Personal data operator: functions and responsibilities, features
Anonim

Personal data operator - who is this? Not everyone knows what kind of activity this is. Meanwhile, in the age of technology, it is increasingly in demand. So who is the operator of personal data? Let's talk about it in the article. And to make it clearer, let's start with a definition.

Definition

A personal data operator is a natural or legal person, as well as a municipal or state institution that processes and receives personal information, determines the purposes and procedures for the provided data.

The operator has the right to work autonomously, or may turn to third parties for help. The latter are also considered operators in this case.

What is personal data

We figured out who is processing personal information. This is the operator of personal data. But what is meant by personal data? The law does not have a list that would clearly answer this question. As a rule, personal information includes passport data, identification number, seniority, place of registration and residence, place of work, family composition, education. In rare cases, this may include data on benefits or health status.

In fact, a personal data operator is an institution that accepts personal information from a person. Even if it is only passport data, the organization is still considered the operator of personal data.

The most famous examples of such operators can be given. These are banks that work with clients and information about taxpayers, travel agencies. This also includes sites that require information about the subscriber for registration, stores where discount cards are issued. The list also includes clinics that have access to medical cards. This is not a definitive list, it is simply impossible to list all organizations and institutions that process personal information.

Where the information is found

Naturally, such a volume of information must be contained somewhere. For this reason, a register of personal data operators was introduced. This is a specific base of Roskomnadzor, which reflects all legal entities and individuals who are considered operators.

To be included in the database, it is enough to independently declare to the Roskomnadzor authorities by submitting a written application or sending an e-mail. And you can also notify the authorities on the letterhead of the enterprise. This procedure was described in detail in the order of the Russian Ministry of Telecom and Mass Communications of 2011.

Since all operators are included in the register of personal data operators, they are required to notify Roskomnadzor of all changes relating to operations with personal information and its processing. The latter, in turn, controls the work of operators and periodically conducts checks.

The list of personal data operators of Roskomnadzor is available to everyone, it can be viewed on the official website of the service.

By the way, the body cannot refuse a legal or natural person to be entered in the register. If this happens, then the service violates the law, which means that a fine is imposed on Roskomnadzor. The amount of the latter can reach five hundred thousand rubles.

Obligations of operators

As with any activity, working with personal information is subject to obligations and rights. Consider the responsibilities of personal data operators.

Roskomnadzor obliges to notify the service that they have begun to process information. This obligation is imposed in accordance with Article 22 of the Law "On Personal Data". The notice must contain the following information:

  1. Operator's address, name or first name, surname, patronymic.
  2. Basis for processing personal information.
  3. Personal information category.
  4. Category of the subject whose personal data is to be processed.
  5. Link to regulatory documents that allow the processing of information.
  6. List of actions that the operator will perform for the processing of personal data, as well as a description of the methods that he will use in the process.
  7. Measures taken to protect information.
  8. Name of the legal entity, or name, surname and patronymic of the individual, responsible for organizing the processing. In addition, contact phone numbers, email address and postal address must be provided.
  9. Date from which data processing begins.
  10. Terms for processing and conditions under which it is terminated.
  11. Information about whether or not there is a cross-border data transfer at the time of processing.
  12. Information about where the database is located, which contains the personal information of citizens of our country.
  13. Data about the security of information and whether it meets the requirements set by the government of our country.

This does not mean that in any situation, personal data processing operators must notify Roskomnadzor. There are times when this is not necessary at all. For example, there is no need for notification if an employer processes information about its employees. This also includes the situation when a contract is concluded with a client for something. In this case, the rule works only as long as the information is not provided to third parties without the consent of the client. There is no need to write a notice to those who issue a one-time pass to some territory, process the data that is freely available, use only the first name, surname and patronymic of a person.

The register of personal data operators of Roskomnadzor imposes an obligation in the form of ensuring the confidentiality of personal information. That is, it is impossible to distribute any information about a person without his consent. This is one of the main requirements for operators.

Obligations of employers

There are points that employers must comply with when transferring data:

  1. Do not disclose information about an employee to third parties without his consent. It is important to remember that consent must be given in writing. But this does not apply to situations where disclosing the information helps to prevent a threat to the health and life of an employee or it is required to transfer data to government services. The latter include the Pension Fund, law enforcement agencies, the Federal Judicial Service, military commissariats, the prosecutor's office and other bodies.
  2. Warn persons who receive personal information that it can only be used for its intended purpose. By the way, the employer has every right to demand confirmation of compliance with this rule.
  3. Transfer personal data within only one enterprise or one entrepreneur. This should take place in accordance with an internal document that the employee has read and signed.
  4. Allow only authorized persons to deal with personal information. This does not mean that these people can request any information, they have the right to use only the data that is needed to perform certain tasks.
  5. Do not touch upon the health of an employee if this does not affect his direct work duties.
  6. Limit the information an employee representative receives to only what is needed to perform the functions specified by the representative.

All these norms are defined by the Law "On Personal Data" and some articles of the Labor Code. Let's return to the register of personal data operators of Roskomnadzor and their duties.

Other duties

We have already mentioned above what operators should do. Let's get back to this issue.

Operators are required to take steps to ensure the security of personal information. For this purpose, the company selects a person who is responsible for organizing the processing of personal data. This person must control the performance of duties by the operator of personal data, compliance with the latter's requirements for the security of using information. The same person is obliged to acquaint the employees involved in the processing with the new amendments to the Law "On Personal Data", as well as internal acts on processing issues. He is also charged with organizing the processing of appeals and requests from people whose data is being processed, as well as receiving these appeals. In addition to briefing, it is necessary to monitor the use of technical security equipment and issue documents that regulate the company's policy on this issue.

As for the policy of the personal data operator, it should be public. To do this, the document is posted on the operator's website, and everyone who needs it can familiarize themselves with it. If the site is not available, then you can install a stand with the necessary information in such a place that all clients and visitors of the organization can familiarize themselves with it.

It is important to remember that for those personal data operators whose documents are requested via the Internet, publication on the website is the only option. On the Roskomnadzor website, you can find information regarding the operator's policy.

Often there is a substitution of concepts about the policy of the enterprise and the provisions on the storage, protection and processing of personal information. The last document is considered an internal act, so only employees of the enterprise get acquainted with it, after which they sign it.

Another responsibility of the operator is to comply with the requirements for the localization of personal information of citizens of our country. The fact is that since 2015, all operators, while collecting personal information, are obliged to process them using databases that are located in our country. As soon as the law was passed, there were a lot of ambiguities, but over time they were resolved. Now it is known for sure that, for example, operators of personal data by communication are obliged to use information bases.

The last duty is the need to stop processing personal information in time. If the information has been used and the person whose data was being processed decides to withdraw consent to the processing, then the operator must stop processing the data and delete it within a month. It is important to understand that a different term may be specified in the agreement, which is why it is so important to read the documents.

Operator rights

Besides duties, operators have their own rights. True, they are few, but nevertheless, they should not be forgotten. The list of personal data operators gives the latter only one right: to receive information about changes in the law if they relate to personal data.

Who is included in the base

We have already said above that not everyone needs to be entered into the register of personal data operators. Who should file the notification?

  1. Internet resources. This includes portals, social networks, forums, because registration requires personal data, albeit a little.
  2. Online shopping. They need this because buyers leave a contact phone number for a callback or postal address when ordering.
  3. Sites that publish information about the subject or send it to e-mail. And also here you can include those sites that already contain personal information.
  4. Organizations, companies or entrepreneurs who are constantly processing data. These are accounting and legal offices, travel agencies, housing and communal services, registrars, registrars, medical institutions and banks, educational institutions, companies that provide services and issue club cards.
  5. Organizations that work under civil law contracts with freelancers.
  6. Firms that use CRM systems.

Attention! Roskomnadzor may block an Internet resource if the latter violates the law in the field of data processing.

Employer - operator or not?

We have already indicated that everyone should make changes to the register of personal data operators, but opinions about employers are still different. As a rule, they are classified as personal data operators, but there are exceptions. For example, these are those managers who store and collect information only in order to draw up an employment contract or an internal order in accordance with the law.

Who is not considered an operator

Registration of a personal data operator is not necessary for all people and organizations. Who can do without it?

  1. Telephone companies that use subscriber data only to provide communication services.
  2. Religious and social organizations that use personal information about members only for the purposes specified in the founding documents.
  3. Institutions and individuals who use the data that the subject has self-disclosed.
  4. Companies that issue one-time passes.
  5. Public data systems designed to protect and maintain public order.
  6. Organizations processing data without automated systems.
  7. Transport companies that receive information for issuing travel tickets.

It is important to understand that for Roskomnadzor it does not matter whether an organization or person is included in the register of operators processing personal data or not. The service has the right to pay an inspection visit to any institution. That is, even those who are not legally considered operators may be liable for non-compliance with the requirements for the protection of personal data.

How to get the right to process personal information

To ensure the security of the transmission and storage of personal information, a licensing and certification process has been developed for organizations that store and collect data.

To obtain a license, it is not enough to send employees for training, you also need to purchase technical means of protection. Obtaining a license takes place in several stages:

  1. Sending a notification to the register of personal data processing operators regarding the existing intention to process.
  2. Passing a preliminary survey of information systems available to the enterprise.
  3. Designing a protection system taking into account the infrastructure of automation and computer equipment.
  4. Procurement and implementation of protective equipment.
  5. Bringing the premises in line with the requirements for security, fire safety, power supply.
  6. Training employees or improving their skills in the field of personal data protection with subsequent certification.

If all points are met, then the storage and protection of personal information will be effective.

It is important to understand that all points relate to the processing of information in electronic form, although this method cannot be called safe for stored data.

Checking the activities of operators

The operator who processes personal data is periodically subjected to inspection by Roskomnadzor. The latter can be carried out according to the plan, or it can be based on the complaint of the person who suffered from the illegal actions of the operator.

There are three departments that control compliance with the law on the processing of personal data:

  1. Roskomnadzor. It performs compliance checks and is also responsible for conducting the checks.
  2. Federal Service for Export and Technical Control. This service protects the data that is in computers within the organization, and their transmission channels. The latter only occurs when the information is not encrypted.
  3. Federal Security Service. It controls encryption means of transmission and processing of personal information. It also develops and distributes these products.

You can check which organization this or that operator belongs to yourself. To do this, go to the Roskomnadzor website and find the register of operators.

To view the information, you just need to enter the registration number of the company or its name. A tax identification number will work too.

You can also find out how legitimately the information was requested. If the company is not on the list, then you can contact Roskomnadzor. It will either include the company in the registry, or prohibit its illegal activities to collect personal data.

Inspection is carried out on the basis of an appeal from citizens or at the initiative of a departmental body, for example, the prosecutor's office. For violation of the processing and storage of personal information, liability is provided. Punishment can be administrative, criminal or disciplinary, it all depends on how serious the violation is.

How to protect yourself

In theory, to avoid such problems, citizens are advised to check the organization for being on the relevant list before giving consent to the processing of personal information.

In fact, people rarely do this, if only because most people don't even know about the existence of such a registry.

It is especially worth looking at small organizations that do not always have the appropriate conditions for processing information. If there are suspicions about this, then consent is not necessary. Let them refuse you in one place, but you can find a more suitable organization and you will not have any problems.

Data subject rights

Despite the fact that each operator has its own personal data policy, it should not go against the law. That is, all rights of people who provide personal information about themselves must be respected.

Fundamental rights include:

  1. The right to access your own information. That is, a person has the right to know who processes his data, for what purpose and who will see the information. A person may require clarification of data, block it or delete it altogether. To get access to your data, you need to submit a request to the operator. This can be done both by the subject himself and by his representative. There are also restrictions on this right, for example, if the data affects the security of the state, violates constitutional freedoms and the rights of third parties, or interferes with operational-search activities.
  2. The right to process personal information for the promotion of goods, services or works on the market or for the purposes of political campaigning. Data processing takes place only if the subject agrees to this. In the event of a conflict, the processing is deemed to have taken place without the consent of the client, unless the operator has been able to prove otherwise. As soon as the subject requests to stop processing data, the operator is obliged to do so.
  3. The subject's right to make decisions based on automated processing of personal information. It is prohibited by law to process data without the written consent of a person, only on the basis of automated processing. Exceptions are provided by federal law.
  4. Right to appeal the operator's inaction or action. A person has the right to apply to the authorized body for the protection of the rights of subjects of personal information or to the court. However, there must be grounds for such treatment, for example, violation of rights or improper processing of data.

The subject may also seek damages or material compensation in court.

Conclusion

As you can see, this issue is heavily regulated. Indeed, it is precisely because of the uncontrolled receipt of personal information that citizens of our country become victims of fraudsters and simply dishonest people. The state is trying to tighten the requirements as much as possible so that you can at least somehow guarantee the security of storing data.

Various protective systems are being developed, and enterprises are being certified and licensed precisely to make life easier for ordinary citizens.

However, people should not be idle either. After all, our own well-being depends on us. In the article, we described how you can check whether an organization is in the register or not. Use this information, do not consent to the processing of data by dubious institutions, and then you will not have to prove that your rights have been violated. The troubles of most of us are due to inattention, and all because they are not used to reading documents before signing them. Meanwhile, this must be taught from the cradle, as well as take care of the legal knowledge of the child. The sooner we start preparing children for adulthood, the easier it will be for them.
