Frequently asked questions (FAQ)
1. What is the core of the FZ-152 cloud service?
We have built a protected segment in our data centre that has been attested in accordance with Federal Law-152 and holds a certificate of compliance for personal data protection up to and including security level 1. We also help our customers resolve compliance issues from the technical side.
Public institutions may also be interested in the Class 1 Certificate of Conformity for government information systems (under FSTEC Order No. 17) and the Class 1Г Certificate for confidential information protection (under СТР-К).
2. Who is a personal data operator according to Federal Law No. 152?
According to FZ-152, a personal data operator is a legal entity, natural person, or state or municipal authority that collects and processes personal data for purposes other than labour law purposes, and that determines the purpose and content of that processing.
3. What is the purpose of the Federal Law No. 152 on Personal Data?
The purpose of Federal Law-152 "On Personal Data" is defined in Article 2 of Federal Law No. 152-FZ of 27.07.2006 (as amended on 31.12.2017): "The purpose of this Federal Law is to protect the rights and freedoms of individuals and citizens in the processing of their personal data, including the protection of the rights to privacy, personal and family secrets."
4. Who is subject to the requirements of FZ-152?
FZ-152 applies to every business, state or municipal body, and individual that processes personal data for purposes other than complying with labour law requirements.
Sectors in which personal data processing is a core activity:
- Medicine (public and private)
- Educational institutions
- Financial institutions
- Insurance companies
- Cellular service providers
- Travel agencies
- Recruitment agencies
- Passenger transportation
- Real estate companies
- HR department and accounting department of any company
5. What is the legal liability for breach of FZ-152?
Liability for failure to comply with the requirements of Federal Law-152 is determined by the text of the document itself, as well as by the recent Federal Law FZ No. 405 "On Amendments to Certain Legislative Acts of the Russian Federation".
6. What are the penalties, including fines, for violating FZ-152?
Fines and other penalties under FZ-152 are currently stipulated by Federal Law No. 405-FZ "On Amendments to Certain Legislative Acts of the Russian Federation", which came into force on 02 December 2019.
The offence is defined in Article 13.11 of the Code of Administrative Offences (CAO): "Failure by the operator, when collecting personal data..., to ensure recording, systematisation, accumulation, storage, clarification (update, change) or retrieval of personal data of Russian citizens using databases located in the Russian Federation".
The administrative fine for a first violation is up to 50,000 roubles for citizens, up to 200,000 roubles for officials and up to 6,000,000 roubles for legal entities. A repeat violation raises the fine 2x or even 4x: up to 100,000 roubles for citizens, up to 800,000 roubles for officials and up to 18,000,000 roubles for legal entities.
7. How much does it cost to protect personal data according to Federal Law № 152?
The cost of organising protection depends on whether you decide to "build" and certify the infrastructure yourself or turn to a cloud provider. Based on our experience with customers, renting cloud resources is often 30-50% cheaper over a 2-5 year horizon.
The cost is calculated individually for the customer, taking into account the volume, security level and time of deployment.
8. Can you help prepare the documentation?
Yes, we can (we provide ready-made templates or take care of the entire preparation process turnkey).
9. How is the data transfer channel organised?
The channel is encrypted with Russian GOST algorithms and terminated on a ViPNet coordinator.
10. Is it considered excessive to store the personal data of different organisations in a single database?
In practice, maintaining a single personal data database for several organisations is a popular solution. But does it comply with Article 5 of Federal Law 152-FZ in terms of data redundancy? Won't the personal data of one company's employees be considered excessive in relation to the other company? How should the documents be drawn up for each organisation if the ISPN (personal data information system) is shared and the information in it is therefore redundant?
In fact, redundancy concerns specifically the composition of the subject's personal data. For example, information on medical diagnoses or biometric data is excessive for the purpose of concluding an employment contract: storing such data does not correspond to the stated purposes.
There are no restrictions that would prohibit different entities from processing personal data in the same information system. Many Internet services use this model, for example the Bitrix24 CRM.
However, in this case it is important that the administrator of the information system has built the protection system accordingly, so that one organisation's data is not accessible to users of another.
You can find answers to your questions in our Knowledge Base. If you can't find an answer to your question, ask our consultants using the online chat or send a request using the support ticket system.