Ensuring personal data protection up to Level 2;
Compliance with Federal Law 152-FZ On Personal Data Protection: Custom Design Solution
Preparation of expert opinions and certificates of compliance with Federal Law 152-FZ;
Provision of technical means of protection against information security threats.
Does this concern you?
Learn more about seamless migration to a scalable secure cloud platform in Secure Cloud Federal Law 152-FZ Standard Solution.
Any information about individuals, including names and contact details, gender, faith, as well as personal opinions on any topics. The law applies to both clients and employees. If you work with people, you are almost certainly subject to the law.
Any individual or legal entity that determines the purposes of collecting and processing personal data or performs any operations with such data, including collection, storage, analysis, use, transfer, and so on.
Most often, organizations from the financial services, healthcare, education, hospitality, telecommunications, advertising, and retail industries are subject to checks on the fulfillment of requirements set in Federal Law 152-FZ.
In order to comply with the law, the operator of personal data must develop internal regulations for working with personal data, implement technical protection measures, and localize data on the territory of the Russian Federation.
The law imposes different requirements for the level of security to be applied, depending on the type of personal data that the operator processes and on the extent of processing. These levels are described in detail in Clause 8 of the Decree of the Government of the Russian Federation No. 1119 of November 1, 2012.
The regulators responsible for ensuring compliance are Roskomnadzor (the Federal Service for Supervision of Communications, Information Technology and Mass Media), the FSB (Federal Security Service) and the FSTEC. Roskomnadzor is the authority most engaged in conducting checks. As a rule, it checks whether the procedure for and security of personal data processing comply with the requirements of the law.
Violations of Federal Law 152-FZ can entail all types of liability, including civil, disciplinary, administrative and criminal.
Disciplinary liability under the Labor Code of the Russian Federation is provided for persons responsible for the processing of personal data, including compensation for direct damages.
The Civil Code of the Russian Federation allows citizens to demand compensation from an organization if they suffered moral or property damages due to violations of the rules provided for operations with personal data.
Depending on the substance of the offense, administrative liability is up to 100 thousand rubles for individuals for violation of the law on personal data, up to 800 thousand for officials, up to 20 thousand rubles for individual entrepreneurs, and up to 18 million rubles for organizations.
Criminal liability for violation of the law on personal data can be qualified under a number of articles, which provide for punishments up to and including imprisonment for up to 4 years.
Violation of the law on personal data may lead to the inclusion of the organization in the register of violators, whose websites are subsequently blocked by telecom operators at the request of Roskomnadzor.
No, it does not. By law, the operator can entrust the work with personal data to third parties, such as data processors, but their liability is limited by the agreement with the operator. The operator determines the purposes and procedure for the processing of personal data, and therefore bears responsibility before the state and the owners of the personal data.
When placing the processing of personal data in the cloud based on the Infrastructure as a Service (IaaS) model, the areas of responsibility of the operator and the processor can be clearly distinguished:
The processor is responsible for hardware and software down to the hypervisor level;
All higher levels, such as virtual machines, operating systems and the applications installed on them, are the operator’s area of responsibility;
By default, the operator is responsible for data protection, but can delegate compliance tasks to the processor under the Security as a Service (SaaS) model. Examples of such services are antivirus protection, firewalling, VPN, etc.
Objective: Organize uninterrupted data processing in a secure cloud environment with service availability for users.
Solution: Linxdatacenter organized operations with personal data in the IaaS (infrastructure as a service) format on its platform in St. Petersburg. The migration was carried out in stages with testing of network availability after each step of implementation.
Objective: Transfer an application with personal data to a secure cloud environment within a time limited by the term of the contract between the client and the certifying organization.
Solution: Linxdatacenter performed the work in cooperation with the client’s contractor after assigning areas of responsibility. Linxdatacenter also took on some of the responsibilities of the client related to data protection. The work was completed on time and compliance with the Law on Personal Data Protection was confirmed by a third party, an FSTEC licensee.
Virtual infrastructure compliant with the Russian data protection law. We build secure infrastructure fully compliant with Russia Federal Law № 152 on personal data protection.