At the numerous requests of webmasters and site owners, we have published a free sample Privacy Policy for sites with a feedback, subscription or call-back form.

We took this step because a Policy in this form does not provide for the processing of personal data as such, and therefore leaves little room for variation. Bear in mind that it is not suitable for sites that do process personal data. For example, online stores and other services where the user provides more than a phone number or email address require closer attention to the processing of personal data.

So we thought about how to draw up a "popular" Privacy Policy. A simple template is not enough here. As a basis we took the Roskomnadzor Recommendations published in 2017 (hereinafter the "Recommendations") on preparing a document defining the operator's policy with respect to the processing of personal data (hereinafter the "Policy"), and supplemented them with live examples.

Let's see what came of it.

Section 2 of the Recommendations reproduces the basic concepts of the Federal Law "On Personal Data". We skip it as redundant. If anything, it is better to introduce your own terms into the Policy that make the statutory ones concrete.

Section 3 finally contains the long-awaited advice on the structure and content of the Policy. Let's go through it in detail.

1. General provisions of the Policy

In this section, it is recommended to describe the purpose of the Policy, to include the basic concepts used in it (processing of personal data, operator, personal data subject, confidentiality of personal data, etc.), and to list the basic rights and obligations of the operator and of the personal data subject(s).

So let's start with the definitions. In order not to repeat Federal Law 152, we suggest referring to the specific clauses and sections of the Policy that make the concepts concrete. Below is an example of the terms and definitions section of a Privacy Policy for an online store.

1.1. In this document, and in the relations between the Parties arising from or related to it, the following terms and definitions are used:

Personal Data - the data provided by the personal data subject or their representative, the volume and composition of which are specified in clause X.X of the Policy.

Administration - LLC "Romashka", INN XXX, OGRN XXX, address: XXXXX, which legally owns and/or manages the Site. In the cases provided for by this Policy, the Administration acts as the personal data operator.

User - a person using the Site for the purpose of concluding and/or performing Agreements.

3. Legal basis for the processing of personal data

According to Roskomnadzor's explanation, the legal basis for processing personal data is the set of legal acts in pursuance of and in accordance with which the operator processes personal data.

Where the link described above exists, the contracts concluded between the operator and the personal data subject may be cited as the legal basis for processing personal data.

If PD are processed for other purposes, a separate consent to the processing of personal data must be cited as the basis.

4. The volume and categories of processed personal data, categories of personal data subjects

Roskomnadzor warns that the content and volume of the processed personal data must correspond to the stated purposes of processing. The processed personal data must not be excessive in relation to those purposes.

First, we list the data from the fields of the online feedback, order, subscription and registration forms. Then we look closely at the composition of the information the user enters when filling out the profile in their personal account.

Additionally, we list the data requested by support or the sales department when orders are placed or processed by phone or at service points.

5. The procedure and conditions for the processing of personal data

Here we choose from a list. Federal Law 152 provides for the following operations with personal data: collection, recording, systematization, accumulation, storage, clarification (updating, changing), extraction, use, transfer (dissemination, provision, access), depersonalization, blocking, deletion and destruction of personal data.

Processing methods may include:

a) automated processing of personal data;

b) processing of personal data without the use of automation tools.

According to the definition given in Federal Law 152, automated processing of personal data is processing of personal data by means of computer technology.

It would seem that any action with PD performed using computer technology falls under this. But it is not so simple. Let's look at the Regulation on the specifics of processing personal data without the use of automation tools, approved by Decree of the Government of the Russian Federation No. 687 of September 15, 2008.

Clause 1 states that the processing of personal data contained in a personal data information system, or extracted from such a system (hereinafter referred to as personal data), is considered to be carried out without the use of automation tools (non-automated) if such actions with personal data as use, clarification, dissemination and destruction are carried out in relation to each personal data subject with the direct participation of a person.

Processing of personal data cannot be recognized as carried out using automation tools solely on the grounds that the personal data are contained in a personal data information system or were extracted from it (clause 2).

In other words, if PD in your site's personal data information system are not used, clarified, disseminated or destroyed automatically, without human participation, you can safely choose the second processing method: processing of personal data without the use of automation tools.

The result of this simple step is a lawful refusal to apply the draconian requirements of Federal Law 152 on automated processing of PD in information systems, provided the condition in clause 1 genuinely holds for your system.

As for the period of PD processing, we propose indicating at least the term of the agreement in performance of which the PD were requested. To the term of the contract you can add the 3-year limitation period for protecting rights in connection with its performance.

Roskomnadzor reminds that when storing personal data the operator must use databases located on the territory of the Russian Federation, in accordance with Part 5 of Art. 18 of the Federal Law "On Personal Data". It is not necessary to reflect this in the Policy, since it concerns factual circumstances, although for form's sake you may include a declarative clause on processing PD on the territory of Russia.

The list of cases in which personal data may be transferred to third parties typically includes:

  • the user has consented to such actions;
  • the transfer is required for the conclusion and performance of agreements on or using the Site;
  • at the request of a court or other authorized state body within the procedure established by law;
  • to protect rights and legitimate interests in connection with a breach of agreements concluded with the user.

Within certain limits, this list can be expanded to cover the sale of the Site or the transfer of personal data in anonymized form.

In addition, Roskomnadzor recommends indicating in this section of the Policy information on compliance with the confidentiality requirements for personal data established by Art. 7 of the Federal Law "On Personal Data", as well as on the operator taking the measures provided for in Part 2 of Art. 18.1 and Part 1 of Art. 19 of that Law.

In practice, this boils down to a statement that the Site Administration stores Personal Data and protects it from unauthorized access and dissemination in accordance with its internal rules and regulations. That statement should describe what the site actually does, not what it would like to do.

6. Updating, correcting, deleting and destroying personal data, responding to requests from subjects for access to personal data

Roskomnadzor recommends including in the Policy the procedure(s) for responding to requests and appeals from personal data subjects and their representatives, and from authorized bodies, regarding inaccuracy of personal data, unlawful processing, withdrawal of consent and the subject's access to their data, as well as the corresponding request forms.

In such cases it is usually stated that the user has the right at any time to independently edit the information they provided in their personal account. On termination of the concluded agreement, the user has the right to delete their personal account themselves or by contacting the support service at the email address [email protected].

If you wish, you can tighten the conditions for processing requests to change or delete PD by requiring the user to send registered letters with declared value to your address in Bobruisk.

7. Processing of anonymized data

Notably, Roskomnadzor has, as always, sidestepped the processing of data that is no less important to users but is not considered personal: information collected on the site automatically, such as cookies, IP address, device information and location, etc.

Apparently, Roskomnadzor stubbornly refuses to define the composition of PD, even by exclusion through information that is not personal. In practice, however, it is customary to include in the Privacy Policy a notice and the procedure for processing such data, so as to inform the user as fully as possible about the consequences of using the site.

Below is an example of such a notification.

You acknowledge and accept that third-party software may be used on the Site, as a result of which such third parties may receive and transmit data in anonymized form.
Such third-party software includes the Google Analytics visit statistics system.

The composition of the anonymized data collected by third-party software, and the conditions of its collection, are determined directly by the software's rights holders and may include:

  • browser data (type, version, cookies);
  • device data and location;
  • operating system data (type, version, screen resolution);
  • request data (time, referral source, IP address).

A full description of the conditions for processing anonymized data can be found in the sample Privacy Policy with which we began this article.

We wish you success in developing your own Privacy Policy in accordance with the recommendations of Roskomnadzor and the approaches developed in practice.

Privacy policy - how to do it right?

July 2017 made site owners quite nervous. The reason is the amendments to Article 13.11 of the Code of Administrative Offenses of the Russian Federation that entered into force on July 1, 2017 (see Federal Law No. 13-FZ of February 7, 2017 "On Amendments to the Code of Administrative Offenses of the Russian Federation"), which toughen administrative liability for violating the procedure for processing personal data.

Fines for businesses range from 5,000 to 75,000 rubles. The upper figure applies to organizations that have processed personal data, for example, without the written consent of the personal data subject.

Before sounding the alarm and rushing to disable the feedback forms on the site, you need to check your own site for the presence or absence of documents regulating relations with users, including the processing of the data they leave, and evaluate their content in terms of transparency, completeness, consistency and sufficiency.

If you do not know how to do this correctly, or what a privacy policy should include, we suggest paying attention to the following key points.

1. Why do I need a Privacy Policy?

We think the answer is obvious. The document regulating the processing of users' personal data and posted on the site is nothing more than the rules of the game established by the site owner in its relations with users. The purpose of fixing and posting such rules is to reduce the risks arising from personal data legislation and, where necessary, to rebuff consumer extremism.

2. Which name is best: an offer, an agreement on the processing of personal data, or a privacy policy?

From a legal point of view, the name of the document regulating the processing of users' personal data does not matter. The rest is a matter of taste for each site owner. For our part, we prefer the name "privacy policy" for its breadth, widespread use and clarity for the user.

3. Where is it best placed: as a separate document or as part of an offer or user agreement?

There are no binding rules and no universal template here either. You can set out the necessary provisions in a separate document or make them part of, for example, a user agreement.

As a rule, the user agreement covers many aspects of using the site, which affects the length of the document. Including data processing provisions in the user agreement would clearly overload it and make it harder for the user to read.

When posting two separate documents on the site (for example, a privacy policy and a user agreement), we recommend checking them for consistency with each other and for cross-references to each other.

4. Is it necessary, in addition to the Privacy Policy, to post a separate consent form for the processing of personal data?

The answer is simple. If it is clear from the Privacy Policy what data the user agrees to have processed and for what purpose, a separate consent form is superfluous.

5. How do you make the rules work?

The privacy policy is the same kind of offer (agreement), only on matters of processing users' personal data. For the user to be deemed to have accepted the terms on which the site owner processes their data, they must accept the proposed rules.

Such acceptance can take the form of:

b) putting marks in the fields,

c) performing a sequence of actions,

d) use of the site functionality.

"The user agrees to the provisions of this Privacy Policy by clicking the "Accept Privacy Policy" or "Continue" button, by ticking the box during Registration, including at any stage of such registration, and/or at any time when using the site."

6. What to include in the Privacy Policy (hereinafter also the Policy)?

There is no universal template for a Privacy Policy. In any case, when drawing it up, consider the specifics of the site: its purpose, functionality, circle of users and the amount of data they leave.

Analysis of the current legislation on personal data processing, together with our own experience, has allowed us to formulate the following recommendations for site owners on the content of the Privacy Policy:

a) a section with terms and definitions is optional. For the convenience of the user and the uniformity of the documents on the site, you can include a section with concepts and definitions common to both the Privacy Policy and the User Agreement (for example, "Privacy Policy", "user", "site", "site owner", "personal account", etc.).

The absence of such a section in the Privacy Policy creates no risks for the site owner.

b) set out the general provisions, describing:

  • the subject of the Policy (e.g., "regulates the procedure for processing users' personal data, including with the aim of ensuring the security of processing of users' personal data and ensuring their rights and interests when personal data are processed");
  • the form in which the user accepts the terms of the Policy and of data processing (an example is given in point 5 of this article);
  • the place for resolving disputes arising from the Policy, with a proviso (for example, "all possible disputes regarding this Privacy Policy and the relationship between the user and the Site Administration will be resolved under the norms of Russian law in the court at the location of the Site Administration, unless otherwise expressly provided by the legislation of the Russian Federation").

The proviso is necessary to comply with applicable law, while the choice of the site owner's location as the place of dispute resolution is intended to have a largely preventive effect on the user.

  • the procedure for changing and updating the Policy (for example, "The Site Administration reserves the right to change and/or supplement this Privacy Policy without special notice. The new edition of the Privacy Policy comes into force from the moment it is posted on the website page, unless otherwise provided by the new edition. The current edition of the Privacy Policy is always available on the website page at ...").

It is worth stating that the user's silence is regarded as consent to the changes and/or additions to the Privacy Policy.

  • the absence of access to data that the user leaves on third-party sites. This may concern the user's payment for services and the provision of their payment details.

In this case it is worth stating clearly, for example, the following: "The User acknowledges and confirms that any data (including bank card details) directly or indirectly related to payment for services are entered by the User on the pages of sites owned by third parties unrelated to the Site Administration; the Site Administration has no access to such information and takes no action with respect to such data, including their collection, systematization, accumulation, storage, clarification (updating, changing), use, dissemination (including transfer), depersonalization, blocking, destruction or cross-border transfer."

c) record the grant of consent to the processing of personal data. This is simply a "must have" for any privacy policy. State that by giving consent the user acts of their own free will and in their own interest. Consent is given by the user from the moment of registration on the site and/or performance of other actions related to the use of the site's services or functionality.

d) indicate the purposes for which consent is given. Several options are possible at the same time:

  • for the purpose of concluding an agreement with the Site Administration, other agreements directly provided for by the Policy or posted on the website pages, and their further performance;
  • participation in promotions, decision-making or other actions that give rise to legal consequences for the user or other persons;
  • acceptance and processing of requests;
  • informing about the status of a request or service, for example by email and SMS notifications;
  • improving the quality of the site;
  • conducting statistical and other studies based on anonymized data.

The key option is the first one, indicating that data are provided in order to conclude agreements with the Site Administration and perform them. In the event of problems with Roskomnadzor, this option will explain the absence of consent to the processing of personal data "on paper", as well as the site owner's failure to send a notification to Roskomnadzor.

e) describe the composition of the personal data. Remember that not all user data is personal. Personal data is a set of data that makes it possible to identify the user, for example, name and residential address.

You can state that consent extends to the surname, first name, patronymic, address, telephone number and any other information relating to the user's identity that is available to or known by the Site Administration at any given time.

f) indicate the period for which consent is given. This can be worded as follows: consent is given by the user until the expiry of the retention period for the relevant information or the documents containing it, as determined in accordance with the legislation of the Russian Federation, after which it may be withdrawn by the user by sending a written notice to the Administration at least 3 months before the withdrawal of consent.

g) fix the scope of possible processing actions. Here we assume that the more possible actions with the data are described, the better: consent is granted to carry out any actions with the personal data that are necessary or desirable to achieve the above purposes, including, without limitation: collection, systematization, accumulation, storage, clarification (updating, changing), use, dissemination (including transfer), depersonalization, blocking, destruction and cross-border transfer of personal data, as well as any other actions with the user's personal data, taking into account the current legislation of the Russian Federation.

h) indicate the methods of data processing. You can specify the following: storage, recording on electronic media and their storage, compilation of lists. Note separately that this list of processing methods is not exhaustive.

i) include the right of disclosure to third parties. It is worth recording the right of the Site Administration to transfer data to third parties in order to achieve the purposes specified in the Policy, as well as the user's consent to this.

j) define the procedure for sending legally significant communications. To regulate the flow of incoming user requests on data processing issues, it is worth complicating the procedure for contacting the Site Administration. This can be done by requiring a written form for such requests and defining the method of submission: sending them to the postal address indicated on the site and/or delivering them by courier. Additionally, it is worth stating that requests and notices submitted in any other way may be left unconsidered.

Part 3

Compliance with legal requirements for privacy policy

    Do you need a privacy policy? Do you collect personal information about customers, whether through transactions on a website or on a social network page? Then you must draw up and comply with a privacy policy. In other words, it sets out your terms for collecting, using, transferring and protecting third-party data. The Consumer Rights Office describes the importance of privacy and of a privacy policy on its website. The US Small Business Administration also recognizes the importance of confidentiality and privacy, as noted on its website.

    Explore the types of clauses in a privacy policy. A privacy policy contains a number of different provisions, including but not limited to the following:

    Make sure you don't make promises you can't keep. People very often make a serious mistake by using a phrase like "We do not share your personal information with third parties." Alas, sales and online transactions as such leave no way to avoid sharing this information. For example, an intermediary bank processing a customer's credit card payment must have at least some information about the customer. Such statements can cost you dearly, so it is important to have the privacy policy reviewed by a professional lawyer.

