Personal data, rights of PD subjects
We all use the phone, go to work or for interviews, use bank cards or just travel around the Internet. Often without even thinking about the fact that we leave a trace of personal data. It has become so habitual to leave our data that most of us no longer read the agreements or other documents that we agree “on the machine”. At the same time, our data can be used for different purposes: to display specific advertising, spam mailings, phishing , etc. In this article I would like to talk about the rights of subjects of personal data, i.e. us with you. What laws govern the work with personal data and how to act in difficult situations, how to defend your honor and dignity and the right to a personal space, which is already almost gone.
What is personal data?
So, let's start with the simplest, what is personal data? According to the definition given in Art. 3 FZ-152 “On personal data” is: “any information relating directly or indirectly to a specific or determinable individual”. In other words, this is the name, phone number, email, passport details, photo, etc. From this point, questions already begin, for example, can a name be considered Personal Data? To answer this question, we turn to the explanations of Roskomnadzor , in this case this agency acts as the Regulator.
“The surname and initials of a citizen - this is undoubtedly the personal data of the subject. However, without the use of additional information, it is impossible to determine the ownership of personal data to a specific subject of personal data. Name (surname, name, patronymic) along with many other methods is used to identify an individual among others. By its nature, it is a composite key, an identifier based on combinations of three parameters of a surname, first name and patronymic, which does not really identify a person unambiguously, but only greatly reduces the selection of those to whom they may belong ”Thus, only working with a combination of data to determine a specific person can be considered the processing of personal data. For example, a full name in combination with a phone number and passport data will undoubtedly allow you to identify a person.
FZ-152 "On personal data"
The main document that regulates personal relations was adopted back in 2006 and is called the Federal Law “On Personal Data”. Changes have been made to it more than once, but now I would like to mention the draft of the new Code of Administrative Offenses, at the moment new Code of Administrative Offenses . A new article has been added to the project, which provides fines of up to 500 tr. for the leak of personal data. There was no such article before, but we will not get ahead of ourselves.
We focus on the 3rd Chapter of the aforementioned law - it is called “Rights of the subject of personal data”. And start with article 14 . And the first thing that the subject of personal data has the right to do is access to his personal data. In other words, you can send a request to any operator (whether it is a State body or not) at any time to provide information regarding your PD, and the operator must provide such information. The processing time for such a request may vary, but not exceed 30 days.For example, if you find on the Internet, information about yourself that does not correspond to reality, then the owner of such a resource must make the necessary adjustments or delete them altogether no more than 7 days after receiving your request.
This moment is enshrined in article 20 of the Federal Law "On Personal Data" .
How to generate a request to the personal data operator?
When forming such a request, a number of requirements must be observed, but they are not very complicated. Such a request should contain the passport data of the subject (passport number, date of issue, by whom and when it was issued). In addition, you must attach confirmation that the operator is processing your data, this may be the number and date of the contract, a screenshot or any information confirming the fact of processing. Even verbal designation is allowed, i.e. just a description of the fact that the processing of your personal data is carried out by a particular operator. And of course, you will need to put a signature.
It is allowed to send a request in the form of an electronic document, but in this case it must be signed by electronic signature.
If the operator has provided you with the requested information, then you have the right to request it again, but not earlier than after 30 days. The countdown is from the date the previous request was sent.
If the operator has not provided you with all the information that you requested, then you do not have to wait 30 days, in which case you can generate a second request immediately. But do not forget to justify your appeal.
What information does the subject of personal data have the right to request?
In fact, the operator of personal data must comply with a lot of conditions in order to be able to work with your personal information and therefore the list of information that you can request is quite large. Let's take them in order:
- confirmation of the fact of the processing of personal data by the operator;
- legal grounds and purposes of processing personal data;
The legal grounds may be a contract, charter, license or rule of law in the operator’s memo ILV gives the following example:
"Art. 86-90 of the Labor Code of the Russian Federation; Art. 53, part 2, article 54 of the Federal Law of 07.07.2003 No. 126-ФЗ “On Communication”; Clause 4.5 of the License No. _____ dated ______., issued by LLC _________ by the Federal Service for Supervision of Communications in the field of communications services; Clause 1 of the Charter of _________ LLC, approved at the general meeting of shareholders on 01.01.0000, Minutes No. 1. ”The goals of the processing of personal data must be specific, predetermined, legal and relevant to the activities in which such processing is carried out.
The operator determines the goals in advance, when submitting an application to Roskomnadzor, more about setting goals and preparing a notification to Roskomnadzor can be found in this article .
- goals and methods of processing personal data used by the operator;
Processing methods can be automated, i.e. using computer technology and manual or mixed. Moreover, the goals for different methods of processing data of the same person can be different.
- name and location of the operator, information about persons (except for the operator’s employees) who have access to personal data or to whom personal data may be disclosed on the basis of an agreement with the operator or on the basis of federal law;
- processed personal data relating to the relevant subject of personal data, the source of their receipt, unless otherwise provided by federal law;
- terms of processing personal data, including the periods of their storage;
- the procedure for the exercise by the subject of personal data of the rights provided for by the Federal Law "On Personal Data";
- information on completed or suspected cross-border data transfer;
Cross-border transfer is the transfer of your data to the territory of another state. For such a transfer, the operator must have your written consent.
- name or surname, name, patronymic and address of the person who processes personal data on behalf of the operator, if processing is or will be entrusted to such a person;
- other information provided for by this Federal Law or other federal laws.
When can they deny access to personal data?
Undoubtedly, everyone has the right to request information from the operator about the processing of their own personal data. But there are a number of exceptions when the operator may fail. As a rule, all these cases are related to the work of law enforcement agencies. This may be operational investigative or intelligence and counterintelligence activities. Access to PD may be limited if a criminal case has been instituted against the subject or if the processing of personal data is carried out in accordance with the law on combating the legalization (laundering) of proceeds from crime.
Access restrictions may occur if the rights and legitimate interests of third parties are violated.
SPAM, personal data and advertising law
Many companies use personal data to send messages that advertise the operator’s services or products. We all periodically receive information about discounts, promotions and special offers by mail, but often we are not interested in such messages, they bother us and we don’t even remember when we agreed to this “tempting” offer.
In this case, in addition to the federal law “On Personal Data”, it is worth referring also to the law on advertising . But let's sort it out in order.
In Art. 15 FZ-152 it is said that the processing of personal data in order to promote goods, works and services by means of communication can be carried out only with the consent of the individual. A very interesting point is that in cases of advertising its own works and services, the company must prove that such consent was obtained.
If you nevertheless gave the operator such consent (by ticking the check box on the site or by concluding an agreement with him), then you can withdraw it at any time. To do this, just write an appeal to a company that throws you letters and the operator must immediately stop processing your personal data for purposes of an advertising nature.
Moreover, if you receive messages by e-mail, the letter should contain a link to automatically refuse and exclude your contacts from the advertising mailing list.
What is advertising? Let us turn to the definition - “information distributed by any means a circle of persons aimed at drawing attention to the object of advertising, the formation or maintenance of interest in it and its promotion in the market. "
As in the situation with the law “On personal data” in the law “On advertising”, in chapter 2, art. 18 it is written that the distribution of advertising on telecommunication networks is allowed only provided that the subscriber has given this prior consent. The advertiser is also required to prove the existence of such consent, as is the case with the requirements of 152-FZ. The requirements of the laws converge and part of the fact that the advertising distributor is obliged to immediately stop the process of distributing advertising upon receipt of the corresponding request from an individual.
If Roskomnadzor is the regulator in the field of personal data, then in the case of the law “On Advertising” it is the Federal Antimonopoly Service (FAS). Complaint requirements are available on the regulator’s website. It’s quite simple to execute them, in many ways the filing mechanism is similar to the requirements for filing an appeal to ILV, you must specify:
- Name of applicant and his place of residence
- Advertiser Name
If the applicant cannot independently provide evidence of an offense, he is entitled to indicate the legal or natural person from whom such evidence can be obtained.
- Applicant's requirements
The term of consideration should not exceed 1 month from the date of its receipt, unless the evidence is insufficient. With this scenario, the FAS should notify you and may extend the period for consideration of the complaint, but not more than 1 month.
Based on the results of the appeal, the FAS can initiate an audit. The result of which, quite possibly, will be a fine to the advertising distributor. The amount of the fine in this case is quite substantial. The amount of fines is regulated by Art. 14.3. Code of Administrative Offenses of the Russian Federation and they can reach 500 000 rub.
Life example, Sberbank is again not up to the mark
As an example, let’s analyze the case of Sberbank in 2018. The essence of this lawsuit is that Sberbank concluded an agreement with one of its customers to issue an international card. Moreover, the contract of accession was drawn up in such a way that meant sending messages of an advertising nature. The client could not get the card he needed and at the same time refuse the service imposed by the bank. In this situation, the consumer of banking services was not at a loss and withdrew this consent earlier.
When he received another newsletter advertising the bank’s services, he turned to the Federal Antimonopoly Service.
Despite a number of arguments of the bank’s representatives, the court ordered Sberbank to pay a fine of 250,000 rubles. In accordance with Part 1 of Art. 14.3. Code of Administrative Offenses of the Russian Federation.
Most important in one paragraph
Individuals are quite well protected by law, in particular, Federal Law-152 “On Personal Data”. Have the right to access, modify and destroy their personal information. At any time, they may withdraw their prior consent to the processing of personal data.They have a winning position in relation to the operator, who, in turn, must prove that he has received the above consent. And as stated in Art. 17 of the Law "On Personal Data" : "The subject has the right to protect his rights and legitimate interests, including compensation for losses and non-pecuniary damage in court."