We all use the phone, go to work or interviews, use bank cards, or just surf the Internet. Often without even thinking about leaving a trace of personal data. Leaving your data has become so commonplace that most of us no longer read agreements or other documents with which we agree “on the machine”. At the same time, our data can be used for various purposes: to display certain advertisements, spam mailings, phishing , etc. In this article I would like to talk about the rights of subjects of personal data, i.e. you and me. What laws regulate the work with personal data and how to act in difficult situations, how to defend your honor and dignity and the right to personal space, which is almost gone.
What is personal data?
So let's start with the simplest, what is personal data? According to the definition given in Art. 3 FZ-152 "On personal data" is: "any information relating directly or indirectly to a specific or identifiable individual." In other words, this is your full name, phone number, email, passport details, photograph, etc. From this point on, questions begin, for example, can a full name be considered Personal data? To answer this question, let us turn to the explanations of Roskomnadzor , in this case it is this department that acts as the Regulator.
« — , , . , . (, , ) . — , , , , , , »Thus, only work with a combination of data that allows you to identify a specific person can be considered the processing of personal data. For example, a full name in combination with a phone number and passport data will undoubtedly allow a person to be identified.
FZ-152 "On personal data"
The main document that regulates relations in the field of personal data was adopted back in 2006 and is called the Federal Law "On Personal Data". It has been amended more than once, but now I would like to mention the draft of the new Code of Administrative Offenses, at this moment the new Code of Administrative Offenses is being actively discussed . A new article has been added to the project , which provides for fines of up to 500 thousand rubles. for personal data leakage. There was no such article before, but let's not get ahead of ourselves.
Let's focus on the 3rd Chapter of the aforementioned law - it is called the "Rights of the personal data subject". And let's start with article 14. And the first thing the subject of personal data is entitled to is access to his personal data. In other words, you can at any time send any operator (whether it is a State authority or not) a request for information regarding your PD, and the operator is obliged to provide such information. The processing time for such a request may vary, but not exceed 30 days. For example, if you find information about yourself on the Internet that does not correspond to reality, then the owner of such a resource must, within a period of no more than 7 days from the date of receipt of your request, make the necessary corrections or completely delete them.
This moment is enshrined in Article 20 of the Federal Law "On Personal Data" .
How to generate a request to the operator of personal data?
When forming such a request, a number of requirements must be met, but they are not very complicated. Such a request must contain the passport data of the subject (passport number, date of issue, by whom and when it was issued). In addition, you must attach a confirmation that the operator is processing your data, this can be the number and date of the contract, a screenshot or any information confirming the fact of processing. Even a verbal designation is allowed, i.e. simply a description of the fact that the processing of your personal data is carried out by a specific operator. And of course you will need to sign.
It is allowed to send a request in the form of an electronic document, but in this case it must be signed with an electronic signature.
If the operator has provided you with the requested information, then you have the right to request it again, but not earlier than 30 days later. The countdown starts from the date of the previous request.
If the operator did not provide you with all the information that you requested, then it is not necessary to wait 30 days, in which case you can generate a new request immediately. But don't forget to justify your appeal.
What information does the subject of personal data have the right to request?
In fact, the operator of personal data must comply with many conditions in order to be able to work with your personal information, and therefore the list of information that you can request is quite large. Let's break them down in order:
- confirmation of the fact of personal data processing by the operator;
- ;
, , , :
«. 86-90 ; . 53, . 2 . 54 07.07.2003. № 126- « »; . 4.5 № ___________ ., «_________» ; .1 «_________», 01.01.0000., № 1.», , , .
, , .
- ;
, .. . .
- , ( ), ;
- , , , ;
- , ;
- , « »;
- ;
, . .
- , , , , ;
- , .
?
Undoubtedly, everyone has the right to request information from the operator about the processing of their own personal data. But there are also a number of exceptions when the operator can refuse. As a rule, all these cases are related to the work of law enforcement agencies. It can be operational-search or intelligence and counter-intelligence activities. Access to personal data may be limited if a criminal case is initiated against the subject or if the processing of personal data is carried out in accordance with the legislation on combating the legalization (laundering) of proceeds from crime.
Restriction of access may arise if the rights and legitimate interests of third parties are violated.
SPAM, personal data and advertising law
Many companies use personal data to send messages that advertise the operator's services or products. We all periodically receive information about discounts, promotions and special offers by e-mail, but often such messages are not interesting to us, they bother us and we do not even remember when we agreed to this “tempting” offer.
In this case, in addition to the federal law "On Personal Data", it is worth referring to the Law "On Advertising" . But let's sort it out in order.
In Art. 15 FZ-152it is said that the processing of personal data in order to promote goods, works and services using communications can be carried out only with the consent of an individual. A very interesting point is that in cases of advertising its own works and services, the company must prove that such consent has been obtained.
If you nevertheless gave such consent to the operator (by putting a tick in the check box on the site or by concluding an agreement with him), then at any time you can revoke it. To do this, it is enough to write an appeal to the company, which bombards you with letters and the operator is obliged to immediately stop processing your personal data for advertising purposes.
Moreover, if you receive messages by e-mail, the letter should contain a link for automatic opt-out and exclusion of your contacts from the advertising mailing list.
What is advertising, let us turn to the definition - "information disseminated in any way and addressed to an indefinite circle of persons aimed at drawing attention to the object of advertising, generating or maintaining interest in it and its promotion on the market."
As in the situation with the Law "On Personal Data" in the Law "On Advertising", in Chapter 2, Art. 18 says that the distribution of advertising through telecommunication networks is allowed only on condition that the subscriber has given prior consent to this. The advertiser is also obliged to prove the existence of such consent, as is the case with the requirements of 152-FZ. The requirements of the laws converge and part of the fact that the advertising distributor is obliged to immediately stop the process of distributing advertising after receiving a corresponding request from an individual.
If the regulator in the field of personal data is Roskomnadzor, then in the case of the law "On Advertising" it is the Federal Antimonopoly Service (FAS). Requirements for filing a complaintposted on the regulator's website. It is quite simple to execute them, in many ways the filing mechanism is similar to the requirements for filing an appeal with the ILV, you need to indicate:
- Full name of the applicant and his place of residence
- Advertiser name
If the applicant cannot independently provide evidence of an offense, then he has the right to indicate the legal or natural person from whom such evidence can be obtained.
- Applicant's requirements
The term of consideration should not exceed 1 month from the date of its receipt, except in cases where there is not enough evidence. In this scenario, the FAS must notify you and may extend the period for considering the complaint, but also for no more than 1 month.
Based on the results of the appeal, the FAS can initiate a check. The result of which, quite possibly, will be a fine for the advertising distributor. The amount of the fine in this case is quite substantial. The amount of fines is regulated by Art. 14.3. Administrative Code of the Russian Federation and they can reach 500,000 rubles.
An example from life, Sberbank is again not up to par.As
an example, let us analyze the case that happened with Sberbank PJSC in 2018.The essence of this litigation is that Sberbank entered into an agreement with one of its clients to issue an international card. At the same time, the accession agreement was drawn up in such a way that it implied the sending of advertising messages. The client could not get the card he needed and at the same time refuse the service imposed by the bank. In this situation, the consumer of banking services was not at a loss and withdrew the previously given consent.
When he received another mailing advertisement for the bank's services, he turned to the Federal Antimonopoly Service.
Despite a number of arguments from the bank's representatives, the court ordered Sberbank to pay a fine of 250,000 rubles. In accordance with Part 1 of Art. 14.3. Administrative Code of the Russian Federation.
The most important thing in one paragraph
Individuals are fairly well protected by legislation, in particular FZ-152 "On Personal Data". Have the right to access, modify and destroy their personal information. At any time, they can revoke the previously given consent to the processing of personal data. Have an advantageous position in relation to the operator, who, in turn, must prove that they have received the above consent. And as stated in Art. 17 of the Law "On Personal Data" : "The subject has the right to protect his rights and legitimate interests, including compensation for damages and compensation for moral damage in court."