maxvape, 2019-12-13 21:31:42
CRM

CRM. How to comply with the law on personal data?

The organization uses an internal CRM. Clients are issued plastic cards, which are linked by barcode to records in this CRM. The data (full name, date of birth, contact phone number) is filled in by the operator from the client's own words, under dictation; the correctness of the data is not checked (no identity card is requested). The operator also takes a photo of the client; I don't know why, a whim of the management.
Before registration, the client also signs in the TB log and, separately, in the form on the voluntary transfer of personal data.
Now, to the actual question: the CRM is an ordinary desktop client talking to a REST API on an ordinary rented VDS. The interaction takes place over HTTPS with authorization by a client certificate plus a login-password pair.
Interaction with the server does not go over a VPN channel. The server itself, although located in the Russian Federation, as I understand it does not meet the requirements for storing PD in any way.
There are actually several questions:

  1. Is the law on PD violated?
  2. Do the developers bear any responsibility for non-compliance with the Federal Law? (This is not explicitly stated anywhere in the contract, except for the clause "... must develop a product of adequate quality in accordance with the TOR ...")
  3. What minimum steps need to be taken to comply with the law on PD in the described situation?
  4. What consequences of inaction should be described to the customer, and within what time frame?

Thanks in advance for your replies


1 answer(s)
Dimonchik, 2019-12-14
@dimonchik2013

something like this
and yes, more paperwork, with deliberate dates and actions
