Cross-border transfer of personal data is what?

In the conditions of development and globalization of the Internet, the number of territorial restrictions for commercial activities is becoming less and less every day. Despite the rather complicated foreign policy situation, the number of domestic enterprises cooperating with foreign partners is constantly growing. The absence of territorial boundaries requires the introduction of unified rules for the interaction of all parties to the relationship. In particular, this refers to the process of sharing personal information. Let's consider further how the cross-border transfer of personal data is made.

2016 year

Currently, the legislation lacks clear rules for the exchange of information with foreign counterparties. As the initial normative act in the sphere of communications, Federal Law No. 152 was in effect. This law regulates the implementation of cross-border transfer of personal data. What it is? This activity is understood as the provision of personal information on the territory of a foreign state, a foreign state authority, a physical or a legal entity. In 2014, Federal Law No. 242 was adopted. It was to enter into force 01.sent. 2016 This regulatory act introduced some changes to the laws in terms of clarifying the rules for processing personal information in information and communication networks. However, the bill was submitted to the State Duma No. 596277-6 on the adjustment of Art. 4 of Federal Law No. 242. In accordance with these changes, the effective date was postponed to January 2015. Currently, thus, Federal Law No. 242 has been in force for more than a year.

Restrictions

Federal Law No. 152 establishes prohibitions, under which cross-border transfer of personal data falls. These are restrictions related to ensuring the protection of the constitutional system of the RF, health, morality, interests and rights of the population, maintaining the security and defense capability of the state. At the same time, FZ No. 152 does not establish any other rules. In particular, there are no conditions under which countries providing adequate protection of personal information could limit the cross-border transfer of personal data. These are the states that act as participants of the ETS Convention No. 108, as well as those listed in the list approved by Roscomnadzor Order No. 274.

Exceptions

Federal Law No. 152 specifies cases when states that, despite the lack of adequate protection of personal information, can cross-border personal data transfer. These are the situations:

1. Provided in the federal legislation, if the provision of information is required to protect the constitutional foundations, ensure the security and defense capability of the country, the sustainable functioning of the transport infrastructure, protect the interests of society, the individual and the state from unlawful interference.
2. When the contract is executed, the participant of which is the carrier of the information provided.
3. When it is necessary to ensure protection of health, life and other important interests of the subject of personal data, as well as other persons if it is impossible to obtain the written consent of the first.
4. Provided in international agreements.
5. When consent is received for the cross-border transfer of personal data from the subject of PND.

An Important Moment

If there is permission from the subject of PND, in accordance with Federal Law No. 152, cross-border transfer of personal data is allowed. This permit presupposes that a person is notified that information relating to him personally will be provided to a foreign counterparty. The need to obtain such a document when sending information to countries that provide adequate protection is not established in a normative act. Nevertheless, it is important that the subject be informed by the operator of the alleged actions.

Public policy

To avoid problems, the operator indicates:

1. What is transboundary transfer for?
2. What is the amount of information provided.
3. Persons who receive information.

The operator also notifies Roskomnadzor that a cross-border transfer of personal data will be made. This is done by filling / amending the notice. The notification shall indicate the countries receiving the information. Prior to the processing of information, the subject of NDP is notified of the forthcoming operation. This provision is reflected in the policy, contract or other document, with which the person can get acquainted.

Internal regulations

In local documents, the operator reflects:

1. The legal basis for the provision of personal information to foreign entities. In particular, the list of normative acts on the basis of which the processing and sending of information is made is given.
2. Regulation on cross-border transfer of personal data.
3. Description of activities and protective equipment, including technical and cryptographic.

Agreement

The operator enters into an agreement with an organization that will cross-border the transfer of personal data, which means acceptance by the processor of the duty to respect the confidentiality of information, to comply with the requirements for protecting information, and to ensure their security. The contract also indicates the list of actions committed by the parties.

Use of protective equipment

The operator's duties include the implementation of a number of measures to prevent unauthorized access to personal information in the process of working with information. At the same time, it is allowed to use uncertified cryptographic protective means due to:

1. Requirements of the Convention ETS No. 108, Article 12.2 of which does not allow the creation of restrictions and the introduction of special control over information flows going to the territory of a foreign state, proceeding from the principle of protecting the inviolability of private affairs.
2. There are special conditions for the export of funds from the territory of Russia, including encryption tools.
3. The specifics of the legislation of a foreign country, in which cryptographic equipment is imported, features the receipt of permits from the relevant foreign authorities for this.

FZ No. 242

As was stated above, in 2014 a law was adopted that amended a number of normative acts in terms of clarifying the rules for processing personal information in information and telecommunications networks. FZ No. 242 complements Federal Law No. 152 by requiring that in the process of collecting data, including through the Internet, the operator should ensure the systematization, recording, accumulation, clarification, storage and retrieval of them using databases located in the territory of Russia. This requirement may not be met if personal information is processed for:

1. Achievement of the objectives established in the international agreement or by law, for the implementation of the operator's assigned powers, duties and functions.
2. Administration of justice, execution of judicial decision, an act of another body or employee, subject to enforcement in the manner provided for by the rules of Russian law.
3. Realization of powers by federal, regional, municipal executive power institutions, structures included in extrabudgetary state funds, organizations involved in providing services at the state and local levels.
4. Performing professional tasks of a journalist or media (legitimate), literary, scientific and other creative work. At the same time, the condition on the inadmissibility of infringing the interests of other persons must be fulfilled.

As practice shows, cross-border information transfer is now an effective and convenient tool for interaction. With its correct use, operators can reduce costs when processing information within Russia.