The legislation of the Russian Federation contains normative acts guaranteeing the protection of personal data of citizens. The main source of law of the corresponding type is Federal Law No. 152-FZ. It contains provisions that adequately regulate the implementation of the turnover of personal data of Russians. Which of them can be called key? What is the meaning of Federal Law No. 152?
Scope of a normative act
The Law on Personal Data No. 152-FZ applies to legal relations that are related to the processing of information mainly of a personal nature. It can include the full name, address, phone number, passport details of a person. The personal data protected by the law in question can be processed by both legal entities and individuals. PD can also be biometric, that is, represent a citizen’s fingerprints or a snapshot of his retina.
What is the point of regulating the turnover of PD?
The main idea of the Federal Law No. 152 "On Personal Data" is that a citizen who owns a PD can determine who he allows to use the relevant data and how. That is, if the corresponding permission is not obtained, another person is not entitled in any way to process PDs belonging to another entity. The law establishes a number of exceptions to this rule. Further in the article we will consider this aspect and other features of the application of the provisions of Law No. 152-FZ in more detail.
Most often, PD turnover is carried out by employing companies, authorities at various levels, and after-sales services. Therefore, they should most carefully study the law "On Personal Data" and ensure that their work is consistent with its provisions. Consider what standards that are contained in the specified normative act, you should pay attention in the first place.
Basic norms of the Federal Law No. 152
When studying the law "On Personal Data" (152-FZ), you should first understand the terminology that is reflected in it. So, the key concepts that the corresponding source of law contains can be considered:
- “personal data” proper - defined as any information relating to an individual;
- “Personal data operator” - an organization or individual that processes personal data;
- "Information system" - a resource on which PDs are located.
It can be noted that the law provides a sufficiently broad interpretation of the concept of PD - there are no clear criteria for their definition. This, according to many lawyers, significantly improves the level of protection of personal information of citizens, because, by virtue of the provisions of the law, almost all of its types can be classified as personal data.
Operations with PD
The legislation on PD regulates operations that can, in principle, be carried out with the relevant data:
- Spread;
- provision;
- blocking;
- depersonalization;
- cross-border transmission;
- destruction.
The Law "On Personal Data" requires PD operators to carry out these actions, subject to the following:
- confidentiality of PD (unless otherwise provided by law);
- integrity PD.
That is, personal data must be protected, firstly, from unauthorized viewing, and secondly - from destruction or unauthorized adjustment. Let us examine how the protection of the PD itself should be implemented in accordance with the provisions of Law No. 152-FZ.
Protection of personal data under the law No. 152-FZ
The fulfillment of the main obligation stipulated by law, the operator of the PD should carry out using
- introduction of advanced technological solutions to protect data from unauthorized reading and alteration;
- application of legal methods of information protection.
Solving these tasks, the PD operator, as prescribed by the law "On the protection of personal data", should:
- classify the information, the processing of which it carries out, according to the level of security;
- establish requirements for the quality of personal data carriers;
- Define specific security criteria for biometric data.
Before you begin processing PD, their operator must receive the relevant information at the disposal. How can he do this in a legal way?
How can the owner of the PD allow their use?
The main and in many cases the only way that the owner of the PD can transfer his personal data to the operator - in writing, give consent to their processing. As a rule, it is a statement in which a person lists the PD that he is ready to give for processing, indicates the methods of processing the PD that he approves.
The Law "On Personal Data" in some cases does not require the issuance of appropriate consent - for example, when it comes to registration of an employee for work. However, in practice, many companies that hire workers still ask them to give their consent to process PD. This is largely due to the fact that formally not all types of operations with personnel documents fall under the exceptions contained in the law "On the Protection of Personal Data". It will be useful to consider their list separately.
In what cases can PD be processed without the consent of the owner?
Federal Law 152 “On Personal Data” establishes that the PD operator does not need to request the consent of their owner to process relevant information if it is carried out:
- by virtue of the provisions of any federal law;
- for the execution of the contract concluded between the operator of the PD and their owner;
- in order to collect statistical data or when conducting scientific research - but on the condition that PD will be anonymized;
- in an emergency when it is necessary to assist the owner of the PD;
- in order to send mail;
- for settlements between providers and their customers who own PD;
- in the framework of journalistic activities;
- in accordance with laws governing the activities of state and municipal employees.
Compliance with the requirements of Federal Law No. 152 by PD operators can be monitored by competent state authorities. We will study this aspect in more detail.
Control over the implementation of the provisions of Federal Law No. 152
The Law on Personal Data (152-FZ) establishes that control over the implementation of its provisions should be carried out by a competent authority. It operates at the federal level, and therefore, various regional departments are subordinate to it. This authority has the right:
- receive from individuals and organizations the information necessary for the implementation of the powers established for him;
- check the information included in notifications about PD processing;
- apply to other government agencies for assistance in solving assigned tasks;
- prescribe the operator of the PD to correct, block or destroy data that are deemed inaccurate or illegally obtained for processing;
- apply to the judicial authorities with claims in favor of protecting the owners of the PD, as well as represent their interests in the hearing process;
- to interact with the authorities issuing licenses for PD operators to annul the relevant permits in cases where the person processing the PD violates the requirements of the law;
- interact with the prosecutor's office and law enforcement agencies on the protection of personal data of citizens;
- to propose to the Government of the Russian Federation measures to improve legislation in the field of PD;
- bring to administrative responsibility those persons who violate the norms of the Federal Law No. 152.
Summary
Thus, the Law on Personal Data 152-FZ establishes a detailed list of legal norms protecting the circulation of confidential information about citizens. It determines the nature of the PD, the status of their owners and operators. The main task that the federal law "On Personal Data" solves is the protection of citizens' personal information from being used in the interests of third parties.
The provisions of the relevant Federal Law suggest that a person must consent to the processing of his data, and the operator of the relevant data receives the right to request the data only in cases specified by law. In addition, the law under consideration requires persons using personal data of citizens to ensure the proper level of protection.
Regarding the first criterion, there are exceptions - the law also contains them. Federal Law “On Personal Data” is a fairly progressive regulatory act that allows bringing legal mechanisms to protect citizens' interests to a new level. Sanctions for its violations can be envisaged as very serious, therefore, PD operators: employers, service departments and any other companies working with the personal data of a citizen should carefully study the provisions of the relevant law.
