Moscow, Bratislavskaya st. 16K1
+7 495 740 4333
THE LAW “ON PERSONAL DATA”. INSPECTIONS. WHO AUDITS, WHO IS AUDITED, AND HOW. PART 1
To begin with, we need to understand what personal data is and why this topic worries many companies.
According to the Federal Law of 27.07.2006 N 152-FZ (ed. on 29.07.2017) “On Personal Data”, personal data – any information that directly or indirectly relates to a specific or identifiable individual (the subject of the personal data).
In any company, personal data is collected and processed in relation to candidates for a vacant position, customers. In addition, since July 1 of this year, amendments to the law came into force, which adjusted the responsibility for violations of legal requirements. Therefore, you need to know which organizations control activities in this area, who they check and how.
So, who checks:
- Roskomnadzor
- State Labour Inspectorate
- FSTEC and FSS.
The main supervisory body in this area is Roskomnadzor. It is intended to protect the rights of subjects of personal data and supervise the processing of personal data in terms of its compliance with legal requirements. To perform its functions, Roskomnadzor possesses the following set of powers:
- verification of the information specified by the organization in the Notice;
- Has the ability to restrict access to data that is processed in violation of the law;
- has the right to apply to court with claims to protect the rights of personal data subjects and represent them in court;
- Has the right to bring administrative proceedings against those responsible for violating this Federal Law;
- Has to consider complaints and appeals on issues related to the processing of personal data, and to make decisions on them within its powers.
- May require the operator to destroy personal data obtained illegally
To date, Roskomnadzor carries out the following activities to implement its powers:
- processing appeals from citizens;
- Carrying out control and supervisory activities;
- Maintaining the Register of Personal Data Operators.
Roskomnadzor processes complaints in accordance with the law of May 2, 2006 № 59-FZ “On the procedure of consideration of citizens’ appeals of the Russian Federation”. Any citizen can send a complaint in writing or via an electronic form on the Roskomnadzor website or the State Services portal. All appeals must be considered within 30 days. A new draft of Administrative Regulations is being considered by the Government. Currently, Roskomnadzor carries out checks based on Administrative Regulations approved by order of the Ministry of Communications № 312 of 14.11.2011.
Scheduled inspections are carried out on the basis of an annual plan. The subject of Roskomnadzor inspections are: personal data processing activities; documents, the nature of information in which involves or allows inclusion of personal data; personal data information systems.
That is, Roskomnadzor does not check the availability and state of technical protection of personal data information systems. Its main task is to check the legal basis for the processing of personal data. Regulations, instructions, orders and other documents are not the main object of inspections.
The authorized agency is interested in the personal data itself and the compliance of the volume of this data with the purposes of processing.
As a rule, it is written in the notification about the planned inspection that the inspected person must submit a complete list of necessary documents. The inspection may concern everyone: legal persons who have submitted the notification on personal data processing to the register of operators, as well as those who have not done so. Both scheduled and unscheduled inspections take no more than 20 days.
Unscheduled inspections by Roskomnadzor can be documentary and on-site inspections. During a documentary check Roskomnadzor makes a request for the necessary documents and indicates the deadline for providing them. The operator is notified of an unscheduled inspection no later than 24 hours prior to the inspection by any available means. Usually this is done by phone or fax.
Such inspections are carried out if the deadline for the operator’s fulfillment of a previously issued order to eliminate the identified violation has expired. Most often, after a scheduled inspection, Roskomnadzor conducts an unscheduled inspection. This is done in order to control the elimination of the detected violation. Such an inspection is rarely an on-site inspection. Usually, it is carried out by requesting the necessary documents, demonstrating the elimination of the violation; if the service or its territorial bodies received an appeal from citizens, legal persons, individual entrepreneurs, information from public authorities, local authorities, from the media.
Inspections by the State Labor Inspectorate
LC RF contains chapter 14: “Protection of Employee’s Personal Data”. During the inspections they pay attention to the requirement of point 8 of Article 86: “The employees and their representatives shall be acquainted against signature with the employer’s documents establishing the procedure for processing of employees’ personal data, as well as their rights and obligations in this field. That is, they check the existence of such a document and the fact that all employees are familiar with it.