Personal data in the cloud: are business concerns justified?
The issue of storing and processing personal data has been actively discussed for many years both in the business community and among IT specialists. The topic of 152-FZ has become overgrown with many myths and speculations. The reason for this is insufficient awareness of the real meaning of the law and sometimes incorrect interpretation of the term "personal data".
In this article, we will dispel some stereotypes about personal data (PDn) and try to understand whether it is possible to place a personal data information system (ISPDn) in the cloud and whether it is safe.
What is personal data?
Many people believe that PDn can include any personal information, from full name to e-mail or mobile phone number. In reality, everything is much more complicated and interesting.
Let's figure out what personal data is from the regulator's point of view.
The category of personal data includes data that directly or indirectly relate to an identified person, i.e. the subject of the personal data.
The interpretation may seem vague at first glance: how can we determine what minimum set of data about a person should be considered sufficient to classify this set as personal data? Let's turn to Roskomnadzor for clarification. In one of its publications, the regulator notes that:
data are considered personal if their total volume is sufficient to identify a person, even if they do not include any identification documents.
If it is impossible to identify a specific person without additional information, such data cannot be considered personal.
To understand how this mechanism works in practice, let's look at several different scenarios.
Online store
Let's say you are the owner of an online store. To place an order, the buyer is asked to fill in the fields with their full name and phone number. Optionally, you can specify the address.
Taken individually, none of these fields counts as personal data, for at least the following reasons:
it is impossible to identify a specific person by full name, since the sample may include full namesakes;
the phone number also does not allow identifying the person;
different people may live at the same address.
A store can reliably identify the buyer only by a minimum set consisting of at least two fields, for example, full name and address.
Thus, the owner of the online store automatically becomes the operator of personal data and is obliged to take care of their protection in accordance with the requirements of regulators.
List of freelancers
An Internet agency that accepts orders for website layout keeps track of its freelance workers in Google spreadsheets. The table does not contain the full names of the performers, but there is a field next to each name or nickname called “Bank card/account number”. As soon as the outsourced specialist completes the assigned task, the manager makes a money transfer to the account number specified in the column.
The agency in this scenario also acts as a personal data operator, since the bank card or account number falls under the definition of an identifier given by Roskomnadzor. An identifier is a certain set of information that allows for the unmistakable identification of the specific person to whom it belongs.