Roskomnadzor inspections of personal data operators over the past year

In recent years the agency named in the title has increasingly appeared in Habr news items about yet another blacklist or some absurd site block, but in this article I would like to recall one of Roskomnadzor's least important functions: supervising compliance with legislation on the protection of personal data.

It so happened that many of our customers ended up in Roskomnadzor's inspection plans for 2013-2014, but we were not particularly worried, because our customers had been inspected before and the experience had been very positive. For the new customers we likewise put everything in order and waited for the next inspection simply to tick another box in our "successful regulator inspections" portfolio. But this article would never have seen the light of day if everything had lived up to our optimistic expectations...

Early last year I wrote an article in which I tried to describe, step by step, the stages of preparing for such inspections. That procedure clearly worked until mid-2013. What happened then? Below I describe in more detail some cases of RKN arbitrariness during personal data inspections, but in short: for these inspections the agency has introduced a quota system. Inspectors now look for any violation, however trivial, just to issue an order and make the operator pay a fine that is small but unpleasant. It is possible that the quota system exists only in our region, but conversations with colleagues from other Russian regions suggest otherwise.

Before I describe specific cases, I ask you to keep a few facts in mind while reading further:
  • the composition of the inspection team did not change, that is, in all cases the inspectors were the same people;
  • the set of measures and the quality of preparation for the inspection were at the same level for everyone inspected before and after the second half of 2013;
  • when preparing for each subsequent inspection, the quirks of the previous inspection were taken into account.

The first order issued to one of our customers was because the operator's notification, in the section on employees' personal data, did not mention the numbers of the powers of attorney issued to particular employees for particular purposes. No matter how hard we tried to appeal to common sense and explain that a power of attorney is a separate document, that the person is an attribute of the power of attorney (to whom and for what it is issued) rather than the power of attorney number being an attribute of the person, nothing helped. What helped the inspectors here was the very vague definition of "personal data" in 152-FZ (any information relating directly or indirectly to an identified or identifiable natural person). Our legislators are very fond of vague wording. What exactly the Ministry of Justice's anti-corruption review of draft laws achieves in such cases is not particularly clear.

Fine, this time we took the power of attorney numbers into account and waited for the next inspection. And here another surprise awaited us.
This time the Roskomnadzor inspectors, apparently having found no discrepancies in the composition of the personal data, decided to pull a trick and find a discrepancy in the categories of personal data subjects instead. The situation here is the same as with the data items themselves: if you stated in the notification that you process the personal data of employees and customers, but in fact also process the PD of, say, some volunteers, you get an order. And in this case it occurred to the RKN representatives to declare that the organization's current and dismissed employees are in fact different categories of personal data subjects (recall that the inspectors were the same people who had paid no attention to this before). Here, too, no appeal to common sense helped.

With one customer they picked on the content of the public personal data policy. This is a document that must be published in the public domain (on your website, if you have one). Naturally, we never put any specifics into this document about what we protect and from whom: why would we publish information useful to potential attackers on a public portal? Yet the Roskomnadzor people wanted us to describe in detail, in a public document, the measures taken to protect personal data. Why, is unclear. In general, Roskomnadzor's abnormal urge toward exhibitionism has been worrying for a long time. Take just the register of state information systems, in which one can find the work and mobile phone numbers (for example, here) and the e-mail of the person responsible for a system, the server and client operating systems used in the system, the application software, financing information, and much more. Simply a paradise for social engineers, spammers and other black hats.

But back to the inspections. The last case was somewhat different from the rest. The client came to us for help a week before the inspection. During the preliminary call and a check of the register of personal data operators, it turned out that the company had never filed a notification of personal data processing; that is, the client was absent from the register of operators. You need to understand that even if we had prepared a notification the same day, 152-FZ gives Roskomnadzor up to 30 days to enter an operator into the register after a notification is filed, and experience shows that the register entry appears 20-25 days after the notification date (although, again, this applies to our region; elsewhere the RKN folks may be quicker). So we decided to take the position that 152-FZ provides for cases in which a notification need not be filed, in particular when PD is processed in the course of an employment relationship or under a contract to which the PD subject is a party. In principle this could have worked, had RKN not set out to punish the organization, because the client was a small commercial firm that merely processes employees' PD under the Labour Code and concludes contracts with clients. The order issued after the inspection stated that the firm had to file a notification, and since it had not, it had violated 152-FZ, tut-tut! And the order contained no justification, just "no notification, does not fall under the exception, therefore violates ...". Verbally the inspectors told us that the contractual relationship with customers was hard to find fault with, so the notification had to be filed because (IMPORTANT!) the organization transfers employees' personal data to third parties: the Federal Tax Service and the Pension Fund! That's it! Of course this immediately raises the question: why then does the federal law contain all these exceptions that allow an operator not to file a PD notification?
Wouldn't it be easier to write "all legal entities must file a notification" and be done with it?

What to do?
Frankly, I am even curious what the RKN representatives will come up with, and where they will dig, at the next inspection, since the quota system is in place. But sometimes a thought occurs: maybe deliberately leave an obvious flaw in a conspicuous place? The fines are small, and having spotted a violation in plain sight, the inspectors would most likely put it in the order, we would pay a small fine, fix the violation on time and carry on living in peace, and the inspectors would not dig deeper. There is another option: challenge the Roskomnadzor order in court, which is what our last client decided to do. Unfortunately, I cannot share the outcome of that story, because it has not ended yet. In any case, everyone will choose their own path, although it is possible that the quota system has not yet reached your region.

Source: habrahabr.ru/post/228063/