Personal Data Processing Policy
Legal services for the development and preparation of a personal data processing policy
The activities of almost every organization are connected with the processing of personal data, which. In this regard, the legislator has provided for the obligation of personal data operators to issue a document defining a policy regarding the processing of personal data. Different organizations may adopt different local documents; the legislator does not restrict personal data operators in this matter. In particular, this may be one document reflecting all the requirements of the legislation, or it may be several documents reflecting individual provisions of Law No. 152-FZ.
A personal data processing policy, as a rule, is a local document developed by an organization that processes personal data for specific purposes. It is recommended to include the following sections in the personal data processing policy:
- General provisions. This section describes the purpose of the adopted Policy, the basic concepts, as well as the basic rights and obligations of the operator and the subject of personal data.
- Legal grounds for the processing of personal data. This section reflects the regulatory documents in accordance with which the operator collects and processes personal data, such as regulatory documents of the Russian Federation, local documents of the personal data operator, agreements between the operator and the subject of personal data, and consent to the processing of personal data.
- Purposes of collecting personal data. For each purpose of processing personal data, categories and a list of processed personal data are determined.
- Scope and categories of processed personal data, categories of personal data subjects. The content and scope of the processed personal data must correspond to the stated purposes of processing. The processed personal data should not be excessive in relation to the stated purposes of their processing. At the same time, the categories of personal data subjects, for example, employees of the personal data operator, customers, contractors, etc., should be reflected in the Policy.
- The procedure and conditions for the processing of personal data. In this section, it is necessary to indicate what actions the operator will perform with personal data, processing methods, processing times, storage methods, conditions for terminating the processing of personal data, the possibility of transferring personal data to third parties and the conditions for such transfer, etc. It should be noted that some personal data is subject to fairly long storage. In this regard, the conditions for its storage must be protected and limited in order to prevent the leakage of personal data to an unlimited number of persons.
- Deletion, destruction, updating, correction of personal data. The operator is not entitled to process personal data without the consent of the subject of personal data. However, once the purpose of processing has been achieved, further use of the data becomes irrelevant, and the personal data may be subject to deletion or destruction. At the same time, personal data may change, and therefore its periodic updating or correction is required.
- Final provisions. This section may reflect additional terms of the Policy that are not reflected in other sections, for example, consideration of requests from personal data subjects, withdrawal of consent to the processing of personal data, etc.
The structure and composition of the Personal Data Processing Policy depend directly on the purposes for which personal data is received and processed, as well as on the specifics of the activities and structure of the personal data operator. To draw up a Policy, personal data operators need to study the entire process of interaction with personal data, the categories of employees who have access to personal data, the conditions for obtaining personal data, the conditions and terms of storage of personal data, etc. After receiving and structuring such information, a Personal Data Processing Policy is drawn up. At the same time, such a local document must be updated in accordance with the changes introduced by the legislator.
The personal data processing policy can be drawn up by the personal data operator independently or with the involvement of a qualified specialist who will study the available ways of interaction of a particular organization with personal data, structure the information received and draw up a personal data processing policy that fully complies with the requirements of the Personal Data Law.
In addition to the direct development of the Personal Data Processing Policy, one should not forget that, in accordance with Part 2 of Article 18.1 of the Law on Personal Data, the operator is obliged to publish or otherwise provide unrestricted access to the document defining its policy regarding the processing of personal data and to information about the implemented requirements for the protection of personal data. If the collection of personal data is carried out using information and telecommunication networks, the personal data operator is obliged to publish the Policy in such a network and provide access to the specified document using the means of the corresponding network.
An important point in the field of personal data processing is that the requirement to have a Personal Data Processing Policy and ensure unrestricted access to it must be fulfilled by all personal data operators, regardless of the method of their collection.
- Advice on the processing of personal data
- Verification, analysis and structuring of existing documents on personal data processing
- Preparation and execution of a personal data processing policy and related documents
- Support for the activities of organizations related to the processing of personal data