Subscribing to a newsletter, filling in your full name and phone number for payment or a manager’s call – users leave personal data on company websites every day. In this article, we will tell you how to collect and process it correctly so as not to break the law.
Data is a lifesaver for business owners and marketers – it can help them better understand their target audience, fine-tune their advertising, and offer personalized offers to each segment. But to process and store customer information, a number of requirements must be met. The procedure for collecting personal data is set out in Federal Law No. 152-FZ “On Personal Data.”
What is considered personal data
Personal data is any information relating directly or indirectly to a specific or identifiable individual (subject of personal data).
Definition from Federal Law 152-FZ “On Personal Data”
The law does not provide a precise list of information that can be considered personal data – it includes any information that allows a person to be identified. This does not include food or movie preferences, but a taxpayer identification number or information about the place of work will be considered personal data.
According to the Personal Data Act, the company or person who collects this information is the personal data operator. Even if you delete the information immediately after receiving it, you are still responsible for the collection, processing and destruction of personal data.
Personal data is collected in two ways – directly and automatically. The first case includes data that the user enters themselves, for example when filling out a registration form or a request for a call. These include:
full name (but the name alone is not considered personal data),
email,
registration/residence address,
phone number,
photo,
information about relatives,
health information,
income size,
link to social networks.
Data that is collected automatically may include the IP address and location information. Companies receive it using cookies – text files with information about visits to the resource and actions on the site. If a company violates the cookie requirements, Roskomnadzor may demand that the resource be blocked. This already happened with LinkedIn in 2016 – the site was blocked in the Russian Federation for illegal use and storage of cookies.
What is required to collect personal data
In order to properly collect and process data and not break the law, you need to prepare several documents, as well as comply with the requirements of Roskomnadzor. Let’s look at what is needed to collect data step by step.
Step 1: Install SSL Certificate
In 2022, the volume of user data leaks increased 40 times compared to 2021 – personal information of 100 million people became publicly available. An SSL certificate will help minimize the risks.
The secure data transfer protocol creates an encrypted connection between the visitor’s browser and the server, so the information exchanged cannot be read or altered in transit. The certificate will not allow fraudsters to intercept traffic and use the data illegally, preventing leakage. If you plan to collect users’ full names, bank card details and other personal information, installing an SSL certificate is a necessary step. You can get a basic SSL certificate from REG.RU for free for 6 months.
Step 2. Prepare documents
To collect personal data on the site, you need to prepare a package of documents. Here are the most basic ones:
Privacy Policy. This document contains information about the organization that collects the data, the purposes of collection, and the methods of processing and transfer. The policy must specify the operator, the legal or actual address of the company/individual, the list of data collected, the processing periods and how the data is destroyed. At the same time, the hosting and the database must be located in the Russian Federation – the rule applies even to foreign companies. If you plan to transfer data to third parties, this must also be specified in the policy.
Data protection statement. This document should describe the risks and the security measures you have taken to prevent data leakage. All data protection measures are listed in Order No. 21 of the Federal Service for Technical and Export Control.
Consent to personal data processing. Users will need to be shown a consent notice for data processing every time they fill out forms on the website. Each website visitor must make their own decision about transferring personal information. The consent period may be unlimited.
Cookie collection notice. You’ve probably seen such notices on websites – a pop-up banner with a button or the inscription “By continuing to use the site, you agree to the processing of data.” The banner must include a link to the privacy policy.
Confidentiality Agreement. This document does not need to be published on the website, but it must be signed by the company’s employees. It obliges them not to disclose information about clients obtained during their work.
An order appointing a person responsible for the storage and processing of personal data. This is also an internal document. A lawyer or a security officer can be appointed responsible – there are no specific requirements here.
Step 3. Submit a notification to Roskomnadzor
This step is not mandatory for all companies. If you only process employee data or only process data on paper, you can skip this step. Other exceptions are described in detail in Article 22 of 153-FZ.
You can submit a notification on paper by mail, through Gosuslugi or online using the form on the Roskomnadzor website. If you do not receive a response within 10 working days after submitting the notification, you can collect data. A response will only be received if collection and processing are prohibited or limited.
After submitting the notification, the organization or individual will be entered into the register of personal data operators.
Step 4: Publish the policy and forms on the site
The privacy policy should be accessible from every page of the site – for convenience, a link to it is placed in the footer.
The privacy policy is usually published in the footer of the site – an example from the REG.RU site.
In addition, each form for collecting data, whether it is an email address or a full name, must contain a link to the agreement and a notice of consent to data processing. If you use cookies, you also need to notify users about this – the most convenient way is to place a banner that automatically appears on the site.
A pop-up notification that we at REG.RU use cookies is visible to all visitors to the site.
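To make Step 4 concrete, here is an added example of a cookie-consent banner script. It is written for this article and is not REG.RU’s own code; the cookie name `pd_consent`, the policy path `/privacy-policy` and the analytics script path `/static/analytics.js` are placeholders chosen here. The point it demonstrates beyond the text: the banner carries the mandatory privacy-policy link, the visitor’s choice is remembered in a first-party cookie together with a timestamp, non-essential scripts (analytics and the cookies they set) are loaded only after an explicit “Accept”, and a missing or malformed consent cookie is treated as “no decision yet”, so the banner is shown again. The decision logic is kept separate from the DOM code so it can be tested without a browser.

```javascript
// Added example (not REG.RU's code): a minimal cookie-consent gate for a website.
// Assumptions: the choice is remembered in a first-party cookie named "pd_consent"
// (name chosen here), the privacy policy lives at /privacy-policy (placeholder path),
// and non-essential scripts are loaded only after the visitor explicitly accepts.

const CONSENT_COOKIE = "pd_consent";      // assumed cookie name
const POLICY_URL = "/privacy-policy";     // placeholder path to the privacy policy
const CONSENT_TTL_DAYS = 365;             // how long the choice is remembered

// Parse a document.cookie string ("a=1; b=2") into a plain object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (!name) continue;
    let value = part.slice(idx + 1).trim();
    try { value = decodeURIComponent(value); } catch { /* keep the raw value */ }
    out[name] = value;
  }
  return out;
}

// The consent record is JSON: {"choice":"accepted"|"declined","at":"<ISO date>"}.
// Anything else (absent, malformed, unknown choice) counts as "no decision yet".
function readConsent(cookieString) {
  const raw = parseCookies(cookieString)[CONSENT_COOKIE];
  if (!raw) return null;
  try {
    const rec = JSON.parse(raw);
    if (rec.choice !== "accepted" && rec.choice !== "declined") return null;
    return rec;
  } catch {
    return null;
  }
}

// Build the value assigned to document.cookie for a choice. The timestamp lets the
// operator show when consent was given; Secure/SameSite keep the cookie first-party
// and HTTPS-only (Step 1).
function buildConsentCookie(choice, now = new Date()) {
  const value = encodeURIComponent(JSON.stringify({ choice, at: now.toISOString() }));
  const maxAge = CONSENT_TTL_DAYS * 24 * 60 * 60;
  return `${CONSENT_COOKIE}=${value}; Max-Age=${maxAge}; Path=/; SameSite=Lax; Secure`;
}

// Decide what the page should do given the current cookies.
function consentDecision(cookieString) {
  const rec = readConsent(cookieString);
  if (!rec) return { showBanner: true, loadAnalytics: false };
  return { showBanner: false, loadAnalytics: rec.choice === "accepted" };
}

// Non-essential scripts go here and nowhere else, so they never run before consent.
function loadNonEssentialScripts(doc) {
  const s = doc.createElement("script");
  s.src = "/static/analytics.js"; // placeholder path
  doc.head.appendChild(s);
}

// Browser-only part: render the banner with the mandatory privacy-policy link.
function installBanner(doc) {
  const { showBanner, loadAnalytics } = consentDecision(doc.cookie);
  if (loadAnalytics) loadNonEssentialScripts(doc);
  if (!showBanner) return;
  const banner = doc.createElement("div");
  banner.id = "cookie-banner";
  banner.innerHTML =
    `This site uses cookies. See our <a href="${POLICY_URL}">privacy policy</a>. ` +
    `<button id="cookie-accept">Accept</button> <button id="cookie-decline">Decline</button>`;
  doc.body.appendChild(banner);
  banner.querySelector("#cookie-accept").addEventListener("click", () => {
    doc.cookie = buildConsentCookie("accepted");
    loadNonEssentialScripts(doc);
    banner.remove();
  });
  banner.querySelector("#cookie-decline").addEventListener("click", () => {
    doc.cookie = buildConsentCookie("declined");
    banner.remove();
  });
}

// Run only in a browser; the pure functions above can be exercised anywhere.
if (typeof document !== "undefined") installBanner(document);
```

Include the script on every page below the footer link to the policy; because `loadNonEssentialScripts` is the only place analytics is injected, a visitor who declines (or has not yet decided) never receives those cookies, which is the behaviour the notice in the banner promises.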
Step 5. Don’t forget to update the information
The Law on Personal Data is constantly updated and supplemented, so from time to time it will be necessary to update the information and rewrite some documents. Roskomnadzor must be notified of all changes no later than the 15th day of the month following the month in which the changes occurred. Otherwise, the organization may face a fine.