Law in IT
LavTeam, 2015-07-27 13:26:25

FZ-152. Site requirements?

Good afternoon.
I am about to launch a project with open registration, where users can enter their personal data.
I really would not want to be penalized under FZ-152.
Apart from hosting it on the territory of the Russian Federation, what else should I do?
Somewhere I read that certification of software and equipment by the FSB is required.
In general, is being located on the territory of the Russian Federation enough?
PS: the minimum will be date of birth, name, email.

4 answer(s)
Max, 2015-07-27
@LavTeam

Follow the example of Russian Railways: make the user agree to having their PD treated as publicly available.
Plus, if you only have a name (not a full name), I would try to call this case anonymized personal data: you can't identify a person from just a name + date of birth + email.

LavTeam, 2015-07-27
@LavTeam

To Max @MaxDukov
That item has already been removed from the rules.
It was there in May; it isn't now.

other_letter, 2015-07-27
@other_letter

Oh... Well, let me tell you without going into details: unrealistic. There is certainly enough documentation and instructions by now. But overall, everything is set up as if to milk money: you need N certified specialists, you may only deal with organizations from the list, lots of software and equipment, lots of inspections, and so on.
So if I were starting something like this, I would declare a focus on non-citizens of the Russian Federation and would be hosted somewhere outside the jurisdiction. Otherwise... an inspection will come on a complaint (from some Ivanov I.I.; in that case they don't need to give you notice), find that you have uncertified protection against water leaks in the toilet, and shut down all the servers.

Nikita, 2015-08-06
@TheWolf

Everything is simple here:
1. Your main adversary is Roskomnadzor. FSTEC and the FSB won't come to you, don't worry. The RKN publishes its inspection plan, and believe me, it is not that easy to end up on it.
There are 2 scenarios: 1. You end up on the inspection plan. 2. An unscheduled inspection following an incident (a PD leak, a complaint from a PD subject, ...). Also, the RKN may come to inspect only after 3 years of the company's existence, unless, of course, some incident has occurred.
2. The RKN does not dig into the technical side, i.e. how exactly something is configured, which tools are used and why. First of all they check the security documents (the Operator's policy, instructions for those responsible, filled-in logs, etc.) and check for the presence of a Threat Model and a technical design.
3. It is indeed possible to make PD publicly available with the subject's consent, but this will not let you NOT protect the PD: at a minimum, integrity and availability will have to be ensured.
In summary, you need to:
1. Submit a notification to the RKN that you are an operator.
2. Develop a set of regime documentation in accordance with the requirements of the regulations.
3. Write documents on technical protection. Here you need to understand that the words "certification" and "attestation" are irrelevant for you. You need not worry about that and can work with a clear conscience.
