Who needs a privacy policy on the site and how to develop it

Amendments to the Law on Personal Data, which increased penalties for individual violations to 75 thousand rubles, stirred up the Internet community. Although the regulation itself has existed for 12 years, site owners began bringing their resources into line with its requirements only a year ago, as the number of inspections increased along with the fines.

We hope that over the course of the year most webmasters have already implemented all the necessary changes and can sleep well. But new resources appear every day, which means the question remains relevant. Let's work out who cannot do without a privacy policy and how to implement one on your resource.

Who needs a privacy policy on the site

The law requires only personal data operators to publish a privacy policy. To understand whether you need such a document on your site, you first need to figure out what personal data is and who the operators are.

152-FZ defines the first concept as follows:

Personal data - any information relating directly or indirectly to a specific or designated individual (subject of personal data).

There is no exact list in the law, but based on the definition, it can be concluded that all data that relates to a specific person and allows him to be identified can be considered personal. The text also contains the concepts of general, special and biometric data.

Operators are simpler: an operator is any person, company or government agency that collects, stores, processes or performs other actions with personal data. The owner of an Internet resource counts as an operator if the site has order, comment, registration or feedback forms in which a person enters a first name, surname, email address, telephone number, etc.

If submitting a comment requires only a name or nickname from the user, a privacy policy is not necessary, since it is impossible to identify a person from such information.

How to write a privacy policy

There is no approved form, but there is a list of information that must be included in the document.

  • The basis on which and the purpose for which you collect personal data.
  • Your name, contact details and address.
  • Information about who processes the data, if this is done by another company, as well as about third parties who have access to it.
  • What data you process and from what sources you receive it, including cookies.
  • Terms of processing and storage of personal data.
  • How you respect the rights of the subject provided by the law "On Personal Data".
  • Information about the transfer of data outside of Russia.

All this information can be presented in free form. The main thing is that the document contains all the information required by the law, and also clearly explains to the user what is happening with his personal data, how you can use it and what you are doing to protect his right to privacy and personal secrets.

Copying a privacy policy from other sites is not a good idea. At a minimum, you need to adapt the text to your data processing conditions.

The document may go by different names on the website: personal data policy, privacy policy, user agreement, etc. This does not change the essence and is not considered a violation.

How to prepare the document and place it on the site

The only requirement of the legislation in this regard is that personal data subjects have free and unlimited access to the privacy policy. Beyond that, the site owner is free to decide how best to implement it on the site.

Usually the document is published on a separate page that can be reached in one click from any other page. Links to the privacy policy should be placed next to the forms where the user agrees to the processing. A link to the documents is also often placed in the footer or the top menu of the site.

The checkbox "Consent to the processing of personal data" next to the forms is also required. According to the law, it is possible to collect and process information about users only with their consent, with the exception of a few cases that do not apply to sites. Moreover, in the event of an inspection, the owner of the resource must be able to prove that consent was given.

Complying with this requirement on site builders and popular CMSs is easy: most developers responded quickly and added this feature to their products.

New plugins for WordPress:

  • Free - "Privacy Policy for the site. Consent under the Contact-Form 7 forms."
  • Paid - Privacy Policy, price: 700-2500 rubles, depending on the priority of technical support and the number of sites.

Both plug-ins meet the requirements of 152-FZ and are similar in functionality:

  • automatically add checkboxes to comment forms and those created using the "Contact Form 7" plugin;
  • allow you to create and configure a page with the privacy policy;
  • show a notification about the use of cookies;
  • let you set the text of the consent to processing;
  • let you make the checkbox checked by default, although this is still not worth doing: the user must give consent, and therefore must check the checkbox himself;
  • prohibit sending the form without it.

There are also older plug-ins, including English-language ones, that add checkboxes for subscribing to a newsletter, accepting the user agreement, etc. However, the new products were developed specifically to comply with 152-FZ, so they will be easier to configure for these purposes.

Finally, a few more requirements that should not be forgotten.

  • You cannot collect more data than you need to achieve the goals prescribed in the privacy policy.
  • You cannot store and process data using databases hosted on foreign servers.
  • Before you begin collecting personal data, you need to notify Roskomnadzor in paper or electronic form. The list of information is in Art. 22 of 152-FZ.
  • To delegate the processing of personal data to other legal entities or individuals, you need to enter into an agreement.
  • The operator of personal data is obliged to ensure its security through organizational, legal and technical measures: instruct employees, develop local acts, and ensure reliable protection of databases that rules out information leakage and access by third parties.
