• What is the privacy policy. Working with personal data – Privacy Policy. The procedure for collecting, storing, transferring and other types of processing of personal data

    Privacy Policy - how to do it right?

    July 2017 still made website owners pretty nervous. This is due to the amendments to Article 13.11 of the Code of Administrative Offenses of the Russian Federation that came into force on July 1, 2017 (see Federal Law No. 13-FZ dated 02/07/2017 “On Amendments to the Code of the Russian Federation on Administrative Offences”), tightening administrative liability for violation of the procedure for processing personal data.

    The amount of fines for entrepreneurs varies from 5 thousand rubles to 75 thousand rubles. The last figure concerns organizations that allowed the processing of personal data, for example, without the written consent of the subject of personal data.

    Before sounding the alarm and rushing to disable feedback forms on the site, you need to check your own site for the presence or absence of documents regulating relations with users, including the processing of the data they leave, and evaluate their content in terms of transparency, completeness, consistency and sufficiency.

    If you don’t know how to do this correctly and what the privacy policy should include, we suggest you pay attention to the following key points.

    1. Why do we need a Privacy Policy?

    We think that the answer here is obvious. The document regulating the processing of users’ personal data and posted on the site is nothing more than the rules of the game that the site owner sets in relations with users. The purpose of fixing and posting such rules is to reduce risks from the legislation on personal data, and, if necessary, to fight back against consumer extremism.

    2. What is better to call it - an offer, an agreement on the processing of personal data or a privacy policy?

    From a legal point of view, the name of the document regulating the processing of users’ personal data does not matter. The rest is a matter of taste for each site owner. For our part, we can highlight the name “privacy policy” because of its capacity, widespread use and user understandability.

    3. What is the best way to post it - as a separate document or as part of the offer/user agreement?

    There are also no mandatory rules or a universal template. You can reflect the necessary provisions in a separate document or make it part of, for example, a user agreement.

    As a rule, the user agreement contains many specific features of using the site, which affects the volume of the document. Including data processing provisions in the user agreement will clearly overload the document and complicate its perception by the user.

    When posting two separate documents on a website (for example, a privacy policy and a user agreement), we recommend checking them for consistency with each other, as well as for the presence of links to each other.

    4. Is it necessary to post a separate consent form for the processing of personal data in addition to the Privacy Policy?

    Here the answer is simple. If it is obvious from the Privacy Policy which data the user consents to have processed and for what purpose, then a separate consent form will be unnecessary.

    5. How to make the rules work?

    The privacy policy is the same offer (agreement), only on issues related to the processing of personal data of users. In order for the user to be considered to have accepted the terms of processing of his data by the site owner, he must accept the proposed rules (accept, agree).

    Such an acceptance may be:

    b) placing marks in the fields,

    c) performing a sequence of actions,

    d) use of the site functionality.

    “The User agrees to the provisions of this Privacy Policy by clicking the “Accept Privacy Policy” or “Continue” button, putting the appropriate mark in the field during Registration, including at any stage of such registration and (or) at any time while using the site.”

    6. What should be included in the Privacy Policy (hereinafter also referred to as the Policy)?

    There is no universal Privacy Policy template. In any case, when drawing up the Privacy Policy, it is worth taking into account the specifics of the site, its purpose, functionality, range of users, and the amount of data they leave.

    An analysis of current legislation in the field of personal data processing, as well as our own experience, allowed us to formulate the following recommendations to website owners on the content of the Privacy Policy:

    a) if desired, include a section with terms and definitions; it is not mandatory. For user convenience and unification of documents on the site, you can include a corresponding section with concepts and definitions that are common to both the Privacy Policy and the User Agreement (for example, “Privacy Policy”, “user”, “site”, “site owner”, “personal account”, etc.).

    The absence of such a section in the Privacy Policy is not associated with risks for the site owner.

    b) we highlight general provisions, where we describe:

    • subject of regulation of the Policy (for example, “regulates the procedure for processing users’ personal data, including for the purpose of ensuring the security of the processing of users’ personal data, ensuring their rights and interests when processing personal data”).
    • forms of user acceptance of the terms of the Policy and data processing (an example is given in paragraph 5 of this article).
    • place for resolving disputes arising from the Policy, with a reservation (for example, all possible disputes regarding this Privacy Policy and the relationship between the user and the Site Administration will be resolved according to the norms of Russian law in court at the location of the Site Administration, unless otherwise expressly provided for by the legislation of the Russian Federation).

    The reservation is necessary to comply with current legislation, and the indication of the place of consideration of disputes at the location of the site owner is intended to have a rather preventive effect on the user.

    • procedure for changing and updating the Policy (for example, “The site administration reserves the right to change and (or) supplement this Privacy Policy without any special notice. The new edition of the Privacy Policy comes into force from the moment it is posted on the website page, unless otherwise provided by the new edition of the Privacy Policy. The current version of the Privacy Policy is always located on the website page at...”).

    It is worth pointing out that the user’s silence is regarded as consent to the changes and (or) additions to the Privacy Policy.

    • lack of access to data that the user leaves on third party sites. This may be due to the user paying for services and providing their payment information.

    In this case, it is worth clearly stating, for example, the following: “the user acknowledges and confirms that any data (including bank card details) directly or indirectly related to payment for services is posted by the User on the pages of sites owned by third parties not related to the Site Administration; the Site Administration does not have access to such information and does not carry out any actions regarding such data, including their collection, systematization, accumulation, storage, clarification (updating, changing), use, distribution (including transfer), depersonalization, blocking, destruction, cross-border transfer.”

    c) we record the provision of consent to the processing of personal data. This is simply a “must have” of any privacy policy. Be sure to indicate that by giving consent, the user acts of his own will and in his own interest. Consent is given by the user from the moment of registering on the site and (or) performing other actions related to the use of services or capabilities of the site.

    d) indicate the purpose of providing consent. Several options are possible here at the same time:

    • for the purpose of concluding an agreement with the Site Administration, other agreements directly provided for in the Policy, other agreements posted on the pages of the site, and their further execution,
    • participation in ongoing events, making decisions or performing other actions that give rise to legal consequences in relation to the user or other persons,
    • to accept and process requests;
    • informing about the status of the request, services, for example, through electronic and SMS notifications;
    • improving the quality of the site;
    • conducting statistical and other studies based on anonymized data.

    The key is the first option indicating the provision of data for the purpose of concluding agreements with the Site Administration and their execution. If problems arise with Roskomnadzor, this option will explain the lack of consent to the processing of personal data “on paper”, as well as the failure of the site owner to send a notification to Roskomnadzor.

    e) describe the composition of personal data. We remember that not all user data is personal. Personal data refers to such a set of data that allows you to identify the user, for example, full name and address of residence.

    You can indicate that consent applies to last name, first name, patronymic, address, telephone number and any other information related to the user’s identity that is available or known to the Site Administration at any particular time.

    f) indicate the period for which consent is provided. It can be described as follows: consent is given by the user until the expiration of the storage period for the relevant information or documents containing the above information, determined in accordance with the legislation of the Russian Federation, after which it can be withdrawn by the user by sending a corresponding written notification to the Administration at least 3 months before the withdrawal of consent.

    g) we record the scope of possible processing actions. Here we proceed from the fact that the more possible actions with data are described, the better. It can be described as follows: consent is provided to carry out any actions in relation to personal data that are necessary or desirable to achieve the above purposes, including, without limitation: collection, systematization, accumulation, storage, clarification (updating, changing), use, distribution (including transfer), depersonalization, blocking, destruction, cross-border transfer of personal data, as well as carrying out any other actions with the user’s personal data, taking into account the current legislation of the Russian Federation.

    h) indicate methods of data processing. You can specify the following: storage, recording on electronic media and their storage, compiling lists. Separately, it is worth noting that the specified list of processing methods is not exhaustive.

    i) we include the right to disclosure to third parties. It is worth recording the right of the Site Administration to transfer data to third parties to achieve the goals specified in the Policy, as well as the user’s consent to this.

    j) determine the procedure for sending legally significant messages. To regulate the flow of incoming requests from users regarding data processing issues, it is worth complicating the procedure for interaction with the Site Administration. This can be done by defining a written form for such requests, as well as the method of their submission - sending to the postal address indicated on the website and/or by courier. Additionally, it is worth pointing out that otherwise, user requests and notifications may remain without consideration.

    In response to numerous requests from working webmasters and site owners, we have published a free sample Privacy Policy for sites with a feedback, subscription or call request form.

    We decided to take this step because this form of the Policy does not provide for the processing of personal data, and as a result does not imply much variability in the decision. It is important to remember that it is not suitable for sites that process personal data. For example, online stores and other services where, in addition to a phone number or email, the user additionally provides other information about himself, require more attention to the issues of processing personal data.

    Therefore, we thought about options for drawing up a “people’s” Privacy Policy. A simple template will not do here. We took as a basis the Recommendations of Roskomnadzor (hereinafter referred to as the “Recommendations”) issued in 2017 on the preparation of a document defining the operator’s policy regarding the processing of personal data (hereinafter referred to as the “Policy”). We supplemented it with live examples.

    Let's see what happened.

    Section 2 quotes the basic concepts from the Federal Law “On Personal Data”. We skip it as unnecessary. If desired, it is better to introduce your own terms into the Policy, clarifying the legal ones.

    Section 3 finally provided the long-awaited advice on the structure and content of the Policy. Let's look at them in detail.

    1. General provisions of the Policy

    In this section, it is recommended to describe the purpose of the Policy, as well as include the basic concepts used in it (processing of personal data, operator, subject of personal data, confidentiality of personal data, etc.), and list the basic rights and obligations of the operator and subject(s) of personal data.

    So let's start with definitions. In order not to repeat Federal Law 152, we suggest making references to specific clauses and sections of the Policy that specify the concepts used. Below is an example of the terms and definitions of the Privacy Policy for an online store.

    1.1. In this document and the relations of the Parties arising or related thereto, the following terms and definitions apply:

    Personal data - data provided by the subject of personal data or his representative, the scope and composition of which are indicated in paragraph X.X of the Policy.

    Administration - Romashka LLC, INN XXX, OGRN XXX, Address: XXXXX, in the legal possession and/or management of which the Site is located. In the cases provided for in this Policy, the Administration acts as a personal data operator.

    User - a person using the Site for the purpose of concluding and/or executing Agreements.

    3. Legal grounds for processing personal data

    According to the explanation of Roskomnadzor, the legal basis for the processing of personal data is the set of legal acts in pursuance of which and in accordance with which the operator processes personal data.

    If the above link exists, the legal basis for the processing of personal data may be the agreements concluded between the operator and the subject of personal data.

    If personal data is processed for other purposes, a separate consent to the processing of personal data must be indicated as a basis.

    4. Volume and categories of personal data processed, categories of personal data subjects

    Roskomnadzor warns that the content and volume of personal data processed must correspond to the stated purposes of processing. The personal data processed should not be redundant in relation to the stated purposes of their processing.

    First of all, we indicate data from the fields of online feedback, order, subscription and registration forms. Then we pay close attention to the composition of the information entered by the user when filling out a profile in his personal account.

    Additionally, we indicate the data that is requested by support or the sales department when filling out or processing applications over the phone or at service points.

    5. Procedure and conditions for processing personal data

    Let's choose. Federal Law 152 provides the following list of operations with personal data: collection, recording, systematization, accumulation, storage, clarification (updating, changing), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data.

    Processing methods may include:

    a) automated processing of personal data

    b) processing of personal data without the use of automation tools.

    According to the definition given in Federal Law 152, automated processing of personal data is the processing of personal data using computer technology.

    It would seem that this includes any actions with personal data performed using computer technology. But it's not that simple. We look at the Regulations on the peculiarities of processing personal data carried out without the use of automation tools, approved by Decree of the Government of the Russian Federation of September 15, 2008 N 687.

    Clause 1 states that the processing of personal data contained in the personal data information system or extracted from such a system (hereinafter referred to as personal data) is considered to be carried out without the use of automation tools (non-automated), if such actions with personal data as use, clarification, distribution, destruction of personal data in relation to each of the subjects of personal data are carried out with the direct participation of the person.

    The processing of personal data cannot be recognized as carried out using automation tools only on the basis that personal data is contained in the personal data information system or was extracted from it (clause 2).

    In other words, if personal data is not used, clarified, distributed and destroyed in the personal data information system of your website automatically without human intervention, you can safely choose the second processing method: processing personal data without the use of automation tools.

    The result of this simple action will be a legal refusal to apply the draconian requirements of Federal Law 152 for automated processing of personal data in the information system.

    Regarding the timing of PD processing, we propose to indicate, at a minimum, the validity period of the agreement for which the PD was requested. You can add to the validity period of the contract the 3-year limitation period for the protection of rights in connection with its execution.

    Roskomnadzor reminds that when storing personal data, the personal data operator is obliged to use databases located on the territory of the Russian Federation, in accordance with Part 5 of Art. 18 of the Federal Law "On Personal Data". It is not necessary to reflect this point in the Policy, since it is related to actual circumstances. Although, as a matter of form, you can include in the Policy a declarative article on the processing of personal data in Russia.

    • The user has expressed his consent to such actions;
    • The transfer is required for the conclusion and performance of contracts on or using the Site;
    • At the request of a court or other authorized government body within the framework of the procedure established by law;
    • To protect rights and legitimate interests in connection with violation of agreements concluded with the user.

    Within certain limits, this list can be expanded to include cases of sale of the Site or transfer of PD in anonymized form.

    In addition, Roskomnadzor recommends indicating in this section of the Policy information about compliance with the requirements for confidentiality of personal data established by Art. 7 of the Federal Law “On Personal Data”, as well as information about the operator taking the measures provided for in Part 2 of Art. 18.1 and Part 1 of Art. 19 of the Federal Law “On Personal Data”.

    In practice, this information boils down to a statement that the Site administration stores Personal Data and ensures its protection from unauthorized access and distribution in accordance with internal rules and regulations.

    6. Updating, correction, deletion and destruction of personal data, responses to requests from subjects for access to personal data

    Roskomnadzor recommends including in the Policy regulation(s) for responding to requests/appeals from personal data subjects and their representatives, and from authorized bodies, regarding the inaccuracy of personal data, illegality of their processing, withdrawal of consent and access of the personal data subject to their data, as well as the relevant forms of requests/appeals.

    In such cases, it is usually indicated that the user has the right at any time to independently edit the information provided by him in his personal account. In case of termination of the concluded agreement, the user has the right to delete his own personal account independently or by contacting the support service at the email address XXX@ХХХ.ХХ.

    If desired, you can tighten the terms of the regulations for processing requests to change/delete PD, requiring the user to send valuable letters to your address in Bobruisk.

    7. Processing of anonymized data

    It is noteworthy that Roskomnadzor, as always, avoided the issue of processing equally important data for users that is not considered personal. We are talking about information collected automatically on the site: cookies, IP, information about the device and its location, etc.

    Apparently, Roskomnadzor stubbornly does not want to disclose the composition of personal data, even by exclusion through information that is not personal. However, in practice, it is customary to include a notice and procedure for processing such data in the Privacy Policy in order to fully inform the user about the consequences of using the site.

    Below is an example of such a notification.

    You understand and accept the possibility of using third party software on the Site, as a result of which such parties may receive and transmit data in anonymized form.
    These third party software include Google Analytics visitor statistics collection systems.

    The composition and conditions for collecting anonymized data using third-party software are determined directly by their copyright holders and may include:

    • browser data (type, version, cookie);
    • device data and its location;
    • operating system data (type, version, screen resolution);
    • request data (time, referral source, IP address).

    A full description of the conditions for processing anonymized data can be found in the sample Privacy Policy with which we began our article.

    We wish you success in developing your own Privacy Policy in accordance with the recommendations of Roskomnadzor and the approaches developed in practice.

    This Privacy Policy (hereinafter referred to as the Policy) is an annex to the User Agreement and determines the procedure for processing and protecting personal information about Users that Mann, Ivanov and Ferber Limited Liability Company (hereinafter referred to as the Administration) may receive during their use of the Administration's Services (hereinafter referred to as the Services).

    Before using the Service, users should read the terms of this Privacy Policy.

    1. General provisions

    1.1. Use of the Service in any form means the User’s unconditional consent to the terms of this Privacy Policy and the conditions for processing his personal information specified therein. In case of disagreement with the terms of the Privacy Policy, the User must refrain from using the Service.

    1.2. The Privacy Policy (including any of its parts) may be changed by the Administration without any special notice and without payment of any compensation in connection with this. The new version of the Privacy Policy comes into force from the moment it is posted on the Administration website.

    1.3. By accepting the terms of this Policy, the User expresses his consent to the Administration’s processing of data about the User for the purposes provided for in this Policy, as well as to the transfer of data about the User to third parties in the cases listed in this Policy.

    This consent can be revoked by the User only if he notifies the Administration in writing at least 180 days before the expected date of termination of the use of data by the Administration.

    Using the Service using a web browser that accepts data from cookies means the User’s consent that the Administration can collect and process data from cookies for the purposes provided for in this Policy, as well as to transfer data from cookies to third parties in the cases listed in this Policy.

    Disabling and/or blocking by the User of the web browser option for receiving data from cookies means a prohibition on the Administration’s collection and processing of data from cookies in accordance with the terms of this Privacy Policy.

    1.4. As a general rule, the Administration does not verify the accuracy of the personal information provided by Users. At the same time, in cases provided for in the User Agreement, the User is obliged to provide confirmation of the accuracy of the personal information about himself provided by him.

    2. Composition of information about Users that the Administration receives and processes

    2.1. This Policy applies to the following types of personal information:

    2.1.1. Personal information posted by Users, including about themselves when filling out the form for sending a message, other personal information to which the User provides access to the Administration through websites or services of third parties, or personal information posted by Users in the process of using the Service. Personal information obtained in this way may include, in particular, the User’s last name, first name, telephone number, email address, and order delivery address. Other information is provided by the User at his discretion.

    It is prohibited for the User to provide personal data of third parties without permission for such distribution received from third parties or if such personal data of third parties was not obtained by the User himself from publicly available sources of information.

    2.1.2. This Policy also applies to candidates for existing vacancies of the Administration, along with other Users. Candidates for vacancies, sending a resume to the Administration using the Service, or by email, for the purpose of an interview and further employment, thus express consent to the processing of the following personal data: last name, first name, patronymic, date of birth, citizenship, city of residence, contacts (telephone number, email address), place of work and dates of work, as well as other data specified by candidates for vacancies in their resumes.

    2.1.3. The Seller guarantees the Buyer to maintain the confidentiality of the following personal information about the Buyer:

    — information about the user’s card (last 4 digits);

    — information about purchases and orders.

    The specified information is transferred by the Seller to third parties solely for the purpose of paying for the order by the payment system; other cases of transfer of this information to third parties are not allowed.

    2.1.4. Data automatically transferred to the Service during their use using software installed on the User’s device, incl. IP address, individual network number of the device (MAC address, device ID), electronic serial number (IMEI, MEID), data from cookies, information about the browser, operating system, access time, search queries of the User.

    2.1.5. Data additionally provided by Users at the request of the Administration in order to fulfill the Administration’s obligations to Users regarding the use of the Service.

    2.1.6. Other information about Users, the collection and/or processing of which is established by the Administration’s user agreement.

    3. Purposes of collecting and processing information about Users

    3.1. The Administration collects and processes only information about Users, incl. their personal data, which is necessary to fulfill the Administration’s obligations to provide the Service, answer the question asked by the User when sending a message using the Service, as well as fulfill the obligations provided for in the user agreement.

    3.2. The Administration may use Users’ personal information for the purposes of:

    3.2.1. identification of the party within the framework of agreements between the User and the Administration.

    3.2.2. providing services to Users using the Service and to fulfill their obligations to them, incl. clarification of payment data, processing of orders and requests and further improvement of the Service, development of new services.

    3.2.3. informing Users about the appearance of new materials on the Site, sending requests regarding the use of the Service, feedback from the User.

    3.2.4. performing marketing tasks, conducting statistical and other research based on anonymized data.

    3.2.5. informing the User through electronic mailings. By providing his data, the User agrees to receive advertising, informational and service messages (newsletters).

    3.3. The purposes of processing personal data of candidates for vacancies are:

    — Ensuring compliance with the requirements of the legislation of the Russian Federation.
    — Solving employment issues, registration and regulation of labor relations.
    — Reflection of information in personnel documents.
    — Other purposes for processing personal data may be approved by order of the Operator.

    3.4. Mobile applications may collect anonymous data about the user's location in order to provide a more accurate experience with the choice of payment method. Mobile applications may collect anonymous usage statistics.

    3.5. The User hereby expresses his consent to the transfer of personal information about him to the Administration’s partners and third parties for the purposes provided for in clause 3.2 of this Privacy Policy.

    3.6. If it is necessary to use personal information about the User for purposes not provided for in this Policy, the Administration requests the User’s consent to such actions.

    4. Processing information about Users

    4.1. Personal information about Users is stored in accordance with current legislation.

    4.2. Personal information about Users is not transferred to third parties, except for the following cases:

    4.2.1. The user agreed to such actions.

    4.2.2. The transfer is necessary in order to ensure the functioning of the Service and/or its individual functionality.

    4.2.3. The transfer is subject to applicable law.

    4.2.4. In order to ensure the possibility of protecting the rights and legitimate interests of the Administration and/or third parties in cases where the User violates the terms of the user agreement.

    4.2.5. If the Administration takes part in a merger, acquisition or any other form of sale of part or all of its assets. In this case, all obligations to comply with the terms of this Policy are transferred to the acquirer of the Administration’s assets.

    4.3. The User is hereby notified and agrees that the Administration may receive personal data of third parties that are provided by the User when using the Service and use them to implement certain functions of the Service, provided that the User guarantees the consent of third parties, data about which is provided by the User when using the Service, for processing by the Administration for the purposes provided for in this Policy, as well as for the transfer of such data in the cases listed in this Policy.

    4.4. In addition, the User is hereby notified and agrees that the Administration may receive statistical anonymized (without reference to the User) data about the User’s actions when using the Service.

    4.5. Users have the right, upon request, to receive from the Administration information regarding the processing of their personal data.

    5. Measures to protect information about Users

    5.1. The Administration takes all necessary and sufficient organizational and technical measures to protect personal information about Users from unauthorized or accidental access to it, destruction, modification, blocking, distribution of personal information, as well as from other unlawful actions with it. These measures include, but are not limited to, internal review of data collection, storage and processing processes and security measures, including physical data security measures to prevent unauthorized access to personal information.

    5.2. When processing personal data of Users, the Administration is guided by the Federal Law “On Personal Data” dated July 27, 2006 No. 152-FZ.

    6. Final provisions

    6.1. This Policy, the relationship between the User and the Administration arising in connection with the application of this Policy, as well as issues not regulated by this Policy, are governed by the current legislation of the Russian Federation.

    Margarita Ledovskikh

    I am glad to welcome you to our website. My name is Margarita Ledovskikh, I am a media lawyer. I have been working in the field of information law for 19 years, of which 6 years I have been leading the “Law on the Network” project.


    So that each user can enter their personal data and not be afraid that they will be used by scammers, the privacy policy for the site is in effect. In this article, we will look at what a website privacy policy is, what federal laws govern it, and how its rules apply in everyday life.

    You will learn:

    • What does the privacy policy mean for the site?
    • Is there a need for a privacy policy on the company website?
    • How the privacy policy of the website is regulated by law.
    • How to write a privacy policy for a website.
    • How to post a privacy policy on a website or landing page.

    What does the privacy policy mean for the site?

    The privacy policy is legal documentation, the authenticity of which is confirmed by experts. It shows that the owner of this Internet resource has the right to collect, process, and use personal information of users, ensuring its integrity. A privacy policy is needed to protect site visitors from unfair use of their personal information by the owner of the resource for personal gain.

    Just a few years ago, privacy policies for websites were of secondary importance. Many owners, and especially visitors to resources, did not know what its purpose was, and, accordingly, considered it something unnecessary. Today, Russian legislation regulates the activities of most sites that request personal data from users.

    The regulations state that website owners are responsible for transferring any customer information to third parties. In addition, owners of Internet resources are required to indicate what kind of protection is provided against leakage of information about visitors.

    A document entitled “Personal Information Privacy Policy” should be located on the first page of the site. It is better to place it so that the visitor does not have any problems familiarizing himself with it before registering.

    The data privacy policy applies to all personal information that the client leaves on the site. We are talking about name, postal address, bank card number, email, phone number and other types of information. Disclosure of other people's data is a fairly serious action that threatens with unpleasant consequences. A person posts personal information about himself to gain access to goods or services, which means that information about him must be reliably protected.

    If scammers or advertising agencies gain access to users’ personal data, they will be able to use it for their own selfish interests, and people will no longer trust you as the owner of the resource. In addition, disclosure of confidential information is an offense that carries administrative penalties imposed by court decision.


    Is there a need for a privacy policy on a company website?

    It is difficult to maintain user interest in a particular site for a long time. As a rule, the visitor finds what he needs and leaves the site. He returns back in very rare cases. As time passes, he enters another query into the search engine, goes to the information he needs on a similar resource, and closes the tab, leaving the site.

    To form and maintain their audience, site owners collect data about all visitors, and then from time to time, in an unobtrusive form, send them news and tempting offers, reminding them of themselves. The registered user receives all notifications by email.

    The website must contain a special paragraph explaining the procedure and purpose for collecting personal information. Even if you only need an email to register on the site, the owner of the resource is still required to post a privacy policy. As a rule, on sites you only need to leave your name and email.

    The fact that you receive unnecessary offers and advertisements every day to your email means that the privacy policy of some site where you left your email is incompetent or simply does not exist.

    Note that some sites transmit contact information and names of visitors to related resources associated with them. They do not have the right to overload the visitor with unnecessary information, but they can offer something based on requests. This is how Google's privacy policy works.

    If we are talking about an online store, the user cannot get by with only a login and email. Here the scheme is more complex, since financial transactions are involved, so the privacy policy for the site should be stricter. As for landing pages, they need a privacy policy in order to pass moderation in advertising networks.


    A practitioner explains

    How to avoid problems with storing and using personal data of clients

    Elena Denisova,

    Head of Commercial Practice, CLIFF

    Many entrepreneurs believe that there is no direct connection between their activities and the processing of personal data, since they simply collect information about their audience in order to know them. In addition, a large percentage of businessmen believe that a website is not an automated processing tool. Consequently, they do not collect personal data from users and are not obliged to take care of their non-disclosure. However, Russian legislation states that a personal data operator is both an individual and a legal entity that organizes and processes personal information and establishes the purposes for its collection.

    To avoid problems with storing and using personal data and act in accordance with the law, you need to:

    1. Determine the procedure, volume and time for obtaining private information about your clients. If you do not receive information by which the visitor can be accurately identified (you only receive an email, do not offer to register and leave contact information, that is, you do not ask the user for any personal information and work on confidentiality terms), then you are not dealing with personal information. In all other cases, you must strictly follow the legal regulations regarding maintaining the confidentiality of personal data on the site.
    2. Establish a procedure for your organization to obtain the client’s consent to process his personal data. An individual or legal entity must give consent to the processing of private information if you plan to conduct trading operations and conduct any activities related to the promotion of products, services, or work on the market using direct contact with a person (via SMS messages, phone calls, email etc.). It should be emphasized that if a controversial situation arises, the personal data operator, that is, your company, will be required to provide evidence of obtaining consent from the client to use his personal information. That is why you need to develop rules according to which you will collect, process, store and destroy personal data (that is, a privacy policy for the site). It is also necessary to develop a special form of consent to perform these actions (see download material). The user may not accept the terms of the privacy policy if the purpose of processing personal data is to fulfill the terms of the agreement in which he participates, that is, if the information is used only by your company and exclusively for completing a purchase and sale transaction with the user, without transferring personal data to third parties.
    3. Make sure that in the future your company will be able to provide evidence that the user has consented to the processing of personal data. It is not enough to post a privacy policy and a consent form for the processing of private information on your website. If a controversial situation arises, regulatory authorities will still impose an administrative penalty on you. You must have a document signed by the user, from which his consent to the processing of personal information will follow. In addition, the document must indicate the types and purposes of using PD. If you do not have such paper, a fine from regulatory authorities cannot be avoided. Of course, proof can be a paper form in which the client signed, but this is not suitable for trading activities on the Internet.

    According to Roskomnadzor, consent to the processing of personal data on the site may be an electronic digital signature file. In addition, in a number of situations, the operator’s proposals for the sale of goods can be regarded as a public offer. In other words, when a user agrees to an offer when placing an order or registering, he thereby authorizes the seller to use his personal data.

    According to judicial authorities, enterprises should place a web label on their websites, meaning that the user agrees with the rules and procedure for processing personal data (resolution of the Federal Antimonopoly Service of the North-West District dated December 13, 2010 in case No. A56-73636/2009, resolution of the Federal Antimonopoly Service UO dated 18.03.2010 in case No. F09-1736/10-S1, ruling of the Moscow City Court dated February 14, 2011 in case No. 33-2064).


    How is the privacy policy of an Internet site regulated at the legislative level?

    At the moment, the state is paying increased attention to the issue of security of citizens’ personal information. In this regard, the most famous and large resources, such as Vk.com, Yandex.Direct, Google AdWords, etc., began to take privacy policies more seriously on their websites. If it is not present on the landing page, these resources may not accept the advertising campaign or may significantly complicate its moderation.

    Until recently, the privacy policy for the site (152-FZ) was perceived by many members of the Internet community as wishes that could be followed or not taken into account, even despite the legislative basis. The fact that administrative liability was provided for violation of requirements for maintaining the confidentiality of personal data (note, rather modest) did not in any way affect the implementation of regulatory requirements. Representatives of the Internet community still did not strictly follow the rules related to the safe storage and use of personal information.

    As a result, in July 2017, Law No. 152-FZ was amended and supplemented, as a result of which administrative liability for violation of PD confidentiality requirements became stricter. Today, penalties are provided for neglecting them.

    Please note that the privacy policy for the site is mandatory. If it is not there, the owners of the Internet resource are responsible. In addition, there are certain sanctions for processing confidential customer information without their consent.

    If a company commits a violation for the first time, it will be fined in the amount of 30 thousand rubles, and the second time - 75 thousand rubles. In addition, it is allowed to simultaneously bring violators to justice under several parts of Art. 13.11 of the Code of Administrative Offenses of the Russian Federation. Conclusion: if a businessman has not previously followed the law on maintaining confidentiality of personal data, he may face a serious fine.

    Bringing administrative liability for violation of 152-FZ will now fall within the competence of Roskomnadzor, and not the prosecutor's office. This means that the qualifications of Roskomnadzor employees will increase, as well as the speed of inspections.

    A practitioner explains

    What can happen when working with personal data through a feedback form without a privacy policy?

    Ildar Bagautdinov,

    partner, head of commercial practice at ANP Zenit, Kazan

    Roskomnadzor employees found that the TGYUK company posted a feedback form on the website. However, there was no privacy policy document regarding the collection and use of personal data. The organization was fined in the amount of 1 thousand rubles. in accordance with Art. 13.11 of the Code of Administrative Offenses of the Russian Federation. But the company went to court. As its representatives noted, it was impossible to establish the user’s identity, since the form contained only 3 elements: name, subject and message text. In this case, the visitor could not fill in the “name” column. But the court did not take these arguments into account, and the company had to pay a fine (resolution of the Tambov Regional Court dated October 4, 2016 in case No. 4A-288).

    How to avoid penalties? If the owner places a feedback form on his website, this means that the company works with personal data, that is, collects information about citizens. Accordingly, it is obliged to perform the functions of a PD operator. In other words, the organization must notify Roskomnadzor that it intends to collect and process personal data, and also obtain the consent of the subject. In addition, its website must have a privacy policy that users can familiarize themselves with without any problems.

    From July 1, 2017, fines of 30 thousand rubles are imposed on enterprises for the lack of a privacy policy for websites.

    When creating a feedback form on the website, make sure that there is a function for obtaining the subject’s consent to process personal data. Before submitting the questionnaire, the user must check the appropriate box, thus agreeing with the further processing of private information.
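    One way to enforce the consent checkbox on the server and keep a record of the data types and purposes the user agreed to, as an added example that is not part of the original article. The policy object, field names, purpose text and sample submission are constructed for illustration.

```javascript
// Added example: server-side gate for a feedback form with a consent checkbox.
// POLICY, the field names and SAMPLE_SUBMISSION are constructed for illustration.
const POLICY = {
  version: "2017-07-01",                       // label of the policy text shown to the user
  purposes: ["reply to the enquiry"],          // purposes stated in that policy
  allowedFields: ["name", "email", "subject", "message"],
  requiredFields: ["message"],
};

// Fields that carry the consent signal rather than user data.
const CONTROL_FIELDS = ["consent", "policyVersion"];

function processFeedback(form, policy, nowMs) {
  const errors = [];

  // An HTML checkbox without a value attribute submits "on" only when ticked.
  // Anything else (absent, empty, "false") is treated as no consent.
  if (form.consent !== "on") {
    errors.push("consent checkbox not ticked");
  }
  // The form must name the policy version it displayed, so consent is tied
  // to the text the user could actually read.
  if (form.policyVersion !== policy.version) {
    errors.push("form was rendered with a different policy version");
  }

  // Keep only the fields the policy declares; note everything else as dropped.
  const data = {};
  const dropped = [];
  for (const [key, value] of Object.entries(form)) {
    if (CONTROL_FIELDS.includes(key)) continue;
    if (!policy.allowedFields.includes(key)) {
      dropped.push(key);
      continue;
    }
    if (typeof value === "string" && value.trim() !== "") {
      data[key] = value.trim();
    }
  }

  for (const field of policy.requiredFields) {
    if (!Object.prototype.hasOwnProperty.call(data, field)) {
      errors.push(`missing field: ${field}`);
    }
  }

  // Without consent nothing is stored: no data and no consent record.
  if (errors.length > 0) {
    return { ok: false, errors, dropped, data: null, consentRecord: null };
  }

  // The record states when consent was given, to which policy version,
  // for which purposes and for which types of data.
  const consentRecord = {
    grantedAt: new Date(nowMs).toISOString(),
    policyVersion: policy.version,
    purposes: [...policy.purposes],
    dataTypes: Object.keys(data).sort(),
  };
  return { ok: true, errors: [], dropped, data, consentRecord };
}

// Constructed submission: consent ticked, one undeclared field sent by the page.
const SAMPLE_SUBMISSION = {
  consent: "on",
  policyVersion: "2017-07-01",
  name: " Ivan ",
  message: "Please call me back",
  tracking_id: "abc123",
};

const accepted = processFeedback(SAMPLE_SUBMISSION, POLICY, 1500000000000);
console.log(accepted.consentRecord, "dropped:", accepted.dropped);
```

    The consent record is stored next to the submission it belongs to; the undeclared `tracking_id` field is discarded rather than saved.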


    External and internal privacy policy documents for the site

    There are two types of PD violations:

    1. Violations that can be identified on the basis of external documents, that is, official documents of the company, to which a certain circle of employees have access. These documents allow you to remotely (without interaction with the PD operator) identify violations in the area of confidentiality of personal information and collect a sufficient evidence base. Due to poorly prepared external documentation on personal data, the operator risks facing consumer terrorism, attacks from competitors, or penalties from Roskomnadzor.
    2. Violations that can be identified on the basis of internal company documents, that is, accessible only to a limited number of persons. Violations can be detected only during an inspection of compliance with the confidentiality of personal data, which is carried out by an authorized body.

    The privacy policy for the site, a sample of which you can always download on the Internet, is an external document, since in accordance with Russian legislation, access to it must be provided to all visitors to the resource. That is why the terms of the privacy policy must first of all meet the following requirements:

    • Exact compliance with legal regulations, relevance, relationship with the business model of the company posting it on its website.
    • No redundant conditions regarding the development of rules. Because of them, unreasonable costs may arise both at the stage of development and in the process of maintaining the relevance of standards.

    The offer agreement and the website pages on which the personal information used is posted or displayed are also external documents. They should be developed by experienced specialists who are well versed in the intricacies of drawing up privacy policies for websites.

    How to develop a website privacy policy

    The privacy policy for the site must first of all be reliable. The reputation of the resource will suffer greatly if the provisions specified in your privacy policy are not followed. In addition, it is possible that problems will arise with the law, which states that for violating the privacy policy, responsible persons must be punished, including criminal penalties.

    At the moment, new bills related to the Internet sphere are being actively formed in Russia. However, there are no clear requirements for drawing up privacy policies for websites yet. But certain unspoken rules for its development still exist, namely:

    • the privacy policy for the site must be drawn up correctly, in compliance with all spelling and punctuation rules;
    • it must be written simply and clearly for users. It should not contain phrases with an ambiguous interpretation;
    • the privacy policy for the site should be drawn up in a formal business style;
    • the site administrator must have an excellent understanding of the development and application of privacy policy standards in order to be responsible for the information contained in it;
    • The privacy policy for the site must contain guarantees of the safety of personal information.

    What to consider when writing a privacy policy for a website

    When developing a privacy policy for a website, there are certain subtleties to consider. Let's look at them in more detail:

    • The website that is used to process personal data is part of the personal data information system (PDIS). Its second element is the hosting on which this resource is located.
    • The privacy policy for the site should cover the use of personal data of employees of the organization and the use of personal data processing systems not related to the site (1C, external email, etc.).
    • The site’s privacy policy should have a relationship in terms of the legality of PD processing both with the agreement concluded with individuals and with the business model of the enterprise as a whole, since the privacy policy is a non-localized document that determines the legality of the use of personal information.
    • It is necessary to provide not only for the presence of a privacy policy on the site, but also for the legality of the processing of personal data from the moment of their transmission through an Internet resource until the conclusion of an agreement on the site’s privacy policy (acceptance of the offer). Thus, acceptance of an offer may be provided for by the first payment for a product (service), but after registration (transfer of personal information), the potential buyer may not make payment.
    • Software tools should be provided for the visitor to independently delete, correct, clarify and file complaints, and also establish the possibility of their use.
    • The privacy policy for the site determines the number and scope of subsidiary documentation (local legal acts) of the Internet company. To reduce costs, its volume should be reduced.

    How to write a privacy policy for a website: main sections of the document

    First of all, the privacy policy for the site must be as transparent as possible. After reading the document, the user must fully understand why he is providing personal information, how it is stored and processed, how its confidentiality is ensured, etc.

    1. Types of data collected.

    Here you need to indicate a complete list of information that the user must provide in order to receive services, buy goods, view information, etc. It is also necessary to indicate the data that will be recorded automatically: IP address, date and time of URL transition, etc.

    In the same chapter, visitors are usually informed for what purposes personal information is collected (usually contacting the account owner).

    2. Personal information management.

    Instructions that indicate how the visitor can access information about himself, edit it or delete it.

    Please note: if the site provides a function for temporarily storing user PD after deleting his account, the privacy policy should say so.

    3. Exchange of data between users.

    This chapter is relevant if site visitors can send each other personal messages. In this case, the privacy policy can indicate that the content of messages is protected from indexing by search engines.

    4. Protection of personal information.

    Measures that site owners take to prevent unauthorized access to visitor information.

    5. The procedure for transferring personal information to third parties.

    Based on Art. 7 of the Law “On Personal Data” No. 152-FZ of July 27, 2006, it is prohibited to disclose and transfer the user’s personal data to third parties without his consent.

    Exceptions to this rule are indicated in regulations. But not all citizens are legally savvy, and therefore, in order for them to trust the site, it is necessary to specify the situations in which the site can issue their personal data:

    • if law enforcement authorities have submitted an official request;
    • if a court decision is executed;
    • if we are talking about preventing fraudulent activities;
    • if there is protection of user rights, etc.

    Please note: if the privacy policy includes information about the possibility of transferring personal data for personal, commercial use and other purposes not provided for by law, this does not mean anything and does not relieve the resource owner from liability for unauthorized use of private information. For violating the law in this matter, he may be held accountable, including criminal charges, despite advance warning to visitors.

    In addition, when the site is sold, the new owner automatically gains access to clients’ personal information. In this regard, this chapter should indicate that account owners are guaranteed to be notified of a change in resource ownership so that they can delete their personal information if they wish.

    6. Changes.

    This indicates the order in which users will be notified of amendments to the privacy policy for the site. Example: users can be notified of the most significant changes by email.

    There are no strict rules regarding the names of sections in the privacy policy and their number. Additional conditions may be specified here - everything is determined by the focus and content of the resource. For example, websites often indicate the procedure for obtaining information from persons under 18 years of age, requirements for posting photographs, etc.

    Where to go for help writing a website privacy policy

    Specialized lawyers understand the privacy policies of websites best of all. If for the successful functioning of your resource you need to collect data about users in large quantities, the most reasonable solution is to turn to professionals. If the resource is simple, then the standard privacy policy for the site is used in the form of a standard document, guaranteeing that the client’s name and email will not be received by unauthorized persons. If we are talking about an online store or a large portal, it is better to insure yourself with all possible options, especially if you collect very personal information about users.

    Lawyers will develop a competent privacy policy for the site, covering all areas of your activity, and will ensure that its provisions cannot be perceived ambiguously.

    By using the services of a professional, you will protect yourself from possible problems with the confidentiality of users’ personal information. In addition, having a serious professional document (policy) on your website will provide you with customer trust and loyalty.

    How to post a privacy policy on a website or landing page

    1. Privacy Policy for Landing Page.

    How to add a privacy policy to a landing page in a pop-up (modal) window?

    Let's look at the procedure for placing a privacy policy using the example of creating a pop-up window.

    You need to use the Bootstrap framework, originally developed at Twitter, and take the scripts for creating a modal window from it.

    A modal window is formed in several stages:

    • opening the landing page;
    • opening the Bootstrap documentation (in English);
    • finding the “modal window” code in the Bootstrap documentation and then placing it on the landing page.

    There are 2 parts in the modal window:

    • a link or button that opens it;
    • the modal window itself.

    Another important detail: in addition to the Bootstrap styles, Bootstrap JavaScript and jQuery need to be loaded. Only then will the modal window open correctly on the landing page.

    You should also remember that if your resource is advertised on the Vk.com site, the moderator does not in all cases accept the “Privacy Policy” link. That is why it is better to indicate “Personal Data Processing Policy” in it.

    This is what the result should be:

    To make your work more convenient, open the following windows in your browser:

    • your server;
    • your landing page;
    • www.getbootstrap.com (select Modal from the JavaScript menu on the right).

    In the Bootstrap documentation, in the Modal section, scroll down to Live Demo and copy the code under this caption. Next, open Notepad++ and paste the code into a new window. In Notepad++, select SYNTAX, H, HTML from the menu for ease of use. In this code you need to change “Launch Demo Modal” to “Privacy Policy”. Next you need to change the button