From July 1, 2017, amendments to Article 13.11 of the Code of Administrative Offenses come into force; this article describes violations of the law on the storage and processing of personal data. Previously, fines did not depend on the type of violation and were capped at 1 000 rubles for individual entrepreneurs and 10 000 rubles for legal entities. Now the fines are broken down by type of violation and have increased significantly:

  • if you do not post a privacy policy on the site, an individual entrepreneur can be fined 10 000 rubles and a company 30 000 rubles;
  • if you process personal data without the consent of the online store's customer or the newsletter subscriber, the fine for a legal entity is up to 75 000 rubles, and an individual entrepreneur pays up to 20 000 rubles;
  • if there are several violations, there are several fines.

Prior to this, only the prosecutor's office could issue protocols on violations. The procedure took a long time and the fines were small, so checks were rare and did not reach everyone. From July 1, Roskomnadzor will issue the protocols, the fines will increase, and the number of those fined will most likely grow as well. For example, in Astrakhan, prosecutors are already penalizing website owners for feedback forms, working through companies by name in alphabetical order.

Personal data is any data about a person by which that person can be identified (name and phone number, name and email address, etc.). The law does not contain a list of such data, so you have to guess which data count as personal. For example, Roskomnadzor in Tambov recently fined a company for violating the personal data law over a feedback form on its site (with the fields name, subject and message text, where name was an optional field), and this decision could not be challenged in court.

Most likely, you are a personal data operator if you receive, in any way and in any combination, such information from anyone: full name, address, email, phone number, date or place of birth, photo, link to a personal website or social network profile, profession, education.

This means that the owner of any site with personal accounts, feedback forms, subscription or registration forms, or pages where a visitor can buy something, place an ad or fill out a questionnaire is a personal data operator. Even a single button for ordering a callback or sending a message already constitutes processing of personal data.

We recommend that you prepare public documents and place them on the site so that they are reachable from every page (for example, in the site footer). Ideally, these are two documents:

  1. “User Agreement”: an agreement with users describing the terms of use of the site and the company's various services;
  2. “Privacy Policy”: the conditions under which personal data are collected and stored, and the purposes for doing so.

At a minimum, you can limit yourself to the second document.

You can find similar documents on the websites of various large companies and use them as a guide, but the content (the data collected and the purposes of use) must reflect your own site, because requesting unnecessary data is itself a violation of the law and grounds for a fine.

Then, on every data collection form, implement a mechanism that clearly records that the person has consented to the processing of personal data. This can be either a checkbox in the form or a notice stating that by submitting the form the user agrees to the documents posted on the site.
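The following is an added example, not code from the original article, showing how the consent requirement above and the data-minimization point from the previous paragraph can be enforced on the server rather than only in the browser: a submission is accepted only if consent is explicit, only the fields the published policy declares are stored, and the stored record pairs the data with the consent event (timestamp and policy version) so that consent can later be shown. The field list, the policy version label and the sample submissions are constructed for illustration; a real site would take them from its own Privacy Policy.

```javascript
// Added example (not from the original article): server-side handling of a
// data-collection form that records explicit consent and accepts only the
// fields the site's privacy policy declares. Field names, the policy version
// string and the sample submissions below are constructed for illustration.

// Fields this hypothetical feedback form may collect (assumed to match what
// the site's Privacy Policy lists as collected data).
const ALLOWED_FIELDS = ['name', 'email', 'message'];

// Version label of the published Privacy Policy (placeholder value).
const POLICY_VERSION = 'privacy-policy-2017-07-01';

// HTML checkboxes submit "on" when ticked and nothing at all when unticked;
// JSON clients usually send a boolean. Anything else counts as no consent,
// because a browser-side "required" attribute alone can be bypassed.
function consentGiven(value) {
  return value === true || value === 'on';
}

// Validate one submission and return { ok, errors, record }.
// - consent must be explicit: a missing or unticked checkbox is a rejection
// - any field outside ALLOWED_FIELDS is rejected instead of silently stored,
//   since collecting data the policy does not declare is itself a violation
// - on success, the record pairs the data with the consent event so the
//   operator can later demonstrate when and under which policy it was given
function validateSubmission(payload, now = new Date()) {
  const errors = [];
  const { consent, ...fields } = payload;

  if (!consentGiven(consent)) {
    errors.push('consent to personal data processing was not given');
  }

  const unexpected = Object.keys(fields).filter((k) => !ALLOWED_FIELDS.includes(k));
  if (unexpected.length > 0) {
    errors.push(`unexpected fields not covered by the policy: ${unexpected.join(', ')}`);
  }

  if (errors.length > 0) {
    return { ok: false, errors, record: null };
  }

  // Keep only declared string fields, trimmed; empty optional fields
  // (such as an optional name) are dropped rather than stored as "".
  const data = {};
  for (const key of ALLOWED_FIELDS) {
    const v = typeof fields[key] === 'string' ? fields[key].trim() : '';
    if (v !== '') data[key] = v;
  }

  return {
    ok: true,
    errors: [],
    record: {
      data,
      consent: { given: true, at: now.toISOString(), policyVersion: POLICY_VERSION },
    },
  };
}

// Constructed sample submissions covering the cases a form handler meets.
const samples = {
  ticked: { name: 'Ivan', email: 'ivan@example.com', message: 'Hello', consent: 'on' },
  unticked: { name: 'Ivan', email: 'ivan@example.com', message: 'Hello' },
  optionalNameBlank: { name: '   ', email: 'ivan@example.com', message: 'Hello', consent: true },
  overCollecting: { name: 'Ivan', email: 'ivan@example.com', message: 'Hi', passport: '1234', consent: true },
};

for (const [label, payload] of Object.entries(samples)) {
  console.log(label, JSON.stringify(validateSubmission(payload)));
}
```

The checkbox in the HTML form is still useful for the user, but the decision is made here, after the request arrives: a submission with the checkbox untouched, or one carrying fields the policy never mentioned, is refused before anything is stored.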

Keep in mind that, in addition to fines for violating the personal data processing rules, the law provides for the recovery of compensation for moral damage and even criminal liability.

If you need help bringing your site into compliance with the law, contact us and we will help!