documents - an emergency happened and when the inactive subscription form was deleted, the active one disappeared along with all the subscribers ... me promises to fix a technical problem that arises when creating a new form. Now I think that this text could be placed under the form, the main thing is that it be on the page, but in the form or under the form - there is no difference. Eh, I should have known earlier where to lay the straw ... While I'm worried. I am sure that you will not have such problems when you make changes to the subscription form.

These are the simple steps that every owner of ordinary, small sites had to do before July 1, 2017. Agree, this is not difficult at all and will not take much time. If you are not satisfied with the documents that are now on your site, or you have just returned from vacation, but did not have time to do it on time ..., in any case, on my site for you now there is useful advice on this topic. The piggy bank of tips is replenished ... I wish you all success and the right actions!

I agree to the processing of my personal data in accordance with

This article is devoted to various kinds of services for the automatic generation of a set of internal documents of an organization for the protection of personal data based on some information entered by the user. To be honest, it was originally an angry post. The irritation was caused by the information received through personal channels that representatives of one of these services visit the chief doctors of medical institutions of the city in which I live, and are frightened by the prosecutor's office and punishment for violating the law "On Personal Data" in case of refusal to subscribe to such a service ... But chance intervened - in the process of writing the article, urgent matters arose. And all the scribble that was ready at that time was sent to drafts for a week. During this time, steam has released a little and now I will try to calmly explain why such services will not ensure the proper quality of internal documentation on the protection of personal data, I will tell you about other problems of such portals and at the end I will give a link to some prefabricated hodgepodge of the same documents.

Problem # 1. Misleading the client Lies

Here, it is probably worth starting right away with examples.

On one of the sites on the very first page it is written that the maximum fine for violation of the rules for processing personal data is 300,000 rubles. It is not true. At the moment, article 13.11 of the Code of Administrative Offenses of the Russian Federation provides for the maximum fine for legal entities - 10 thousand rubles. Here, apparently, we are talking about bill No. 683952-6, which provides for the expansion of Article 13.11 of the Administrative Code and indeed increases the maximum fine to 300,000 rubles, but the bill passed the first reading last autumn and was stuck. And whether it will be finally adopted is unknown. Conclusion: the authors of the site are either not aware of the situation, or deliberately try to exploit the feeling of fear of huge fines, which is also not good.

Second example: another service solemnly promises to successfully pass any inspection by any regulatory authorities in the field of personal data protection with their documents. Firstly, the service does not generate such an important document as the "Threat Model", which even Roskomnadzor requires to be shown, and without it, even a documentary check cannot be successfully passed. Secondly, FSTEK and FSB check not only pieces of paper. Thirdly, I already wrote in my old article that in some regions (not all) the cane system operates and it is not possible to successfully pass the test, no matter how well we prepare for it.

Problem # 2. Lack of individualization

Of course, almost all services for preparing a set of documents will tell you about flexible personalization of a set of documents especially for you, but this statement could well be cited as a third example of problem number 1.

To be honest, at one time I myself wrote a similar "filler" of templates in Java, but somehow it didn’t take root in my work, the maximum that can be done is to automatically enter the name of the organization and other frequently repeated things in documents. And that's why - if the goal is to write high-quality documentation, then it will have to be written by hand, taking into account all the features of both the organization's business processes and the features of the IT platform on which the personal data information system is built. At my work, as a rule, this is exactly the task, and who needs to "get away from checking" we give the below set of templates. Is free. But here you need to remember that regulators do not stand still either, and it becomes more and more difficult to pass the test with a set of template, not adapted documents from seven years ago.

Let me explain why template fillers will not help you in developing a complete and useful set of documents. Take, for example, the important and useful Security Administrator's Guide. Of course, when a document is made for show, it contains a lot of water and very little specifics. In the event that we make a full-fledged document, we need to describe all the duties and actions of the security administrator, depending on the conditions for the functioning of the personal data information system. And then it turns out that a huge number of factors affect the content of the document:

Is virtualization used?
- are you using mobile devices?
- backup, by what means is it done, with what frequency, where are the backups stored?
- etc. etc.

Of course, you can try to take all this into account in the template, but then the users of the services will have to collect and enter a huge amount of data, which contradicts the principle "simple and easy, just pay money."

All that the template "filler" can do tolerably well is various orders to appoint responsible persons or any commissions. As soon as questions start related to business processes or the specifics of the IT infrastructure, problems begin.

Problem number 3. Doubtful quality of the documents themselves

In part, the problem has something in common with the previous one, but if in problem No. 2 it was more about the features of automated filling, then here we are talking about the template text that is not subject to change. They manage to screw up in the simplest instructions.

Example. Usually, two persons responsible for the protection of personal data are appointed in the information system - one responsible for organizing personal data (more on organizational issues) and an information security administrator (on technical issues - setting up protection means, etc.). Accordingly, these roles are usually abbreviated as - "Responsible" and "Administrator". So, one of the services called these two friends "responsible for organizing the processing of personal data" and "responsible for ensuring the security of personal data", reduced them, as you might have guessed as "Responsible" and (suddenly!) "Responsible". In the order on the appointment of these responsible, no trick is felt, the tin begins when the authors of the documents begin to describe the interaction of these two different people, it turns out something like "Responsible for Responsible and Responsible drives."

Problem # 4. Security

Oddly enough, services that are designed to increase information security themselves raise a number of questions, ranging from the banal lack of encryption when submitting forms with confidential data, to how this data is stored on the service, how physical access to servers is organized, and much more. At the same time, we remember that so far the services work according to the principle of "easy and simple" and do not collect a large amount of information, but they can also "improve". Nevertheless, at least the personal data of the responsible persons and members of various commissions, as well as basic data on the information system, will have to be provided.

What is all this for?

I am convinced that selling blanks of documents, even under the sauce of an automatic template filler, for money is the last century. I am convinced that bullying and deceiving potential customers is a dead-end marketing model. The cost of a subscription to such services ranges from 10 to 50 thousand rubles per year. For this money, you can attract a specialist who will prepare a high-quality kit with a full audit of business processes and IT infrastructure (yes, in a crisis, an experienced specialist may agree to work even for 10 thousand rubles). But if the choice fell on templates, then I see no point in paying money for it. In addition, various documents can be Google completely free. As I promised, to simplify this task, I have laid out some selection

According to Federal Law No. 152-FZ "On Personal Data", personal data means any information relating directly or indirectly to a specific or identifiable individual (subject of personal data).

• Full Name;
• year, month, date and place of birth;
• the address of the place of registration and residence;
• family, social, property status;
• education, profession, income;
• passport data;
• etc.

Note: The position of the courts is that even a separate email or mobile phone number is also personal data, since it allows you to indirectly identify an individual (subject of personal data) http://bit.ly/delo_provider.

According to Law No. 152-FZ "On Personal Data", the processing of personal data means any action or set of actions with personal data, including collection, recording, systematization, accumulation, storage, clarification (update, change), extraction, use, transfer (distribution , provision, access), depersonalization, blocking, deletion, destruction.

Personal data must be protected in accordance with 152-FZ "On Personal Data", which makes it the responsibility of each company, individual entrepreneur or budgetary organization that processes personal data. The operator of personal data is obliged to take a number of measures to comply with the requirements of the legislation of the Russian Federation regarding the processing and security of personal data.

Otherwise, the operator of personal data and his employees may incur disciplinary, administrative and criminal liability, and a ban on the processing of personal data by Roskomnadzor may lead to the suspension of the company's activities.

There are three main regulators in this area in the Russian Federation:

• The Federal Service for Supervision in the Sphere of Communications, Information Technology and Mass Media (Roskomnadzor) is the authorized body for the protection of the rights of subjects of personal data and exercises control and supervision over the compliance of the processing of personal data with the requirements of the legislation of the Russian Federation in the field of personal data.
• The Federal Service for Technical and Export Control (FSTEC of Russia) exercises control and supervision over organizational and technical measures for protecting personal data.
• The Federal Security Service (FSB of Russia) exercises control and supervision over the protection of biometric personal data and cryptographic measures to protect personal data.

Regulators carry out both scheduled and unscheduled inspections, about which operators of personal data are warned 24 hours in advance.

To comply with the law, it is necessary to have a package of organizational and administrative documentation, appoint responsible persons for organizing the processing and security of personal data, submit a notification about the processing of personal data to Roskomnadzor, determine the level of security of information systems for storing personal data and take organizational and technical measures to ensure security personal data.

Note: You can fulfill the requirements of the law in the following ways:

• Order a comprehensive audit, bring business processes in line with the requirements of Law No. 152-FZ and entrust the development of a set of documents to experts.
• Hire an information security specialist who will independently monitor the implementation of the law. At the same time, no one is responsible for the quality and it is very difficult to find such an employee.
• Use automated document preparation systems, one of which is the B-152 online service.

This is any information relating to an individual, by which it can be directly or indirectly identified.

This information includes, but is not limited to, name, location data, factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of this individual.

Email, IP-address, social network identifier - all of this can be personal data.

GDPR has extraterritorial effect and applies to all companies that process personal data of EU citizens, regardless of the location of such a company.
The GDPR will affect all those who work with European countries in one way or another. These are financial companies, technology, media and telecom companies, pharmaceuticals, transport, online stores.

The GDPR will also apply to all organizations, regardless of location, if they collect, analyze or monitor the behavior of EU residents in any way.

All Russian companies targeting entities in the European Union after May 26, 2018 will be in the scope of the GDPR Regulation. In this regard, according to the requirements of the Regulation, such companies must appoint their representative in the European Union.

A representative is a natural or legal person established in the European Union who represents the controller or processor of personal data in relation to their obligations under the Regulation.

The representative must act on behalf of the controller or processor, may interact with any competent authorities of the European Union, member states, including supervisory authorities.

The representative must carry out his tasks in accordance with the instructions received from the controller or processor and take any action in order to ensure compliance with the GDPR Regulation.

If Russian operators of personal data, for example, providing services via the Internet for persons in the EU countries, have representative offices and branches in the EU countries, then the functions of a representative can be assigned to them.

A representative may not be appointed when the processing is of an accidental nature, does not include large-scale processing of specific categories of personal data, or the processing of personal data is associated with criminal sentences and offenses, or if the controller is a public authority or institution.

2.1. The user agrees with the terms of the Policy and gives the Operator specific and conscious consent to the processing of his personal data by the Operator under the conditions provided for by the Policy and the Law:

• when registering on the Site - for personal data that the User provides to the Operator when filling out the registration form located on the Internet at. The user is considered to have given his consent to the processing of his personal data by checking the box “I accept the terms of the user agreement and consent to the processing of my personal data” at the moment of clicking the “Register” button;
• when entering / changing personal data in the sections "My Profile and Programs" and "Settings" of the Personal Account - for personal data that the User provides when editing information in the Personal Account. The user is considered to have given his consent to the processing of his newly entered or changed personal data at the moment of pressing the “Save” button;
• when filling out the feedback form - for personal data that the User provides to the Operator when filling out the feedback form located on the Internet at http: // site / contacts /. The user is considered to have given his consent to the processing of his personal data entered in the fields of the feedback form at the moment of pressing the “Send” button;
• when joining the team of the Operator's experts - for personal data that the User provides when filling out the application form located on the Internet at http: // site / experts /. The user is considered to have given his consent to the processing of his personal data entered in the fields of the application at the moment of pressing the “Submit” button;
• when filling out an application to the Operator's Postgraduate School - for personal data that the User provides when filling out the application form located on the Internet at http: // website / aspirant /. The user is considered to have given his consent to the processing of his personal data entered in the fields of the application at the moment of pressing the “Submit” button;
• when sending a message to the Operator's Career Development Center - for personal data that the User provides to the Operator when filling out the feedback form located on the Internet at http: // website / career /. The user is considered to have given his consent to the processing of his personal data entered in the fields of the message form at the moment of pressing the “Send” button.

2.2. The period during which the User's consent to the processing of his personal data by the Operator is valid is 10 (ten) years from the day when the User is considered to have given the Operator Consent to the processing of his personal data in accordance with the provisions of clause 2.1. Politicians.

3. TERMS OF PROVISION OF PERSONAL DATA BY THE USER

The Operator proceeds from the fact that when providing his personal data on the Site, the User:

3.1. Is a competent person. In case of incapacity, consent to the processing of personal data is provided by the legal representative of the User who has read and agreed with the terms of the Policy;
3.2. Indicates reliable information about himself in the amount necessary for using the Site and providing services by the Operator to the User;
3.3. Keeps the provided personal data up to date. The consequences of the provision by the User of inaccurate or insufficient information are defined in the User Agreement located on the Internet at the address;
3.4. On a gratuitous basis, he agrees to use his photograph as an image of the User. The User undertakes not to provide photographs of third parties as the User's image;
3.5. Realizes that when using the Site, information on the Site posted by the User about himself may become available to other Site Users, may be copied and distributed by such Users.
3.6. I am familiar with this Policy, expresses my informed and informed consent to it.

4. PERSONAL DATA PROCESSED BY THE OPERATOR

4.1. The personal data of the User processed by the Operator when registering the User on the Site, changing the information in the Personal Account by the User, and the provision of services by the Operator in relation to the User include:

1. Full Name;
2. Telephone number;
3. E-mail address;
4. Account data in social networks (links to the User's profiles on VKontakte, Facebook, LinkedIn, Twitter);
5. Image;
6. Home address;
7. Date of Birth;
8. Place of Birth;
9. Place of work;
10. Position;
11. Profession;
12. Data and a copy of the identity document;
13. Data and a copy of the education certificate;
14. Data and a copy of the marriage certificate (in case of a change of surname);

4.2. The personal data of the User processed by the Operator when the User completes the feedback form, the User's application form for joining the Operator's team of experts, when the User sends a message to the Operator's Career Development Center, include:

1. E-mail address;
2. Data that is automatically transmitted to the Operator in the process of using the Site using the software installed on the User's device, including the IP address, information about the browser and the type of operating system of the User's device, technical characteristics of the equipment and software used by the User, date and time of access to the Site.

4.3. The personal data of the User processed by the Operator when the User completes an application to the Operator's Postgraduate School includes:

1. Town;
2. E-mail address;
3. The name of the course that the User took with the Operator;
4. Link to the User's profile on Facebook;
5. Data that is automatically transmitted to the Operator in the process of using the Site using the software installed on the User's device, including the IP address, information about the browser and the type of operating system of the User's device, technical characteristics of the equipment and software used by the User, date and time of access to the Site.

7. MEASURES TAKEN BY THE OPERATOR TO PROTECT PERSONAL DATA

7.1. The operator takes the necessary and sufficient legal, organizational and technical measures to protect the information provided by the Users from unauthorized or accidental access, destruction, modification, blocking, copying, distribution, as well as from other illegal actions of third parties with it. Such actions include, in particular:

• Appointment of a person responsible for the processing of personal data;
• Registration in the register of personal data operators;
• Application of organizational and technical measures to ensure the security of personal data during their processing in information systems;
• Controlling the facts of unauthorized access to personal data and taking measures to prevent similar incidents in the future;
• Control over the measures taken to ensure the security of personal data and the level of protection of information systems of personal data.

8.USER RIGHTS

When using the Site, the User has the right to:

1. 1. At its own discretion, provide the Operator with personal data for their processing on the conditions specified in the Policy;
   2. Independently make changes and corrections to your personal data in your Personal Account;
   3. Delete your personal data from your Personal Account;
   4. Require the Operator to clarify their personal data, block or destroy them if such data are incomplete, outdated, unreliable, illegally obtained or are not necessary for the stated purpose of processing. The request is made in the manner provided for in section 9 of the Policy;
   5. Send the Operator an application to revoke your consent to the processing of personal data in the manner prescribed in Section 9 of the Policy;
   6. On the basis of a request, receive information from the Operator regarding the processing of his personal data in the manner prescribed in Section 9 of the Policy.

9 USER REFERRALS

1. 1. The User has the right to send his requests and requirements to the Operator (hereinafter - Appeal), including regarding the use of his personal data, as well as withdrawal of consent to the processing of personal data. The user has the right to send requests to the Operator in the following ways:
      1. In writing to the Operator's address specified in section 11 of the Policy;
      2. In the form of an electronic document (scanned or photocopy of a document) sent from the User's email address specified by him during registration on the Site, to the Operator's email address: [email protected]

1. 1. The request or demand sent by the User must contain the following information:
      1. Surname, name, patronymic of the User;
      2. Data of the main identity document of the User or his representative;
      3. Information confirming the participation of the User in relations with the Operator (in particular, the User's login and password on the Site);
      4. The essence of the appeal;
      5. Signature of the User or his representative.

9.3. The Operator undertakes to consider the appeal, send a response to the received appeal and, if there are legal grounds for this, to satisfy the requirement stated by the User within the time frame established by law. The response to the appeal, as well as the notification of the actions taken with the User's personal data upon his appeal, are sent in a form corresponding to the form of the User's appeal.

10. POLICY CHANGE

1. 1. The operator reserves the right to amend the Policy. The User is obliged to familiarize himself with the text of the Policy at each use of the Site or its services.
   2. The new version of the Policy comes into force from the moment it is posted in the appropriate section of the Operator's website. Continuing to use the Site or its services after the publication of a new version of the Policy means acceptance of the Policy and its terms by the User. In case of disagreement with the terms of the Policy, the User must immediately stop using the Site and its services.

11. INFORMATION ABOUT THE OPERATOR