For Website Owners - How to Fulfill the Requirements of 152-FZ

Since July 1, 2017, fines for non-compliance with the requirements of Federal Law No. 152-FZ "On Personal Data" have increased significantly. Inspections by Roskomnadzor bodies have also been simplified: it is enough to record the absence of a required form on a website with a screenshot. Each violation carries a separate fine, so the total amount can become significant.

In this article, we explain how website owners can avoid risks and do everything according to the law.

Who can get fined

The law applies to all personal data operators – legal entities or individuals who collect, process and store user data. If your online activities somehow target Russian citizens, the law applies to your organization.

The factors that may indicate that an organization targets its online activities at Russia are as follows:

  • using websites registered with a Russian domain name including .ru, .su, and .moscow;

  • the operator's website is translated into Russian, regardless of which domain name the data operator uses;

  • allowing payments in Russian rubles;

  • availability of Russian phone numbers on a website;

  • displaying Russian-oriented marketing activities, including keyword ads or banners in Russian with a link to the appropriate website.

The law does not apply to individuals who process personal data for their personal purposes or family needs, unless the rights of others are violated.

If your website has at least one feedback or application form, or a newsletter subscription form, you are a personal data operator and must comply with the law.

What does this mean for website owners

The main purpose of Law 152-FZ "On Personal Data" is to guarantee the protection of human and civil rights and freedoms when personal data is used, including the right to privacy and to personal and family secrets.

All online stores and websites that maintain a subscriber database are now required to post information on personal data and its protection. In addition, the personal data itself may only be processed with the user's consent. Such consent can be obtained by means of a "tick" (checkbox) in registration forms.

According to the law, personal data is any information about an individual: name, surname, patronymic; date of birth; phone number, e-mail; social status; education, profession. Cookies, geolocation, IP address and information about user behavior are also considered PD.


How to comply with 152-FZ

1. Register at Roskomnadzor as an operator working with personal data.

This should be done before publishing a website that collects visitors' information. You can register on the Roskomnadzor website by filling out the form. It is necessary to prepare a package of documents beforehand and then take it to the territorial body of Roskomnadzor.

In some cases there is no need to submit a notification to Roskomnadzor:

  • only employee data is being processed;

  • personal data is only collected for the purpose of fulfilling a specific contract with a specific person and will not be used;

  • the person himself made the data available to the public;

  • you only have the name of the client and nothing else.


2. Publish the documents on your website

The "Personal data processing policy" and "User Agreement" should be available on all pages of your website. If a public offer is published on the website, it replaces the Policy (so there is no need to publish the Policy separately). The Law on PD states that an electronic document has the same legal force as a paper document, which means there is no need to physically sign the documents.


3. Develop a consent to the processing of personal data.

Consent does not require a specific form, but it must include the information required by Part 4 of Article 9 of 152-FZ:

  • the name and address of your company, or the name, surname, patronymic and address of the individual entrepreneur who collects personal data;

  • the name of the organization, or the first name, surname, patronymic and address of the person, who processes the personal data on your behalf (if any);

  • the purpose of personal data processing;

  • the list of PD for whose processing the consent of the personal data subject is given;

  • the list of the actions you will perform with personal data and a general description of the data processing methods you use;

  • the period of time during which the user's consent is valid, as well as the way to withdraw this consent.


4. Post a notice about the collection of cookies and other data

Along with personal information (name, surname, patronymic, e-mail), Roskomnadzor treats IP addresses, location information and cookies as PD. By reading and closing this notice, users agree to the collection and processing of their personal data.


5. Prepare internal documentation

Roskomnadzor conducts scheduled and unscheduled inspections and also monitors websites remotely. During inspections, it may request additional documents regarding PD processing. If you do not have the requested documents, Roskomnadzor can issue a fine, block your website and even suspend your activities.

Penalties for non-compliance

Fines vary for companies, officials and individual entrepreneurs, and also depend on the type of offence. Here are a few examples:

  • Your site has no privacy policy – the fine up to 30 000 rubles.

  • Processing of personal data without the client's consent – a fine of 75 000 rubles.

  • Data transfer abroad without notification – 40 000 rubles.

  • Collection of personal data without notifying Roskomnadzor – the new penalty is up to 50 000 rubles.

The amounts above are the maximum penalties for LLCs, and each violation is paid for separately. If data leaks from the site and a person is affected, the punishment is even more severe, up to imprisonment and deprivation of the right to engage in certain activities. This is regulated by the Criminal Code (Article 137).


Check whether your website complies with 152-FZ in order to avoid penalties. And do not forget to move your database to Russian servers: this is a requirement of Federal Law No. 242-FZ. You can find more information about it in our article.