Processing of personal data in 1C 8. The procedure for updating the secure software package

On May 29, 2014, a lecture was held in Moscow at 1C:Lectures (Moscow, Seleznevskaya st., 34). Our readers who could not attend the lecture sent their questions through the Internet conference of the same name. During the event, Yuri Kontemirov, Head of the Department for the Protection of the Rights of Personal Data Subjects of Roskomnadzor, and Irina Baimakova, an expert from 1C, answered questions about the protection of personal data and also analyzed the main errors identified by Roskomnadzor during its control measures.

User kot : 1C:Enterprise 8.2z for small and medium enterprises. Medicine, State employees, Military...? Who and what is this platform for? In user mode, this should be burrowed with permissions. From third-party connection by means of a DBMS?

For 4 years now I have been guessing that this is a simple pumping of money by analogy with the "problem of the year 2000". When you came, you ran a program on your computer, it did something, you said that everything was fine and you were paid.

Irina Baimakova : The requirements of the Federal Law "On Personal Data" apply to any operators of personal data, i.e. any organization in which personal data is processed. Yes, indeed, the requirements for the protection of personal data, depending on the category of data and their volume, can vary significantly.

: What's so special about version 8.2z? Why is personal data protected in it and what is wrong in terms of protecting personal data in other versions of the eight programs?

Irina Baimakova : ZPK "1C:Enterprise, version 8.2z" is a certified version of the technological platform 1C:Enterprise 8.2. There are no functional differences between the certified version and the regular version. Improvements made taking into account the requirements of the FSTEC of Russia are implemented both in the regular and certified versions of the technological platform.

Using the ZPK "1C:Enterprise, version 8.2z" allows you to fulfil the requirement of paragraph 2 of Article 19 of the Federal Law "On Personal Data" regarding the mandatory use of information security tools that have passed conformity assessment, in relation to personal data processed using 1C software products.

Unregistered user : I don't really see how the program can become a panacea in the field of personal data protection. But what about the notorious human factor? After all, people work in the program.

Irina Baimakova : In this case, we cannot say that the program is a panacea. The secure software package "1C:Enterprise, version 8.2z" is one of the building blocks that allows you to build an information security system and ensure compliance with the requirements of the current legislation of the Russian Federation in the field of personal data protection.

Unregistered user : Have there been cases of data leakage from protected 1C?

Irina Baimakova : I do not have such data.

Unregistered user : Does 1C bear any responsibility for data loss and leakage?

Irina Baimakova : Responsibility for the loss of data lies with the operator of personal data.

Unregistered user : Who needs to use ZPK "1C:Enterprise, 8.2z"? What is included in the ZPK package?

Irina Baimakova : The ZPK "1C:Enterprise, version 8.2z" includes a distribution kit of the technological platform, a form, and documentation.

Unregistered user : What other software products can be used to protect personal data?

Irina Baimakova : There is a significant number of information security tools on the market. The need to use a particular product depends on the identified current threats and the requirements for the protection of personal data for a particular operator.

Unregistered user : What are the main potential dangers you see for personal data? What exactly does protection guarantee or exclude?

Yuri Kontemirov : The main danger is the leakage and illegal distribution of personal data, which can lead to negative consequences for a person, an invasion of his privacy. It is possible to guarantee the real protection of PD only with an integrated approach to the organization of information protection, paying special attention to the "human" factor.

Unregistered user : How often do you think small companies face leakage of accounting data?

Yuri Kontemirov : Information on this issue, unfortunately, I do not have.

Unregistered user : Why is "1C:Enterprise 8.2z" called secure? What is its fundamental difference from other products?

Irina Baimakova : In this case, "secure" is a designation, i.e. the product was checked by a testing laboratory for the absence of undeclared capabilities and for compliance with other requirements determined by the FSTEC of Russia.

ZPK "1C:Enterprise, version 8.2z" is a special product for ensuring the requirements of the current legislation on personal data by organizations and entrepreneurs using 1C software products.

User Kaufen : The organization purchased ZPK "1C: Enterprise 8.2z". What are the main differences between the platform and 1C:Enterprise 8.2, except for the FSTEC certificate? Has anyone come across such a platform?

Irina Baimakova : ZPK "1C: Enterprise, version 8.2z" - a certified version of the technological platform 1C: Enterprise 8.2. There are no functional differences between the certified version and the regular version.

The main difference is that the certified release is verified by the testing laboratory and confirms compliance with the requirements given in the certificate, and also contains the checksums given in the 1C:Enterprise, version 8.2z ZPK form.

Unregistered user : We are a budget institution. Is there a modification of ZPK "1C:Enterprise 8.2z" specifically for state employees and how much does the version with support cost?

Irina Baimakova : ZPK "1C:Enterprise, version 8.2z" is a certified version of the technological platform 1C:Enterprise 8.2, which can be used with any standard configurations, including those for budgetary institutions (for example, "1C:Salary and personnel of a state institution", "1C:Accounting department of a state institution").

The procedure for selling and updating the ZPK "1C:Enterprise, version 8.2z" is defined in information letter No. 12891 of the company 1C. You can find it at the following link: http://1c.ru/news/info.jsp?id=12891

Unregistered user : The announcement of the lecture and the Internet conference talks about the main errors identified by Roskomnadzor during the implementation of control measures. I would like to know more about this, what errors are most often detected by the department?

Yuri Kontemirov : The most typical violations of the law revealed in the course of Roskomnadzor's control actions are reflected in the annual reports published on the department's website.

Unregistered user : Please tell us about the certification of ZPK "1C:Enterprise, version 8.2z".

Irina Baimakova : Questions about the goals, procedure, results of certification conducted by 1C are discussed in detail and set out on the website buh.ru, including in the article "Certification of programs in order to comply with personal data protection legislation" on primary certification in 2010 and in article "Protection of personal data - from 2011 to 2013 or two-year changes" about the certification carried out in 2013 and the renewal of the certificate.

Unregistered user : Do you think new measures are needed to prevent the leakage of personal data and increase the level of their protection? If needed, what are they?

Yuri Kontemirov : To prevent leaks of personal data, a reasonable integrated approach is important and special attention should be paid to the "human" factor.

Unregistered user : Does it make sense to use such software products for individual entrepreneurs and small businesses?

Irina Baimakova : In accordance with sub. 3, paragraph 2 of Article 19 of the Federal Law of July 27, 2006 No. 152-FZ "On Personal Data", the use of information security tools that have passed the conformity assessment procedure in accordance with the established procedure is one of the measures to ensure the security of personal data during their processing.

According to the requirements of Government Decree No. 1119 dated November 1, 2012, the use of information security tools that have passed the procedure for assessing compliance with the requirements of the legislation of the Russian Federation in the field of information security is mandatory when the use of such tools is necessary to neutralize current threats. Thus, it is possible to determine the need or lack of need to use information protection tools that have passed the conformity assessment, including the 1C:Enterprise version 8.2z ZPK, based on the threat model.

The use of ZPK "1C:Enterprise, version 8.2z" allows you to fulfill the requirements of the current legislation described above, as well as a number of requirements stipulated by the Order of the FSTEC of Russia dated February 18, 2013 No. 21, at the lowest cost.

Unregistered user : What are the adverse effects of a data breach? For example, for individual entrepreneurs without employees.

Irina Baimakova : The main danger is the leakage and illegal distribution of personal data, which can lead to negative consequences for a person, an invasion of his privacy.

If an individual entrepreneur does not have employees, and, accordingly, PD is not processed either by employees or other individuals, then in this case it is hardly possible to assume a possible PD leak.

Federal Law No. 152-FZ "On Personal Data" has come into force; under it, all personal data operators are required to comply with a number of requirements for the protection and storage of personal data.

We provide services for hosting 1C-based information systems that process personal data, in accordance with 152-FZ. What 1C solutions exist for the protection of personal data in personal data information systems (ISPD)?

1C has received Certificate of Conformity No. 2137 issued by the FSTEC of Russia, which confirms that the secure software package (ZPK) "1C:Enterprise, version 8.2z" is recognized as a general-purpose software tool with built-in means of protecting information from unauthorized access (UA), for information that does not constitute a state secret.

According to the results of certification, compliance was confirmed with:

  • the requirements of the guidance documents for protection against unauthorized access, class 5;
  • the 4th level of control of the absence of undeclared capabilities (NDV);
  • the possibility of use for creating automated systems (AS) up to security class 1G inclusive (i.e. AS that protect confidential information in a LAN), and for protecting information in personal data information systems (ISPD) up to class K1 inclusive.

Certified instances of the 1C platform are marked with conformity marks from No. G 420000 to No. G 429999.

1CAir offers these programs for rent. How do you start using them?

How to create a system for processing personal data on 1C, in accordance with 152-FZ?

All configurations developed on the platform "1C:Enterprise 8.2" can be used to create a personal data information system of any class and additional certification of application solutions is not required.

Additional clarifications were received from the company "1C":

1. The Federal Law No. 152-FZ “On Personal Data” itself does not impose any requirements on software (as amended today).

2. The requirement for the need to assess the conformity of information security tools is contained in paragraph 5 of the Regulations introduced by Decree of the Government of the Russian Federation of November 17, 2007 N 781 “On approval of the Regulations on ensuring the security of personal data during their processing in personal data information systems”.

3. Directly the requirements in terms of software are provided for by the Order of the FSTEC of Russia No. 58. In particular, the requirements are provided for subsystems for access control, registration and accounting and integrity control. These subsystems are related exclusively to the technological platform, and not to configurations.

4. When carrying out certification, it was originally supposed to provide for requirements for configurations (technical conditions). However, at the end of the certification, the testing laboratory refused to make any configuration requirements.

Thus, certification (or other conformity assessment) of software products that are not information security tools, which include typical configurations, is not provided for by the current legislation, any technical conditions for configurations are not provided. Accordingly, any configuration for this platform can be used with a secure software package.

At the same time, during certification, the object is not just programs, but the whole complex of administrative regulations and measures (security requirements, threat model, classification acts, personal data protection plan, etc.) and the entire information system used in the organization.
The operator of the processing of personal data must decide on the assignment of the personal data system of the appropriate class.

Although the data is stored outside the Russian Federation, Federal Law No. 152-FZ expressly provides for the possibility of cross-border transfer of personal data, namely in Article 12: "... processing of personal data, as well as other foreign states that provide adequate protection of the rights of personal data subjects, is carried out in accordance with this Federal Law ...". Personal data is stored in data centers only in those European countries that have signed the Convention referred to in Article 12, in accordance with the letter of the Ministry of Communications and Mass Media of the Russian Federation "On the implementation of cross-border transfer of personal data".
In accordance with Article 12, Clause 3 of Law No. 152-FZ, we made sure that adequate protection of the rights of personal data subjects is provided before the start of the cross-border transfer of personal data. This is fixed in our contracts with the data centers and is reflected in the Agreement with the client.

At the moment, the standard platform "1C:Enterprise, version 8.2" is used, which meets the data protection requirements indicated above. Therefore, with the help of 1CAir, it is possible to build information security systems for personal data information systems (ISPD) up to class K2 inclusive.

Despite the use of 1CAir, your organization remains the controller of the processing of your personal data, and not us. You create your own security model and define protection parameters in accordance with this model. Based on these technical parameters, you can find out from us whether we provide such a service (for example, encryption), and create the desired system using programs in 1CAir.

On the pages of the magazine, we have repeatedly written about the need for organizational measures in accordance with the Federal Law of July 27, 2006 No. 152-FZ "On Personal Data". From January 1, 2011, this law comes into full force, and, accordingly, additional obligations will be placed on organizations to ensure the protection of personal data. Among them is the need to control the absence of undeclared capabilities in information security software. In the article below, I.A. Baimakova (methodologist at 1C) answers the questions most frequently asked by users of 1C software products.


Certification of programs in order to comply with legislation on the protection of personal data

Until January 1, 2011 - the date of entry into full force of the Federal Law of July 27, 2006 No. 152-FZ "On Personal Data" (hereinafter - Federal Law No. 152-FZ), there is not much time left. More and more personal data operators, which are almost all organizations and entrepreneurs, are planning and implementing a set of measures to comply with the requirements of this law and regulatory legal acts.

Users of 1C software products are interested in whether the software product they use is certified. Within the framework of this article, we will answer this question, but first we will try to look at the problem a little deeper and consider the following questions:

1) What regulatory legal acts provide for certification?
2) Who needs to use certified software and when?
3) Who can certify software?
4) Is the use of a certified program sufficient to ensure the protection of personal data?

The FSTEC of Russia has completed certification, for the purposes of 152-FZ "On Personal Data", of the secure software package "1C:Enterprise, 8.2z", which includes the complete set of the technology platform version 8.2 (including all types of application servers). Certificate of Conformity No. 2137 for 10,000 platform copies was obtained (valid until 07/20/2013). The certificate confirms that the 1C:Enterprise 8.2z software package is recognized as a general-purpose software tool with built-in means of protecting information from unauthorized access, for information that does not constitute a state secret. According to the results of certification, compliance with the requirements of the governing documents was confirmed:

  • For protection against unauthorized access - 5th class
  • By the level of control of the absence of NDV - by the 4th level of control
  • The possibility of using for the creation of AS up to class 1G inclusive, as well as for the protection of information in personal data information systems up to class K1 inclusive, has been confirmed.

The following products were submitted for certification:

  • Secure software package "1C:Enterprise, version 8.2z": compliance with the requirements of the guidance documents for protection against unauthorized access, class 5; the 4th level of control of the absence of NDV; use in AS up to class 1G inclusive; and compliance with the requirements for information security tools forming part of an ISPD, for processing personal data up to class K2 inclusive (the certificate was expected in January to February 2010);
  • Secure software package "1C:Enterprise, version 7.7z": for processing personal data up to class K3 inclusive (the certificate was expected in February 2010).

Despite the fact that the law will come into full force only on January 01, 2011, let's consider what exactly is hidden behind the compliance with the listed information protection classes.

Compliance with class K2 for the protection of personal data

Please note that the following requirements are imposed on class K2 systems in multi-user access mode with different rights:

  • Identification and authentication of a user when logging into the information system, using a semi-permanent password at least six alphanumeric characters long
  • Registration of user login to (logout from) the system, or registration of loading and initialization of the operating system and its software shutdown. Logout or shutdown is not registered when the information system is powered off at the hardware level. The registration parameters include the date and time of login (logout) or system startup (shutdown), the result of the login attempt (successful or unsuccessful), and the user identifier (code or surname) presented during the access attempt
  • Accounting for all protected media by marking them and entering credentials in the accounting log with a note on their issuance (reception)
  • Ensuring the integrity of the software of the personal data protection system, processed information, as well as the immutability of the software environment. At the same time, the integrity of the software is checked when the system is loaded by the checksums of the components of information security tools, and the integrity of the software environment is ensured by the use of translators from high-level languages ​​and the absence of tools for modifying the object code of programs in the process of processing and (or) storing protected information
  • Physical protection of the information system (devices and storage media), which provides for the control of access to the premises of the information system by unauthorized persons, the presence of reliable barriers to unauthorized entry into the premises of the information system and the storage of information media
  • Periodic testing of the functions of the personal data protection system when the software environment and users of the information system change using test programs that simulate unauthorized access attempts
  • Availability of recovery tools for the personal data protection system, providing for the maintenance of two copies of software components of information protection tools, their periodic updating and performance monitoring

To comply with class K2, 1C implemented in the configurations based on the 1C:Enterprise 8.2 platform the ability to register a number of events, which can be configured on the Personal Data Protection tab.

Compliance with the requirements of guidelines for protection against unauthorized access to information (class 1G)

In addition to class K2 for the protection of personal data, the requirements for protection against unauthorized access at class 1G specify requirements for the access control, registration and accounting, and integrity subsystems. For example:

  • Registration of access attempts by software tools (programs, processes, tasks, jobs) to protected files
  • Registration of the output of printed (graphic) documents to a "hard" copy, indicating additional registration parameters

Compliance with the level of control of the absence of undeclared capabilities at the 4th level of control

Level 4 requirements include:

  • Control of the composition and content of the documentation (a description of the program indicating the checksums of the files included in the software, and the source code of the programs included in the software)
  • Control of the initial state of the software (calculation of the current checksums of the software and comparison with the initial state)
  • Static analysis of the program source code (control of the completeness and absence of redundancy of the source code at the file level, and control of correspondence between the source code and its executable code)
  • Reporting on items 1 to 3
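The "control of the initial state" item above, and the checksum form mentioned earlier as the practical difference between the certified and regular releases, come down to one operation an administrator repeats after installation and after every update: digest every file of the installed platform and compare the result with the form. The script below is an added example for this article, not code from 1C or from the testing laboratory. It assumes the form is available as text lines of the shape "<relative path>  <hex digest>", uses SHA-256 as a stand-in algorithm (a real form names the algorithm and the tool that produced its values, and only that tool's output counts for the certificate), and the file names in the demo are constructed. It reports three findings rather than one: modified files, files listed but absent, and files present but not listed, because a library dropped into the certified tree is as much a deviation from the delivered composition as a patched one.

```python
"""Check an installed platform tree against its checksum form (added example)."""
import hashlib
import tempfile
from pathlib import Path

HASH_ALGO = "sha256"  # assumption: substitute the algorithm named in the real form


def parse_form(text: str) -> dict[str, str]:
    """Parse '<path> <digest>' lines; blank lines and '#' comments are skipped."""
    form = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        path, digest = line.rsplit(None, 1)
        form[path] = digest.lower()
    return form


def file_digest(path: Path, algo: str = HASH_ALGO) -> str:
    h = hashlib.new(algo)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def compute_checksums(root: Path, algo: str = HASH_ALGO) -> dict[str, str]:
    """Digest every regular file under root, keyed by POSIX-style relative path."""
    return {
        p.relative_to(root).as_posix(): file_digest(p, algo)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_against_form(root: Path, form: dict[str, str], algo: str = HASH_ALGO) -> dict:
    """Compare the installed tree with the form.

    mismatched: listed file whose digest differs (modified component)
    missing:    listed file that is absent (incomplete install)
    unexpected: file present but not listed (something added to the tree)
    """
    actual = compute_checksums(root, algo)
    mismatched = sorted(p for p in form if p in actual and actual[p] != form[p])
    missing = sorted(p for p in form if p not in actual)
    unexpected = sorted(p for p in actual if p not in form)
    return {
        "ok": not (mismatched or missing or unexpected),
        "mismatched": mismatched,
        "missing": missing,
        "unexpected": unexpected,
    }


def render_form(checksums: dict[str, str]) -> str:
    """Produce form text in the format parse_form reads (used by the demo)."""
    return "\n".join(f"{p}  {d}" for p, d in sorted(checksums.items()))


def demo() -> dict:
    """Build a constructed install tree, record its form, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "conf").mkdir()
        (root / "bin" / "1cv8.exe").write_bytes(b"constructed platform binary")
        (root / "bin" / "core.dll").write_bytes(b"constructed library")
        (root / "conf" / "conf.cfg").write_bytes(b"constructed config")
        form = parse_form(render_form(compute_checksums(root)))  # stands in for the printed form
        clean = verify_against_form(root, form)
        # Simulate the three failure modes: patched file, dropped-in file, deleted file.
        (root / "bin" / "core.dll").write_bytes(b"constructed library, patched")
        (root / "bin" / "extra.dll").write_bytes(b"dropped-in library")
        (root / "conf" / "conf.cfg").unlink()
        tampered = verify_against_form(root, form)
    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(demo())
```

In production the form text comes from the delivered paper or file, not from the installed tree itself, otherwise the check only proves that the tree has not changed since you first hashed it. Keep the form outside the host being checked, and run the check from a trusted copy of the tool, since a modified platform directory could just as well include a modified checker.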

ZPK delivery set includes:

  • distribution kit of the certified platform "1C:Enterprise 8.2z"
  • checksum form
  • protected product registration card
  • specification
  • application description
  • test documentation
  • program description
  • a copy of the FSTEC certificate



On July 1, 2017, amendments to Article 13.11 of the Code of Administrative Offenses of the Russian Federation came into force, in accordance with which fines for violation of legislation in the field of personal data (PD) were significantly increased.

When making purchases in online stores, buyers leave some information about themselves - full name, delivery address and other contact information. Therefore, owners of online stores should carefully study this issue and ensure compliance with the requirements of the Federal Law of July 27, 2006 No. 152-FZ “On Personal Data” when trading on the Internet.


What applies to the personal data of an individual who is a visitor to the online store

Personal data is any information that directly or indirectly relates to a specific individual or allows him to be identified (clause 1, article 3 of the Law "On Personal Data" No. 152-FZ).

In the context of operating an online store, personal data can in principle even include cookies, used in particular to personalize product offers for specific users. There are court precedents confirming that such files are personal data, for example the Decision of the Moscow Arbitration Court dated March 11, 2016 in case No. A40-14902/2016-84-126.

Personal data may be:

  • processed;
  • distributed;
  • changed;
  • provided to certain persons (disclosed);
  • deleted.

These actions are performed by the personal data operator. It can be any individual, organization or state or municipal authority. Including, of course, an online store - established by an individual (IP) or owned by a legal entity.

Therefore, becoming the operator of personal data, the online store is obliged to comply with the provisions of Law No. 152-FZ. But in what cases does he acquire such a status?

To acquire the status of a personal data operator, it is enough for an economic entity to perform any operation that constitutes processing, in particular:

  • collection;
  • recording;
  • systematization;
  • accumulation;
  • updating;
  • use;
  • dissemination.

That is, having carried out at least the first procedure - collecting data (in practice - receiving from the client through an online form), the online store becomes an operator, and it has obligations to comply with the norms of Law No. 152-FZ.

A separate segment of legal relations in which compliance with the legislation on personal data is required is the interaction of the online store as an employer and its employees (working both remotely and in offline divisions of the online store). However, such legal relations, in general, are carried out in the jurisdiction of those legal norms that are relevant for the interaction of employers and employees (remote or offline), regardless of the type of activity they carry out.

In turn, the exchange of data between the online store and its customers forms a separate and, in fact, unique - in terms of the application of the norms of Law No. 152-FZ, a segment of legal relations in which a business entity has a wide range of rights and obligations in accordance with the law .

Let us consider in more detail what kind of obligations an online store must fulfill in connection with the need to comply with the norms of Law No. 152-FZ.


What an online store needs to do to comply with the requirements of Federal Law No. 152-FZ

The main duty of any operator of personal data (and an online store is no exception) is to comply with the procedure for their processing. The main condition of this procedure is obtaining from the subject of personal data (that is, the buyer) consent to such processing.

Such consent can be obtained in any reliable form (clause 1, article 9 of Law No. 152-FZ). But in cases provided for by law, such consent is required in writing - that is, on paper or using an electronic document, which is certified by an electronic signature (clause 4, article 9 of Law No. 152-FZ).

The purchase of goods in an online store is not directly attributed by law to those operations that require the written consent of the subject of personal data. Therefore, obtaining such consent is possible, in principle, in any form - which, however, should make it possible to unambiguously certify the fact that an individual has approved the transfer of personal data to the operator.

The next duty of the personal data operator is to perform actions aimed at realizing the legal rights of personal data subjects. In particular, we are talking about the right:

  • to confirm the fact of receipt of PD by the online store and the beginning of their processing;
  • to receive information about the purposes and methods of processing PD;
  • to be informed of the persons (other than the operator's own employees) who are involved in the processing of PD.

Among other important duties of personal data operators, it is legitimate to include the observance of data confidentiality. If the client of the online store has not consented to the distribution of his data to other persons, then the business entity is not entitled to do this - as well as otherwise disclose personal data (Article 7 of Law No. 152-FZ). At the same time, even if consent is received, then the online store itself is responsible for the actions of third parties who received the personal data of the client of the online store (clause 5, article 6 of Law No. 152-FZ).

An important nuance characterizing the processing of personal data is the obligation of the operator to place the data on servers located in Russia, unless otherwise provided by law (clause 5, article 18 of Law No. 152-FZ). Russian online stores do not fall under the exceptions and therefore must comply with this norm of the law.

A separate issue is the need for the operator of personal data to submit a notification that they are being processed to Roskomnadzor - in accordance with the prescription of paragraph 1 of Art. 22 of Law No. 152-FZ. In general, such notification is required. But the provisions of paragraph 2 of Art. 22 of Law No. 152-FZ provides for a wide range of exceptions to this rule.

In particular, sub. 2 p. 2 art. 22 of Law No. 152-FZ provides that operators have the right not to submit a notification when executing an agreement concluded with the subject of personal data and provided that personal data is not transferred to third parties without the consent of the subject. Under such criteria, the contract of sale, concluded between the store and the buyer, falls well. Therefore, in the general case, an online store does not need to, when interacting with customers, submit notifications in question (but exceptions to this rule are possible - we will consider them later in the article).

So, the main duties of the personal data operator are:

  • to obtain consent to their processing;
  • to ensure the confidentiality of PD;
  • to fulfill other requirements of the legislation (on the placement of PD in the territory of Russia, on the fulfillment of requests from subjects of PD regarding how they are used).

Let us study in more detail how these duties can be technically performed by an online store.


How to obtain consent to the processing of personal data via the Internet

So, since the law does not establish requirements for obtaining written consent to the processing of personal data in relation to the activities of online stores, such consent can be obtained in any reliable way. But what exactly?

The options here are the following:

  1. When an online store requests personal data via an order form.

In this case, consent to data processing can be obtained by making submission of the order data through the form possible only if a check mark (or another form element performing a similar function) is placed next to a line with wording such as "I give consent to processing of personal data transmitted to the operator through this form".

Consent usually includes:

  • the purpose of providing the document to the operator (in the case of an online store - for the delivery of goods and other purposes determined by the sale and purchase procedure);
  • list of PD transferred to the operator;
  • terms and procedure for storing PD;
  • the procedure for transferring PD to certain third parties (for example, a goods delivery service).

At the same time, next to the checkmark and the link to the Consent, a link should also be placed to a separate document that explains in detail the procedure for processing personal data by the online store in accordance with Law No. 152-FZ: the Privacy Policy. It can be issued as an annex to the order form. The link text should contain a wording such as “I have read the annex to this form, which sets out the procedure for processing personal data in accordance with the law.”

The Privacy Policy is a document that must be publicly available. In addition, it can be considered part of the local regulatory framework of the organization that runs the online store. Employees of the business entity should therefore be required to follow the approved Policy.

The policy usually includes:

  • general provisions;
  • the purposes for which the economic entity collects PD;
  • provisions on the legal grounds for collecting PD;
  • classification of the PD used, the procedure and conditions for working with them;
  • the procedure for ensuring the exercise by PD subjects of the rights established by law.

The Policy may include:

  • how the online store ensures the rights of users upon request for information about the processing of PD;
  • how data storage is organized (in this case, information may be provided to establish the fact that servers with PD of buyers are located in Russia).

  2. When an online store requests personal data through an advertising mailing form (subscriptions to thematic materials from the site - for example, booklets with discounts, promotional codes).

The collection of personal data here can be carried out according to a similar scheme: a checkmark next to the "Agree" item, a Consent file and a link to the Privacy Policy with a wording reflecting the fact that the buyer of the online store has read the Policy.

Among IT specialists and experts in the field of personal data legislation, there is a widespread view that a person's consent to the processing of personal data should be obtained in a way that establishes his will with "increased reliability". The common scheme with a checkbox, a Consent and a link to the Privacy Policy is viewed critically by such experts, and, I must say, not without reason, because, according to them:

  • the checkbox can be ticked accidentally;
  • the online form may load with an error, for example without the link to the Privacy Policy, or without the checkbox or the wording accompanying it;
  • accidentally or intentionally, the user can enter other people's personal data in the form.

Taking these nuances into account, it is proposed to supplement the scheme under consideration, while keeping its main elements (the checkmark, the Consent and the link to the Privacy Policy), with a mechanism for obtaining secondary (confirming) consent. In the case of an online store, such a mechanism can be organized as follows:

  1. Mandatory user registration before making a purchase.

Such registration involves filling out essentially the same form with a checkmark, Consent and a link to the Privacy Policy, after which the online store sends a letter confirming the registration to the e-mail address specified by the user; the same letter serves to certify the fact of consent to the processing of personal data and familiarization with the Privacy Policy.

In this form, the user also specifies the login and password that he will subsequently use to log into his account on the website of the online store.

If the user does not confirm the registration by letter, then the consent to the processing of personal data will not be considered received (but, at the same time, it will be considered that the user is invited to read the Privacy Policy).

This method of obtaining consent to data processing with "increased reliability" can also be used by the store for marketing purposes. Through the buyer's personal account, the store can inform him about various discounts and promotions, exchange messages with him and solve other tasks specific to the interaction between seller and buyer.

  2. Confirmation of a separate order by e-mail (without mandatory registration of an account on the website of the online store).

The algorithm of such confirmation is, in principle, the same as that of registering a buyer's account, except that no login and password are issued to the user. In this case, the confirmation is made for the sole purpose of obtaining consent to the processing of personal data and certifying that the person has been offered the Privacy Policy to read.
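Both confirmation variants above (account registration and per-order confirmation) rely on the same mechanism: consent is recorded as pending when the form is submitted with the checkmark, and counts as received only after the user follows a link from the confirmation letter. The following is an added example, not code from the article or from any CMS it mentions, showing one way to implement that with a signed, expiring confirmation token. The secret, the 24-hour lifetime and the e-mail address are constructed assumptions; in practice the secret would come from a secrets store and the token would be placed in the link sent by the mail subsystem.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed demo secret (assumption): load from a secrets store in production.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"
TOKEN_TTL_SECONDS = 24 * 3600   # assumed lifetime of the confirmation link


@dataclass
class ConsentRecord:
    email: str
    policy_version: str            # which Privacy Policy text was linked on the form
    form_checkbox: bool            # the checkmark on the order/registration form
    requested_at: float
    confirmed_at: Optional[float] = None
    nonce: str = field(default_factory=lambda: secrets.token_hex(16))

    @property
    def is_valid(self) -> bool:
        # Consent is considered received only after e-mail confirmation.
        return self.form_checkbox and self.confirmed_at is not None


def _sign(email: str, nonce: str, expires: int) -> str:
    """HMAC over the fields the server must trust when the link is followed."""
    msg = f"{email}|{nonce}|{expires}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(record: ConsentRecord, now: Optional[float] = None) -> str:
    """Build the token embedded in the confirmation link: nonce.expiry.signature."""
    now = time.time() if now is None else now
    expires = int(now) + TOKEN_TTL_SECONDS
    return f"{record.nonce}.{expires}.{_sign(record.email, record.nonce, expires)}"


class ConsentStore:
    def __init__(self) -> None:
        self._pending: Dict[str, ConsentRecord] = {}   # keyed by nonce

    def request(self, email: str, policy_version: str, checkbox_ticked: bool,
                now: Optional[float] = None) -> Tuple[ConsentRecord, str]:
        """Step 1: form submitted. Without the checkmark nothing is recorded."""
        now = time.time() if now is None else now
        if not checkbox_ticked:
            raise ValueError("form submitted without the consent checkmark")
        rec = ConsentRecord(email, policy_version, True, now)
        self._pending[rec.nonce] = rec
        return rec, issue_token(rec, now)

    def confirm(self, email: str, token: str, now: Optional[float] = None) -> bool:
        """Step 2: link followed. Returns True only for a genuine, unexpired token."""
        now = time.time() if now is None else now
        try:
            nonce, expires_s, sig = token.split(".")
            expires = int(expires_s)
        except ValueError:
            return False                                  # malformed link
        rec = self._pending.get(nonce)
        if rec is None or rec.email != email:
            return False                                  # unknown or wrong address
        if not hmac.compare_digest(sig, _sign(email, nonce, expires)):
            return False                                  # tampered or forged token
        if now > expires:
            return False                                  # expired: send a new letter
        rec.confirmed_at = now
        return True
```

The record stays invalid until `confirm` succeeds, which is exactly the rule in the text: an unconfirmed registration means consent was not received, even though the Policy was offered. Binding the e-mail address into the signature prevents a token issued for one address from confirming another.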

The next large-scale task of the online store is to ensure the confidentiality of personal data in practice.


How can an online store ensure the confidentiality of PD

In accordance with paragraph 1 of Art. 18.1 of Law No. 152-FZ, the personal data operator must take measures sufficient to fulfill the obligations provided for by law. At the same time, the operator determines the list of relevant measures independently - unless otherwise provided by law.

Obviously, we are talking first of all about measures designed to ensure the confidentiality of personal data, that is:

  • preventing access to PD by persons who do not have permission to read them;
  • preventing unauthorized use, modification and distribution of PD;
  • protecting PD from cyber threats and from modification, distribution and other unauthorized operations resulting from technical failures.

The law proposes the following measures aimed at solving these problems:

  1. Appointment by an operator that is a legal entity of a responsible employee who organizes the processing of PD at the enterprise.
  2. Development by the operator of local regulations governing the processing of PD in accordance with the requirements of the law.
  3. The use of technical means to ensure the protection of PD.
  4. Internal control of procedures within the framework of PD processing.
  5. Assessment of the harm that may be caused to PD subjects as a result of violations of the law on the processing of personal data, and elimination of the consequences of such violations.
  6. Work with employees to improve their knowledge in the field of personal data protection.

By legal analogy, all of these rules also apply to individual entrepreneurs who sell online, including an individual entrepreneur who works alone, without employees. Sooner or later he may have staff, and by that time he should already have local regulations in force governing the organization of personal data processing.

You should know that in accordance with paragraph 4 of Art. 18.1 of Law No. 152-FZ, those documents that an online store must issue as part of the implementation of the above instructions and recommendations may be requested by Roskomnadzor when conducting an audit of an economic entity.

One way or another, measures aimed at ensuring that the operator of personal data fulfills the requirements of the law (primarily in terms of ensuring the confidentiality of personal data) can be divided into 2 groups:

  • organizational (essentially legal);
  • technical.

Organizational (legal) measures relate mainly to the documentary regulation of the application of these mechanisms for the interaction of an online store (represented by the owner or his employees) with the buyer.

It should be noted that implementing organizational and legal measures is expected to include developing a sale and purchase agreement (offer) between the store and the buyer, on the basis of which consent to the processing of personal data is given in a form other than written: a checkmark in the order form and a link to the Privacy Policy.

Technical measures come in the widest range; let's consider them in more detail.


What is the technical side of ensuring the confidentiality of PD

The main source of legal norms to be followed when solving the technical problems of ensuring the confidentiality of personal data is Art. 19 of Law No. 152-FZ.

It says, in particular, that the security of personal data can be ensured by:

  1. Identifying threats to data security in the course of their processing in information systems.

In practice, this measure implies the use of anti-virus and complementary solutions, which are expected to be integrated into the content management system. Such solutions are designed to detect in time attempts at automated or manual unauthorized access to personal data collected through order forms on the site or stored on servers administered by the online store.

  2. The use of technical means to increase the level of personal data security.

First of all, this means data encryption tools: personal data at rest is stored in a form that cannot be read without decryption, and decryption itself must be authorized by the online store.

  3. The use of technical means to recover deleted, damaged or unauthorizedly altered personal data.

Here we can talk about solutions applied in order to:

  • keep a backup copy of personal data in case they are removed from the original medium (damaged or modified);
  • actually restore deleted (damaged or modified) data from existing media.

  4. The use of technical means to delimit access (determine access levels) to personal data depending on the status of the person authorized to process them.

So, for example, the sales manager of an online store may have access only to the buyer's contact details (in order to reach him in case of any questions), while the delivery manager may also have access to the address. Or the first may be authorized only to read contacts, and the second to change them.

  5. Application of systems of control over persons processing personal data.

Indeed, local regulations alone are not enough to ensure the confidentiality of personal data; a mechanism is needed to control their implementation. The solutions here can be very different, from selective monitoring of the actions of specific employees of an online store to the introduction of tools for continuous traffic analysis that detect unauthorized transfer of personal data.
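Points 4 and 5 above (field-level access delimitation and control over the persons processing PD) fit together naturally: the same gateway that enforces who may read or change which field can record every attempt, and the audit trail then feeds the control measure. The following is an added example, not code from the article or from any CMS it mentions; the roles, field names, the sample customer record and the "three denials" threshold are constructed assumptions chosen to match the sales manager / delivery manager illustration in the text.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Constructed policy (assumption): role -> field -> allowed operations.
# Anything not listed is denied, so adding a new PD field never leaks by default.
POLICY: Dict[str, Dict[str, Set[str]]] = {
    "sales_manager":    {"name": {"read"}, "phone": {"read"}, "email": {"read"}},
    "delivery_manager": {"name": {"read"}, "phone": {"read", "write"},
                         "address": {"read", "write"}},
}


@dataclass(frozen=True)
class AuditEvent:
    actor: str          # account that made the request
    role: str
    op: str             # "read" or "write"
    fields: tuple       # fields requested (write) or returned (read)
    allowed: bool


class CustomerRecordGateway:
    """Single chokepoint through which employees reach buyers' PD."""

    def __init__(self, records: Dict[str, Dict[str, str]]) -> None:
        self._records = records           # customer_id -> PD fields
        self.audit: List[AuditEvent] = []

    @staticmethod
    def _permitted(role: str, op: str, fields: Iterable[str]) -> List[str]:
        perms = POLICY.get(role, {})      # unknown role -> no permissions
        return [f for f in fields if op in perms.get(f, set())]

    def read(self, actor: str, role: str, customer_id: str) -> Dict[str, str]:
        """Return only the fields this role may read and log the access."""
        rec = self._records[customer_id]
        visible = self._permitted(role, "read", rec.keys())
        self.audit.append(AuditEvent(actor, role, "read", tuple(sorted(visible)), True))
        return {f: rec[f] for f in visible}

    def update(self, actor: str, role: str, customer_id: str,
               changes: Dict[str, str]) -> None:
        """Apply changes only if every touched field is writable for the role."""
        writable = set(self._permitted(role, "write", changes.keys()))
        denied = sorted(set(changes) - writable)
        self.audit.append(AuditEvent(actor, role, "write",
                                     tuple(sorted(changes)), not denied))
        if denied:
            raise PermissionError(f"role {role!r} may not write {denied}")
        self._records[customer_id].update(changes)

    def actors_to_review(self, threshold: int = 3) -> List[str]:
        """Control measure: accounts with repeated denied operations."""
        counts: Dict[str, int] = {}
        for ev in self.audit:
            if not ev.allowed:
                counts[ev.actor] = counts.get(ev.actor, 0) + 1
        return sorted(a for a, n in counts.items() if n >= threshold)
```

Routing all reads and writes through one gateway is what makes the control measure cheap: the audit list is the raw material for the "selective monitoring" the text mentions, and a denied write is both blocked and recorded rather than silently ignored.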

How secure an information system should be for processing personal data is determined based on the potential harm that can be caused to the system due to the influence of threats typical of it. The lists of such threats and the requirements for system security, corresponding to the degree of threats, are defined in Decree of the Government of Russia dated November 1, 2012 No. 1119.

Let's consider them in more detail.

How secure should an online store be for secure processing of PD

In order to determine what specific measures are needed to ensure the necessary level of protection of personal data, the owner of an online store should use the table in the Appendix to the Composition and Content of Organizational and Technical Measures, which is approved by Order No. 21.

Note that this list concerns, first of all, the same personnel-related aspects of organizing the work of an online store. But even if its owner is an individual entrepreneur working without staff, then, in order to ensure the protection of buyers' personal data at least at level 1, he will have to:

  • apply means of identification and authentication of users;
  • manage user accounts;
  • control access to the server on which the PD is located;
  • use an antivirus;
  • identify incidents related to unauthorized access to PD.

Of course, it makes sense for an individual entrepreneur (and a legal entity, too) to delegate a significant part of such work to a third-party partner, for example the hosting provider that hosts the website of the online store. But the transfer of such powers must be properly secured legally, using detailed agreements that competently delineate the responsibility of the online store and of the partner that ensures the protection of buyers' personal data in accordance with the law.

In practice, many modern content management systems (CMS) have the functionality needed to make the operation of an online store meet the above requirements regarding the security levels for the processing of personal data.

But, of course, in many cases their refinement and extension is required. As a rule, the largest providers of website management and hosting solutions try to offer their customers products that best meet the requirements of Law No. 152-FZ and departmental standards. However, when choosing a specific CMS, it is always a good idea to seek additional expert advice on its compliance with the laws on the protection of personal data.

These are the main nuances that characterize the fulfillment by an online store of the requirements of Law No. 152-FZ and its accompanying legal acts in terms of interaction with buyers of goods. However, such interaction can also take place in other legal contexts. In particular, when recording settlements between the store and the buyer using a new type of cash register equipment (online cash registers)

As we noted at the beginning of the article, according to Law No. 152-FZ, personal data includes any information that may directly or indirectly relate to a specific person (or identify a person). Obviously, e-mail or phone can be at least indirect identifiers.

As for e-mail, it may take a form like [email protected], and if such an address leaks from the online store's databases, third parties can easily conclude that Stepan Petrov, who was born in 1976 in Moscow and studies at the University of Massachusetts, made purchases in the store.

It is more difficult with a phone number, but if desired it can also be counted as an indirect identifier. For example, a person who has obtained a number from an online store without authorization can call it and, posing as someone from a courier service, ask the subscriber to clarify his full name and delivery address, in fact in order to carry out an intrusive advertising mailing.

Thus, despite the fact that, according to Law No. 54-FZ, which regulates the use of online cash registers, buyers of online stores leave their contacts to receive checks voluntarily, we are talking about the transfer of personal data to the seller.

Does this mean that operations with such data will be subject to the same requirements that characterize the processing of other personal data?

Note that some of these requirements remain relevant. For example, an online store that accepts payment through an online cash register must:

  • guarantee buyers the right to receive information about the processing of PD;
  • ensure data confidentiality;
  • comply with other requirements of Law No. 152-FZ (in particular, on the placement of PD on Russian servers).

Notably, such requirements will not include obtaining consent to the processing of personal data.

The fact is that paragraph 1 of Art. 6 of Law No. 152-FZ lists a number of exceptions to the rule on the need to obtain consent. These exceptions include the processing of data in the course of the operator performing the functions and duties assigned to him by law. For an online store, such functions and duties legitimately include those under Law No. 54-FZ: forming cash receipts for settlements with customers.

Thus, the online store is not required to ask the buyer for consent to process his e-mail address and phone number as types of personal data.

Of course, there are no legal obstacles to asking buyers for consent to the processing of the e-mail address and telephone number at the same time as consent to the processing of other personal data. That is, the Consent that is offered when confirming the order form, and the accompanying Personal Data Policy, may state that part of the data (the buyer's e-mail address and phone number) will be used by the online store to comply with Law No. 54-FZ, that is, to send electronic cash receipts to the buyer.

But this procedure, strictly speaking, is optional from the point of view of legislation - although it is not difficult at all.

At the same time, the seller should keep in mind that receiving personal data in order to comply with Law No. 54-FZ does not fall under the exceptions in paragraph 2 of Art. 22 of Law No. 152-FZ, those relating to the obligation to notify Roskomnadzor of the receipt of personal data. That is, when accepting payment online, such a notification will need to be submitted. Having received the notification from the online store, the agency enters it into the register of personal data operators.

The notice must include:

  1. The name of the document: "Notice on the processing of personal data".
  2. The name of the operator and its legal address.
  3. Legal grounds and purposes of data processing.
  4. Types of processed data.
  5. Categories of persons who become subjects of personal data.
  6. Data processing methods.
  7. Data processing security measures.
  8. Information about the location of the servers on which personal data is stored.
  9. Date of the start of data processing.
  10. Conditions for termination of data processing.

The notice also states the full name and position of the person who drew it up; that person dates and signs the document.

Thus, the law imposes an impressive amount of obligations on the owners of online stores. And the sanctions for non-compliance are quite serious. Let's study them.

Liability and new fines

For violation of the requirements of the law on this issue, the following sanctions are provided:

  1. Administrative fines.

Their main list is defined in Art. 13.11 of the Code of Administrative Offenses of the Russian Federation, but some are set out in other articles of the Code.

Typical penalties include:

  • for processing PD without the consent of their owner - up to 20 thousand rubles for officials and individual entrepreneurs, up to 75 thousand rubles - for legal entities (Article 13.11 of the Code of Administrative Offenses of the Russian Federation);
  • for refusing to provide an individual with information that he has the right to get acquainted with by law - up to 10 thousand rubles for officials and individual entrepreneurs (Article 5.39 of the Code of Administrative Offenses of the Russian Federation);
  • for illegal (not provided for by the designated purposes) processing of personal data - up to 10 thousand rubles for officials and individual entrepreneurs, up to 50 thousand rubles for legal entities (Article 13.11 of the Code of Administrative Offenses of the Russian Federation);
  • for the absence of a published Privacy Policy - up to 6 thousand rubles for officials, for individual entrepreneurs - up to 10 thousand rubles, for legal entities - up to 30 thousand rubles (Article 13.11 of the Code of Administrative Offenses of the Russian Federation);
  • for refusal to familiarize an individual with information about the processing of his PD - up to 6 thousand rubles for officials, up to 15 thousand rubles - for individual entrepreneurs, up to 40 thousand rubles - for legal entities (Article 13.11 of the Code of Administrative Offenses of the Russian Federation).
  2. Criminal liability.

In accordance with Art. 137 of the Criminal Code of the Russian Federation, the illegal collection of personal data constituting a personal secret of a citizen can lead to a fine of up to 200 thousand rubles or the appointment of corrective labor, disqualification, and imprisonment for up to 2 years.

  3. Sanctions determined in civil proceedings.

Here we can talk about a variety of sanctions, but typical ones include:

  • the obligation to compensate for losses caused to the subject of PD as a result of the violation by the operator of the provisions of Law No. 152-FZ;
  • the obligation to compensate for the moral damage of the subject of the PD.

One way or another, if an online store violates the norms of Law No. 152-FZ, administrative sanctions are the most likely to be applied against it. At the same time, it should be borne in mind that the most severe of them, in particular the fine for failure to obtain consent to data processing (up to 75 thousand rubles), apply where the law requires written consent to the processing of personal data. Where consent may be obtained in any reliable form and is not obtained, the sanction applied is the fine for illegal data processing (up to 50 thousand rubles).

There is a possibility of applying a number of additional administrative sanctions to the operator. For example:

  • in the form of a fine for non-compliance with data protection requirements - up to 2 thousand rubles for officials and individual entrepreneurs, up to 15 thousand rubles - for legal entities (Article 13.12 of the Code of Administrative Offenses of the Russian Federation);
  • in the form of a fine for failure to provide notification to Roskomnadzor - up to 500 rubles for officials and individual entrepreneurs, up to 5,000 rubles - for legal entities (Article 19.7 of the Code of Administrative Offenses of the Russian Federation).

Theoretically, the website of an online store can also be blocked by court decision, for example if it allows the unlawful publication of buyers' personal data without their consent in purchase reviews.

Thus, depending on the specific violation and the area of legal relations in which it was committed, various sanctions may be initiated against the personal data operator.