
How we helped the cosmodrome to resolve Roskomnadzor's claims

11.06.2024

At the end of February this year, Cosmodrom Exposervice, a well-known space tourism operator, asked us for assistance in resolving a problem related to Roskomnadzor claims of violations when working with personal data of users of the company's websites. The claims of Roskomnadzor are significant and should be carefully considered. The deadlines, as is customary, are as tight as possible, but first things first.

To prevent, identify, and suppress violations of personal data legislation, employees of the Voronezh Region's Roskomnadzor Office conducted an inspection of our client without interfering with the company. As part of the control activities, an assessment was made of the compliance of the information gathered through the site with the requirements of the Russian Federation's legislation on personal data, as well as the information presented in the register of RKN operators.

Based on the assessment results, the inspectors prepared a conclusion in which a number of violations of the requirements of the Federal Law of July 27, 2006 No. 152-FZ “On Personal Data” (hereinafter referred to as the Law on Personal Data) were identified. The main complaints were that documents relating to the processing of personal data, including user cookie data, were not properly published on the operator's websites, notification of the intention to process personal data in the prescribed form was not submitted in a timely manner, and the operator did not have permission to conduct cross-border data transfers based on documented use of Google Analytics metrics. Furthermore, when users completed feedback forms, the sites were unable to obtain their consent for data processing. The client is required to bring its activities in line with current legislation. The response time to a request, including the delay in contacting lawyers, is two calendar days.

Our team accepted the challenge and immediately set about resolving the issue. We first audited both websites to identify any violations or issues. Next, we created a detailed action plan that included creating the necessary documents, making changes to websites to ensure compliance with legal requirements, and making recommendations for future document management related to personal data processing within the organization. Due to time constraints, an information letter with a request to include the company in the register of RKN operators had to be prepared concurrently with the legal binding of the sites.

At the notification generation stage, we requested complete information from the client about the content and volume of personal data processed in the company and planned for cross-border transfer, as well as an assessment of the company's need for further use of Google Analytics services as a marketing tool and an estimate of the costs.

The problem is that using Google Analytics requires transferring user data to a foreign legal entity on the territory of a foreign state. For the operator, this implies two obligations: a) to comply with the requirements of the law on the localization of personal data (i.e., the initial recording of information about Russian citizens, including information about cookies, in databases located on the territory of the Russian Federation); and b) to obtain Roskomnadzor's permission for cross-border transfer of personal data by submitting the appropriate notification under Article 12 of the Law on Personal Data. At the same time, the ability to file a notification about a cross-border transfer is directly dependent on the company's entry in the register of operators as a personal data operator.

Failure to comply with the relevant requirements may result in fines of up to 18 million rubles for repeat violations (see clauses 1, 8, and 9 of Article 13.11 of the Code of Administrative Offenses).

As a result, the client decided to change the company's marketing strategy for data collection and processing with Google Analytics and to carry out a planned shutdown of that service on the operator's websites. The operator does not currently collect user data through Google Analytics or send it to foreign servers. Consequently, notification of intention to transfer user data across borders is not required.

According to the requirements of Article 9 of the Law on Personal Data, the company placed pop-up windows on the websites with a notification about the use of cookies and an integrated link leading to pages displaying the current text of the Cookies Policy. Any user who visits the sites has the opportunity to learn about and manage the terms of use for their user data, as specified in the Cookies Data Use Policy.

Furthermore, the company provided unlimited access to a document outlining the operator's policy for processing personal data, which meets the requirements of Part 2 of Article 18.1 of the Law on Personal Data. This document specifies the requirements for protecting users' personal data, the categories and lists of personal data processed for each purpose, the methods and terms of data processing and storage, and the procedure for data destruction. The text containing the corresponding content is titled Personal Data Privacy Policy and is displayed on the page. These links are located in each site's footer and can also be accessed through an internal link system used by the operator when collecting personal data via feedback forms.

Thus, all the inspection authorities' questions were answered. The company promptly informed the regulatory authorities of its intention to process personal data using the unified identification and authentication system, and a record of this has already been created in the register of personal data operators.
