Personal data processing policy constructor. How to create a terms of use and business privacy policy What better to call it - an offer, an agreement on the processing of personal data or a privacy policy

Margarita Ledovskikh

I am glad to welcome you on our website. My name is Margarita Ledovskikh, I am a media lawyer. I have been working in the field of information law for 19 years, of which 6 years I have been managing the Law on the Net project.

Site search

We provide services for registering sites as mass media

Preparatory Stage First, you need time for preparatory activities. I am writing about this because sometimes these points are not taken into account. Founders-individuals at least need to visit a bank and a notary to make notarized copies of documents. You will say that you can pay through an online bank without leaving your home, and this is the purest truth, but even in this case, you need to go to […]

Prepare documents for your website

When the customer, after you have provided him with a service, signed the act, you have documentary evidence of the fulfillment of obligations in your hands. And if suddenly the customer starts to refuse that he accepted the result of the work, you can remove all questions with this document. But in the case of remote services, such as online education or Skype consultations, acts are not signed. At […]

Due to numerous requests from working webmasters and site owners, we have published a free sample Privacy Policy for sites with a form feedback, subscription or order a call.

We decided to take this step because given form The policy does not provide for processing personal data, and as a result does not imply a large variability of the solution. It is important to remember that it is not suitable for sites that process PD. For example, online stores and other services where, in addition to a phone number or email, the user additionally provides other information about himself, require more attention to the processing of personal data.

Therefore, we thought about the options for compiling a "people's" Privacy Policy. simple pattern you won't get around here. We took as a basis the Recommendations of Roskomnadzor (hereinafter referred to as the "Recommendations"), published in 2017, on the preparation of a document defining the operator's policy regarding the processing of personal data (hereinafter referred to as the "Policy"). Complemented with live examples.

Let's see what happened.

Section 2 cites the main concepts from the Federal Law “On Personal Data”. We pass as useless. If you wish, it is better to introduce your own terms into the Policy, clarifying the legal ones.

In section 3, the long-awaited advice on the structure and content of the Policy finally came. Let's dwell on them in detail.

1. General provisions of the Policy

In this section, it is recommended to describe the purpose of the Policy, as well as include the basic concepts used in it (processing of personal data, operator, subject of personal data, confidentiality of personal data, etc.), list the main rights and obligations of the operator and subject (s) of personal data.

So let's start with definitions. In order not to repeat Federal Law 152, we suggest making references to specific clauses and sections of the Policy that specify the concepts used. Below is an example with the terms and definitions of the Privacy Policy for an online store.

1.1. In this document and the resulting or related relations between the Parties, the following terms and definitions apply:

Personal Information- data provided by the subject of personal data or his representative, the volume and composition of which are specified in clause X.X. Politicians.

Administration- Romashka LLC, TIN XXX, OGRN XXX, Address: XXXXXX, in the legal possession and / or management of which the Site is located. In the cases provided for in this Policy, the Administration acts as a personal data operator.

User- a person using the Site for the purpose of concluding and/or executing Agreements.

3. Legal grounds for the processing of personal data

According to the clarification of Roskomnadzor, the legal basis for the processing of personal data is a set of legal acts, in accordance with which and in accordance with which the operator processes personal data.

In the presence of the above link, the contracts concluded between the operator and the subject of personal data may be indicated as the legal basis for the processing of personal data.

If PD is processed for other purposes, a separate consent to the processing of personal data must be indicated as the basis.

4. Scope and categories of processed personal data, categories of personal data subjects

Roskomnadzor warns that the content and scope of the processed personal data must comply with the stated purposes of processing. The processed personal data should not be excessive in relation to the stated purposes of their processing.

First of all, we indicate the data from the fields of online feedback forms, order, subscription and registration. Then we pay close attention to the composition of the information entered by the user when filling out the profile in the personal account.

Additionally, we indicate the data that is requested by the support or sales department when filling out or processing applications by phone or at service points.

5. Procedure and conditions for processing personal data

Choose. Federal Law 152 provides for the following list of operations with personal data: collection, recording, systematization, accumulation, storage, clarification (updating, changing), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data.

Processing methods may include:

a) automated processing of personal data

b) processing of personal data without the use of automation tools.

According to the definition given in Federal Law 152, automated processing of personal data is the processing of personal data using means computer science.

It would seem that any actions with PD performed using computer technology fall here. But not everything is so simple. We look at the Regulations on the features of the processing of personal data carried out without the use of automation tools, approved by Decree of the Government of the Russian Federation of September 15, 2008 N 687.

Clause 1 states that the processing of personal data contained in information system personal data or extracted from such a system (hereinafter - personal data), is considered to be carried out without the use of automation tools (non-automated), if such actions with personal data as the use, clarification, distribution, destruction of personal data in relation to each of the subjects of personal data are carried out with direct human participation.

The processing of personal data cannot be recognized as carried out using automation tools only on the basis that personal data is contained in the personal data information system or has been extracted from it (clause 2).

In other words, if the PD is not used, specified, distributed or destroyed in the PDTI of your site in automatic mode without human intervention, you can safely choose the second processing method - the processing of personal data without the use of automation tools.

The result of this simple action there will be a legal waiver of the application of the draconian requirements of Federal Law 152 for processing the automated processing of PIT in the information system.

With regard to the processing time of PD we propose to indicate at least the duration of the contract, in pursuance of which the PD was requested. It is possible to add to the term of the contract 3 years of limitation period for the protection of rights in connection with its execution.

Roskomnadzor reminds that when storing personal data, the operator of personal data is obliged to use databases located on the territory Russian Federation, in accordance with Part. 5 Article. 18 of the Federal Law "On Personal Data". It is not necessary to reflect this item in the Policy, since it is related to the actual circumstances. Although, for the sake of formality, a declarative article on the processing of PD in Russia can be included in the Policy.

• The user has expressed his consent to such actions;
• The transfer is required for the conclusion and performance of contracts on or using the Site;
• At the request of a court or other authorized state body within the framework of the procedure established by law
• To protect the rights and legitimate interests in connection with the violation of agreements concluded with the user.

Within certain limits, this list can be expanded to include cases of the sale of the Site or the transfer of PD in an impersonal form.

In addition, Roskomnadzor recommends specifying in this section of the Policy information on compliance with the confidentiality requirements for personal data established by Art. 7 of the Federal Law "On Personal Data", as well as information on the adoption by the operator of the measures provided for in Part 2 of Art. 18.1, part 1 of Art. 19 of the Federal Law "On Personal Data".

In practice, this information boils down to a statement that the Site administration stores Personal Data and ensures its protection from unauthorized access and distribution in accordance with internal rules and regulations.

6. Update, correction, deletion and destruction of personal data, responses to requests from subjects for access to personal data

Roskomnadzor recommends that the Policy include the regulation(s) for responding to requests/appeals from personal data subjects and their representatives, authorized bodies regarding the inaccuracy of personal data, the illegality of their processing, withdrawal of consent and access of the personal data subject to their data, as well as the relevant request forms/ appeals.

In such cases, it is usually indicated that the user has the right to independently edit the information provided by him in his personal account at any time. In the event of termination of the concluded agreement, the user has the right to delete his own Personal Area on your own or by contacting the support service at Email [email protected].

If you wish, you can tighten the terms of the regulations for processing requests to change/delete PD, requiring the user to send valuable letters to your address in Bobruisk.

7. Processing of anonymous data

Noteworthy is the fact that Roskomnadzor, as always, bypassed the issue of processing no less important data for users, which are not considered personal. We are talking about information collected on the site in automatic mode: cookies, IP, information about the device and its location, etc.

Apparently, Roskomnadzor stubbornly does not want to disclose the composition of PD, even by exclusion through information that is not personal. However, in practice, it is customary to include a notice and the procedure for processing such data in the Privacy Policy in order to most fully inform the user about the consequences of using the site.

Below is an example of such a notification.

You acknowledge and accept the use of the Site software third parties, as a result of which such persons can receive and transmit data in an anonymized form.
This third party software includes Google Analytics visitor statistics collection systems.

The composition and conditions for collecting anonymized data using third-party software are determined directly by their copyright holders and may include:

• browser data (type, version, cookie);
• device data and its location;
• operating system data (type, version, screen resolution);
• request data (time, referral source, IP address).

A full description of the conditions for processing anonymized data can be found in the sample Privacy Policy, with which we began our article.

We wish you success in developing your own Privacy Policy in accordance with the recommendations of Roskomnadzor and the approaches developed in practice.

1. General provisions

This personal data processing policy has been drawn up in accordance with the requirements of the Federal Law of July 27, 2006. No. 152-FZ "On Personal Data" and determines the procedure for processing personal data and measures to ensure the security of personal data of Mikhailov Ivan Sergeevich (hereinafter referred to as the Operator).

1. The operator sets as its most important goal and condition for the implementation of its activities the observance of the rights and freedoms of a person and a citizen in the processing of his personal data, including the protection of the rights to privacy, personal and family secrets.
2. This Operator's policy regarding the processing of personal data (hereinafter referred to as the Policy) applies to all information that the Operator can receive about visitors to the https://mysite.ru website.

2. Basic concepts used in the Policy

1. Automated processing of personal data - processing of personal data using computer technology;
2. Blocking of personal data - temporary suspension of the processing of personal data (unless the processing is necessary to clarify personal data);
3. Website - a set of graphic and informational materials, as well as computer programs and databases that ensure their availability on the Internet via network address https://mysite.ru ;
4. Information system of personal data - a set of personal data contained in databases and providing their processing information technologies And technical means;
5. Depersonalization of personal data - actions, as a result of which it is impossible to determine without using additional information belonging of personal data to a specific User or other subject of personal data;
6. Processing of personal data - any action (operation) or a set of actions (operations) performed with or without the use of automation tools with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, changing), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data;
7. Operator - a state body, municipal body, legal or individual, independently or jointly with other persons organizing and (or) carrying out the processing of personal data, as well as determining the purposes of processing personal data, the composition of personal data to be processed, actions (operations) performed with personal data;
8. Personal data - any information relating directly or indirectly to a specific or identifiable User of the website https://mysite.ru;
9. User - any visitor to the website https://mysite.ru;
10. Providing personal data - actions aimed at disclosing personal data to a certain person or a certain circle of persons;
11. Dissemination of personal data - any actions aimed at disclosing personal data to an indefinite circle of persons (transfer of personal data) or familiarizing with personal data of an unlimited number of persons, including the disclosure of personal data in the media, placement in information and telecommunication networks or providing access to personal data in any other way;
12. Cross-border transfer of personal data - transfer of personal data to the territory of a foreign state to an authority of a foreign state, a foreign natural or foreign legal entity;
13. Destruction of personal data - any actions as a result of which personal data is irretrievably destroyed with the impossibility of further restoration of the content of personal data in the information system of personal data and (or) as a result of which material carriers of personal data are destroyed.

3. The Operator may process the following personal data of the User

1. Full Name;
2. Phone number;
3. E-mail address;
4. The site also collects and processes anonymous data about visitors (including cookies) using Internet statistics services (Yandex Metrika and Google Analytics and others).
5. The above data further in the text of the Policy are united by the general concept of Personal data.

4. Purposes of personal data processing

1. The purpose of processing the User's personal data is the conclusion, execution and termination of civil law contracts; providing the User with access to the services, information and/or materials contained on the website https://mysite.ru; clarification of order details.
2. The Operator also has the right to send notifications to the User about new products and services, special offers and various events. The user can always refuse to receive informational messages by sending an email to the Operator [email protected] marked "Opt out of notifications about new products and services and special offers."
3. Impersonal data of Users collected using Internet statistics services are used to collect information about the actions of Users on the site, improve the quality of the site and its content.

5. Legal grounds for the processing of personal data

1. The Operator processes the User's personal data only if they are filled in and / or sent by the User independently through special forms located on the site https://mysite.ru. By filling out the relevant forms and / or sending their personal data to the Operator, the User expresses his consent to this Policy.
2. The Operator processes anonymized data about the User if it is allowed in the User's browser settings (saving cookies and using JavaScript technology is enabled).

6. The procedure for collecting, storing, transferring and other types of processing of personal data

The security of personal data processed by the Operator is ensured through the implementation of legal, organizational and technical measures necessary to fully comply with the requirements of the current legislation in the field of personal data protection.

1. The Operator ensures the safety of personal data and takes all possible measures to exclude access to personal data of unauthorized persons.
2. The User's personal data will never, under any circumstances, be transferred to third parties, except in cases related to the implementation of applicable law.
3. In case of detection of inaccuracies in personal data, the User can update them independently by sending a notification to the Operator to the Operator’s e-mail address [email protected] marked "Updating personal data".
4. The term for processing personal data is unlimited. The User may at any time revoke his consent to the processing of personal data by sending a notification to the Operator by e-mail to the Operator's email address. [email protected] marked "Withdrawal of consent to the processing of personal data".

7. Cross-border transfer of personal data

1. Before the start of the cross-border transfer of personal data, the operator is obliged to make sure that the foreign state, to whose territory it is supposed to transfer personal data, ensures reliable protection rights of personal data subjects.
2. Cross-border transfer of personal data on the territory of foreign states that do not meet the above requirements can be carried out only if there is a written consent of the subject of personal data to the cross-border transfer of his personal data and / or execution of an agreement to which the subject of personal data is a party.

8. Final provisions

1. The user can get any clarifications on issues of interest regarding the processing of his personal data by contacting the Operator via e-mail [email protected].
2. IN this document any changes in the personal data processing policy by the Operator will be reflected. The policy is valid indefinitely until it is replaced by a new version.
3. The current version of the Policy in the public domain is located on the Internet at https://mysite.ru/policy/.

This Privacy Policy (hereinafter referred to as the Policy) is an annex to the User Agreement and determines the procedure for processing and protecting personal information about Users that Mann, Ivanov and Ferber Limited Liability Company (hereinafter referred to as the Administration) may receive during their use Administration Service (hereinafter referred to as Services).

Before using the Service, users should read the terms of this Privacy Policy.

1. General Provisions

1.1. Using the Service in any form means the User's unconditional consent to the terms of this Privacy Policy and the conditions for processing his personal information specified therein. In case of disagreement with the terms of the Privacy Policy, the User must refrain from using the Service.

1.2. The Privacy Policy (including any of its parts) may be changed by the Administration without any special notice and without payment of any compensation in connection with this. The new version of the Privacy Policy comes into force from the moment it is posted on the Administration website.

1.3. By accepting the terms of this Policy, the User expresses his consent to the processing by the Administration of data about the User for the purposes provided for in this Policy, as well as to the transfer of data about the User to third parties in the cases listed in this Policy.

The specified consent can be revoked by the User only if he notifies the Administration in writing at least 180 days before the expected date of termination of the use of data by the Administration.

Using the Service using a web browser that accepts data from cookies means the User's consent to the fact that the Administration can collect and process data from cookies for the purposes provided for in this Policy, as well as to transfer data from cookies to third parties in the cases listed in this Policy.

Disabling and / or blocking by the User of the web browser option to accept data from cookies means a prohibition on the collection and processing by the Administration of data from cookies in accordance with the terms of this Privacy Policy.

1.4. As a general rule, the Administration does not verify the accuracy of the personal information provided by Users. At the same time, in the cases provided for by the User Agreement, the User is obliged to provide confirmation of the accuracy of the personal information provided by him about himself.

2. The composition of information about Users that the Administration receives and processes

2.1. This Policy applies to the following types of personal information:

2.1.1. Personal information posted by Users, incl. about yourself when filling out the form for sending a message, other personal information, access to which the User provides the Administration through websites or services of third parties, or personal information posted by Users in the process of using the Service. The personal information obtained in this way may include, in particular, the last name, first name, telephone number, e-mail address of the User, address for delivery of the order. Other information is provided by the User at his discretion.

It is prohibited for the User to provide personal data of third parties without permission from third parties for such distribution, or if such personal data of third parties were not obtained by the User from publicly available sources of information.

2.1.2. This Policy also applies to candidates for existing vacancies of the Administration, along with other Users. Candidates for vacancies, by sending a resume to the Administration using the Service, or by e-mail, for the purpose of passing an interview and further employment, thus express their consent to the processing of the following personal data: last name, first name, patronymic, date of birth, citizenship, city of residence, contacts ( telephone, e-mail address), place of work and dates of work, as well as other data indicated by candidates for vacancies in the resume.

2.1.3. The Seller guarantees the Buyer the confidentiality of the following personal information about the Buyer:

- information about the user's card (last 4 digits);

- information about purchases and orders.

The specified information is transferred by the Seller to third parties solely for the purpose of making payment for the order payment system; other cases of transfer of the specified information to third parties are not allowed.

2.1.4. Data automatically transmitted to the Service in the course of their use using the software installed on the User's device, incl. IP address, individual device network number (MAC address, device ID), email serial number(IMEI, MEID), cookie data, browser information, operating system, access time, search queries User.

2.1.5. Data additionally provided by the Users at the request of the Administration in order to fulfill the obligations of the Administration to the Users regarding the use of the Service.

2.1.6. Other information about Users, the collection and / or processing of which is established by the user agreement of the Administration.

3. Purposes of collecting and processing information about Users

3.1. The Administration collects and processes only that information about Users, incl. their personal data, which is necessary to fulfill the obligations of the Administration to provide the Service, answer the question asked by the User when sending a message using the Service, as well as fulfill the obligations stipulated by the user agreement.

3.2. The Administration may use the personal information of Users for the following purposes:

3.2.1. identification of the party within the framework of agreements between the User and the Administration.

3.2.2.providing services to Users using the Service and to fulfill their obligations to them, incl. clarification of payment data, processing of orders and requests and further improvement of the Service, development of new services and services.

3.2.3. informing Users about the appearance of new materials on the Site, sending requests regarding the use of the Service, feedback from the User.

3.2.4. performing marketing tasks, conducting statistical and other research based on anonymized data,

3.2.5. informing the User through electronic mailing lists. By providing his data, the User agrees to receive advertising and informational messages and service messages(mailing).

3.3. The purposes of processing personal data of candidates for vacancies are:

— Ensuring compliance with the requirements of the legislation of the Russian Federation.
– Solving employment issues, registration and regulation of labor relations.
— Reflection of information in personnel documents.
— Other purposes of PD processing may be approved by the order of the Operator.

3.4. Mobile applications may collect anonymous data about the user's location in order to provide a more correct work with the choice of payment method. Mobile applications may collect anonymous usage statistics.

3.5. The User hereby expresses his consent to the transfer of personal information about him to the partners of the Administration, third parties for the purposes provided for in clause 3.2 of this Privacy Policy.

3.6. If it is necessary to use personal information about the User for purposes not provided for by this Policy, the Administration requests the User's consent to such actions.

4. Processing information about Users

4.1. Personal information about Users is stored in accordance with applicable law.

4.2. Personal information about Users is not transferred to third parties, except for the following cases:

4.2.1. The user has agreed to such actions.

4.2.2. The transfer is necessary in order to ensure the functioning of the Service and / or its individual functionality.

4.2.3. The transfer is subject to applicable law.

4.2.4. In order to ensure the possibility of protecting the rights and legitimate interests of the Administration and / or third parties in cases where the User violates the terms of the user agreement.

4.2.5. If the Administration takes part in a merger, acquisition or any other form of sale of some or all of its assets. At the same time, all obligations to comply with the terms of this Policy are transferred to the purchaser of the Administration's assets.

4.3. The User is hereby notified and agrees that the Administration may receive personal data of third parties that are provided by the User when using the Service and use them to implement certain functions of the Service, provided that the User guarantees the consent of third parties, data about which are provided by the User when using the Service, for processing by the Administration, for the purposes provided for in this Policy, as well as for the transfer of such data in the cases listed in this Policy.

4.4. In addition, the User is hereby notified and agrees that the Administration may receive statistical anonymized (without reference to the User) data on the User's actions when using the Service.

4.5. Users have the right, upon request, to receive information from the Administration regarding the processing of their personal data.

5. Measures to protect information about Users

5.1. The Administration takes all necessary and sufficient organizational and technical measures to protect personal information about Users from unauthorized or accidental access to them, destruction, modification, blocking, distribution of personal information, as well as from other illegal actions with it. These measures include, in particular, internal review of data collection, storage and processing processes and security measures, including measures to ensure the physical security of data to prevent unauthorized access to personal information.

5.2. When processing personal data of Users, the Administration is guided by the Federal Law "On Personal Data" dated July 27, 2006 No. 152-FZ.

6. Final provisions

6.1. This Policy, the relationship between the User and the Administration arising in connection with the application of this Policy, as well as issues not regulated by this Policy, are governed by the current legislation of the Russian Federation.

Part 3

Compliance with legal requirements for privacy policy

Do you need a privacy policy? You collect personal information about customers, whether it be website operations or a page in in social networks? Then you must draw up and abide by a privacy policy. In other words, these will be your terms of collection, use, transfer and protection of third party data. The Consumer Protection Bureau describes the importance of privacy and policies on their website. The US Small Business Administration also recognizes the importance of privacy and confidentiality, as stated on the organization's website.

Review the types of clauses in the privacy policy. The privacy policy contains a number of different provisions. It includes, but is not limited to, these provisions:

Make sure you don't make promises that you can't deliver. Very often people make a serious mistake using a phrase like "We do not provide your personal information to third parties." Alas, sales transactions and Internet transactions as such do not leave the possibility of avoiding the exchange of this information. For example, an intermediary bank that processes payments credit card client, must have at least some information about the client. Such statements can cost you dearly, so it is important that the privacy policy is reviewed by a professional lawyer.