What is the personal information posted online. Assessment of the level of digital literacy. Documents for legal entities and individual entrepreneurs

Today we want to talk with you about personal data, the privacy policy, the user agreement and upcoming changes. You may or may not know that on July 1, 2017, amendments to Article 13.11 of the Administrative Code of the Russian Federation come into force. Personal data operators, all owners of sites with feedback forms, and other persons who process personal data need to make adjustments in order to avoid the fines increased by the latest changes in legislation.

Violation of the procedure established by law for the collection, storage, use or dissemination of information about citizens (personal data) - entails a warning or the imposition of an administrative fine on citizens in the amount of three hundred to five hundred rubles; for officials - from five hundred to one thousand rubles; for legal entities - from five thousand to ten thousand rubles.

Article 13.11. Violation of the procedure established by law for the collection, storage, use or dissemination of information about citizens (personal data)

1. Processing of personal data in cases not provided for by the legislation of the Russian Federation in the field of personal data, or processing of personal data incompatible with the purposes of collecting personal data, except for the cases provided for in part 2 of this article, if these actions do not contain a criminal offense, - entails a warning or the imposition of an administrative fine on citizens in the amount of one thousand to three thousand rubles; for officials - from five thousand to ten thousand rubles; for legal entities - from thirty thousand to fifty thousand rubles.

2. The processing of personal data without the written consent of the subject of personal data to the processing of his personal data in cases where such consent must be obtained in accordance with the legislation of the Russian Federation in the field of personal data, if these actions do not contain a criminal offense, or the processing of personal data in violation of the requirements established by the legislation of the Russian Federation in the field of personal data for the composition of the information included in the written consent of the subject of personal data to the processing of his personal data - entails the imposition of an administrative fine on citizens in the amount of three thousand to five thousand rubles; for officials - from ten thousand to twenty thousand rubles; for legal entities - from fifteen thousand to seventy-five thousand rubles.

3. Failure by the operator to comply with the obligation stipulated by the legislation of the Russian Federation in the field of personal data to publish or otherwise provide unrestricted access to the document defining the operator's policy in relation to the processing of personal data, or information on the implemented requirements for the protection of personal data - entails a warning or the imposition of an administrative fine on citizens in the amount of seven hundred to one thousand five hundred rubles; for officials - from three thousand to six thousand rubles; for individual entrepreneurs - from five thousand to ten thousand rubles; for legal entities - from fifteen thousand to thirty thousand rubles.

4. Failure by the operator to fulfil the obligation stipulated by the legislation of the Russian Federation in the field of personal data to provide the subject of personal data with information relating to the processing of his personal data - entails a warning or the imposition of an administrative fine on citizens in the amount of one thousand to two thousand rubles; for officials - from four thousand to six thousand rubles; for individual entrepreneurs - from ten thousand to fifteen thousand rubles; for legal entities - from twenty thousand to forty thousand rubles.

5. Failure by the operator, within the time limits established by the legislation of the Russian Federation in the field of personal data, to meet the requirements of the subject of personal data or his representative or the authorized body for the protection of the rights of subjects of personal data to clarify personal data, block or destroy it if the personal data is incomplete, obsolete, inaccurate, illegally obtained or not necessary for the stated purpose of processing - entails a warning or the imposition of an administrative fine on citizens in the amount of one thousand to two thousand rubles; for officials - from four thousand to ten thousand rubles; for individual entrepreneurs - from ten thousand to twenty thousand rubles; for legal entities - from twenty five thousand to forty five thousand rubles.

6. Failure by the operator, when processing personal data without using automation tools, to comply with the conditions ensuring, in accordance with the legislation of the Russian Federation in the field of personal data, the safety of personal data when storing tangible media of personal data and excluding unauthorized access to them, if this entailed illegal or accidental access to personal data, their destruction, alteration, blocking, copying, provision, distribution or other illegal actions in relation to personal data, in the absence of signs of a criminal offense - entails the imposition of an administrative fine on citizens in the amount of seven hundred to two thousand rubles; for officials - from four thousand to ten thousand rubles; for individual entrepreneurs - from ten thousand to twenty thousand rubles; for legal entities - from twenty five thousand to fifty thousand rubles.

7. Failure by an operator that is a state or municipal body to fulfil the obligation, provided for by the legislation of the Russian Federation in the field of personal data, to depersonalize personal data, or failure to comply with the established requirements or methods for depersonalizing personal data - entails a warning or the imposition of an administrative fine on officials in the amount of three thousand to six thousand rubles.

Thus, from July 1, 2017, the regulatory authorities have much wider scope to penalize operators of personal data: the number of grounds grows from one to SEVEN. And the total amount of fines will increase from 10,000 rubles to 290,000 rubles. It's up to you to decide whether that is a lot or a little, but it's still worth reading our article.

So that you are aware of and understand how to act and for what you may face a fine, we offer the following FAQ:

1. What is personal data?
This is any information about a person, taken together or separately, be it first name, last name, phone number, email, etc. Since sites collect users' personal data in one way or another, almost all site owners are automatically operators of personal data, even without knowing it.

2. Privacy policy, what is it?
This is a local act that states how you work with personal data. You must provide unrestricted access to this document and, if you have a site, place it in the footer of your site. Otherwise, as you understand, you can be held administratively liable under Article 13.11 of the Administrative Code of the Russian Federation.

3. Should a privacy policy be posted on any site?
No, not at all. It is worth posting a policy if you are the operator of personal data, that is, in any way receive personal data of users.
At the moment, most Internet sites collect personal data through registration forms, feedback forms and ordering goods, etc.

4. Do I need to obtain consent for the processing of personal data?
Definitely! This is required by the provisions of the Federal Law "On Personal Data". On Internet sites, this is done by including links to the privacy policy and the accompanying text in feedback forms, mailing list subscription forms, user registration forms and other forms.

5. What is the name of the document?
The Federal Law "On Personal Data" says that "An operator collecting personal data using information and telecommunication networks is obliged to publish a document in the relevant information and telecommunication network that defines its policy regarding the processing of personal data ...". Therefore, we will call the document "personal data processing policy".

6. Is there a generally accepted policy of the organization regarding the processing of personal data (document template)?
There are plenty of such templates on the Internet. Such a document contains: general provisions, information about the operator, methods of processing personal data, a list of processed personal data by subjects of personal data, purposes of processing personal data, the rights of subjects of personal data and the operator of personal data, etc. Nevertheless, when developing a policy, one should proceed from the specifics of the activities of a particular organization and its goals in receiving and processing personal data. Free templates, as always, should be used wisely.

7. Notice about the processing of personal data, what is it, how to submit it, etc.?
You must notify Roskomnadzor of your intention to process personal data, and the latter, in turn, must include you in the register of personal data operators.
A notification can be submitted by filling out the form at the link. Sending a notification through Russian Post as well is also a good idea, since you never know what can happen on their side: they have even blocked themselves already, and losing a database is quite easy.

8. Can I not submit a notification about the processing of personal data?
Notifying Roskomnadzor is an OBLIGATION of the operator of personal data. The few exceptions are all listed in the Federal Law "On Personal Data".

9. Who can initiate a review?
A check can be assigned at the request of any subject of personal data whose personal data you are processing. That is, any "well-wisher" may well add "a little" extra trouble to you.

10. Is it necessary to make adjustments to the templates of contracts taking into account the requirements of the Federal Law "On the processing of personal data"?
Yes. This is due to the fact that, in one case or another, you not only process, but also use the personal data of contractors, and sometimes transfer this data to third parties.

In accordance with Article 20 of the Federal Law "On Personal Data", you are given 30 days to provide information at the request of Roskomnadzor. You probably thought that you will surely have time to prepare in 30 days? Don't jump to conclusions. The privacy policy and user agreement are just a small fraction of the documents that Roskomnadzor may request from you.

An indicative list of documents that Roskomnadzor may request for verification

1. General information
1.1. A copy of the document on the appointment of the legal representative of the Operator, authorized to represent the interests of the legal entity during the audit.
1.2. Certificate of the Operator's status as a small business entity indicating the type of business (small business, micro-business, etc.).
1.3. A copy of the Articles of Association of the legal entity.
1.4. For each of the activities of the Operator listed in the Charter of the Company, indicate:
- categories of PD subjects whose PD is processed;
- a list of processed PD categories separately for each category of PD subjects;
- the purposes of PD processing for each category of PD subjects;
- PD information system (hereinafter - PDIS), in which PD processing is carried out, separately for each category of PD subjects;
- the legal basis for the processing of personal data (consent, agreement, norm / article / clause of the law or by-law, otherwise).
1.5. Information on the legal basis for PD processing without submitting a Notification of PD processing with supporting documents attached (in case of failure to submit a Notification);
1.6. Documents allowing to establish the address of the location, the territorial location of buildings, structures, premises, offices, etc. owned by the Operator or leased by the Operator and subleased to other persons. Attach copies of lease agreements with all attachments in relation to the address of the actual implementation of activities, documents and diagrams that allow you to accurately delineate office premises (workplaces) used by the Operator alone and / or in conjunction with subleasers.
1.7. A copy of the staffing table (valid at the time of verification).
1.8. A statement, in accordance with the staffing table, about the structural units in which the Operator organizes the processing of PD: their location address, floor, office number, contact information.
1.9. A copy of the document on the appointment of a person responsible for organizing PD processing. A copy of the job description of the person responsible for organizing PD processing.
1.10. Copies of documents defining the Operator's policy in relation to PD processing;
1.11. All current local acts issued by the Operator reflecting the following issues of PD processing (if a general document is issued, indicate the relevant paragraph, section, etc.):
1) Purposes of PD processing;
2) The legal basis for the processing of personal data (consent, agreement, norm / article / clause of the law or by-law);
3) Categories of PD subjects, whose PD is processed;
4) PD categories for each category of PD subjects, respectively;
5) Description of the procedure, means and methods of PD depersonalization, for what purposes PD depersonalization is carried out, in relation to which PD subjects and categories of PD the depersonalization is carried out;
6) The term for processing PD of PD subjects (in electronic form, on tangible media);
7) The storage period for PD of PD subjects (in electronic form, on tangible media);
8) Places of storage of material carriers of personal data;
9) Conditions for the destruction of PD of PD subjects and the procedure for its implementation (in electronic form, on tangible media), copies of acts on the destruction of PD;
10) The list of persons who have access and are directly admitted to work with PD of PD subjects (in electronic form, on tangible media).
1.12. Copies of local acts establishing procedures aimed at preventing and detecting violations of the legislation of the Russian Federation, eliminating the consequences of such violations.
1.13. Copies of documents confirming the application of legal, organizational and technical measures to ensure PD security;
1.14. Copies of documents confirming the implementation of internal control and (or) audit of the compliance of PD processing with the Federal Law "On Personal Data" and the regulatory legal acts adopted in accordance with it, the requirements for PD protection, the operator's policy regarding PD processing, local acts of the operator.
1.15. Copies of documents confirming the familiarization of the operator's employees who directly process personal data with the provisions of the legislation of the Russian Federation on personal data, including requirements for the protection of personal data, documents defining the operator's policy regarding the processing of personal data, local acts on processing personal data, and (or) training of these employees.
1.16. Standard forms of documents (questionnaires, survey forms, etc.), the nature of the information in which suggests or allows the inclusion of PD. Orders approving the specified standard forms.
1.17. Copies of journals (registers, books) containing PD required for a single pass of the PD subject to the territory on which the Operator is located.
1.18. Documents confirming the adoption of measures in the processing of personal data to ensure, in relation to each category of personal data, the ability to determine the storage locations of personal data (material carriers) and establish a list of persons who process personal data or have access to them.
1.19. Documents confirming the adoption of measures to ensure the separate storage of personal data (material carriers), the processing of which is carried out for various purposes.
1.20. Documents confirming the adoption of measures to comply with the conditions ensuring the safety of personal data and excluding unauthorized access to them when storing material media. Submit the list of measures established by the Operator to ensure such conditions, the procedure for their adoption, as well as provide a list of persons responsible for the implementation of these measures.
1.21. Documents confirming that the persons processing PD without using automation tools (the Operator's employees and (or) persons carrying out such processing under an agreement with the Operator) have been informed about the fact that they process PD which the Operator processes without using automation tools, about the categories of PD processed, and about the features and rules for carrying out such processing established by the regulatory legal acts of federal executive bodies, executive authorities of the constituent entities of the Russian Federation, as well as local legal acts of the Operator (if any).
1.22. Copies of signed written consent of PD subjects (one for each category of PD subjects) for the processing of their PD, including copies of signed written consent of PD subjects for the processing of biometric PD, special categories of PD, for making decisions based solely on automated PD processing, and for the cross-border transfer of personal data to the territory of a foreign state that does not provide adequate protection of personal data.
1.23. Material media (completed questionnaires, applications, resumes, etc.) containing PD received from PD subjects, separately for each category of subjects.
1.24. Material media (completed questionnaires, applications, resumes, etc.) containing personal data obtained legally (contract, law, etc.), separately for each category of subjects.
1.25. Electronic media (completed questionnaires, registers, applications, resumes, etc.) containing personal data received from subjects and / or on a legal basis (agreement, law and other), separately for each category of subjects.
1.26. Information confirming the legality of processing biometric PD. Attach supporting documents.
1.27. Information confirming the legality of processing special categories of PD. Attach supporting documents.
1.28. Information confirming the legality of decision-making on the basis of exclusively automated processing of PD. Attach supporting documents.
1.29. Information confirming the legality of the cross-border transfer of personal data. Attach supporting documents.
1.30. Information confirming the legality of the processing of personal data in order to promote goods, works, services on the market by making direct contacts with a potential consumer using communication means, as well as for political campaigning. Attach supporting documents.
1.31. Information on the procedure for obtaining by the Operator the consent of the PD subject to provide access to an unlimited number of persons to his PD if such access is necessary.
1.32. Certificate on the procedure for processing PD in cases necessary to protect the life, health or other vital interests of PD subjects.
1.33. Copies of agreements, one of the parties to which is the subject of personal data (employee, client, etc.), one agreement for each category of subjects.
1.34. Copies of all agreements concluded with third parties regarding the order (ordering processing to another person and processing on behalf of another person) for the processing of personal data, one agreement for each category of subjects.
1.35. Copies of applications from citizens (for the last two calendar years, including the current one) on issues of clarification, deletion, destruction of PD, considered by the Operator. Copies of the Operator's responses and measures taken for citizens' appeals with the attachment of copies of documents on the measures taken.

2. Personnel block
2.1. A statement on the procedure for the search and selection of personnel with the attachment of supporting documents. In the statement, regarding the PD of applicants for vacant positions, indicate: the source of PD receipt; the legal basis for the processing; the purpose of the processing; the procedure for obtaining, recording, use and storage (storage location, data storage); persons with access; procedure and conditions for destruction. Additionally, indicate the persons to whom the PD is transferred, as well as any order to process the PD, and attach copies of contracts with all attachments.
2.2. The form of the applicant's consent to fill a vacant position for the processing of personal data. A copy of the completed form containing the applicant's personal data.
2.3. The consent form of the office visitor for PD processing. A copy of the completed form containing the visitor's personal data.
2.4. The consent form of the Operator's employee for the processing of personal data. A copy of the completed form containing the employee's personal data.
2.5. Form of consent of employees' relatives to PD processing. A copy of the completed form containing the personal data of the employees' relatives.
2.6. Information on the composition of documents included in the personal file of the Operator's employee.
2.7. Information on the procedure for transferring personal data of employees to third parties, with the attachment of supporting documents.
2.8. Information on the procedure for registration of a salary project with the attachment of the following documents. Attach a copy of the agreement concluded with the bank.
2.9. Certificate on the implementation of medical insurance for employees and their relatives with a copy of the contract attached.
2.10. Information on the procedure for registration and booking of hotel rooms, travel tickets, etc. when sending workers with supporting documents attached.
2.11. Information about the storage time of the personal files of the dismissed employees of the Operator until they are transferred to archival storage, carried out in accordance with the legislation on archiving in the Russian Federation (hereinafter referred to as the archive), as well as until the storage of personal files is entrusted to a third party. Indicate the composition of the documents of employees transferred to the archive (to a third party storing documents on behalf of the Operator). Copies of documents establishing the procedure for maintaining (referring to the archive) archival storage in accordance with the legislation on archiving in the Russian Federation (if any).
2.12. Copies of agreements concluded with third parties regarding the order to process personal data of employees, relatives of employees.
2.13. Certificate on the procedure for processing personal data of dismissed employees.

3. PD information systems
3.1. List of PD information systems processing PD of all categories of PD subjects.
3.2. Information about the location (address) of the Operator's information databases containing personal data of citizens of the Russian Federation. Description of information systems, indicating the name, software version, software developer, location of components.
3.3. The list of PD subjects, a list of groups of PD subjects processed in the PDIS, if the PD subjects are combined into groups.
3.4. Sources of obtaining PD for each category of PD subjects, respectively (the subject himself provided them or they were obtained in another legal way).
3.5. List of PD categories of PD subjects processed in the PDIS.
3.6. Description and purpose of the PDIS, in which PD processing is carried out for each category of PD subjects. Instructions for the PDIS, user manual and any similar documents on PDIS functionality, access procedure, backup.
3.7. The list of operations, actions performed with the PD of PD subjects in the PDIS.
3.8. Description of the procedure for processing PD (a step-by-step description of the procedure for entering, collecting, loading, storing, reading, using, transferring, accessing, distributing, modifying, deleting, destroying) in the PDIS for each category of PD subjects, respectively.
3.9. Information on the backup procedure, including the frequency of copying, the procedure and location for storing backups and the procedure for destroying backups.
3.10. Description of technological and informational support of the PDIS.
3.11. Copies of lease agreements for server capacities used to host PD databases.
3.12. Copies of documents confirming that the Operator has its own server capacities on which the PD databases are located;
3.13. Information and documents about the person (persons) in charge of maintenance, administration, use of server facilities on which the subscribers' personal data base is located.
3.14. A certified block diagram of the exchange of information containing PD of PD subjects, reflecting the directions of information flows and participants in information exchange, indicating the name of the PDIS, the address of the database and server facilities.

4. Internet services (Yandex.Metrica, Google Analytics, etc.), mobile applications.
4.1. Information about the Internet services used on the Operator's sites, developed and owned by the Operator, as well as developed and owned by third-party organizations, with the help of which data about visitors and users of the Operator's sites are processed, indicating the purpose and functionality of Internet services.
4.2. Attach copies of contracts concluded with third-party organizations specified in clause 4.1 and all published annexes to contracts.
4.3. A statement on the functionality of the Internet services used, in the part concerning the collection of data about visitors on the sites and in the mobile applications of the Operator, separately for each service.
4.4. List of data about visitors and registered users of the Operator's sites and mobile applications obtained using the specified services, separately for each service. Attach supporting documents.
4.5. Information about the databases (their address, who owns it) on which the data obtained using Internet services is stored, when and how the data is destroyed.
4.6. Copies of documents and local acts issued by the Operator on the processing of personal data of users of the Operator's mobile software applications. Copies of technical documentation on the functionality of the Operator's mobile applications. Information about the content of user data processed in the Operator's mobile applications for the iOS, Android and Windows operating systems, indicating data storage locations, processing purposes, persons to whom data is transferred, processing and storage periods, procedure and conditions for destruction;
4.7. Copies of contracts with all attachments concluded with third parties, on the basis of which advertising services are provided, the data of visitors, site users, clients (individuals) of the Operator is transferred. Copies of agreements on the basis of which the transfer of statistical anonymized data obtained after aggregation and any other modification (change) of data of visitors, users of sites, clients of the Operator is carried out.
4.8. List of sites owned by the Operator.
The data of visitors and registered users of the Operator's websites and mobile applications means all data about visitors collected using the functionality of these services, as well as the data that the services themselves collect and process on their own computing facilities, namely: the user's pseudonym; the address of the user or of the user's device through which the user accessed the Operator's website; and information about the user, including the IP address, the user's search queries, the Internet addresses of the web pages visited by the user, the subject matter of the information posted on the Operator's Internet resources visited by the user, the user identifier converted by the Operator using a hash function or other modifications, the geographical address of the point where the user connects to the Internet, and information that does not allow the user or a specific individual to be uniquely identified but makes it possible to generate sufficient advertising information to provide to the user.
4.9. Documents establishing the procedure for backing up information containing PD.

Are you still sure that you will have time to prepare everything in 30 days?

Our services:

  • filing a notification with Roskomnadzor;
  • analysis of the site for compliance with the provisions of the Law;
  • analysis of finished documents for compliance with the Law;
  • development of a standard package of documents;
  • development of a package of documents on a turnkey basis (a package of documents is developed after a preliminary detailed analysis of the organization's activities);
  • analysis of civil contracts for compliance with the requirements of the Law, recommendations for bringing them into compliance;
  • counseling.
In particular, it expanded the list of grounds for administrative liability for illegal processing of personal data (PD) and increased fines.

Personal data: fines

Fine amount by category of violator:

| Grounds | Individuals | Officials | Legal entities | Individual entrepreneurs |
|---|---|---|---|---|
| PD processing in cases not provided for by the legislation of the Russian Federation; PD processing incompatible with the purposes of PD collection | warning or fine - from 1,000 to 3,000 rubles | warning or fine - from 5,000 to 10,000 rubles | warning or fine - from 30,000 to 50,000 rubles | - |
| PD processing without the written consent of their subject | from 3,000 to 5,000 rubles | from 10,000 to 20,000 rubles | from 15,000 to 75,000 rubles | - |
| Failure to comply with the obligation to publish or provide access to a document defining a policy for PD processing, or information on PD protection | from 700 to 1,500 rubles | from 3,000 to 6,000 rubles | from 15,000 to 30,000 rubles | from 5,000 to 10,000 rubles |
| Failure to provide the personal data subject with information on their processing | warning or fine - from 1,000 to 2,000 rubles | warning or fine - from 4,000 to 6,000 rubles | warning or fine - from 20,000 to 40,000 rubles | warning or fine - from 10,000 to 15,000 rubles |
| The operator's failure to comply with the requirement of the PD subject or his representative to clarify, block, destroy (if the PD is incomplete, outdated, inaccurate, illegally obtained, and is not necessary for the stated purpose of processing) | warning or fine - from 1,000 to 2,000 rubles | warning or fine - from 4,000 to 10,000 rubles | warning or fine - from 25,000 to 45,000 rubles | warning or fine - from 10,000 to 20,000 rubles |
| Failure by the operator, when processing PD without automation tools, of the obligation to preserve PD, which led to unauthorized or accidental access to PD and became the reason for their destruction, modification, blocking, copying | from 700 to 2,000 rubles | from 4,000 to 10,000 rubles | from 25,000 to 50,000 rubles | from 10,000 to 20,000 rubles |
| Failure by the operator (state or municipal authority) to anonymize PD; non-compliance with the requirements for anonymization of personal data | - | warning or fine - from 3,000 to 6,000 rubles | - | - |

Please note: it is precisely such a basis as the processing of personal data without obtaining the consent of their subject that provides for the largest fines for all categories of violators - up to 75,000 rubles.

In this regard, many questions arise, the most frequently asked:

  • Am I a data controller?
  • Is the personal data law applicable to me?
  • How to notify Roskomnadzor about the processing of personal data?
  • What should a website owner do to avoid fines?

Let's deal with all the questions in order.

Imagine the situation.

Your potential client has heard about your company, but he does not know the address of your site, or where you are, or how to contact you.

What will he do in this case?

The answer is simple: he will go to Google and start looking for information about you. Your task is to make that search as easy as possible for a potential client. This means that your company, in addition to its own website, should be represented on all popular online resources.

Which ones?

This is what will be discussed today!

Preparation

Before you start actively registering on online resources, you need to collect as much information as possible about your company in order to fill out your profile completely.

Think about the search terms by which a potential client can find you.

For example, potential customers may search for a dry cleaner located in the center of Kiev with queries such as "Dry cleaning center Kiev" or "Where can you wash a suit Kiev".

It is imperative that you identify all popular search terms and add as many as possible to your business description. To do this, use the Wordstat service from Yandex or AdWords from Google.

Also, take care of reviews from real customers, collect high-quality photos and videos that can put your business in a good light.

I recommend that you create a separate document that will store all the necessary information about your company. This will greatly simplify registration - all you need to do is copy and paste the information from the document into your company's online profile.

Having finished with the preparation, we turn to the study of the most popular online resources, where your company must be represented.

10 online resources where your company must be represented

Now we will move on to reviewing the most popular online resources, where you definitely need to register your company. The ranking of sites is based on the ranking of the international research company Alexa (you can see the results of the ranking), which analyzes the popularity and influence of sites around the world.

On Facebook there are many more opportunities for business than on VKontakte. You can create a community page, a personal page, a page for a company or its brands.

Having created a page, do not forget to update it regularly. If a user visits your page and sees that the information on it was last updated 3 months ago, this will give reason to think that your company is not popular enough.

No. 6 - Prom.ua

Prom.ua is an online resource where you can create a complete profile of your company, describe your products and services, and place a product catalog along with a price list. Thus, a potential client can immediately receive information about both the product itself and its price.

The resource is more suitable for Ukrainian trading companies.

No. 7 - Allbiz

Allbiz is an international analogue of the Ukrainian Prom.ua. With the help of Allbiz, you can easily find foreign partners and buyers.

The annual audience of Allbiz has reached more than 220 million people, which has made the resource one of the leaders of the Internet space. To date, the Allbiz online catalog contains over 20 million products and services from more than 1.3 million companies from 90 countries of the world.

So be sure to join this resource.

No. 8 - Foursquare

Foursquare is a very popular resource among young people. With check-ins, ratings, reviews and photos, you can easily draw attention to your company. Add a small check-in bonus and you are guaranteed a flow of visitors.

The Law "On Personal Data" was adopted several years ago. If the site does not have a privacy policy, consent to the processing of personal data has not been obtained, fines are provided, and they can be summed up.

Personal data is any information directly or indirectly related to a specific individual.

What exactly on the site counts as personal data:

  • Subscription form, when the user enters his nickname and email.
  • Feedback form, where the user also indicates a name (often made up) and email. In judicial practice, there is a case in which a feedback form containing only a name and a message was treated as personal data.
  • Comments and messages on the site, when a name and email are required.
  • Registration on the site, data in the personal account (address, city of residence, full name, email, year of birth).
  • Ordering goods through the site or buying in an online store without registering: the user indicates a name and phone number, sometimes email.
  • Callback form, when a name and phone number are required.
  • Moneyback, i.e. a refund for purchased goods. The user specifies the full name and bank details.
  • Surveys, tests and questionnaires based on the results of trainings or purchases made: full name and email.
  • Applications for offline events: holidays, parties, weddings, etc. Here the user specifies his contact information.
  • Reviews on the site. A user photo and email are a collection of personal data.
  • Personal data in an article about a person, for example, in an interview in which he is asked about the details of his personal life.
  • Application for the publication of an announcement on a classified ads website or in the mass media.

On your Internet resource, you need to determine where your personal data collection points are. Even if you are an individual and own the site, you are still a personal data operator, which means you fall under the Federal Law "On Personal Data" and bear responsibility. The only plus is that fines for individuals are small, unlike those for individual entrepreneurs and legal entities.

Roskomnadzor monitors compliance with the relevant law on all sites. The site owner sends a notification about the processing of personal data there. A register of operators is kept on the basis of notifications. The office also considers all complaints from users about the illegal use of their personal information. Some users even take legal action.

How do we process personal data?

On the site:

Better to make the consent a separate document. If on the site you have several places for entering personal data (registration, comments, reviews, subscription), then there should be several options for consent - for each case.

In the consent, you need to indicate the specific volume of processed personal data, in what form and for what purposes they will be processed. The goals can be different: targeted advertising, mailing, customer feedback, marketing research, refunds for goods, if it is an online store.

Consent text on the site

I give consent to the Site Administration for _______ (processing methods) of the following personal data: _______ (name and email), for the purposes of _______ (for example, sending information about site news, new services, special offers, other useful information from the Administration of the resource or its partners).

Consent to the processing of personal data is not indefinite, it can be revoked at any time.

Roskomnadzor notification. The notification can be sent by email, or by ordinary or registered mail, after which you are included in a single register as an operator of personal data.

You do not need to send a notification if you only use the user's full name, if his data is publicly available, if you act within the framework of a previously concluded agreement (on the website) and do not distribute information to third parties.

It is possible to store personal data of citizens of the Russian Federation only on the territory of the Russian Federation. By law, only domestic hosting can be used.

You must delete or change personal data at the request of their owner, or upon completion of the contract with the user. It is better to do this at the first request, otherwise the person may complain to Roskomnadzor about the site or go to court.

Privacy Policy. It is better to make it a separate document and place the link in the footer of the site so that it can be accessed from all pages of the resource.

Privacy Policy

The main provisions of the document:

  • in what cases the user gives his personal data to the Site Administration;
  • 2 types of information are collected: information that the user provided himself and technical information (IP address, browser, software, screen resolution, gender, age, location, etc.);
  • what data we receive from the user and where on the site (subscription form, registration, commenting);
  • indication of personal data when using some services on the site; when filling out a form on a specific page, when writing a claim;
  • card details when paying for goods are not available to the administration of the site and are processed by a payment integrator (Interkassa, for example);
  • regulation on registration on the site through social networks;
  • if the site uses a system for identifying users through cookies, you need to tell about it;
  • guarantee of the safety of users' personal data and of non-transfer of data to third parties without the users' consent; where possible, list the cases in which personal data may be transferred;
  • for what purposes personal data is collected;
  • data processing time: from user registration to deletion of the account from the website;
  • where to contact if the user wants to delete his personal data, specify the email of the administration;
  • the user can change, supplement or partially delete his data - how to do it;
  • information about mailing to users, the ability to unsubscribe.

User registration on the site _______ can be carried out through the social network ______. This registration method is chosen by the user himself by performing actions on the site at the time of registration.

When registering through the social network _____, the site collects the following information about the user from the social network: name, nickname, gender, place of stay (city, town).

Penalties

Fines effective January 1, 2017 for violation of legislation in the field of personal data.

As you can see from the table, fines for individuals are small, so many webmasters do not bother complying with the law on the collection and storage of personal data.

Notification to Roskomnadzor

The notification is submitted before the start of the processing of personal data. It is submitted simultaneously via the Internet (email) and sent by registered mail with a list of attachments and a return receipt to the territorial office of Roskomnadzor (addresses on the official website).

The notification is sent 1 time, but if some information has changed, it is necessary to send an information letter about the changes in the information in the register by the operator of personal data.

After filling out on the site, you will receive a notification number and a secret key. From it you will find out when you will be included in the register of personal data operators.

If you are in a contractual relationship with someone or provide services on the site, you do not need to notify Roskomnadzor.

  • Where are you sending this notification.
  • Operator type:
    • individual (indicate full name);
    • legal entity (full name, abbreviated name, branches).
  • Operator's address: legal and postal address for legal entities, TIN, PSRN or OGRNIP for individual entrepreneurs, links to OKVED codes.
  • Legal basis for the processing of personal data. We indicate the laws on the basis of which we collect personal data.
  • For what purposes we process personal data.
  • Whose personal data we process: employees, customers, subscribers, site users.
  • If you collect data over the Internet, a privacy policy must be posted on the site.
  • What personal data you process and in what way (with transfer to third parties, with or without transfer via the Internet, with or without transfer within a legal entity, using an automated system or manually).
  • Terms and conditions for termination of the processing of personal data.

Alternatively, a different approach can be considered: stating that your site renders free information services. This is stated in the privacy policy. In this case, there is no need to worry about the storage of personal data at all or to notify Roskomnadzor.

For example, you provide space on your site for rent: a person wrote a review - you published it on the site, posted a photo and indicated your full name with mail - you published it on the site, the user subscribed to the newsletter - received free materials (service).

Processing of personal data by legal entities and individual entrepreneurs

Personal data of employees:

  • can be processed for strictly limited purposes: assistance in employment, promotion, personal safety, control of work performed, ensuring the safety of the company's property;
  • all data can be obtained directly from the employee himself;
  • it is forbidden to process data on national affiliation, religious and philosophical views, intimate life, health status, membership in organizations;
  • you cannot transfer personal data without written consent, unless this is necessary to prevent a threat to the employee's life and health or is done within the framework of the law.

The director of the company must approve the regulation on the personal data of employees and familiarize all employees with it against signature. It is necessary to prepare a list of persons who have access to this information. This is usually a director, accountant, lawyer and HR manager. But here it is important to distinguish which personal data each employee has access to, based on what he needs in his work. Further, these data can be provided to the employee himself upon request.

An employee has the right to receive information about who else has access to his data, where and how long this data is stored, and how it is processed.

Employees admitted to data processing must sign a nondisclosure obligation of information containing personal data. It can be made as a separate document or made as a separate chapter in an employment contract or job description.

Responsible employees:

  • The person responsible for the processing of personal data (appointed by order) monitors the observance by all employees of the procedure for processing personal data.
  • The security administrator of information systems of personal data (appointed by order) ensures the security of personal data in the organization, keeps logs. It can be 1 or more people. These instructions are best written as an addition to the employment contract.
  • Employees must take measures to prevent access to personal data of unauthorized persons, must record all facts of violations.

The company must adopt a regulation on the processing of personal data: what data is processed, for what purpose, the procedure for processing.

Documents for legal entities and individual entrepreneurs

All the necessary document templates for the processing of personal data for legal entities can be downloaded below.

Mikhail Khokholkov, INTELLECT-S: “The minimum that a site owner needs to do is to post a personal data processing policy on the site.”

On July 1, 2017, amendments to Article 13.11 of the Code of Administrative Offenses (CAO RF) came into force, which regulates responsibility for compliance with legislation on personal data.

Previously, one offense was envisaged - violation of legislation on personal data. Now this list is expanded into 7 items. The amount of fines is also increasing. Cases of administrative offenses in the field of personal data will be considered by the territorial offices of Roskomnadzor.

The Law "On Personal Data" itself has been in effect for 10 years without radical changes. The panic being fanned by some media is therefore hard to understand. However, for the owners of any sites that collect user data, I have highlighted the following important points.

Personal data processing policy on the website

Clause 3 of Article 13.11 of the Code of Administrative Offenses of the Russian Federation: the operator's failure to comply with the obligation, stipulated by the legislation of the Russian Federation in the field of personal data, to publish or otherwise provide unrestricted access to a document defining the operator's policy regarding the processing of personal data, or information on the requirements for the protection of personal data being implemented - entails a warning or the imposition of an administrative fine:

  • for citizens in the amount of 700 to 1,500 rubles;
  • for officials - from 3,000 to 6,000 rubles;
  • for individual entrepreneurs - from 5,000 to 10,000 rubles;
  • for legal entities - from 15,000 to 30,000 rubles.

The minimum you need to do now is post a personal data processing policy on the website.

The legislator does not establish special requirements for the location; however, I recommend that you place the link to the policy on the home page and duplicate it wherever forms for collecting personal data are placed. The personal data processing policy must be accessible to any user.

Checklist for developing a personal data processing (PD) policy on the website

Things to check:

  • any forms of sending messages of the "ask a question" type and mandatory fields. They will need to be specified in the PD processing policy in the "PD volume" section;
  • user registration / personal account / authorization via social networks. Check the required fields. Indicate them in the PD processing policy in the "PD volume" section;
  • callback order form - what fields are required in it. These data will need to be indicated in the PD processing policy in the “PD Scope” and “PD Purposes” sections;
  • mailing. If there is a form for subscribing to the newsletter, then it is necessary to place consent to the processing of PD and consent to receive the newsletter (everything can be done in one document). The mailing list should also be referred to in the section “PD Objectives”;
  • reviews of visitors / clients / partners with PD (letters of thanks, etc.). If the user writes a review himself, then you need to place consent to the processing of PD. If you upload scans of letters of thanks, you must first discuss with your partner the possibility of obtaining such consent;
  • the ability to send a resume. In this case, consent to the processing of PD for employment purposes is required.

The site database with personal data of users must be located in Russia.

If the PD processing policy (the document may be called "privacy policy" or similar) is already on the site, check the collection goals and the amount of PD using the checklist. There should be no superfluous information in it. The principle "we'd better indicate more data, in case it comes in handy" is unacceptable. It is important to remember that the amount of data collected must be consistent with the purpose of the processing. There are no universal criteria for such compliance, so you need to be guided by the principles of rationality and sufficiency.

  • to order air tickets you need passport data, for pizza delivery - no;
  • for the delivery of the order by the courier of the online store, you need a delivery address, for self-pickup - no;
  • to book a movie ticket - nothing is needed at all if it is not paid online.

If there are no feedback forms on the site, there is no way to order a call back, etc. - personal data is not processed, therefore, there is no need to post a PD processing policy.

Purpose and scope of collection of personal data

An excessive amount of data collected from the user may be a violation in its own right. Clause 1 of Article 13.11 of the Administrative Code: processing of personal data in cases not provided for by the legislation of the Russian Federation in the field of personal data, or processing of personal data incompatible with the purposes of collecting personal data, with the exception of cases provided for in part 2 of this article, if these actions do not contain a criminal offense - entails a warning or the imposition of an administrative fine:

  • for citizens in the amount of 1,000 to 3,000 rubles;
  • for officials - from 5,000 to 10,000 rubles;
  • for legal entities - from 30,000 to 50,000 rubles.

Thus, collected personal data must be consistent with the purpose of processing them and not be redundant.

Therefore, the personal data processing policy must indicate the purpose of the processing and the scope.

Example

The most common case of collecting data on the site is ordering a call back.

In this case, it is enough to ask the user to indicate only the phone number. If, for a call back, you ask to indicate your e-mail, name, address, place of work, position, then such data is considered unnecessary, not consistent with the purposes of processing, and, therefore, their collection is a violation.

Do not collect passport data unless absolutely necessary. Most often they are not needed. To complete an order, for example, in an online store, it is enough to indicate the phone number and delivery address.

Having decided on the goals and scope of personal data processing, draw up your processing policy and post it on the site.

By the way. I sent such a request to Roskomnadzor:

Is it necessary to post a personal data processing policy on the delivery site if the user only specifies a phone number to place an order? The site operator calls the buyer at the specified number, specifies the details of the order and the delivery address. In the future (after the delivery of the order), the phone number, name and surname of the buyer, delivery address is not saved and is not processed by the site owner.

And this is the answer I got:

According to the information contained in the appeal, it is not possible to give a legal assessment on the merits of the question raised.

In fact, this means that not every case of collection of personal data entails the need to post a policy for the processing of this data, which does not negate the need to study this issue for each site individually.

Consent to the processing of personal data

When a written consent form for the processing of PD is required

Written form is a printed document with an original (not scanned, not facsimile) signature of the subject. Written form will not be respected if received by email as a scanned document. Consent in the form of an electronic document can be signed with an electronic signature in accordance with the Federal Law "On electronic signature". Requirements for the content of the written form are established by paragraph 4 of Article 9 of the Federal Law "On Personal Data".

A written form of consent to the processing of personal data is required only in cases expressly provided for by law. There are five such cases in total, and they are described in Articles 8, 10, 11, 12 and 16 of the Federal Law "On Personal Data":

  • Article 8 deals with cases of creation of publicly available sources of information (directories, address books etc.). In these directories, you can include information about persons, having previously received written consent from them to process personal data.
  • Article 10 - special categories of personal data concerning race, nationality, political views, religious or philosophical beliefs, health status, intimate life.
  • Article 11 talks about the processing of biometric personal data: photo and video images, fingerprints, DNA. Photos and videos are considered the processing of personal data if they are used to establish an identity. Footage from ordinary surveillance cameras in an office, in a supermarket or on the street does not constitute processing of personal data.
  • Article 12 deals with the cross-border transfer of personal data.
  • Article 16 prohibits the adoption on the basis of exclusively automated processing of personal data of decisions that give rise to legal consequences in relation to the subject of personal data or otherwise affecting his rights and legitimate interests - only with the consent in writing of the subject of personal data or in cases provided for by federal laws.

There are cases when personal data can be processed without the consent of the subject - these are paragraphs 2-11 of Part 1 of Article 6, Part 2 of Article 10 of the Federal Law "On Personal Data".

In all other cases (i.e. when there is no requirement to obtain consent in writing or when consent is not required), consent may be obtained in any form that allows confirmation of receipt of such consent. The operator of personal data processing must confirm the existence of such consent.

We recommend placing a hyperlink to the consent to the processing of personal data next to the buttons "send", "next", "subscribe to the newsletter" and the like, accompanied by the text: "By clicking on the SEND button, I confirm that I have read the personal data processing policy and give consent to the processing of personal data", where the italicized text is hyperlinks to the relevant documents.

Notification to Roskomnadzor

In certain cases, it is necessary to submit a notification to Roskomnadzor at the place of registration (legal entity, entrepreneur or citizen - site administrator) to be included in the register of personal data processing. If such a notification is not provided, prosecution is possible under Article 19.7 of the Administrative Code - a warning or the imposition of an administrative fine:

  • for citizens in the amount of 100 to 300 rubles;
  • for officials - from 300 to 500 rubles;
  • for legal entities - from 3,000 to 5,000 rubles.

In paragraph 2 of Art. 22 of the Federal Law "On Personal Data" lists cases when no notification is required to be submitted to Roskomnadzor. There are nine such cases in total. The most common is that personal data was obtained in connection with the conclusion of an agreement, if, at the same time, personal data is not disseminated, and is also not provided to third parties without the consent of the subject of personal data. This data should be used exclusively for the execution of the specified agreement and the conclusion of an agreement with the subject of personal data.

Conclusion

If the site does not have a personal data processing policy, then its owner does not comply with the requirements of the Law "On Personal Data".

Additional requirements may be imposed on online stores, recruiting services, ticket booking services, receiving payments, online publications (media), etc. I will write separately about the use of personal data in the media.

Therefore, I ask you to carefully consider the preparation of documents, without using "standard forms of personal data processing policy", since they do not exist. For help, contact lawyers who specialize in this industry.

P.S.

Did you know that additional requirements for information posted on any sites are established by the Federal Law "On Information"?

Clause 2 of Article 10 of the Federal Law of July 27, 2006 No. 149-FZ (as amended on July 6, 2016) "On information, information technology and on the protection of information":

Information disseminated without the use of mass media should include reliable information about its owner or about another person disseminating information, in a form and to the extent that are sufficient to identify such a person.

The owner of a site on the Internet is obliged to place on the site belonging to him information about his name, location and address, and an email address for sending the application specified in Article 15.7 of this Federal Law (pre-trial measures to terminate copyright infringement), and also has the right to provide for the possibility of sending this application by filling out an electronic form on the website.

Mikhail Khokholkov on personal data

On July 28, Mikhail Khokholkov, a leading lawyer of INTELLECT-S, spoke at the studio of the Malina.Am TV channel about amendments to the law on personal data.