Regulations on maintaining a register of operators processing personal data. Why do you need a portal with personal data from Roskomnadzor?

Which turned out to be the most important both in accounting and when considering loan applications, etc.

But what it is and who still has the right to process such information and who does not is rarely mentioned, even with reluctance.

As a result, it is sometimes difficult to understand who the controller of personal data is.

– this is information about a person that characterizes him as a specific individual, is not generalized, and cannot be applied to a group of people. In most cases, we are talking about last name, first name, patronymic, date of birth, address where the person is registered and lives, marital status, etc.

The concept of personal data was introduced into business circulation after the adoption of “On Personal Data” in 2006. There, a division of information into a number of categories was introduced, which makes it possible to determine levels of processing resolution for various situations.

Information about race and nationality, religious beliefs, health status and details of a citizen’s intimate life.
Information that, in addition to identifying a citizen, also allows you to obtain various information about him, for example, telephone number, place of residence, etc.
Information that makes one person stand out from others - last name, first name and full date of birth.
Public information, as a rule, is anonymized, but sometimes also information that is required to be public by law, for example, the income of government officials. A separate category includes those data to which the citizen himself has given consent, for example, the address and telephone number in the 09 help desk.

In general, the Law “On Personal Data” is designed to ensure the right of every citizen to privacy and protection in the event of violations. Based on the above classification, various requirements are imposed to ensure the safety of information. For the first category, the requirements are stricter than for all others.

Who is the operator of personal data

Personal data operator is a legal entity that, by virtue of its activities, deals with information about current and potential clients and employees. The size of the organization does not matter at all, nor does the form of its ownership.

In practice, an operator is any organization that employs hired labor. After all, employment is impossible without filling out an application form with a fairly detailed list of information about yourself, as well as submitting personal documents, and copies are made of all of them, the information is entered into accounting programs, etc.

The main requirement of the legislation of the Russian Federation for operators is to ensure the safety of the data that the organization received in the course of its activities.

The standards according to which protection is ensured are established in the mentioned law; they can also be specified by regulations of the so-called regulators

There is a certain procedure that regulates cases when an organization receives the right to work with personal data without notification to:

if the company processes only the information that is needed for labor relations;
when publicly available data is processed;
if only last name, first name, patronymic are processed;
when they are used once, for example, to issue a pass;
if computer technology is not used for processing.

All other organizations are required to register, as a result of which they receive a unique registration number under which they are entered into a special register.

It can always clarify whether a specific legal entity has the right to request or store personal data.

For example, such questions often arise in relation to credit institutions, mobile operators, etc.

Therefore, it is customary to call “personal data processing operators” organizations that, due to their professional activities, collect and process not only publicly available information, but also such as series, passport number, residential address, etc.

Obtaining the right to process personal data

To ensure the security of storage and transfer of personal data, a procedure for certification and obtaining a license is provided for organizations involved in the collection and storage of such information.

To obtain a license, an enterprise has to not only train employees, but also purchase technical protective equipment.

The procedure consists of several stages, of which the most important can be identified.

notify the relevant authorities of the intention to process data using means (computers);
undergo a preliminary examination of existing information systems;
design a protection system taking into account the infrastructure of computer equipment and other automation equipment;
acquire and implement protective equipment;
bring all premises into compliance with fire safety, security, power supply, etc. requirements.
carry out advanced training of employees in the field of personal data protection and their certification.

As a result, it is possible to guarantee the presence of a functioning system for protecting information when it is transmitted through communication lines.

It is worth noting that all the actions described above can only be applied to the processing of personal data in electronic form, which is potentially unsafe for stored or transmitted information.

Checking the activities of personal data operators

The work of all personal data operators is not only regulated by legislative acts, but is also subject to regular inspections, both planned and random, for example, at the request of citizens affected by their activities.

Many supervisory and law enforcement agencies should be involved in monitoring compliance with the law on the protection of personal data, but due to the specifics of the work, only three of them stand out (they are called regulators):

Roskomnadzor - its functions include verifying compliance with any regulatory requirements of the law, as well as conducting inspections;
FSTEC (Federal Service for Technical and Export Control) - its tasks include, first of all, the protection of data located in the organization’s computers, as well as their transmission channels, when they are stored and transmitted without encryption;
FSB (Federal Security Service) – controls the use of encryption means for the processing and transmission of personal information, including the development and distribution thereof.

You can check the attitude of a particular organization towards operators of personal information yourself.

The Roskomnadzor website has access to the register of operators processing personal data; it is available at this link.

To view the information, simply enter the name or registration number of the enterprise of interest, or its taxpayer identification number (TIN), in the appropriate field.

This way you can find out whether the data was requested legally or not. If the organization is not on the list, then perhaps Roskomnadzor should take care of this and either include it in the register or prohibit the illegal collection of information about citizens.

Verification of personal data operators is carried out either at the request of citizens, or at the initiative, for example, of the prosecutor's office, which can contact Roskomnadzor as part of an audit of the organization's activities.

Responsibility is provided for violations in the processing of citizens' information. Depending on the severity of the actions committed, there may be administrative, disciplinary or criminal punishment.

In general, before giving permission to process personal data in a credit or other organization requesting such a right, it is better to first make sure that it is registered as an operator, and therefore has everything for their safe storage.

This may especially apply to small businesses, such as those providing small loans.

Of course, without providing such consent, such organizations usually refuse services, but there is nothing wrong with that, because The competition is quite high, and you can always find another suitable option.

Roskomnadzor maintains a register of operators - companies that comply with the requirements of the Law “On Personal Data”. To be included in the register, the company submits a notification about the processing of personal data. This can be difficult to do: it is unclear when to submit the notification, how to fill it out, and how to ensure that the information reaches Roskomnadzor.

Is it possible not to submit a notification?

The Personal Data Law requires every company to file a notice.

There are several exceptions in the law that allow some companies to avoid this. In this case, you need to be prepared to legally prove to the regulatory authority that the exceptions apply to the company. This is not so easy to do: lack of notification is one of the most common violations detected during Roskomnadzor inspections.

The best option is to file a notification and protect the company from questions from the regulatory authority as to why this was not done.

Sometimes companies are afraid that submitting a notification will attract undue attention from Roskomnadzor, and it will come with an inspection. In practice this does not happen.

When should I send the notification?

The notification is submitted before the processing of personal data begins. Based on the letter of the law, this must be done in the first days after state registration of a legal entity or individual entrepreneur.

Often the decision to file a notice is made when the company has been operating for several months or several years. There is no need to fear a fine or other sanctions for being “late” in submitting a notice. But if Roskomnadzor becomes interested in the company (it comes with an inspection or sends a “letter of happiness” where it demands to submit a notification), then a fine will not be avoided.

An important nuance: even if the notification is submitted “late,” it is better to indicate the date of state registration of the company as the “start date of processing of personal data.”

How to fill out a notification?

The notice must be submitted online (electronically) and sent by mail (hardcopy).

The electronic notification form is filled out on the Roskomnadzor website. There is quite a lot of information required, and it is not easy to do, despite the presence of hints. You need to be prepared to formulate the legal grounds and purposes of processing personal data, describe the actions performed with them and indicate how their security is ensured.

After submitting the electronic form, the Roskomnadzor website will offer to download the already completed printed form. It will need to be printed, signed and certified with the company’s seal, and then sent by mail to the territorial body of Roskomnadzor. This is necessary to confirm the information submitted online.

You can also fill out the notification electronically on the Public Services Portal, but this is a less convenient method.

How do I know if a notification has been accepted?

After filling out the notification on the Roskomnadzor website, the company will receive a notification number and a secret key. With their help, on a special page you can clarify the status of the notification and find out when its information will be included in the register of operators.

All information in the register of operators is publicly available, except for information about ensuring the security of personal data. You can find a notification from any operator.

How many times do I need to give notice?

The notification is given only once.

However, there is an important nuance: the Law “On Personal Data” requires that Roskomnadzor be notified of changes in the information specified in the notification within 10 days after such changes. The notice contains a lot of information about the company, and changes can happen quite frequently. Unfortunately, it can be difficult to monitor them and respond in time.

It is best to submit the notification as early as possible and carefully ensure that the company information in the operator register is up to date. This is very easy to do using our service.

How to become a personal data operator in the Roskomnadzor register

Not all companies and individual entrepreneurs know whether they are personal data operators and whether they need to transfer information about themselves to Roskomnadzor. Let's figure out who the service is monitoring more closely and how to notify citizens about the start of processing personal information.

Who are personal data operators and what do they do?

Most people know that personal data (hereinafter referred to as PD) includes information about the citizen’s last name, first name and patronymic, information from his passport, mobile phone number, residential address, e-mail. What other information could be included in this list? It turns out that any: an exhaustive list is not presented anywhere, and in principle there cannot be one. This is confirmed by the wording in Federal Law No. 152-FZ of July 27, 2006:

Personal data - any information relating to a directly or indirectly identified or identifiable individual (subject of personal data).

It turns out that in some cases the last name, first name and car number will be enough to identify a citizen, while in others you will also need his driver’s license number and registration address.

A personal data operator is a state or municipal body, legal entity or individual who:

independently or jointly with other persons organizes and/or carries out the processing of personal data;

determines the purposes of working with personal information, its composition, as well as actions (operations) with it.

That is, anyone who requests and uses personal data is their operator. And everyone who has access to and processes information by which a citizen can be identified actually works with personal data and is responsible for failure to comply with the law on their protection.

Let's imagine who might be classified as PD operators. Banks? Yes! Sites that collect material about subscribers? Yes! Legal and accounting companies providing various services? Yes! Shops and beauty salons offering to purchase a bonus card? Yes again! Homeowners' associations, universities, kindergartens, travel agencies, medical institutions, automated systems, including government ones? Yes Yes Yes! PD operators - everywhere, in any field!

Everyone who deals with personal data is obliged to comply with certain rules for collecting, ensuring security, clarifying, blocking and destroying this type of information. According to Law No. 152-FZ, operators must:

Registration with Roskomnadzor as a personal data operator

The law stipulates that before starting work with personal information, it is necessary to contact the authorized supervisory authority and notify about the start of work with personal information. This does not mean that every company must be included in the Roskomnadzor register of personal data operators. This list does not include:

employers. They collect and store information in accordance with labor legislation, for example, when drawing up employment contracts, various personnel orders;

cellular or landline telephone companies, if the data is obtained solely for the provision of communication services under a concluded contract, is not distributed or provided to third parties without the consent of the subject of the personal data;

public associations or religious organizations that gain access to the data of their members (participants) to achieve the goals provided for in the constituent documents;

organizations and individuals using publicly available information that subjects of personal data themselves disclosed, for example, on personal websites;

any companies that operate a pass system. If a citizen’s passport data is copied to obtain a one-time pass to the organization’s territory, there will be no need to register;

systems with the status of state automated information systems, as well as state PD systems created to protect state security and public order. There are a lot of them, and among them are the Era-Glonass and Management systems, AIS for accounting of non-profit and religious organizations and many others at the federal and regional level;

citizens and organizations that process information without the use of automation tools (computers). In doing so, they must be guided by the requirements approved by Government Decree No. 687 of September 15, 2008;

organizations that request data to ensure the safe operation of the transport complex, for example, when booking and purchasing tickets, including through online services of carriers or intermediaries.

Taking into account such formulations, many of the organizations are no longer included in the register of operators processing personal data maintained by Roskomnadzor. But those to whom exceptions do not apply must be on the list of the regulatory authority.

The registration procedure consists of submitting a notification in a certain form. It can be accessed through the Roskomnadzor personal data register, the government services portal, or using Order of the Ministry of Telecom and Mass Communications of Russia dated December 21, 2011 N 346. You can download the required document for free at the end of this article.

Roskomnadzor recommends submitting a notification on the organization’s letterhead, on paper or electronically. The paper version will need to be filled out, signed and sent to the territorial body of Roskomnadzor (by mail or delivered in person). An electronic document can be issued directly on the department’s website - in the “Electronic application forms” section.

Regardless of the method of informing officials, the notification must indicate:

full and abbreviated name of the company indicating the organizational and legal form, as well as legal and postal addresses, TIN;

the purposes of processing stated in the constituent documents or actually carried out;

categories of PD that will be processed;

subjects whose PD is planned to be processed, including relationships with them, for example, passenger, borrower, subscriber, depositor, policyholder;

the basis on which there is a right to processing (for example, articles of the Air Code of the Russian Federation or the law on acts of civil status), including the presence of a license for the type of activity being carried out;

description of the PD processing methods used and their list: manual, automated or mixed processing;

information about the persons responsible for organizing the processing of personal data, their telephone numbers, postal addresses, e-mail;

information about encryption (cryptographic) means;

start date, as well as conditions and terms for termination of PD processing;

information about where the data is stored during its processing, including about the country where the databases with information about the personal data of citizens of the Russian Federation are located;

information on ensuring the security of personal data in accordance with the requirements established by Decree of the Government of the Russian Federation of November 1, 2012 N 1119.

Please note that registration of a personal data operator on the Roskomnadzor website is carried out within 30 days. If an electronic application is submitted, the company will have to additionally send a paper copy of the notification to the territorial authority. If the information is insufficient, officials will send a request to clarify the submitted documents. It is impossible to refuse to accept a notification and enter information about an organization into the register.

If, for various reasons, the organization’s purposes for processing PD have changed or other changes need to be made, within 10 days it sends a letter to Roskomnadzor in the prescribed form. The document can be found below. In addition, PPT.ru readers can download a form of the document required to exclude a company from the register.

All services provided by Roskomnadzor in this case are free.

Current legislation provides for administrative liability for violation of requirements for personal data protection. According to Federal Law No. 13-FZ dated 02/07/2017, which came into force on July 1, 2017, Article 13.11 of the Code of Administrative Offenses of the Russian Federation provides for several offenses for which personal data operators can be fined. Depending on the offense, fines for legal entities under this article vary from 15,000 to 75,000 rubles, and for individual entrepreneurs - from 5,000 to 20,000 rubles.

Refusal to register in the register may be regarded as failure to provide information to the regulatory authority. The punishment for this is provided for in Article 19.7 of the Code of Administrative Offenses of the Russian Federation. According to it, officials face a fine of 300 to 500 rubles, and legal entities - from 3,000 to 5,000 rubles.

Maintaining a register of operators processing personal data

Entering information about the operator into the register of operators processing personal data (Federal Service for Supervision of Communications, Information Technologies and Mass Communications)

general information

Service results

Who can receive the service

Has the status of an entrepreneur
Individuals
Legal entities

How can I submit documents?

By mail
Through a legal representative

How can you get the results of the service?

Personally

Grounds for refusal to provide services

The basis for suspending the deadline for entering information about the Operator into the Register (making changes and excluding information about the Operator from the Register) is the provision by the operator of incomplete or unreliable information. (The basis for suspending the deadline for entering information about the Operator into the Register (amending and excluding information about the Operator from the Register) is the provision by the Operator of incomplete or unreliable information.)

Service delivery period

Service completion period: The provision of public services is carried out without direct interaction with the applicant.
Information about the Operator is entered into the register within 15 days from the date of receipt of the notification based on the results of verification of the information contained in the Notification. The date of entering information about the Operator into the Register is considered to be the date of signing the order.
An application for the provision of a public service is registered no later than the day following the day of its receipt by Roskomnadzor (the territorial body of Roskomnadzor).
Information on entering information about the Operator into the Register is posted on the official website of Roskomnadzor no later than 3 days from the date of signing the order.

The basis for considering the issue of entering information about the Operator into the Register is the sending by the Operator of the Notification directly to Roskomnadzor (the territorial body of Roskomnadzor) or the receipt of the Notification in the Unified Information System from the Unified Portal with the assignment of an incoming number to it.
The notice must contain the following information:

1. Name (last name, first name, patronymic), address of the Operator.
2. Purpose of processing personal data.
3. Categories of personal data.
4. Categories of subjects whose personal data is processed.
5. Legal basis for processing personal data.
6. List of actions with personal data, general description of the methods used by the Operator for processing personal data.
7. Description of the measures provided for in Articles 18.1 and 19 of the Federal Law, including information about the availability of encryption (cryptographic) means and the names of these means.
8. Last name, first name, patronymic of the individual or name of the legal entity responsible for organizing the processing of personal data, and their contact phone numbers, postal addresses and email addresses.
9. Information about the presence or absence of cross-border transfer of personal data in the process of processing.
10. Information about personnel safety

www.gosuslugi71.ru

Articles on the topic

A personal data controller is any person who collects information about employees and clients. Find out how to submit an application to Roskomnadzor for the processing of personal data, what are the responsibilities of the operator, which can lead to a fine

Read our article:

Who is included in the register of personal data operators of Roskomnadzor

A personal data operator is any person who collects information about employees and clients (Article 3 of Law No. 152-FZ “On Personal Data”).

New liability for violations of personal data. For what and how much will they now be fined>>>

A state or municipal company, a legal entity, a businessman, or even an ordinary person can become an operator (OPD) if he collects information about other people and independently determines what data to request, how to process it, and then what to do with the collected information.

The law defines personal data as any information that relates directly or indirectly to an identified or identifiable individual (subject of personal data).

Of course, in most cases, the requested information is limited only to the last name, first name, patronymic, passport data and cell phone number, but sometimes to identify a person you need to find out the number of his car, driver’s license details or SNILS and other information.

There is no exhaustive list in the law, so absolutely any information needed for identification can be considered personal data.

It turns out that anyone who requests and uses such information and has submitted the appropriate application is included in the register of personal data operators of Roskomnadzor. There are already more than 400,000 positions there, and new faces are constantly appearing. Among them are banks, insurance companies, travel agencies, beauty salons, shops, homeowners associations, kindergartens, clinics and many others.

If any site provides a feedback form, subscription or personal account in which visitors will leave data, then the site owners should also register in the registry.

The operator cannot process the information received without the consent of the person to whom it belongs.

But there are also exceptions. If any law provides for such work with information (defining the purpose and content of processing), then consent is not required.

For example, according to the Law “On Education”, for admission to the Unified State Examination, the transfer, processing and provision of personal data of students without their signature on consent to work with information is provided.

How to submit a request for the processing of personal data

The notification can be submitted on the Roskomnadzor website and sent by mail.

When filling out the electronic notification form, you will need to indicate:

TIN, OGRN and other data of the applicant;
purposes and legal basis for data processing;
indicate exactly what data will be processed and how this will happen;
license details (if the applicant’s activities are licensed);
measures taken to ensure the safety of the received data;
start date of processing and much more (Article 22 of Law No. 152-FZ).

After the electronic form is completed, it can be downloaded from the Roskomnadzor website, printed, signed and mailed to the territorial authority. This will confirm the information sent through the site.

There is an option to fill out an application through the State Services Portal, but this is a less convenient way than communicating with Roskomnadzor through its own website.

If everything is done correctly, the company will be entered by Roskomnadzor in the register of operators processing personal data.

The law provides for exceptions when such registration is not required.

The following may not apply for inclusion in the register:

employers collecting information about their employees;
those who process only people's full names;
those who take information to allow a person into their territory once, etc.

The full list of exceptions is described in Part 2 of Art. 22 of Law No. 152-FZ “On Personal Data”. A company that believes that it is on this coveted list will have to argue that this is indeed the case.

In a private conversation with inspectors, we found out where they will “dig” when a company needs to be fined, but there is no clear reason. Get ready for what they will be looking for - plans for fines are planned to increase.

Based on the provisions of the law, an application for the processing of personal data must be submitted in the first days after the creation of a legal entity or individual entrepreneur - that is, before starting to work with the information.

But in practice, the operator has already been working at full speed for several months, or even years, when the idea of registering occurs to the management. If this idea comes to the management before Roskomnadzor arrives, good - it will be possible to avoid a fine or other sanctions.

And if inspectors arrive before the notification is submitted, you will have to pay for their sluggishness.

Obligations of the operator when processing personal data

After a company or businessman has registered with Roskomnadzor as a personal data operator, he will have to fulfill the obligations prescribed in Chapter 4 of Law No. 152-FZ. In particular, the OPD must:

explain to the subject from whom they receive information what exactly they are taking and why;
explain the consequences of refusing to provide information;
ensure recording, systematization, accumulation, storage, clarification, etc. of the information received;
provide information about data processing to the subject if it was not received from him;
take measures to protect against unauthorized (accidental) access to information, destruction, modification, blocking or copying;
appoint a responsible person.

Operators must obtain the individual's prior consent to process personal information. It is requested in writing - the subject signs a paper stating that the data is collected in accordance with Law No. 152-FZ, after receipt it will be properly stored, used, and then destroyed. A special form proposed by Roskomnadzor can be downloaded on its website.

Responsibility for refusal to register in the register

If a potential operator has not submitted an application for inclusion in the Roskomnadzor personal data register, he faces administrative liability. Refusal to register in the register is regarded as failure to provide information to the regulatory authority. Such an offense is punishable under Article 19.7 of the Code of Administrative Offenses of the Russian Federation. Under this clause, a person may be fined in the amount of one hundred to three hundred rubles; for officials - from three hundred to five hundred rubles; for legal entities - from three thousand to five thousand rubles.

If you do not want to bear responsibility for refusing to register in the register and pay fines (albeit not as large as for other crimes), it is better to comply with the requirements of the law and submit an application on time.

www.pro-personal.ru

Register of personal data operators

Who are personal data operators and what do they do?

Most people know that personal data (hereinafter referred to as PD) includes information about the citizen’s last name, first name and patronymic, information from his passport, mobile phone number, residential address, e-mail. What other information could be included in this list? It turns out that any: an exhaustive list is not presented anywhere, and in principle there cannot be one. This is confirmed by the formulation in Federal Law dated July 27, 2006 No. 152-FZ:

Personal data - any information relating to a directly or indirectly identified or identifiable individual (subject of personal data).

A personal data operator is a state or municipal body, legal entity or individual who:

independently or jointly with other persons organizes and/or carries out the processing of personal data;
determines the purposes of working with personal information, its composition, as well as actions (operations) with it.

Obligations of the operator when processing personal data

carry out explanatory work with the subject of personal data, as well as obtain his prior consent to the processing of personal information;
publicly present the policy regarding the processing of personal data;
provide measures of protection against unauthorized or accidental access to personal data, their destruction, modification, blocking, copying, distribution;
destroy records if the subject of the personal data proves that the information was obtained illegally or is not necessary to achieve the stated purpose;
block access to information at the request of an authorized body or subject of personal data (its representative).

Registration with Roskomnadzor as a personal data operator

collected and stored in accordance with labor laws;
received solely for the provision of communication services under the concluded agreement, it is not distributed or provided to third parties without the consent of the PD subject;
refers to members (participants) of a public association or religious organization to achieve the goals provided for by their constituent documents;
made publicly available by the PD subject;
includes only last names, first names and patronymics of the subjects of personal data;
required for obtaining a one-time pass to the territory of the organization;
included in systems with the status of state automated information systems, as well as in state PD systems created to protect state security and public order;
processed without the use of automation tools (computer);
processed to ensure the safe functioning of the transport complex.

Taking into account such formulations, many of the organizations are no longer included in the register of operators processing personal data maintained by Roskomnadzor. That is, employers, companies providing communication services, religious organizations, persons receiving personal data only for the execution of contracts, and many others should not notify about the collection and processing of personal data. Those to whom exceptions do not apply must be on the list of the regulatory authority.

The registration procedure consists of submitting a notification in a certain form. It can be found through the Roskomnadzor personal data register, the government services portal, or using Order of the Ministry of Telecom and Mass Communications of Russia dated December 21, 2011 N 346. You can download the required document for free at the end of this article.

full and abbreviated name of the company indicating the organizational and legal form, as well as legal and postal addresses, TIN;
the purposes of processing stated in the constituent documents or actually carried out;
categories of PD that will be processed;
subjects whose PD is planned to be processed, including relationships with them, for example, passenger, borrower, subscriber, depositor, policyholder;
the basis on which there is a right to processing (for example, articles Air Code of the Russian Federation or civil status law on acts of civil status), including the availability of a license for the type of activity being carried out;
description of the PD processing methods used and their list: manual, automated or mixed processing;
information about the persons responsible for organizing the processing of personal data, their telephone numbers, postal addresses, e-mail;
information about encryption (cryptographic) means;
start date, as well as conditions and terms for termination of PD processing;
information about where the data is stored during its processing, including about the country where the databases with information about the personal data of citizens of the Russian Federation are located;
information about ensuring the security of personal data in accordance with the requirements established Decree of the Government of the Russian Federation dated November 1, 2012 N 1119.

All services provided by Roskomnadzor in this case are free.

Responsibility for refusal to register in the register

Current legislation provides for administrative liability for violation of requirements for personal data protection. According to Federal Law dated 02/07/2017 No. 13-FZ, which came into effect on July 1, 2017, in Article 13.11 of the Code of Administrative Offenses of the Russian Federation There are several offenses for which personal data operators may be fined. Depending on the offense, fines for legal entities under this article vary from 15 to 75 thousand rubles, and for individual entrepreneurs - from 5 to 20 thousand rubles.

This portal was created to provide citizens with information regarding the activities of Roskomnadzor in various areas. In addition, through this website it is easy to access any other data processor.

What it is

Roskomnadzor’s personal data portal is a tool that allows for thorough control of both ordinary citizens and individual entrepreneurs and commercial organizations. Any company processing personal data must first register with Roskomnadzor, and only then begin relevant activities.

What is it needed for

Any information that can be used to identify a specific person is considered personal information.. The portal is needed to make it easier for users to interact with operators who process any data and carry out various actions for this.

You can also inform the monitoring organization itself if any violations are identified. In this case, appropriate penalties are applied.

Who can use

A specialized portal operates in the public domain. So any citizen can take advantage of its capabilities and posted information. It is enough to enter the name of the operator of interest or use its TIN. The search result will be information relating to a particular market participant.

Operator register

Personal information can include a large number of phenomena, including:

E-mail address.
An accurate description of your current place of residence.
Mobile phone numbers.
Information from certificates.
Full name of the citizen.

Any information relating to a particular person can be considered personal. In some cases, your full name and car number are enough for identification. In other circumstances, a registration address and driver's license information are required.

They process personal data independently or team up with other persons for this purpose.
They themselves determine the operations with data, their composition, and the goals of the work.

An operator will be considered anyone who uses personal data and sends relevant requests. Such companies operate in all areas. It is the data about them that is entered into the register. Clients can study the TIN and permitting documentation themselves and so on.

Video showing how to register in the register of personal data processing operators of Roskomnadzor.

registration on the site

Registration on the portal is not required, all information is publicly available, no additional actions are required. The same applies to various documents devoted to the protection of visitor information.

Interface, use

There is nothing complicated here. The registry search button is located at the very top of the main page of the portal. In this line you enter any data known for a particular company. Just below is a link with an advanced search. That is, you can enter not only the name, but also the TIN and registration number, if available.

Regulatory regulation

Regulates the activities of Roskomnadzor related to monitoring the implementation of legislation on the personal data of citizens. But the text of the article itself does not contain the exact name of the body vested with the relevant powers. Therefore, it is also allowed to use as support the Decree of the Government of the Russian Federation No. 228 “On the register of persons dismissed due to loss of trust,” issued in 2009. It is in this text that the powers are assigned specifically to Roskomnadzor.

According to the law, representatives of this institution have the following powers and rights:

Independent bringing to administrative liability when violations related to personal data are detected.
Appeal to law enforcement agencies and courts in order to protect the interests of citizens. The same can be done if any violations are detected.
Restriction of access to information in the presence of violations on the part of the operator. Or issuing demands with requests to block, destroy or clarify certain information.
Request for information related to the processing of personal data.

Conducting inspections by Roskomnadzor

There are special regulations for such events. It was approved by the relevant Order of the Ministry of Communications No. 312 of 2011. Paragraph 32 of this regulation is devoted to situations when scheduled inspections must be carried out in relation to operators:

When a company is just starting to process personal data.
After 3 years have passed since the previous inspection. Or from the moment the activity began.

The organization must be notified of the upcoming inspection at least 3 days before the actual organization of the event.

Roskomnadzor has the right to conduct unscheduled inspections. For example, if there are requests from citizens and other organizations regarding violations of rights. Or when there is a threat to life or health. In this case, notification must be received 24 hours before the event.

According to the results of the inspection, specialists draw up the corresponding act. If there are violations, the latter are described in detail in the accompanying document. The persons responsible for certain violations must be indicated. A description of the legal grounds for holding citizens or companies accountable is provided.

When consent to data processing is required

Processing of information can only be carried out if the previous owner gives his consent or when there are other legal grounds. Each individual case is considered individually:

In the housing and communal services sector, the consent of residents is not required when management companies engage paying agents to pay for the use of services.
Some situations require written permission. This is especially true for special categories of personal data. For example, when it comes to biometric information.

Responsibility for violations

- the main document that until recently established penalties for violations in this area. Legal entities could face fines in the amount of 5,000 - 10,000 rubles or a warning issued by the competent authorities.

To identify violations, control measures were carried out in the form of inspections. Regarding violations, special messages were sent to representatives of the prosecutor's office. If the application is approved, judicial proceedings are organized.

But recently the situation has changed. Now laws have begun to describe the relevant procedures in more detail. The changes concern the following areas:

Increased fines.
The emergence of powers to draw up protocols and initiate cases without contacting the prosecutor's office.

About registering as an operator

This event is not necessary for the following categories of the population and market participants:

Companies requesting data, for example, to purchase tickets. This applies to any carriers operating online.
Those who process data without the use of computer technology.
Systems that have received the status of state automated information systems. Or organizations created to protect society and order.
Any companies with a valid pass system. There is no need to register if the citizen's information is read only once to receive a pass.
Companies and individuals using information disclosed by citizens themselves.
Those who use information to achieve the purposes described in the founding documents.
Cellular companies that need data solely to provide services.
Heads of enterprises.

Therefore, many companies may not be included in the register located on the official website of Roskomnadzor. To complete the registration procedure, it is enough to submit an application following the established requirements. It is recommended to submit applications electronically or using letterhead.

Who are personal data operators and what do they do?

Most people know that personal data (hereinafter referred to as PD) includes information about a citizen’s last name, first name and patronymic, information from his passport, mobile phone number, residential address, e-mail. What other information could be included in this list? It turns out that any: an exhaustive list is not presented anywhere, and in principle there cannot be one. This is confirmed by the formulation in Federal Law dated July 27, 2006 No. 152-FZ:

Personal data - any information relating to a directly or indirectly identified or identifiable individual (subject of personal data).

A personal data operator is a state or municipal body, a legal entity or an individual who:

independently or jointly with other persons organizes and/or carries out the processing of personal data;
determines the purposes of working with personal information, its composition, as well as actions (operations) with it.

Obligations of the operator when processing personal data

Registration with Roskomnadzor as a personal data operator

employers. They collect and store information in accordance with labor legislation, for example, when drawing up employment contracts, various personnel orders;
cellular or landline telephone companies, if the data is obtained solely for the provision of communication services under a concluded contract, is not distributed or provided to third parties without the consent of the subject of the personal data;
public associations or religious organizations that gain access to the data of their members (participants) to achieve the goals provided for in the constituent documents;
organizations and individuals using publicly available information that subjects of personal data themselves disclosed, for example, on personal websites;
any companies that operate a pass system. If a citizen’s passport data is copied to obtain a one-time pass to the organization’s territory, there will be no need to register;
systems with the status of state automated information systems, as well as state PD systems created to protect state security and public order. There are a lot of them, and among them are the Era-Glonass and Management systems, AIS for accounting of non-profit and religious organizations and many others at the federal and regional level;
citizens and organizations that process information without the use of automation tools (computers). In doing so, they must be guided by the requirements approved Government Decree of September 15, 2008 N 687;
organizations that request data to ensure the safe operation of the transport complex, for example, when booking and purchasing tickets, including through online services of carriers or intermediaries.

Regardless of the method of informing officials, the notification must indicate:

full and abbreviated name of the company indicating the organizational and legal form, as well as legal and postal addresses, TIN;
the purposes of processing stated in the constituent documents or actually carried out;
categories of PD that will be processed;
subjects whose PD is planned to be processed, including relationships with them, for example, passenger, borrower, subscriber, depositor, policyholder;
the basis on which there is a right to processing (for example, articles Air Code of the Russian Federation or civil status law on acts of civil status), including the availability of a license for the type of activity being carried out;
description of the PD processing methods used and their list: manual, automated or mixed processing;
information about the persons responsible for organizing the processing of personal data, their telephone numbers, postal addresses, e-mail;
information about encryption (cryptographic) means;
start date, as well as conditions and terms for termination of PD processing;
information about where the data is stored during its processing, including about the country where the databases with information about the personal data of citizens of the Russian Federation are located;
information about ensuring the security of personal data in accordance with the requirements established Decree of the Government of the Russian Federation dated November 1, 2012 N 1119.

If, for various reasons, the organization’s purposes for processing PD have changed or other changes need to be made, within 10 days it sends a letter to Roskomnadzor in the prescribed form. The document can be found below. In addition, the site’s readers can download a form of the document required to exclude a company from the register.

All services provided by Roskomnadzor in this case are free.

Responsibility for refusal to register in the register

Current legislation provides for administrative liability for violation of requirements for personal data protection. According to Federal Law dated 02/07/2017 No. 13-FZ, which came into effect on July 1, 2017, in Article 13.11 of the Code of Administrative Offenses of the Russian Federation There are several offenses for which personal data operators may be fined. Depending on the offense, fines for legal entities under this article vary from 15,000 to 75,000 rubles, and for individual entrepreneurs - from 5,000 to 20,000 rubles.