Personal data processing policy designer. How to create terms of use and a business privacy policy


Margarita Ledovskikh

I am glad to welcome you to our website. My name is Margarita Ledovskikh, I am a media lawyer. I have been working in the field of information law for 19 years, of which 6 years I have been leading the “Law on the Network” project.


This Privacy Policy (hereinafter referred to as the Policy) is an annex to the User Agreement and determines the procedure for processing and protecting personal information about Users that Mann, Ivanov and Ferber Limited Liability Company (hereinafter referred to as the Administration) may receive during their use of the Administration's Services (hereinafter referred to as the Services).

Before using the Service, users should read the terms of this Privacy Policy.

1. General Provisions

1.1. Use of the Service in any form means the User’s unconditional consent to the terms of this Privacy Policy and the conditions for processing his personal information specified therein. In case of disagreement with the terms of the Privacy Policy, the User must refrain from using the Service.

1.2. The Privacy Policy (including any of its parts) may be changed by the Administration without any special notice and without payment of any compensation in connection with this. The new version of the Privacy Policy comes into force from the moment it is posted on the Administration website.

1.3. By accepting the terms of this Policy, the User expresses his consent to the Administration’s processing of data about the User for the purposes provided for in this Policy, as well as to the transfer of data about the User to third parties in the cases listed in this Policy.

This consent can be revoked by the User only if he notifies the Administration in writing at least 180 days before the expected date of termination of the use of data by the Administration.

Use of the Service through a web browser that accepts data from cookies means the User consents to the Administration collecting and processing data from cookies for the purposes provided for in this Policy, as well as to the transfer of data from cookies to third parties in the cases listed in this Policy.

Disabling and/or blocking by the User of the web browser option for receiving data from cookies means a prohibition on the Administration’s collection and processing of data from cookies in accordance with the terms of this Privacy Policy.

1.4. As a general rule, the Administration does not verify the accuracy of the personal information provided by Users. However, in cases provided for in the User Agreement, the User is obliged to provide confirmation of the accuracy of the personal information about himself provided by him.

2. Composition of information about Users that the Administration receives and processes

2.1. This Policy applies to the following types of personal information:

2.1.1. Personal information posted by Users, including about themselves when filling out the form for sending a message, other personal information to which the User gives the Administration access through websites or services of third parties, or personal information posted by Users in the process of using the Service. Personal information obtained in this way may include, in particular, the User’s last name, first name, telephone number, email address, and order delivery address. Other information is provided by the User at his discretion.

The User is prohibited from providing personal data of third parties without permission for such distribution received from those third parties, or if such personal data was not obtained by the User himself from publicly available sources of information.

2.1.2. This Policy also applies to candidates for existing vacancies of the Administration, along with other Users. Candidates for vacancies who send a resume to the Administration through the Service or by email for the purpose of an interview and further employment thereby express consent to the processing of the following personal data: last name, first name, patronymic, date of birth, citizenship, city of residence, contacts (telephone number, email address), place of work and dates of work, as well as other data specified by candidates for vacancies in their resumes.

2.1.3. The Seller guarantees to the Buyer that it will maintain the confidentiality of the following personal information about the Buyer:

— information about the user’s card (last 4 digits);

— information about purchases and orders.

The specified information is transferred by the Seller to third parties solely for the purpose of making payment for the order by the payment system; other cases of transfer of this information to third parties are not allowed.

2.1.4. Data automatically transferred to the Service during their use using software installed on the User’s device, incl. IP address, individual network number of the device (MAC address, device ID), electronic serial number (IMEI, MEID), data from cookies, information about the browser, operating system, access time, search queries of the User.

2.1.5. Data additionally provided by Users at the request of the Administration in order to fulfill the Administration’s obligations to Users regarding the use of the Service.

2.1.6. Other information about Users, the collection and/or processing of which is established by the Administration’s user agreement.

3. Purposes of collecting and processing information about Users

3.1. The Administration collects and processes only information about Users, incl. their personal data, which is necessary to fulfill the Administration’s obligations to provide the Service, answer the question asked by the User when sending a message using the Service, as well as fulfill the obligations provided for in the user agreement.

3.2. The Administration may use Users’ personal information for the purposes of:

3.2.1. identification of the party within the framework of agreements between the User and the Administration.

3.2.2. providing services to Users using the Service and to fulfill their obligations to them, incl. clarification of payment data, processing of orders and requests and further improvement of the Service, development of new services.

3.2.3. informing Users about the appearance of new materials on the Site, sending requests regarding the use of the Service, feedback from the User.

3.2.4. performing marketing tasks, conducting statistical and other research based on anonymized data.

3.2.5. informing the User through electronic mailings. By providing his data, the User agrees to receive advertising, informational and service messages (newsletters).

3.3. The purposes of processing personal data of candidates for vacancies are:

— Ensuring compliance with the requirements of the legislation of the Russian Federation.
— Solving employment issues, registration and regulation of labor relations.
— Reflection of information in personnel documents.
— Other purposes for processing personal data may be approved by order of the Operator.

3.4. Mobile applications may collect anonymous data about the user's location in order to provide a more accurate experience with the choice of payment method. Mobile applications may collect anonymous usage statistics.

3.5. The User hereby expresses his consent to the transfer of personal information about him to the Administration’s partners and third parties for the purposes provided for in clause 3.2 of this Privacy Policy.

3.6. If it is necessary to use personal information about the User for purposes not provided for in this Policy, the Administration requests the User’s consent to such actions.

4. Processing information about Users

4.1. Personal information about Users is stored in accordance with current legislation.

4.2. Personal information about Users is not transferred to third parties, except for the following cases:

4.2.1. The user agreed to such actions.

4.2.2. The transfer is necessary in order to ensure the functioning of the Service and/or its individual functionality.

4.2.3. The transfer is subject to applicable law.

4.2.4. In order to ensure the possibility of protecting the rights and legitimate interests of the Administration and/or third parties in cases where the User violates the terms of the user agreement.

4.2.5. If the Administration takes part in a merger, acquisition or any other form of sale of part or all of its assets. In this case, all obligations to comply with the terms of this Policy are transferred to the acquirer of the Administration’s assets.

4.3. The User is hereby notified and agrees that the Administration may receive personal data of third parties that are provided by the User when using the Service and use them to implement certain functions of the Service, provided that the User guarantees the consent of third parties, data about which is provided by the User when using the Service, for processing by the Administration for the purposes provided for in this Policy, as well as for the transfer of such data in the cases listed in this Policy.

4.4. In addition, the User is hereby notified and agrees that the Administration may receive statistical anonymized (without reference to the User) data about the User’s actions when using the Service.

4.5. Users have the right, upon request, to receive from the Administration information regarding the processing of their personal data.

5. Measures to protect information about Users

5.1. The Administration takes all necessary and sufficient organizational and technical measures to protect personal information about Users from unauthorized or accidental access to it, destruction, modification, blocking, distribution of personal information, as well as from other unlawful actions with it. These measures include, but are not limited to, internal review of data collection, storage and processing processes and security measures, including physical data security measures to prevent unauthorized access to personal information.

5.2. When processing personal data of Users, the Administration is guided by the Federal Law “On Personal Data” dated July 27, 2006 No. 152-FZ.

6. Final provisions

6.1. This Policy, the relationship between the User and the Administration arising in connection with the application of this Policy, as well as issues not regulated by this Policy, are governed by the current legislation of the Russian Federation.

In response to numerous requests from practicing webmasters and site owners, we have published a free sample Privacy Policy for sites with a feedback, subscription or call request form.

We decided to take this step because this form of the Policy does not provide for the processing of personal data, and as a result does not imply much variability in the decision. It is important to remember that it is not suitable for sites that process personal data. For example, online stores and other services where, in addition to a phone number or email, the user additionally provides other information about himself, require more attention to the issues of processing personal data.

Therefore, we thought about options for drawing up a “people’s” Privacy Policy. A simple template will not do here. We took as a basis the Recommendations of Roskomnadzor (hereinafter referred to as the “Recommendations”) issued in 2017 on the preparation of a document defining the operator’s policy regarding the processing of personal data (hereinafter referred to as the “Policy”). We supplemented it with live examples.

Let's see what happened.

Section 2 quotes the basic concepts from the Federal Law “On Personal Data”. We skip it as unnecessary. If desired, it is better to introduce your own terms into the Policy, clarifying the legal ones.

Section 3 finally provided the long-awaited advice on the structure and content of the Policy. Let's look at them in detail.

1. General provisions of the Policy

In this section, it is recommended to describe the purpose of the Policy, to include the basic concepts used in it (processing of personal data, operator, subject of personal data, confidentiality of personal data, etc.), and to list the basic rights and obligations of the operator and subject(s) of personal data.

So let's start with definitions. In order not to repeat Federal Law 152, we suggest making references to specific clauses and sections of the Policy that specify the concepts used. Below is an example of the terms and definitions of the Privacy Policy for an online store.

1.1. In this document and the relations of the Parties arising or related thereto, the following terms and definitions apply:

Personal Information - data provided by the subject of personal data or his representative, the scope and composition of which are indicated in clause X.X of the Policy.

Administration - Romashka LLC, INN XXX, OGRN XXX, Address: XXXXX, in the legal possession and/or management of which the Site is located. In the cases provided for in this Policy, the Administration acts as a personal data operator.

User - a person using the Site for the purpose of concluding and/or executing Agreements.

3. Legal grounds for processing personal data

According to the explanation of Roskomnadzor, the legal basis for the processing of personal data is the set of legal acts in pursuance of which and in accordance with which the operator processes personal data.

If the above link exists, the legal basis for the processing of personal data may be the agreements concluded between the operator and the subject of personal data.

If personal data is processed for other purposes, a separate consent to the processing of personal data must be indicated as a basis.

4. Volume and categories of personal data processed, categories of personal data subjects

Roskomnadzor warns that the content and volume of personal data processed must correspond to the stated purposes of processing. The personal data processed should not be redundant in relation to the stated purposes of their processing.

First of all, we indicate data from the fields of online feedback, order, subscription and registration forms. Then we pay close attention to the composition of the information entered by the user when filling out a profile in his personal account.

Additionally, we indicate the data that is requested by support or the sales department when filling out or processing applications over the phone or at service points.

5. Procedure and conditions for processing personal data

Let's choose. Federal Law 152 provides the following list of operations with personal data: collection, recording, systematization, accumulation, storage, clarification (updating, changing), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data.

Processing methods may include:

a) automated processing of personal data

b) processing of personal data without the use of automation tools.

According to the definition given in Federal Law 152, automated processing of personal data is the processing of personal data using computer technology.

It would seem that this includes any actions with personal data performed using computer technology. But it's not that simple. We look at the Regulations on the peculiarities of processing personal data carried out without the use of automation tools, approved by Decree of the Government of the Russian Federation of September 15, 2008 N 687.

Clause 1 states that the processing of personal data contained in the personal data information system or extracted from such a system (hereinafter referred to as personal data) is considered to be carried out without the use of automation tools (non-automated), if such actions with personal data as use, clarification, distribution, destruction of personal data in relation to each of the subjects of personal data are carried out with the direct participation of the person.

The processing of personal data cannot be recognized as carried out using automation tools only on the basis that personal data is contained in the personal data information system or was extracted from it (clause 2).

In other words, if personal data in the personal data information system of your website is not used, clarified, distributed and destroyed automatically without human intervention, you can safely choose the second processing method: processing personal data without the use of automation tools.

The result of this simple action will be a legal refusal to apply the draconian requirements of Federal Law 152 for automated processing of personal data in the information system.

Regarding the period of PD processing, we propose to indicate at least the validity period of the agreement for the purposes of which the PD was requested. To the validity period of the contract you can add the 3-year limitation period for the protection of rights in connection with its execution.

Roskomnadzor reminds that when storing personal data, the personal data operator is obliged to use databases located on the territory of the Russian Federation, in accordance with Part 5 of Art. 18 of the Federal Law "On Personal Data". It is not necessary to reflect this point in the Policy, since it is related to actual circumstances. Although, as a matter of form, you can include in the Policy a declarative article on the processing of personal data in Russia.

  • The user has expressed his consent to such actions;
  • The transfer is required for the conclusion and performance of contracts on or using the Site;
  • At the request of a court or other authorized government body within the framework of the procedure established by law;
  • To protect rights and legitimate interests in connection with violation of agreements concluded with the user.

Within certain limits, this list can be expanded to include cases of sale of the Site or transfer of PD in anonymized form.

In addition, Roskomnadzor recommends indicating in this section of the Policy information about compliance with the requirements for confidentiality of personal data established by Art. 7 of the Federal Law “On Personal Data”, as well as information about the operator taking measures provided for in Part 2 of Art. 18.1, part 1 art. 19 of the Federal Law “On Personal Data”.

In practice, this information boils down to a statement that the Site administration stores Personal Data and ensures its protection from unauthorized access and distribution in accordance with internal rules and regulations.

6. Updating, correction, deletion and destruction of personal data, responses to requests from subjects for access to personal data

Roskomnadzor recommends including in the Policy regulation(s) for responding to requests/appeals from personal data subjects and their representatives and from authorized bodies regarding the inaccuracy of personal data, illegality of their processing, withdrawal of consent and access of the personal data subject to their data, as well as the relevant forms of requests/appeals.

In such cases, it is usually indicated that the user has the right at any time to independently edit the information provided by him in his personal account. In case of termination of the concluded agreement, the user has the right to delete his own personal account independently or by contacting the support service at the email address XXX@ХХХ.ХХ.

If desired, you can tighten the terms of the regulations for processing requests to change/delete PD, requiring the user to send letters with declared value to your address in Bobruisk.

7. Processing of anonymized data

It is noteworthy that Roskomnadzor, as always, avoided the issue of processing equally important data for users that is not considered personal. We are talking about information collected automatically on the site: cookies, IP, information about the device and its location, etc.

Apparently, Roskomnadzor stubbornly does not want to disclose the composition of personal data, even by exclusion through information that is not personal. However, in practice, it is customary to include a notice and procedure for processing such data in the Privacy Policy in order to fully inform the user about the consequences of using the site.

Below is an example of such a notification.

You understand and accept the possibility of using third party software on the Site, as a result of which such parties may receive and transmit data in anonymized form.
Such third-party software includes Google Analytics visitor statistics collection systems.

The composition and conditions for collecting anonymized data using third-party software are determined directly by their copyright holders and may include:

  • browser data (type, version, cookie);
  • device data and its location;
  • operating system data (type, version, screen resolution);
  • request data (time, referral source, IP address).

A full description of the conditions for processing anonymized data can be found in the sample Privacy Policy with which we began our article.

We wish you success in developing your own Privacy Policy in accordance with the recommendations of Roskomnadzor and the approaches developed in practice.

Part 3

Compliance with legal requirements for privacy policy

Do you need a privacy policy? Do you collect personal information about customers, whether through website transactions or social media pages? Then you must create and comply with a privacy policy. In other words, these will be your terms and conditions for the collection, use, transfer and protection of third party data. The Consumer Protection Bureau describes the importance of privacy and policy on its website. The US Small Business Administration also recognizes the importance of confidentiality and privacy, as described on the organization's website.

Review the types of clauses in the privacy policy. The Privacy Policy contains a number of different provisions. It includes, but is not limited to these provisions:

Make sure you don't promise anything you can't deliver. Very often people make a serious mistake when they use phrases like “We do not share your personal information with third parties.” Unfortunately, purchase and sale transactions and Internet transactions as such do not leave the opportunity to avoid the exchange of this information. For example, an intermediary bank processing a customer's credit card payments must have at least some information about the customer. Such statements can be costly to you, so it is important to have the privacy policy reviewed by a legal professional.







2024 gtavrl.ru.