Identity theft crimes have been relevant for Russia for several years now, so it has become important to properly process and store personal data, ensure their security and prevent information leaks. In 2006, Federal Law 152-FZ "On Personal Data" entered into force, which obliges all organizations to correctly draw up and maintain up to date documentation related to the protection of personal data.

Registration of documentation on the protection of personal data

The online service is designed to help organizations prepare documentation for the protection of personal data with minimal expenditure of time and money. The procedure for entering and processing information is extremely simple; even an employee without legal training can handle it. It is enough to enter basic data into online forms (information about the organization, a list of persons allowed to process personal information, the accessible information systems) and the service itself will generate all the necessary documents.

By connecting to the service for processing documentation on the protection of personal data, you will receive:

1. Simplified document management system.

The main advantage of this system is the ease of information management. The step-by-step implementation of simple requirements allows you to form and control the process of changing about 100 documents without long-term specialized training.
Depending on the form of ownership of the organization, the staff, the availability of information security tools, the service will prompt the steps necessary to form a package of documents. When you change one of the necessary parameters, you just need to enter the relevant data into the system, and when the legislation is revised, you will receive a timely automatic notification.

2. Information and technical support.

If you have any questions about the operation of the service or need technical support, experts are ready to advise you in an online consultant, by phone or email. In some cases, it is possible for a specialist to visit to resolve emerging issues. In addition, engineers can help you find the right set of information security tools.

3. Security.

In most cases, all you need to do is gain access to an online service. Information is processed on servers, which are accessed through secure channels.
The firmware that protects the server is not only certified for information security requirements, but also provides maximum data protection against unauthorized access. The information is automatically copied to backup media, therefore, in the event of equipment failures, it will be easy to restore it.

4. Remote access.

You can use the service from any computer on which the appropriate software for secure access is installed, on any day of the week, 24 hours a day. This is especially important if you work a flexible schedule or need to urgently complete a project at an inopportune time.

5. Automatic update.

The relevance of the base is guaranteed by contractual obligations. By subscribing to the use of the service, you receive guarantees from the developer who is responsible for the timely updating of information. When the legal framework changes, users who have access to the organization's account receive special notifications about the need to correct data.

6. Guarantees of the developer's organization.

GK "Information Security Center" has a staff of experienced engineers who monitor the latest changes in legislation. Taking into account the changes, the online service document templates are promptly adjusted.

7. Possibility of free testing of the service.

The opportunity to use the demo version of the service for free for 1 month will allow you to evaluate the benefits of the service.

1. General

1.1. The Regulation regarding the processing of personal data (hereinafter - the Regulation) is aimed at protecting the rights and freedoms of individuals whose personal data is processed by Limited Liability Company "Turbodok" (hereinafter referred to as the Turbodok service).

1.2. The regulation was developed in accordance with clause 2, part 1 of Art. 18.1 of the Federal Law of July 27, 2006 No. 152-FZ "On Personal Data" (hereinafter - the Federal Law "On Personal Data").

1.3. The regulation contains information to be disclosed in accordance with Part 1 of Art. 14 of the Federal Law "On Personal Data", and is a publicly available document.

2. Information about the processing of personal data

2.1. The Turbodok service processes personal data on a legal and fair basis in order to fulfill the functions, powers and duties assigned by law, to exercise the rights and legitimate interests of the Turbodok service, Turbodok service employees and third parties.

2.2. The Turbodok service receives personal data directly from the subjects of personal data.

2.3. The Turbodok service processes personal data in automated and non-automated ways, using computer technology and without using such means.

2.4. Actions for the processing of personal data include collection, recording, systematization, accumulation, storage, clarification (update, change), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion and destruction.

2.5. Databases of information containing personal data of citizens of the Russian Federation are located on the territory of the Russian Federation.

3. Information about the Turbodok service

3.1. Full corporate name of the legal entity: Limited Liability Company "Turbodok".

3.2. Turbodok service address: 127006, Moscow, st. Dolgorukovskaya house 35, pom. 51.

3.3. TIN 7707847355, KPP 770701001.

3.4. Responsible for organizing the processing of personal data: Osmolovsky Dmitry Nikolaevich.

3.5. The address of the Turbodok service on the Internet at.

3.6. The database of information containing personal data of citizens of the Russian Federation is located at: City of St. Petersburg, Bolshoi Sampsonievsky Prospect, 77. Center of Dedicated Servers LLC (License for Telematic Communication Services No. 123019).

4. Information on ensuring the security of personal data

4.1. The Turbodok service appoints a person responsible for organizing the processing of personal data to fulfill the obligations provided for by the Federal Law "On Personal Data" and the regulatory legal acts adopted in accordance with it.

4.2. The Turbodok service applies a set of legal, organizational and technical measures to ensure the security of personal data to ensure the confidentiality of personal data and their protection from illegal actions:

- provides unrestricted access to the text of the Regulation on the promo site of the Turbodok service: http://site/position-personal-data-turbodoc;

- in pursuance of the Regulation, approves and enforces the document "Regulation on the processing of personal data" and other local acts;

- familiarizes employees with the provisions of the legislation on personal data, as well as with the Regulation;

- grants employees access to personal data processed in the information system of the Turbodok service, as well as to their physical media, only for the performance of their job duties;

- establishes the rules for accessing personal data processed in the information system of the Turbodok service, and also ensures registration and accounting of all actions with them;

- assesses the harm that may be caused to subjects of personal data in case of violation of the Federal Law "On Personal Data";

- identifies threats to the security of personal data during their processing in the information system of the Turbodok service;

- applies organizational and technical measures and uses information security tools necessary to achieve the established level of protection of personal data;

- detects facts of unauthorized access to personal data and takes response measures, including the restoration of personal data modified or destroyed due to unauthorized access to them;

- evaluates the effectiveness of measures taken to ensure the security of personal data prior to the commissioning of the information system of the Turbodok service;

- carries out internal control over the compliance of the processing of personal data with the Federal Law "On Personal Data", the regulatory legal acts adopted in accordance with it, the requirements for the protection of personal data, the Policy, the Regulation and other local acts, including control over the measures taken to ensure the security of personal data and their level of security during processing in the information system of the Turbodok service.

5. Rights of subjects of personal data

5.1. The personal data subject has the right:

- to receive personal data related to this subject, and information regarding their processing;

- to clarify, block or destroy his personal data if they are incomplete, outdated, inaccurate, illegally obtained or are not necessary for the stated purpose of processing;

- to revoke his consent to the processing of personal data;

- to protect their rights and legitimate interests, including compensation for damages and compensation for moral damage in court;

- to appeal against the actions or inaction of the Turbodok service to the authorized body for the protection of the rights of subjects of personal data or in court.

5.2. To exercise their rights and legitimate interests, personal data subjects have the right to contact the Turbodok service or send a request personally or with the help of a representative. The request must contain the information specified in Part 3 of Art. 14 of the Federal Law "On Personal Data".

2.1. The user expresses his consent to the terms of the Policy and gives the Operator specific and conscious consent to the processing of his personal data by the Operator under the conditions provided for by the Policy and the Law:

  • when registering on the Site - for personal data that the User provides to the Operator when filling out the registration form located on the Internet at. The user is considered to have given his consent to the processing of his personal data by checking the box “I accept the terms of the user agreement and consent to the processing of my personal data” at the moment of clicking the “Register” button;
  • when entering / changing personal data in the sections "My Profile and Programs" and "Settings" of the Personal Account - for personal data that the User provides when editing information in Personal account... The user is considered to have given his consent to the processing of his newly entered or changed personal data at the moment of clicking the “Save” button;
  • when filling out the feedback form - for personal data that the User provides to the Operator when filling out the feedback form located on the Internet at http://site/contacts/. The user is considered to have given his consent to the processing of his personal data entered in the fields of the feedback form at the moment of pressing the “Send” button;
  • when joining the team of the Operator's experts - for personal data that the User provides when filling out the application form located on the Internet at http://site/experts/. The user is considered to have given his consent to the processing of his personal data entered in the fields of the application at the moment of pressing the “Send” button;
  • when filling out an application to the Operator's Postgraduate School - for personal data that the User provides when filling out the application form located on the Internet at http://website/aspirant/. The user is considered to have given his consent to the processing of his personal data entered in the fields of the application at the moment of pressing the “Send” button;
  • when sending a message to the Operator's Career Development Center - for personal data that the User provides to the Operator when filling out the feedback form located on the Internet at http://website/career/. The user is considered to have given his consent to the processing of his personal data entered in the fields of the message form at the moment of pressing the “Send” button.

2.2. The period during which the User's consent to the processing of his personal data by the Operator is valid is 10 (ten) years from the date when the User is considered to have given the Operator consent to the processing of his personal data in accordance with the provisions of clause 2.1 of the Policy.

3. TERMS OF PROVISION OF PERSONAL DATA BY THE USER

The Operator proceeds from the fact that when providing his personal data on the Site, the User:

3.1. Is a competent person. In case of incapacity, consent to the processing of personal data is provided by the legal representative of the User who has read and agreed with the terms of the Policy;
3.2. Indicates reliable information about himself in the amount necessary for using the Site and providing services by the Operator to the User;
3.3. Keeps the provided personal data up to date. The consequences of the provision by the User of inaccurate or insufficient information are defined in the User Agreement located on the Internet at the address;
3.4. Agrees, free of charge, to the use of his photograph as the User's image. The User undertakes not to provide photographs of third parties as the User's image;
3.5. Realizes that when using the Site, information posted on the Site by the User about himself may become available to other Site Users and may be copied and distributed by such Users;
3.6. Is familiar with this Policy and expresses his informed consent to it.

4. PERSONAL DATA PROCESSED BY THE OPERATOR

4.1. The personal data of the User processed by the Operator when registering the User on the Site, changing the information in the Personal Account by the User, and the provision of services by the Operator in relation to the User include:

  1. Full Name;
  2. Telephone number;
  3. Email address;
  4. Account data in social networks (links to the User's profiles on VKontakte, Facebook, LinkedIn, Twitter);
  5. Picture;
  6. Home address;
  7. Date of Birth;
  8. Place of Birth;
  9. Place of work;
  10. Position;
  11. Profession;
  12. Data and a copy of the identity document;
  13. Data and a copy of the education certificate;
  14. Data and a copy of the marriage certificate (in case of a change of surname);

4.2. The personal data of the User processed by the Operator when the User completes the feedback form, the User's application form for joining the Operator's team of experts, when the User sends a message to the Operator's Career Development Center, include:

  1. E-mail address;
  2. Data that is automatically transmitted to the Operator in the process of using the Site by the software installed on the User's device, including the IP address, information about the browser and the type of operating system of the User's device, technical characteristics of the equipment and software used by the User, and the date and time of access to the Site.

4.3. The User's personal data processed by the Operator when the User completes an application to the Operator's Postgraduate School includes:

  1. City;
  2. E-mail address;
  3. The name of the course that the User took with the Operator;
  4. Link to the User's profile on Facebook;
  5. Data that is automatically transmitted to the Operator in the process of using the Site using the software installed on the User's device, including the IP address, information about the browser and the type of operating system of the User's device, technical characteristics of the equipment and software used by the User, date and time of access to the Site.

7. MEASURES TAKEN BY THE OPERATOR TO PROTECT PERSONAL DATA

7.1. The operator takes the necessary and sufficient legal, organizational and technical measures to protect the information provided by the Users from unauthorized or accidental access, destruction, modification, blocking, copying, distribution, as well as from other illegal actions of third parties with it. Such actions include, in particular:

  • Appointment of a person responsible for the processing of personal data;
  • Registration in the register of personal data operators;
  • Application of organizational and technical measures to ensure the security of personal data during their processing in information systems;
  • Controlling the facts of unauthorized access to personal data and taking measures to prevent similar incidents in the future;
  • Control over the measures taken to ensure the security of personal data and the level of protection of information systems of personal data.

8. USER RIGHTS

When using the Site, the User has the right to:

    1. At its own discretion, provide the Operator with personal data for their processing on the conditions specified in the Policy;
    2. Independently make changes and corrections to your personal data in your Personal Account;
    3. Delete your personal data from your Personal Account;
    4. Require the Operator to clarify their personal data, block or destroy them if such data are incomplete, outdated, unreliable, illegally obtained or are not necessary for the stated purpose of processing. The request is made in the manner provided for in section 9 of the Policy;
    5. Send the Operator an application to revoke your consent to the processing of personal data in the manner provided for in Section 9 of the Policy;
    6. On the basis of a request, receive information from the Operator regarding the processing of his personal data in the manner prescribed in Section 9 of the Policy.

9. USER APPEALS

    1. The user has the right to send his requests and requirements to the Operator (hereinafter - Appeal), including regarding the use of his personal data, as well as withdrawal of consent to the processing of personal data. The user has the right to send requests to the Operator in the following ways:
      1. In writing to the Operator's address specified in section 11 of the Policy;
      2. In the form of an electronic document (scanned or photocopy of a document) sent from the email address of the User specified by him during registration on the Site, to the email address of the Operator: [email protected]
    2. The request or demand sent by the User must contain the following information:
      1. Surname, name, patronymic of the User;
      2. Data of the main identity document of the User or his representative;
      3. Information confirming the participation of the User in relations with the Operator (in particular, the User's login and password on the Site);
      4. The essence of the appeal;
      5. Signature of the User or his representative.

9.3. The Operator undertakes to consider the appeal, send a response to the received appeal and, if there are legal grounds for this, to satisfy the requirement stated by the User within the time frame established by law. The response to the appeal, as well as notification of the actions taken with the User's personal data upon his appeal, are sent in a form corresponding to the form of the User's appeal.

10. POLICY CHANGE

    1. The operator reserves the right to make changes to the Policy. The User is obliged to familiarize himself with the text of the Policy every time he uses the Site or its services.
    2. The new version of the Policy comes into force from the moment it is posted in the corresponding section of the Operator's website. Continued use of the Site or its services after the publication of a new version of the Policy means acceptance of the Policy and its conditions by the User. In case of disagreement with the terms of the Policy, the User must immediately stop using the Site and its services.

11. INFORMATION ABOUT THE OPERATOR

This article is devoted to the various services that automatically generate a set of an organization's internal documents on the protection of personal data from information entered by the user. To be honest, it was originally an angry post. The irritation was caused by information, received through personal channels, that representatives of one of these services visit the chief doctors of medical institutions in the city where I live and frighten them with the prosecutor's office and punishment for violating the law "On Personal Data" if they refuse to subscribe to such a service... But chance intervened: while I was writing the article, urgent matters arose, and everything I had scribbled by then went into drafts for a week. During this time I have let off a little steam, and now I will try to calmly explain why such services will not ensure the proper quality of internal documentation on the protection of personal data, talk about other problems of such portals and, at the end, give a link to a hodgepodge collection of the same documents.

Problem #1. Misleading the client Lies

Here, it is probably worth starting right away with examples.

On one of the sites, the very first page states that the maximum fine for violating the rules for processing personal data is 300,000 rubles. This is not true. At the moment, Article 13.11 of the Code of Administrative Offenses of the Russian Federation provides for a maximum fine for legal entities of 10 thousand rubles. Apparently this refers to bill No. 683952-6, which expands Article 13.11 of the Code of Administrative Offenses and does increase the maximum fine to 300,000 rubles, but the bill passed its first reading last autumn and stalled. Whether it will finally be adopted is unknown. Conclusion: the authors of the site are either unaware of the situation or deliberately trying to exploit the fear of huge fines, which is also not good.

Second example: another service solemnly promises that with their documents you will successfully pass any inspection by any regulatory authority in the field of personal data protection. Firstly, the service does not generate such an important document as the "Threat Model", which even Roskomnadzor requires to be shown, and without it even a documentary check cannot be passed. Secondly, FSTEC and the FSB check more than just paperwork. Thirdly, I already wrote in my old article that in some regions (not all) a quota ("stick") system operates, and there it is not possible to pass the inspection successfully, no matter how well we prepare for it.

Problem #2. Lack of individualization

Of course, almost all services for preparing a set of documents will tell you about flexible personalization of a set of documents especially for you, but this statement could well be cited as a third example of problem number 1.

Honestly, at one time I myself wrote a similar template "filler" in Java, but it somehow did not take root in our work; the most it can do is automatically enter the name of the organization and other frequently repeated items into the documents. And here is why: if the goal is to write high-quality documentation, it will have to be written by hand, taking into account all the features of both the organization's business processes and the IT platform on which the personal data information system is built. At my work, as a rule, this is exactly the task, and to those who just need to "get through an inspection" we give the set of templates below. For free. But remember that regulators do not stand still either, and it becomes more and more difficult to pass an inspection with a set of template, unadapted documents from seven years ago.

Let me explain why template fillers will not help in developing a complete and useful set of documents. Take, for example, the important and useful Security Administrator's Guide. Of course, when a document is made for show, it contains a lot of filler and very few specifics. If we are making a full-fledged document, we need to describe all the duties and actions of the security administrator, depending on the conditions in which the personal data information system operates. And then it turns out that a huge number of factors affect the content of the document:

- is virtualization used?
- are mobile devices used?
- backup: by what means is it performed, how often, and where are the backups stored?
- etc.

Of course, you can try to take all this into account in the template, but then users of the services will have to collect and enter a huge amount of data, which contradicts the principle of "simple and easy, just pay money."

All that the template "filler" can do tolerably well is various orders to appoint responsible persons or any commissions. As soon as questions start related to business processes or the specifics of the IT infrastructure, problems begin.

Problem #3. Doubtful quality of the documents themselves

In part, the problem has something in common with the previous one, but if in problem No. 2 it was more about the features of automated filling, then here we are talking about the template text that is not subject to change. They manage to screw up in the simplest instructions.

Example. Usually, two persons responsible for the protection of personal data are appointed in an information system: one responsible for organizing the processing of personal data (mostly organizational issues) and an information security administrator (technical issues: configuring protection tools, etc.). Accordingly, these roles are usually abbreviated as "Responsible" and "Administrator". One of the services, however, called these two "responsible for organizing the processing of personal data" and "responsible for ensuring the security of personal data" and abbreviated them, as you have probably already guessed, as "Responsible" and (suddenly!) "Responsible". In the order appointing these responsible persons no catch is felt; the mess begins when the authors of the documents start describing the interaction of these two different people, and it turns out something like "Responsible for Responsible and Responsible drives."

Problem #4. Security

Oddly enough, services that are designed to improve information security themselves raise a number of questions, ranging from the banal lack of encryption when submitting forms with confidential data to how this data is stored by the service, how physical access to the servers is organized, and much more. Keep in mind that so far the services work on the principle of "easy and simple" and do not collect a large amount of information, but they may yet "improve". Even so, at least the personal data of the responsible persons and members of various commissions, as well as basic data on the information system, will have to be provided.

What is it all about?

I am convinced that selling blank documents for money, even dressed up with an automatic template filler, is the last century. I am convinced that bullying and deceiving potential customers is a dead-end marketing model. The cost of a subscription to such services ranges from 10 to 50 thousand rubles per year. For this money, you can hire a specialist who will prepare a high-quality kit with a full audit of business processes and IT infrastructure (yes, in a crisis, an experienced specialist may agree to work even for 10 thousand rubles). But if the choice fell on templates, then I don't see any point in paying money for them. Besides, you can google various documents for free. As I promised, to simplify this task, I have laid out some selection

Almost a month has already passed since July 1, 2017, when amendments to the Law FZ-152 "On Personal Data" came into force, and along with them requirements for all website owners about liability for violation when interacting with personal data of a client.

It is no longer possible to act as before - just get the personal data of a site visitor by inviting him to subscribe to news or a valuable product. Now we are obliged to warn everyone, without exception, that we will store and process personal data, even if we did not plan to do this.

All reflections and debates on the topic “what kind of data is personal”, “do I need to comply with the requirements of the law if I don’t collect and process customer data”, “I don’t sell anything, I just suggest subscribing to the website news”, “people make their own decisions when they leave their data in the subscription form - I do not force anyone”, etc., remain in the past. There is a lot of information on the Internet where you can find answers to these questions, and these disputes are meaningless. You just need to take the innovations for granted and take the necessary steps. Personally, I didn't spend a lot of time on such activities - I quickly figured out that in order to avoid fines, which had grown to 75,000 rubles, the easiest way was to do as "the law dictates" and started creating legal documents for my sites - the Privacy Policy and the User Agreement.

Since I cannot predict when a Roskomnadzor inspector will visit my website to record a violation, it was most logical to eliminate these violations in advance. Which I successfully did, and I advise the same to everyone who has:

  • subscription form on the site
  • feedback page
  • comment form

How to create a privacy policy and user agreement

I looked at several sites of colleagues who have already made changes and created the necessary documents, studied letters on this topic that came to the mail, and found a simple, understandable and very useful service 152fz.rf, which checked my sites for legal documents, issued its own verdict and offered to entrust it with their creation.

In general, everything suited me, and especially the fact that the text of the documents fully reflected my needs for processing and storing personal data of clients, and the fact that I could use his services for free.


The service provides in an accessible form all the information about who needs to comply with the requirements of the FZ-152 law and why. Then you will be shown what fines are threatened for non-compliance, who has already been punished and how, and you will be offered one of three tariffs.

For owners of ordinary sites, of which there are a great many on the network, the free tariff is suitable. And then, in the pictures, there are the step-by-step actions that I have done personally, for greater clarity and so that you have an idea of what information needs to be prepared to create documents.

After all the documents were created, I carefully studied the text of each of them, slightly corrected, and downloaded the pdf files to my computer. Then, using , which became my favorite lifesaver, I translated the PDF to WORD, copied the text and pasted it with a link to the service into the newly created pages of the site. Links to documents are also placed in the footer of the site.

I note right away that I decided to leave the Privacy Policy, which I created a little earlier, unchanged, and take the User Agreement from the 152fz.rf service. But I can change my mind))

You can do the same, or you can use other available methods for posting documents on your site:

  1. upload pdf files to the site and place links to these documents in a convenient place
  2. install the 152fz.rf widget on the website using the code on the page of ready-made documents

Newsletter subscription form

Another important step that needs to be done is to place the following text in the form of a subscription to new articles on the site or mailing of letters. You can change it if necessary.

By clicking on the button, I accept the user agreement and confirm that I have read and agree with the privacy policy of this site

I was not so lucky with the subscription form as with the legal documents - an emergency happened and when the inactive subscription form was deleted, the active one disappeared along with all subscribers ... It was not possible to restore, just like creating a new subscription form, and the sendpulse mailing service is still only feeding me promises to fix a technical problem that arises when creating a new form. Now I think that this text could be placed under the form, the main thing is that it should be on the page, and there is no difference in the form or under the form. Eh, I should have known earlier where to lay the straw ... While I'm worried. I am sure that you will not have such problems when you make changes to the subscription form.

These are the simple steps that every owner of ordinary, small sites had to do before July 1, 2017. Agree, this is not difficult at all and will not take much time. If you are not satisfied with the documents that are now on your site, or you have just returned from vacation, but did not have time to do it on time ..., then in any case, on my site there is now for you helpful advice and on this topic. Piggy bank of tips is replenished ... I wish you all success and correct actions!
