A
A
Alexander2013-02-15 23:46:54
Law in IT
Alexander, 2013-02-15 23:46:54

Third party personal data

Goodnight.
I decided to implement one idea, and without going into details, one person can send a regular paper letter to another using a web service. In this idea, I am concerned about the issue of fulfilling the requirements of 152-FZ: The address and full name of the recipient, in fact, are personal data. The law says in black and white that the processing of PD requires the written consent of the subject. But even theoretically you can’t get it, because a completely different person sends a letter. It is he who enters the address and the recipient, i.e. actually gives me the PD of another person.

How to deal with this issue from a legal point of view? Is there a way to somehow make such a service white and fluffy for the Regulator?

Answer the question

In order to leave comments, you need to log in

6 answer(s)
A
Andrew, 2013-02-16
@OLS

In the new version of the Law on Personal Data (dated July 2011), if person “A” (whether legal or natural) entrusts you with the processing of personal data of person “B”, then it is person “A” who is responsible for the fact that he has permission from person "B" to transfer his data to you.
At the same time, you are a “PD processor”, and person “A” is a “PD operator”.
Parts 3, 4, 5 of Article 6 (new edition):
3. The operator has the right to entrust the processing of personal data to another person with the consent of the subject of personal data, unless otherwise provided by federal law, on the basis of an agreement concluded with this person, including a state or municipal contract, or by adopting a relevant act by a state or municipal body (hereinafter operator's order). A person who processes personal data on behalf of the operator is obliged to comply with the principles and rules for the processing of personal data provided for by this Federal Law. The instruction of the operator must define a list of actions (operations) with personal data that will be performed by the person processing personal data, and the purposes of processing,
4. The person processing personal data on behalf of the operator is not required to obtain the consent of the subject of personal data to the processing of his personal data.
5. If the operator entrusts the processing of personal data to another person, the operator shall be liable to the subject of personal data for the actions of the said person. The person who processes personal data on behalf of the operator is liable to the operator.

L
Loreweil, 2013-02-16
@Loreweil

1. Now there is no mandatory requirement for written consent, there is simply “consent”, that is, you need to somehow prove the fact of obtaining consent to the regulator. Of course, in this regard, written consent removes all questions. You can, of course, implement the “I agree” checkbox, but the sender cannot give consent for the recipient to process his PD.
2. Consent is not required for the implementation of mailings, but this is not your case in my opinion. Although you can try to prove that you do not store this data. It just needs details that you did not go into =)
3. At various conferences, representatives of the RKN, when asked about personal data sent via web forms, declare that such information is not personal data, since there is no way to verify its authenticity. And really, how do you know that the person who told your web form that he is Ivan Ivanov is actually Ivan Ivanov?
4. Since the question is really extraordinary, I would advise you to call your regional branch of the RKN and find out their opinion on this issue. As practice shows, the regulator always meets the needs of operators who want to do everything right. Well, it definitely won’t get worse, especially since they don’t need to tell what exactly the project is, they just need to describe the situation in general terms.

K
kimssster, 2013-02-17
@kimssster

There is a term called “cognitive consent”. If those PD subjects are transferred to the person sending the PD to you for certain purposes, services, etc., and you cannot take consent from them for processing, then it is understood that they themselves agree to this. Example: a person remotely contacts an organization with a description of a problem containing PD, even k1, the organization cannot take consent from the subject, but, according to its charter, it is obliged to accept and process this data. This is where cognitive agreement comes into play.

A
Andrey Burov, 2013-02-16
@BuriK666

No written required.

L
LastDragon, 2013-02-16
@LastDragon

> Address and full name of the recipient, in fact, are personal data.
It is the recipient who will have to allow you to process their data. To be honest, how doubtful that someone would agree to this (“allow the left site to store your PD and get a letter of happiness”, I would send it :) )
> The law says in black and white that the written consent of the subject is required for the processing of PD.
Written consent is required only for certain categories of PD (for them, this is clearly indicated in the law).

M
msuhanov, 2013-02-17
@msuhanov

How to deal with this issue from a legal point of view? Is there a way to somehow make such a service white and fluffy for the Regulator?

No.
Paragraph 2 of Part 1 of Article 6 of the Federal Law "On Personal Data" allows the processing of personal data of a person without his consent for the purposes provided for by laws. One of these laws is the Federal Law “On Postal Communication”. The second article of this law defines the concept of address data of users of postal services (full name, postal address), and article 21 stipulates that in case of inaccuracy or incompleteness of address data, the postal item is returned to the sender. That is, the essence of postal service, defined in the Federal Law "On Postal Communication", requires the processing of personal data of recipients of postal items, and such processing, being regulated at the level of federal law, does not require the consent of the recipient in accordance with the above provision of the Federal Law "On Personal Data ”(by the way, the same applies to the personal data of the sender of the postal item).
However, the activity of providing postal services, as well as communications in general, is licensed (clause 36 of part 1 of article 12 of the Federal Law "On licensing certain types of activities"). Your project does not meet the criteria for activities in the field of postal communications, since it does not provide for the creation of a single production and technological complex of means that ensures the transfer of postal items (see the definition of postal communications in Article 2 of the Federal Law "On Postal Communications"). This means that the “indulgence” for the processing of personal data from the Federal Law “On Postal Communication” will not apply to you.
Which means nothing :-)

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question