Amendments to the Law on Personal Data, which increased penalties for individual violations to 75 thousand rubles, stirred up the Internet community. Although the regulation itself has existed for 12 years, site owners began bringing their resources into line with its requirements only a year ago, as the number of inspections increased along with the fines.
For the first concept, 152-FZ gives the following definition:
Personal data - any information relating directly or indirectly to a specific or designated individual (subject of personal data).
The law contains no exact list, but from the definition it follows that any data that relates to a specific person and allows him to be identified can be considered personal. The text also uses the concepts of general, special and biometric data.
Operators are simpler: an operator is any person, company or government agency that collects, stores, processes or performs other actions with personal data. The owner of an Internet resource counts as an operator if the site has order, comment, registration or feedback forms in which a person enters a name, surname, email address, telephone number, etc.
There is no approved form, but there is a list of information that the document must contain.
- On what basis and for what purpose you collect personal data.
- Your name, contact details and address.
- Who processes the data, if this is done by another company, and which third parties have access to it.
- What data you process and from what sources you receive it, including cookies.
- The terms of processing and storage of personal data.
- How you respect the rights of the subject provided by the law "On Personal Data".
- Information about any transfer of data outside of Russia.
All this information can be presented in free form. The main thing is that the document contains all the information required by the law and clearly explains to the user what happens to his personal data, how you can use it and what you do to protect his right to privacy and personal secrets.
How to draw up the document and place it on the site
A "Consent to the processing of personal data" checkbox next to the forms is also required. According to the law, information about users may be collected and processed only with their consent, with the exception of a few cases that do not apply to sites. Moreover, in the event of an inspection, the owner of the resource must be able to prove that consent was given.
Complying with this requirement on site builders and popular CMSs is easy: most developers responded quickly and added this feature to their products.
New plugins for WordPress:
Both plugins meet the requirements of 152-FZ and are similar in functionality. They let you:
- automatically add checkboxes to comment forms and to forms created using the "Contact Form 7" plugin;
- set the text of the consent to processing;
- set the checkbox to be checked by default, although this is still not worth doing: the user must give consent, and therefore tick the checkbox himself;
- prohibit sending the form without it.
There are also older plugins, including English-language ones, that add checkboxes for subscribing to a newsletter, accepting a user agreement, etc. However, the new products were developed specifically to comply with 152-FZ, so they are easier to configure for this purpose.
Finally, a few more requirements that should not be forgotten.
- You cannot store and process data using databases hosted on foreign servers.
- Before you begin collecting personal data, you need to notify Roskomnadzor in paper or electronic form. The list of required information is in Art. 22 of 152-FZ.
- To delegate the processing of personal data to other legal entities or individuals, you need to enter into an agreement with them.
- The operator of personal data is obliged to ensure its security through organizational, legal and technical measures: instruct employees, develop local acts, and ensure reliable protection of databases that excludes information leakage and access by third parties.