Hosting and storage of personal data under Law 152. Which hosting to choose - Russian or foreign - so as not to violate the Law on Personal Data? Regulatory documents and classification

On September 1, 2015, amendments to the federal law “On Personal Data” (152-FZ) came into force.
According to the law, the data that a client enters on your website must be stored on the territory of the Russian Federation.
And that is not all. This article covers who the law affects and what to do.

Specifically, all data that a client enters on your site and that constitutes personal data (passport details, addresses including e-mail, payment data, etc.) must be stored on the territory of the Russian Federation.

HERE IS THE EXTRACT FROM LAW 152 on the protection of personal data

“When collecting personal data, including through the Internet information and telecommunication network, the operator is obliged to ensure the recording, systematization, accumulation, storage, clarification (updating, change), extraction of personal data of citizens of the Russian Federation using databases located on the territory of the Russian Federation, except for the cases specified in paragraphs 2, 3, 4, 8 of part 1 of Article 6 of this Federal Law” (Part 5 of Article 18 of the Federal Law “On Personal Data”).


The term “Operator” covers all companies, in particular e-commerce companies, on whose websites customers provide personal information.

And that is still not all. In February 2017, further amendments were made to the law on the protection of personal data. They oblige all owners of sites and online stores (Operators) to notify users that, when entering personal data on the site, they give their consent to its collection, processing and storage.

If you ignore these amendments, you risk a fine of up to 75,000 rubles for a single violation, and the amount grows with the number of violations (Article 13.11 of the Code of Administrative Offenses of the Russian Federation, violation of the legislation of the Russian Federation in the field of personal data).

WHAT ELSE DO YOU RISK BY BREAKING THE PERSONAL DATA LAW?

We have already mentioned significant fines. They can affect anyone, so do not assume this is not about you :) Look at the judicial practice and you will see that this is not a joke. Here, for example, is the well-known case of the Tambov law firm (Decree No. 4A-288/2016 of October 4, 2016 in case No. 4A-288/2016), which was fined for violations in the field of PD storage. The amount of that fine is small, but bear in mind that since July 1, 2017 fines have increased significantly.

In addition to administrative liability, there may also be criminal liability, for example if a user suffers moral harm because their personal data fell into the wrong hands.
Also, for such violations Roskomnadzor can block the site and add you to the so-called “black list”.
After that, be prepared for additional checks by Roskomnadzor.

WHAT TO DO?

  1. The first thing to do is to notify users about the processing of personal data. If you haven't already, now is the time. Develop and post on the site a document on the processing of PD, and also obtain the consent of users for such processing (for example, by checking the checkbox with information under each registration form).
    In general, this can be done in different ways, depending on your goals and business features. For example, Ozon places a privacy policy on the site and, when registering a user, takes consent to the processing of PD. Or you can place information about the collection of PD as part of a public offer, as Lamoda does, and also collect consent to processing during registration. Or like Sberbank, which places such information in the contract.
  2. Prepare internal documents governing the rules for compliance with this law. These include orders, instructions and appointments of the persons responsible for the storage of personal information.
  3. It is very important to make sure that the data is stored in Russia (on Russian servers).
    This is required by the law on the protection of user information (part 5 of article 18 of the Federal Law “On Personal Data”).
    Therefore, ask your hosting provider for the address of the location of the servers that host your site and conclude an agreement with the provider in which this address is indicated. You will need this address to fill out the notification to Roskomnadzor. If you have your own server, be sure to keep the documents on it; Roskomnadzor may require them during a possible audit. The same applies to the contract with a hosting provider.

    If your hosting provider hosts its servers in a Russian data center, all is well.
    Buying hosting from a domestic provider is the easiest way to meet the requirements of the law.

    There is another way, called cross-border data transfer. It is not prohibited by law: storage of PD abroad is allowed, but with some reservations. A company that stores PD abroad must in any case also have such a database on the territory of the Russian Federation, and that database must be as complete and up-to-date as possible. The scheme is this: the entire database with personal data is collected, systematized and stored on the territory of the Russian Federation, and only then can the data be transferred abroad. The primary source is the database on the territory of the Russian Federation.

  4. After that, prepare and send a notification to Roskomnadzor.
    This can be done through the electronic form on the website:

    Notification is not required if:

      • you process only employee data;
      • you enter into an agreement with a specific person and the data specified in the agreement are used only for the execution of that agreement, i.e. the information is not published or transferred to third parties without the consent of the personal data subject (this point is ambiguous, as questions may arise from the specifics of the business; it is important to draw up the agreement correctly, taking into account all the nuances required by the law, so we recommend consulting a lawyer, and if there is no definite answer, it is better to file a notification);
      • the collected data includes only the names of users;
      • the user has made their personal data publicly available themselves.

Note that these are only the cases where notification to Roskomnadzor is not required. The data above is still personal data, and the user must still be notified about its processing.
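The consent step from point 1 above (a checkbox under the registration form) only helps during an audit if the server actually refuses submissions without it and keeps proof of what the user agreed to. The following is an added illustration, not code from this article or from any of the providers it mentions; the form field name `pd_consent`, the policy version string, the policy text and the sample submissions are all constructed for the example.

```python
"""Server-side handling of a personal-data consent checkbox on a registration form.

Added example; the field name, policy version, policy text and sample
submissions are constructed and not taken from any real site.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional
import hashlib

# Version and text of the processing policy currently published on the site (constructed).
POLICY_VERSION = "2017-02-v1"
POLICY_TEXT = "Personal data processing policy (constructed sample text)"
# Hash of the text shown to the user, so a stored consent can later be tied
# to the exact wording that was on the page at the time.
POLICY_HASH = hashlib.sha256(POLICY_TEXT.encode("utf-8")).hexdigest()


class ConsentMissing(ValueError):
    """Raised when the registration form arrives without explicit consent."""


@dataclass(frozen=True)
class ConsentRecord:
    """Proof of consent kept alongside the account: who, to which policy, when, from where."""
    email: str
    policy_version: str
    policy_hash: str
    given_at: str      # UTC timestamp in ISO 8601
    source_ip: str


def register(form: dict, source_ip: str, now: Optional[datetime] = None) -> ConsentRecord:
    """Reject the submission unless the consent box was ticked, then record the proof.

    The checkbox must not be pre-checked in the HTML; the server accepts only
    the literal value "on" that a browser sends for a ticked checkbox, so a
    missing, empty or tampered value counts as no consent.
    """
    if form.get("pd_consent") != "on":
        raise ConsentMissing("registration without consent to personal data processing")
    now = now or datetime.now(timezone.utc)
    return ConsentRecord(
        email=form["email"].strip().lower(),
        policy_version=POLICY_VERSION,
        policy_hash=POLICY_HASH,
        given_at=now.isoformat(),
        source_ip=source_ip,
    )


def consent_still_valid(record: ConsentRecord) -> bool:
    """A stored consent proves agreement only to the policy text shown at the time.

    If the published policy has since changed (new version or edited text),
    the operator needs renewed consent from that user.
    """
    return record.policy_version == POLICY_VERSION and record.policy_hash == POLICY_HASH


if __name__ == "__main__":
    # Constructed submissions: one with the box ticked, one without.
    ok = register({"email": "Ivan@Example.ru", "pd_consent": "on"}, "203.0.113.7")
    print("recorded:", ok)
    try:
        register({"email": "olga@example.ru"}, "203.0.113.8")
    except ConsentMissing as exc:
        print("rejected:", exc)
```

Storing the policy version and hash with each consent is what lets you answer the audit question "what exactly did this user agree to, and when"; a bare boolean column cannot.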

INSTEAD OF CONCLUSION

There is no need to be afraid of this law. It regulates our rights with you, as individuals. Each of us at least once purchased goods via the Internet and left our personal data. Now you and I have grounds for defending our rights legally if our rights are violated.

For site owners, the most important thing is to arrange everything correctly. This way you protect yourself from fines, other liability and gain the trust of customers.
Small note: we advise you not to make a blueprint, for example, like competitors - each has its own specifics. It is better to spend time developing documentation specifically for your business than to pay fines later. And if you still have questions seek the help of your lawyer, as this article does not replace a specialist, which will help you do everything as you need and specifically for your goals and objectives.


Before proceeding with the analysis of 152-FZ, you should know that there is also Law 242-FZ, which entered into force on September 1, 2015 and which amended another, fundamental source of law: Federal Law No. 152, adopted in July 2006. The adoption of the law on “localization of personal data” received wide coverage in the media, as a result of which two main myths about Federal Law No. 242-FZ arose:

  • Russians are no longer allowed to post their personal data (websites) abroad;
  • all foreign companies were banned from receiving and processing personal data of Russians on servers outside the Russian Federation.

Federal Law No. 242-FZ provides that “when collecting personal data, including through the Internet, the operator is obliged to ensure the recording, systematization, accumulation, storage, clarification (update, change), extraction of personal data of citizens of the Russian Federation using databases located on the territory of the Russian Federation”. In case of non-compliance, access to a site that does not carry out the primary collection and storage of personal data of Russian citizens in databases located within the jurisdiction of the Russian Federation may be restricted.

Is it possible to use hosting abroad

The law does not prohibit placing a website (database) on servers located in the territory of countries that have signed Council of Europe Convention ETS No. 108, nor the cross-border transfer of personal data. Part 2 of Article 12 of the Council of Europe Convention ETS No. 108 “for the Protection of Individuals with regard to Automatic Processing of Personal Data”, ratified by Russia, provides that the countries that have acceded to it will not prohibit or subject to special control flows of personal data going to the territory of another party to the Convention, and Article 25 prohibits any reservation to the Convention.

This means that the use of hosting abroad (not within the Russian Federation), as well as the storage and processing of personal data, is considered lawful if the hosting is located in one of the countries that have signed the Convention: Austria, Belgium, Bulgaria, Denmark, Great Britain, Hungary, Germany, Greece, Ireland, Spain, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Finland, France, Czech Republic, Sweden, Estonia, and also, as follows from the clarifications of Roskomnadzor, in countries providing adequate protection of personal data. These are countries that have national regulatory legal acts in the field of personal data protection and an authorized supervisory authority for the protection of the rights of personal data subjects: Andorra, Argentina, Israel, Iceland, Canada, Liechtenstein, Norway, Serbia, Croatia, Montenegro, Switzerland, South Korea, Japan.

Where personal data should be stored

Physically, the site and the database can be hosted in any country that has signed Council of Europe Convention ETS No. 108. The Law requires the operator to ensure the recording, systematization, accumulation, storage, clarification (updating, change) and extraction of personal data of citizens of the Russian Federation using databases located on the territory of the Russian Federation; however, the Law does not prohibit the storage of personal data of Russians on servers outside the territory of the Russian Federation. The only condition is that the personal data is initially collected and processed in the Russian Federation. But, we repeat, this does not prohibit the cross-border transfer of personal data and work with it in the countries that have signed the Convention.

Hosting Compliance JIHOST 152-FZ

Jihost fully complies with Federal Law 152 through the use of replication and cross-border transfer of personal data.

Schematically, the principle of operation is as follows:

On any change in the site database, including when personal information is entered, the database is replicated to a server located on the territory of the Russian Federation, which ensures the constant relevance and completeness of the data in accordance with the Law. The data is then replicated back to the local database of the server with which the site subsequently works. This circular pattern applies everywhere. If only reading data is required, it is read directly from the local database, without replication. Besides compliance with 152-FZ, this scheme improves the performance, fault tolerance and reliability of the hosting.
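The cross-border scheme described in the earlier section and in the Jihost description above comes down to one invariant: the database in the Russian Federation is the primary source, a write that cannot reach it must not land abroad, and the foreign copy must never hold records the Russian copy lacks. The model below, in Python, is an added example and not Jihost's or any provider's code; the `Store` class, the `LocalizedPdStore` wrapper, the outage flag and the sample records are all constructed to show the ordering and the completeness check.

```python
"""Model of "primary database in Russia, replica the site reads from" for cross-border transfer.

Added example with constructed classes and data; it is not code from any
hosting provider. Outages are simulated with an `available` flag.
"""
from typing import Dict, List, Optional


class Unavailable(RuntimeError):
    """Simulated outage of a database server."""


class Store:
    """A minimal key-value database with a declared jurisdiction (constructed)."""

    def __init__(self, name: str, jurisdiction: str) -> None:
        self.name = name
        self.jurisdiction = jurisdiction
        self.records: Dict[str, dict] = {}
        self.available = True

    def put(self, key: str, record: dict) -> None:
        if not self.available:
            raise Unavailable(self.name)
        self.records[key] = dict(record)

    def get(self, key: str) -> Optional[dict]:
        if not self.available:
            raise Unavailable(self.name)
        return self.records.get(key)


class LocalizedPdStore:
    """Writes go to the Russian primary first, then to the replica the site serves from."""

    def __init__(self, rf_primary: Store, local_replica: Store) -> None:
        if rf_primary.jurisdiction != "RU":
            raise ValueError("the primary database must be located in the Russian Federation")
        self.rf = rf_primary
        self.local = local_replica
        self.pending: List[str] = []  # keys recorded in RF but not yet replicated

    def write(self, key: str, record: dict) -> None:
        # Step 1: the RF database is the primary source. If it cannot be
        # updated, the write fails instead of existing abroad only.
        self.rf.put(key, record)
        # Step 2: replicate to the local database the site works with.
        # A replica outage defers replication; it never skips step 1.
        try:
            self.local.put(key, record)
        except Unavailable:
            self.pending.append(key)

    def sync_pending(self) -> int:
        """Replay deferred replications from the RF copy once the replica is back."""
        done = 0
        for key in list(self.pending):
            self.local.put(key, self.rf.get(key))
            self.pending.remove(key)
            done += 1
        return done

    def read(self, key: str) -> Optional[dict]:
        """Reads are served from the local database without touching the primary."""
        return self.local.get(key)

    def localization_violations(self) -> List[str]:
        """Keys held abroad whose RF copy is missing or differs.

        Any such key means personal data exists outside Russia without an
        identical, complete record in the Russian database.
        """
        return sorted(k for k, v in self.local.records.items() if self.rf.records.get(k) != v)


if __name__ == "__main__":
    rf = Store("msk-primary", "RU")       # constructed: primary in Moscow
    local = Store("fra-replica", "DE")    # constructed: replica next to the web server
    store = LocalizedPdStore(rf, local)
    store.write("u1", {"email": "ivan@example.ru"})
    local.available = False
    store.write("u2", {"email": "olga@example.ru"})   # recorded in RF, replication deferred
    local.available = True
    print("replayed:", store.sync_pending())
    print("violations:", store.localization_violations())
```

The `localization_violations` check is the piece worth running periodically in a real deployment: a record that reached the foreign replica by any path other than the Russian primary is exactly the situation the law's "primary source" requirement rules out.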

After the entry into force of clause 4, part 2, article 19 of Federal Law No. 152-FZ of July 27, 2006 “On Personal Data”, each enterprise is obliged to bring its information systems and processes related to the processing of personal data into compliance with the requirements of the legislation of the Russian Federation.

What does this mean for legal entities?

Organizations are obliged to ensure the protection of the rights and freedoms of individuals in the processing of their personal data, including the right to privacy and to personal and family secrets. In doing so they become “personal data operator organizations”. Compliance with the legislation is supervised by the Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor), FSTEC and the FSB of Russia.

The federal law applies to organizations of any form: government bodies, federal and municipal institutions, banks, insurance companies, medical institutions, telecom operators, online stores, retail chains, manufacturing companies and any other organization that processes personal data received from employees, customers and other individuals and legal entities.

The responsibilities of the operating organization include:

  • ensuring the legality of the processing of personal data;
  • building a personal data protection system in accordance with the requirements of the FSTEC and the FSB of Russia;
  • sending a notification to Roskomnadzor;
  • development of internal documentation;
  • carrying out attestation tests or conformity assessment;
  • systematic updating of the personal data protection system.

Often, this turns out to be a difficult and costly task, including due to the need to obtain a document confirming the effectiveness of the measures taken to protect personal data. That is why most companies prefer to optimize this process by looking for a reliable partner with a turnkey solution in an external virtual infrastructure.

To help all legal entities on the territory of Russia comply with FZ-152, we, in cooperation with the WELLSERVICE company, offer a less costly and time-consuming solution: transferring personal data storage and processing systems to a secure cloud, which we call “ISPD in the cloud”.

Servers for personal data information systems (ISPD) are provided to any company located in, and resident of, the Russian Federation.

What is ISPD in the cloud?

The product “ISPD in the cloud” is a separate protected virtual server, at the tariff you choose, fully compliant with the requirements of FZ-152.

Each "ISPD in the cloud" is a completely isolated object. This means that access to your ISPD by the hosting provider is blocked using certified security tools and is absolutely confidential!

The confidentiality of the processed information is achieved through:

  • Access to data located on the “ISPD in the cloud” is restricted by means of protection against unauthorized access certified by FSTEC of Russia and by functions of the virtual machine hypervisor (which is part of the certified protection means).
  • Data transmitted over communication channels from the terminal of the personal data operator to the network interface of the virtual machine is encrypted using a cryptographic information protection facility (SKZI, also rendered CIPF) certified by the FSB of Russia. Disk images of virtual machines are also encrypted using the CIPF.
  • None of the data centers holds any access keys to the CIPF located in the client's virtual machine. For example, to boot the operating system on the VPS, the client independently enters the password for the cryptocontainer holding the system partition; this is implemented with an operating system loader developed by our company for the virtual machine. The user of the virtual machine can regenerate the access keys at any time on their own, with the cryptocontainer re-encrypted accordingly.
  • The availability and integrity of the processed information is ensured by redundant communication channels, reliable storage systems, cooling equipment and uninterruptible power supplies. Our partners are among the best data centers in Russia: Miran, IXCellerate, KIAEHOUSE.

What does "ISPDn in the cloud" give to companies in Russia?

Simple procedure: we undertake the whole complex of organizational, legal and technical work: development of a security threat model, the concept of the protection system, the certification methodology, the certification tests themselves and issuance of a certificate of conformity. By choosing our ISPD in the cloud product, you will NOT NEED TO OBTAIN THE CONSENT OF PERSONAL DATA SUBJECTS when collecting them.

Substantial savings: our product frees the customer company from the costs of creating and owning a secure IT infrastructure for storing, processing and protecting personal data. Moreover, since ISPD in the cloud is provided as a service, the customer company has no capital costs.

Our advantages:

  • the secure system “ISPD in the cloud” has passed all the necessary certifications, as it fully complies with all the requirements of the legislation of the Russian Federation in the field of personal data;
  • full compliance of all hardware, software and network elements of the system with the requirements of FSTEC and the FSB of Russia;
  • you will not need to obtain the consent of personal data subjects when collecting them;
  • consultations and support at all stages of implementation and work with the product;
  • a full package of organizational, administrative and regulatory documents;
  • no capital costs.

What is the service delivery process?

  1. Registration of a representative of the customer company on our website and subsequent completion of an application form for the ISPD in the cloud service: the need for certification, details of the organization, type of activity.
  2. Depending on the requirements of your ISPD, you choose the appropriate tariff plan with the necessary server parameters: disk space and RAM.
  3. Conclusion of an agreement for the provision of the “ISPD in the cloud” service and payment.
  4. Based on the data provided, we prepare for you a set of organizational, administrative and regulatory documents, including the regulation on personal data, the ISPD classification act, the threat model and other necessary documents. A specialist of our company checks that these documents are filled in and approved correctly.
  5. We agree with you on the date of the on-site attestation of the workplace. After the specialist visits and checks all the requirements for the workplace, you receive a certificate of conformity and the entire package of documents certifying the full compliance of your ISPD with the requirements and norms of No. 152-FZ “On Personal Data” and all by-laws.


Our licenses and certificates


* The cost of a secure ISPD server with a package of documents and an attestation procedure when paid for 1 year.

Secure infrastructure for the storage and processing of personal data under the listed tariff plans is sold with a minimum term of 1 year.

When ordering the first server in ISPD, an installation fee of 11,300 rubles is charged.

Since the server is not on your premises, you have no access to it and, even more so, no way to influence the data center's policy, so you simply cannot fulfil a number of the legal requirements yourself. Only one option remains: find a hosting provider that meets the requirements of the law.

I'm on Beget now; I wrote them a letter about their FSTEC license for the protection of confidential information. They answered vaguely, like “I'm not me and it's not my house, we're just these and in general we shouldn't...” To summarize, they don't have a license, which means that by and large a site that collects personal data cannot be kept there. I looked around the Internet (not very thoroughly yet) and so far found only RU-CENTER with a license.

License for the development and (or) production of confidential information protection tools
License No. 0917 dated September 20, 2011

License for activities in the technical protection of confidential information
License No. 1594 dated September 20, 2011
Copyright holder: Joint Stock Company “Regional Network Information Center”
License term: unlimited

Hosting of confidential information in RU-CENTER

From March 6, 2012 RU-CENTER provides a new service: hosting of confidential information.
Hosting of confidential information is the placement of a site on the Internet with the use of additional measures to protect information.
This service allows you to fulfil a number of mandatory requirements of the current legislation (Law N 152-FZ) that apply when processing personal data.
In addition to the main methods of data protection and information storage used in other RU-CENTER services, confidential information hosting offers:

  • specialized certified equipment that allows a number of information protection actions to be carried out during network access;
  • additional restriction of physical access to the equipment on which the service is provided;
  • daily backup (2 copies);
  • accounting for the physical media used;
  • a dedicated MySQL instance for each service.

The main consumers of the new service are small and medium-sized businesses, online stores, forums, marketing research systems and many other Internet resources that, when processing and storing users' personal data, must comply with the requirements of the legislation of the Russian Federation (Law N 152-FZ).

The question is, how are they in terms of quality?
And if anyone finds other hosters with an FSTEC license to protect confidential information, post it in this thread.
