Analysis of publicly available sources on personal data. Arbitration practice: Processing of personal data from social networks. Personal data: what is it, regulatory framework

Following a scheduled on-site inspection of one of the credit history bureaus, Roskomnadzor identified violations of the legal requirements for processing personal data. The bureau tried to challenge these results in the Moscow Arbitration Court (decision of the Moscow Arbitration Court dated May 5, 2017 in case No. A40-5250/17-144-51).

The essence of the violations identified by Roskomnadzor was as follows:

  • the financial organization did not submit a notification to the authorized body about the use of the Double Data Social Link and Double Data Social Attributes services, which transferred to the financial organization the data of individuals or potential clients from open sources of information (hereinafter referred to as Law No. 152-FZ);
  • there was no consent to the processing of personal data contained in open sources - on social networks and Internet portals.

The Moscow Arbitration Court determined that the processing of personal data is permitted in cases where personal data is available to an indefinite number of persons, there is consent from the owner of the data, and the information is provided directly by the subject himself.

The court emphasized that without the written consent of the subject of personal data, it cannot be asserted that the specified person has provided consent. In its opinion, if the owner has made personal data publicly available to everyone, then it can only be contained in publicly available sources. According to the court, social networks are not such sources of obtaining personal data; accordingly, information about a person posted on them cannot be classified as publicly available.

The arbitration decision states that publicly available sources of personal data may include the last name, first name, patronymic, year and place of birth, address, subscriber number, information about profession and other personal data of their owner with his written consent and communicated by him. The court concluded that the owners of the personal data had not made publicly available the information on social networks that was processed by credit bureaus. In connection with this, the court recognized Roskomnadzor’s order as legal and refused to satisfy the financial institution’s claims.

The appellate court agreed with the conclusions of the lower court, emphasizing that posting personal data on social networks does not automatically make it publicly available; therefore, the consent of the subject to the processing of information is required (ruling of the Ninth Arbitration Court of Appeal dated July 27, 2017 in case No. A40-5250/17). The Court of Cassation and the Supreme Court of the Russian Federation sided with Roskomnadzor and found no grounds for canceling the appealed judicial acts (resolution of the Moscow District Arbitration Court dated November 9, 2017 in case No. A40-5250/2017, ruling of the Supreme Court of the Russian Federation dated January 29, 2018 in case No. 305-KG17-21291).

Thus, the courts have decided that personal data is publicly available if two conditions are met: it is provided by the owner and is accessible to an indefinite number of persons. In their opinion, due to the lack of consent of the owner of personal data to post information about him on social networks, they [social networks] cannot be classified as publicly available sources. In this case, the operator has the right to continue processing personal data without the consent of the subject of personal data, in case of its withdrawal, only if there are appropriate grounds, for example, to combat terrorism or corruption.

Leading lawyer of the European Legal Service Elena Derzhieva noted that under the terms of the user agreement of the social network Vkontakte, the owner of personal data only consents to access to the information that he posts on his page, but not to processing by third parties.

Is it legal to create public databases of personal data?

At the very end of 2015, I took part in a discussion of an interesting article on LiveJournal, which was devoted to the need to create a unified publicly accessible database of unscrupulous job seekers.

It must be said that the idea is not new and, for sure, a number of companies have internal databases of applicants. With the help of such databases, personnel officers weed out unsuitable candidates with minimal expenditure of time. If we theoretically assume that all HR departments in the country could have such a database at their disposal, how much better it would be for everyone. Well, right? Thank God, no, not like that. As the commentators on this article correctly noted, potential benefits can easily be offset by the negativity that will inevitably arise from the misuse of data from the database, the unreasonable inclusion/exclusion of people in such databases, and issues of reputation, honor and dignity of people included in the databases.

Fortunately, since 2006, the federal law “On Personal Data” has been in force in Russia, which clearly defines the conditions under which such databases can exist:

2. Article 6 of the federal law “On Personal Data” determines that “the processing of personal data is carried out with the consent of the subject of personal data to the processing of his personal data.”

3. Article 7 of the federal law “On Personal Data” determines that “Operators and other persons who have access to personal data are obliged not to disclose to third parties or distribute personal data without the consent of the subject of personal data, unless otherwise provided by federal law.”

4. Article 8 of the federal law “On Personal Data” determines that: “1. For the purposes of information support, publicly accessible sources of personal data may be created (including directories, address books). Public sources of personal data, with the written consent of the subject of personal data, may include his last name, first name, patronymic, year and place of birth, address, subscriber number, information about profession and other personal data reported by the subject of personal data. 2. Information about the subject of personal data must be excluded at any time from publicly available sources of personal data at the request of the subject of personal data or by decision of a court or other authorized government bodies.”

5. And finally, Article 13.11 of the Code of the Russian Federation on Administrative Offenses determines that “Violation of the procedure established by law for collecting, storing, using or distributing information about citizens (personal data) - entails a warning or the imposition of an administrative fine on citizens in the amount of three hundred to five hundred rubles; for officials - from five hundred to one thousand rubles; on legal entities - from five thousand to ten thousand rubles.”

In other words and in short:

1. Any data relating to an individual (including just a telephone number) is personal.

2. To process personal data, you must obtain consent, which can be withdrawn at any time.

3. If someone has legal access to personal data, then it is prohibited to disclose it to anyone or share it with anyone without the consent of the personal data subject, unless otherwise provided by current legislation.

4. A written consent form is provided especially for those wishing to create publicly available sources of personal data.

5. Liability is provided for violation of the established procedure for collecting and storing personal data.

The conclusion is very simple and clear - the creation of a single publicly accessible database of careless job seekers is possible only with the written consent of these same careless workers, which, naturally, reduces to zero the likelihood of the legal creation of such a database. For those who decide to create such databases and share them with friends, our company recommends that you familiarize yourself with the punishments currently in force.

    publicly available personal data - Personal data, access to which is provided to an unlimited number of persons with the consent of the subject of personal data or to which, in accordance with federal laws, is not subject to confidentiality requirements.... ... Technical Translator's Directory

    Public personal data - personal data, access to an unlimited number of persons to which is provided with the consent of the subject of personal data or to which, in accordance with federal laws, is not subject to confidentiality requirements ... Large legal dictionary

    PUBLICLY AVAILABLE PERSONAL DATA - according to the Federal Law “On Personal Data” dated July 27, 2006 No. 152 Federal Law, - personal data, access to an unlimited number of persons to which is granted with the consent of the subject of personal data or to which in accordance with federal... ... Records management and archiving in terms and definitions

    Public personal data - Publicly available personal data is personal data that is accessible by an unlimited number of persons with the consent of the subject of personal data or to which, in accordance with federal laws, is not subject to the requirement of compliance... Official terminology

    PUBLICLY AVAILABLE SOURCES OF PERSONAL DATA - in accordance with the Federal Law “On Personal Data” dated July 27, 2006 No. 152 FZ - directories, address books, etc. Public sources of personal data with the written consent of the subject of personal data may include his last name, first name... Records management and archiving in terms and definitions

What is publicly available personal data and what types of information are involved?

Peculiarities

Publicly available personal information is presented in such sources as a passport or other identification card, driver’s license, military ID, work record book, or education diploma.

Written permission to use them is not needed in all cases; sometimes a signature or a “tick” in the required box is sufficient (for example, when filling out applications via the Internet).

General information can be placed in publicly accessible sources. They store information about subjects, including various directories with telephone numbers or addresses.

According to the “List of Confidential Information”, information that is subject to dissemination in the media is not confidential.

Processing is carried out by special units or bodies that collect, systematize, store, use, and destroy information. Control over the legality of the use of personal data is carried out by Roskomnadzor, the FSB and the FSTEC.

FSTEC, the Federal Service for Technical and Export Control, issues licenses to organizations that provide services to others to create personal data protection systems. If a data protection system is created for the organization's own needs, a license is not required for it.

An individual has the right to obtain information about the operator, as well as find out the specific purpose pursued by the operator during processing.

The subject has the full right to submit an application whose approval allows personal information to be clarified, blocked or destroyed if it is outdated, invalid, incomplete or not necessary for the processing.

Among other things, an individual has the right to request from the operator access to his personal information, as well as to familiarize himself with the means of processing information. Operators are specialists involved in processing information about a person.

Bodies for processing personal data are all organizations that collect, process, accumulate and store information about employees, clients, and suppliers.

When are they included in open sources?

Inclusion of information in publicly available sources occurs in various situations, for example:

  • during employment and concluding an employment contract;
  • during the census process;
  • establishing trade relations, etc.

The subject's personal data is classified according to the amount of personal information about the person and the degree of importance. Any transactions with them are carried out strictly within the framework of legislative acts and are subject to protection.

Operators are obliged to organize the safety of the work process. They must ensure complete protection of subjects' personal information from access by unauthorized persons.

During the collection process, the operator is required to obtain written permission for further processing. The written consent to processing includes information about the subject and the operator (full name, address), the purpose of processing and a list of necessary information, as well as a description of the operations that will be performed with them.

A citizen, as the owner of personal information about himself, can revoke the previously signed permission to process it. If the subject is incapacitated or in the event of his death, consent is sought from legal representatives or heirs. The operator’s actions are based on the Federal Law “On Personal Data”.

Violation of the law is punished by criminal, civil, administrative or other types of liability.

Any information about an individual who is the subject of personal data can be excluded from publicly available sources based on the request of the subject, Roskomnadzor, a court decision or other government bodies.

Not all information about a person and his life can be disseminated and published in open sources. From the very beginning of Internet expansion, boundaries have been erased and data that should be transmitted only with a person’s permission is literally “stolen” from him. Let's take a closer look at what personal data is, what this concept includes, how data marked “PD” is stored, and what the penalties are for violating the law and for unauthorized dissemination of personal information.

Normative base

List of laws on personal data:

  • Federal Law of the Russian Federation of July 27, 2006 N 149-FZ On information, information technologies and information protection;
  • Decree of the President of the Russian Federation of April 3, 1995 N 334;
  • Decree of the President of the Russian Federation of March 17, 2008 N 351;
  • Decree of the Government of the Russian Federation of June 26, 1995 On certification of information security means N 608;
  • Decree of the Government of the Russian Federation of August 15, 2006 N 504 On licensing activities for the technical protection of confidential information;
  • Decree of the Government of the Russian Federation of August 31, 2006 N 532 On licensing activities for the development and (or) production of means of protecting confidential information;
  • Order of the FSB of the Russian Federation dated February 9, 2005 N 66 “On approval of the Regulations on the development, production, implementation and operation of encryption (cryptographic) information security means (Regulations PKZ-2005)”;
  • Decree of the Government of the Russian Federation of November 17, 2007 N 781 Moscow “On approval of the Regulations on ensuring the security of personal data when processed in personal data information systems”;
  • GOST standards on information security and information protection;
  • GOST R 34.10-2001 Information technology. Cryptographic protection of information;
  • GOST R ISO 7498-2-99 Information technology. Information security architecture;
  • GOST R 50739-95 Computer equipment. Protection against unauthorized access to information. General technical requirements;
  • GOST R 50922-96 Information protection. Basic terms and definitions;
  • GOST R 52069.0-2003 Information protection. System of standards. Basic provisions;
  • GOST 28147-89 Information processing systems.

Classification of personal data

According to the Federal Law “On Personal Data”, this is any information that directly or indirectly relates to the life of the subject. What applies to personal data:

  1. surname and passport details;
  2. place and date of birth;
  3. registration or residence address;
  4. family status;
  5. information about income and debts;
  6. specialty, profession;
  7. employment information;
  8. income.

This may also include information about social connections, contacts, personal life, purchases of a citizen or his family members.

According to Part 1, Article 85 of the Civil Code of the Russian Federation, personal information of an enterprise employee includes all information necessary for the manager to regulate all labor processes associated with a specific employee.

A telephone number is personal information in the Russian Federation, as it is tied to passport data.

General PD

General data includes those that are “on the surface”. Public personal data is the name that can be seen on the badge of a company employee, his phone number in the questionnaire on the website, specialty and position. If a person himself distributes data that does not belong to the “General” section, this does not give citizens the right to dispose of it or publish it in open sources.

Biometric PD

This includes weight, height, hair and eye color, fingerprints, nationality, and special features. This data is used by intelligence officers to create leads and search for criminals in databases.

Police and law enforcement agencies do not have the right to fingerprint citizens without probable cause and enter their information into a database.

Special PD

This includes race and nationality, political views, religious or philosophical beliefs, health, and intimate life. Dissemination of this information is not permitted, except as provided for in Part 2 of Federal Law No. 152.

No circumstances oblige a citizen to disclose this data to police officers or publicly. Such a request may lawfully be refused.

Anonymized PD

This is data whose ownership cannot be determined. Depersonalization is the process of “alienation” of data that makes personal information public.

Example: An organization has 2 employees – a man and a woman. The man follows a dress code, and the woman wears a burqa. If the employer provides statistics on the number of believers and/or religious people, and specifically one atheist, one believer, it will be easy to calculate who is who.

Such a clumsy example is not a direct violation of the law; nevertheless, it transfers personal data (and, in addition, special data) to third parties.

Processing of personal data

The protection of personal information can be ensured by several sources of law:

  • The first source of protection is the Labor Code of the Russian Federation, which enshrines guarantees, norms, and rules for regulating the exchange and open publication of employee materials;
  • The second source is the system of organizational and legal relations, the charter of the enterprise, the confidentiality policy generally accepted in this labor field;
  • The third factor is the right to the protection of personal information, guaranteed by the Constitution of the Russian Federation to every citizen.

The exchange of information and the use of personal data occurs throughout the entire work process, between employer and employee, between employees, as well as third parties. The Labor Code of the Russian Federation has the highest priority in resolving conflict situations, followed by the charter and legal norms of the organization, and then the right to protection guaranteed by the Constitution of the Russian Federation. An employer cannot simply demand that an employee provide information. Only information that is necessary for concluding an employment contract, drawing up regulatory documents, possible settlement of conflicts and controversial situations, a collective or corporate agreement with third parties (according to the text of Article 22 of the Labor Code of the Russian Federation) is subject to disclosure.

Ways to protect personal information and precautions

Organizational:

  • Limited access to storage facilities and archives of materials;
  • Verification of the requester before providing information;
  • Introductory format for providing information;
  • Sanctions and fines for violations of the rules.

Technical:

  • Cryptography and data encryption;
  • Creation of separate servers and communication channels;
  • Destruction of obsolete materials;
  • Shielding of premises and devices to protect against burglary.

An employee can exercise the right to protection of personal information through:

  • Free access to documents containing his personal data (he may request a copy of any regulatory document).
  • A demand that the employer delete or change personal data, or part thereof.
  • An appeal against the organization's procedure for submitting, processing and publishing information.

Step-by-step instructions for protecting data in an organization:

  • Development of a draft algorithm for processing personal information;
  • Development of a system of consent and refusal for the processing of personal materials;
  • Development of a draft notification message about the inclusion of personal materials in the general flow;
  • Designing a structure committed to maintaining restricted access information;
  • Publishing an order to enter materials from enterprise employees into the database, determining the procedure and method for processing and transmitting information, appointing those responsible, designating sanctions and fines for violation of the charter;
  • Making changes or additions to the employment and job descriptions of employees who are responsible for storing, providing and processing personal information.

On the Internet, as in other open sources, user data is also stored and processed. Since 2017, sites that use cookie technology are required to notify users about this. This technology makes it possible to display relevant advertising, optimize the work process, and speed up technical algorithms. However, cookies collect data about citizens:

  • browsing history;
  • links and transitions (the site sees from which page the user came to it);
  • which accounts are linked to the account (if you log in to the site using your social network profile);
  • search queries (not only on a specific resource. Google, Yandex and other tech giants collect all information from users).

Collection, storage and processing of data is mandatory. If the user is against it, they need to leave the resource that collects information. By continuing to work with the site, the user consents to the collection of data.

What to do if your data is used without your consent

First of all, check whether they are special PD and whether their distribution is prohibited. If the law is violated, you urgently need to contact the police with a statement, clearly indicating the circumstances and time of the theft. Refer to Article 137 of the Criminal Code of the Russian Federation. Depending on the classification and elements of the crime, you can expect compensation in the form of a payment ranging from 1,000 to 50,000 rubles. For officials, the fine is much higher. Criminal liability provides for imprisonment for up to 2 years (the maximum measure of restraint).

We hope that our article helped the reader understand PD issues. Remember that laws and human rights in the Russian Federation are violated every day, and only a few turn to law enforcement agencies for help. If a reader has become a victim or witness of theft of personal information, one cannot remain silent. Today these are someone else's rights, tomorrow they are yours.

Article 8. Publicly available sources of personal data

Commentary on Article 8

1. The commented article is devoted to the so-called publicly available sources of personal data, which are accessible to an indefinite number of persons. Such sources include, in particular, directories (for example, of persons living in an apartment building; operator employees, etc.) or address books. At the same time, the norms of this article apply only to those publicly available sources that are created at the initiative of the operator, and not as part of his compliance with legal requirements for the disclosure or publication of certain information (Clause 11, Part 1, Article 6 of the Law on Personal Data). Thus, it does not apply to information contained in the Unified State Register of Legal Entities, as well as in other registers formed in accordance with the legislation of the Russian Federation (Resolution of the Presidium of the Nizhny Novgorod Regional Court dated July 6, 2016 in case No. 44g-49/2016; Appeal ruling of the Tambov Regional Court dated February 15, 2016 in case No. 33-500/2016). The regime for using and changing the information contained in this information is determined by the requirements of the law and is based on the principle of openness and reliability of data stored in government information systems. So, in accordance with Part 9 of Art. 14 of the Law on Information, state bodies are obliged to ensure the accuracy and relevance of the information contained in the state information system, access to the specified information in cases and in the manner provided by law, as well as protection of the specified information from unauthorized access, destruction, modification, blocking, copying, provision, distribution and other illegal actions.
2. The provisions contained in the commented article should be distinguished from the norms of paragraph 10, part 1, art. 6 and paragraph 2, part 2, art. 10 of the Law on Personal Data, establishing the grounds for processing personal data in the absence of the subject’s consent. In the first case, we are talking about the conditions for the legality of the operator’s initial dissemination of personal data and giving it public status; in the second case, about the processing by interested parties of personal data that is already publicly available, including by users of such publicly available sources.
3. The format and composition of data included in publicly available sources of personal data are determined by the operator. At the same time, personal data such as last name, first name, patronymic, year and place of birth, address, subscriber number, information about profession, can be included in publicly available sources based on the data available to the operator, and the source of other types of personal data can only be the subject himself, as the word “reported” clearly indicates.
4. The main condition for the creation and use by the operator of a publicly available source of personal data is obtaining consent from each subject whose personal data is included in such a source. At the same time, the Law does not make any exceptions from these provisions, and therefore the inclusion by the operator of personal data that has already been made publicly available with the consent of its subject earlier in the source of publicly available data created by such operator still requires the consent of the subject. This is largely due to the fact that the creation of databases containing personal data in itself carries certain risks for their subjects, and therefore must be authorized by them. Such consent must meet the requirements established in Art. 9 of the Law on Personal Data.
5. In accordance with Part 2 of the commented article, the operator of a publicly available source of personal data is obliged to exclude information about the subject on the basis of an application from such a subject, a court decision or a request from an authorized body (for example, the prosecutor’s office or Roskomnadzor). The norm in question does not establish a period during which the operator must delete information constituting personal data, and therefore it seems that the provisions of Part 1 of Art. 21 of the Law on Personal Data apply, by virtue of which the operator must block access to such data from the moment the subject contacts them, i.e. immediately. As a result of these actions, the data ceases to be available to third parties and loses the status of publicly available data, including for the purposes of applying the provisions of clause 10, part 1, art. 6 of the Law on Personal Data on the admissibility of processing such data without the consent of the subject. The operator’s refusal to satisfy the personal data subject’s demands to exclude his data from a publicly available source in accordance with Part 2 of Art. 8 of the Law on Personal Data gives the subject the right to appeal this refusal or inaction of the operator to Roskomnadzor or in court (see commentary to Article 17 of this Law).
6. European legislation contains provisions regulating subscriber directories (directories of subscribers). Art. 12 of Directive 2002/58/EC on the protection of privacy in telecommunications sets out the following requirements:
- subjects of personal data must be notified free of charge of the planned inclusion of their data in such directories with a description of the search mechanism in these directories;
- subjects of personal data should be given the opportunity to make corrections to information about them contained in such directories;
- in the case of using such directories for purposes other than searching for regular contact information, it is necessary to obtain the consent of the subject of personal data.
National legislation may impose more stringent requirements on operators when creating these types of directories.