Data processing, according to the current laws, is any action with personal data, or Personal Data, such as collection, systematization, storage, dissemination, deletion, etc.
The personal data legislation of a particular country applies if the company's activities are carried out in the territory of that country and the company itself processes personal data of citizens/residents. For example, if the site is in Russian and allows payment in rubles, and the legal entity owning the site processes personal information of Russian citizens on the basis of an agreement with them, then such a legal entity, even a foreign one, needs to take into account the laws of the Russian Federation. If the above criteria are met for another jurisdiction, such as the EU, then EU law must be followed.
If a person processes personal data, it is called an operator. In Russia, operators in most cases must notify the Federal Service for Supervision in the Sphere of Telecom, Information Technologies and Mass Communications of their intentions even before processing begins, after which the data is included in the register.
The requirements applicable to processing vary not only by jurisdiction, but also by category of data. Thus, for example, physiological characteristics that enable identification (fingerprints, etc.) require a higher level of security than data about an individual that is already available to an indefinite number of persons.
Processing control can also differ depending on whether it is automatic or manual. Manual processing of data implies compliance with the obligations for separate recording and subsequent storage of information, special requirements for standard forms and logs.
Legislation usually establishes special procedures for the fulfillment of certain duties of operators. For example, a notification procedure has been established for the intention to carry out a cross-border transfer or leakage of personal data.
Processing is only permitted on statutory grounds, e.g. the subject's consent is a legal basis for processing.
Legal support in the field of personal data includes:
- Oral and/or written advice on the legal organization of the processing.
- Analysis of compliance of the personal data processing and measures to ensure personal data security with the laws on personal data.
- Development of local normative acts regulating work within the organization with personal data.
- Legal paperwork for the site, including drawing up the Personal Data Processing Policy (Privacy Policy), Consent to Processing.
By ensuring proper legal support for the processing of personal data, the operator will be able to avoid fines from the Federal Service for Supervision in the Sphere of Telecom, Information Technologies and Mass Communications or other foreign regulatory authorities.
For legal services in the area of personal data, you can contact the lawyers at GMT Legal. We can develop packages of documents for you, advise you on the organization of personal data processing on a one-time basis or comprehensively support the project, providing all the necessary services. A personalized approach will ensure that your processing complies with the law with minimal effort for you.