Protection of personal data in IT and TMT sector
Legal services for the protection of personal data in the field of technology, media and telecommunications
The development of IT and telecommunication technologies greatly facilitates the work of specialists in many fields and makes it easier to solve a number of everyday household issues. Telecommunications, media and technology (TMT), as well as IT, occupy an increasing place in business and everyday life. However, carrying out even the simplest operations requires deep knowledge of the legislation governing work in these areas, as well as the rules for providing, receiving, processing, and protecting personal data. Ignorance of the procedure for working with personal data exposes the operator of personal data to the risk of administrative, civil and even criminal liability. The person providing personal data must also accurately assess the possible legal consequences of doing so in order to avoid fraudulent actions and significant damage.
Our lawyers have experience in data protection, including preparing company policies on the protection of personal data and other documents needed to comply with Russian legislation on the protection of personal data, assessing the application of the General Data Protection Regulation of the European Union (GDPR), and advising on all issues related to the application of legislation on the protection of personal data.
Protection of personal data on the Internet
Internet transactions and other online activity (including the purchase of goods/services, filling out questionnaires, placing orders, simple online communication, etc.) require the user to enter information about himself that can qualify as personal data. Federal Law of July 27, 2006 No. 152-FZ “On Personal Data” (hereinafter referred to as the Law on Personal Data) provides that personal data includes any information relating directly or indirectly to a specific individual (subject of personal data). Personal data therefore include surname, name, patronymic, gender, date and place of birth, place of residence, place of work, education, marital status, as well as photographs of the subject of personal data and other information.
It is important to note that both the person providing personal data and the person to whom they are provided bear certain legal risks. Thus, the subject of personal data must verify the good faith of the person to whom the information is provided. The person who collects and processes personal data, in turn, actually acquires the status of a personal data operator, since under the Law on Personal Data the processing of personal data means any action (operation) or set of actions (operations) performed with personal data, with or without the use of automation tools, including collection, recording, systematization, accumulation, storage, clarification (update, change), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data. At the same time, any processing of personal data is carried out with the consent of the subject of personal data.
Failure to obtain such consent entails the imposition of an administrative fine on citizens from 3000 to 5000 rubles; for officials – from 10,000 to 20,000 rubles; for legal entities – from 15,000 to 70,000 rubles (Article 13.11 of the Administrative Code of the Russian Federation).
At the same time, the illegal collection or dissemination of information about the private life of a person constituting his personal or family secret, without his consent, or the dissemination of this information in a public speech, publicly displayed work or the media constitutes a crime. Such a violation is punishable by a fine of up to 200,000 rubles, or compulsory work for up to 360 hours, or corrective labor for up to 1 year, or forced labor for up to 2 years (with or without deprivation of the right to hold certain positions for up to 3 years), or arrest for up to 4 months, or imprisonment for up to 2 years (with deprivation of the right to hold certain positions for up to 3 years).
Thus, it is extremely important to comply with all legal requirements for the procedure for the protection and processing of personal data.
Personal data processing policies
By virtue of Art. 18.1 of the Law on Personal Data, the operator is obliged to take the measures necessary to fulfill the obligations provided for by the specified regulatory legal act. The operator independently determines the composition and list of appropriate measures.
One of the effective measures is the publication by the operator of documents defining the operator's policy regarding the processing of personal data, local acts on the processing of personal data, as well as local acts establishing procedures aimed at preventing and detecting violations of the legislation of the Russian Federation, eliminating the consequences of such violations.
In practice, in most cases, for legal entities acting as operators of personal data, the main document among those listed above is the policy regarding the processing and protection of personal data.
Currently, the official website of the Federal Service for Supervision in the Sphere of Communications, IT and Media contains recommendations on the development of policies for the processing of personal data. It is recommended to include in them:
- general provisions containing the main terms and development goals;
- the purpose of collecting and processing personal data;
- legal basis for the processing of personal data (for example, federal laws, the charter of a legal entity, consent to the processing of personal data, etc.);
- volume and categories of processed personal data;
- categories of personal data subjects;
- procedure and conditions for their processing.
It is also recommended to include in this document the regulations for responding to requests/appeals of personal data subjects, authorized bodies regarding the inaccuracy of personal data, illegal processing, revocation of consent and access of the personal data subject to their data, as well as appropriate forms of requests/appeals.
Preparing policies for the processing of personal data enables the operator of personal data to develop a uniform procedure for their processing, and also allows the subject of personal data to familiarize himself in detail with all the conditions under which personal data are provided. In this regard, it is particularly important that the personal data processing policy take into account all legal aspects that protect the interests of both the operator of personal data and the subject of personal data.
General Data Protection Regulation (GDPR)
The General Data Protection Regulation of the European Union (GDPR) of May 25, 2018 was developed for the territory of the European Union, but it also has a transnational character, so Russian personal data operators may in fact also be subject to it.
The Regulation applies to the processing of personal data of data subjects located in the EU, as well as to a controller or data processor not established in the EU, if the processing of data concerns: the provision of goods and services to data subjects in the EU, regardless of whether payment is required from the data subject, or monitoring their activities, provided that the activities are carried out in the EU.
Thus, the offer of goods, works, services in the EU, implying the processing of personal data, as well as the analysis of information about visitors to sites from the EU, in fact, are subject to the said regulation.
It is important to note that the said regulation explicitly provides for the possibility of obtaining consent to the processing of personal data by “ticking the boxes” on the operator's website.
Another feature of the GDPR is that it grants personal data subjects the right to submit complaints to supervisory authorities. In fact, the document regulates in detail the procedure for processing personal data.
To accurately determine whether a legal entity is subject to this Regulation, which has a cross-border effect, a legal analysis of the structure of the activities of the organization acting as operator of personal data is required. At the same time, violation of the requirements of the Regulation is punishable by a fine of 20 million EUR, or up to 4% of the company's global annual turnover. It is the timely and correct determination of the rights and obligations of the operator of personal data that makes it possible to avoid checks and investigations by the supervisory authorities.
- Development of strategies for processing personal data and measures to protect them, depending on the structure and characteristics of the work of the operator of personal data
- Legal analysis and development of policies for the processing and protection of personal data
- Protecting the interests of operators of personal data during inspections by control and/or supervisory authorities
- Legal advice to subjects of personal data and personal data operators on all issues related to the processing of personal data
- Analysis of the need to comply with the requirements of GDPR and development of recommendations for compliance with the relevant requirements (if necessary)
- Legal representation of subjects and operators of personal data