Personal data processing of a legal entity


When analyzing the rules governing the processing of personal data, the question sometimes arises of whether a legal entity has personal data of its own. Whether consent to their processing is required can become a point of principle when concluding various civil law contracts.

Does a legal entity have personal data?

The legislation defines "personal data" narrowly: only information that directly or indirectly relates to a specific citizen, a natural person, and allows that person to be identified. This definition is contained in the Federal Law "On Personal Data". Practically any item of information can qualify as personal data, from passport details to an e-mail address, as long as it identifies a person.

For a legal entity, the list of identifying information is exhaustive, and almost all of it is contained in the Unified State Register of Legal Entities. The exceptions are the place of residence and passport details of the head, the founders and the authorized representative who performs legally significant registration actions.

Thus, when registering a legal entity, the tax inspectorate receives the personal data of individuals; the citizen does not sign a consent to processing and understands that in certain situations this information may be provided to third parties. These are not the personal data of the legal entity itself. Their confidentiality regime is set by the Law "On Registration", and they may be provided to others only in the cases it establishes.

All other non-public information of a legal entity has a different confidentiality status: it may be protected under the legislation on commercial (trade) secrets.

Transfer of personal data by a legal entity to others for processing

The concept of personal data grew out of the American model of privacy (the right to privacy) and the information rights set out in the Declaration of Human Rights. These include:

  • the right to receive the data one needs, for example, from government agencies;
  • the right to protect one's private information from others.

Accordingly, the key concept is "private life", which a legal entity cannot have.

If the term "personal data of a legal entity" is nevertheless interpreted more broadly, it covers the information about citizens that a company receives in the course of its activities and processes in one way or another. In some cases such data is transferred to other legal entities for processing. An example is online payment, where the payer's data is received by the payment system, the bank and the merchant, whether an online store or another seller.

A similar situation arises when a bank transfers a borrower's data to an insurance company while executing a loan agreement. Another case is the transfer of information to a company providing outsourced accounting or HR services. In all these cases the citizen gives consent to the processing of personal data to one legal entity, while the processing is actually carried out by a second or third, of which the citizen is not informed.

A further case is the storage of information on cloud resources. The information is in fact at the disposal of third parties, and this situation is not always regulated in the contract between the customer and the service provider. This is especially true where the cloud owner has not technically equipped its information system with the means of protecting personal data required by law.

Thus a legal entity, which under the law has no personal data of its own, exercises certain powers over the personal data of these citizens. In some cases it disposes of them imprudently: it does not properly protect them during transfer and does not even mention the possibility of such a transfer in the consent to processing.

Personal data in a legal entity's contracts for their processing

It should be borne in mind that if information entrusted by a citizen to a company is disseminated by that company's counterparties, the greatest liability falls on the party in whose favor the consent was signed. Liability can be:

  • civil, in the form of damages or compensation for moral harm. Lawsuits with such claims are now frequent where banks transfer information about citizens to collection agencies;
  • administrative, in the form of a fine, for example for violating the processing purposes stated in the notification the operator submitted to Roskomnadzor. Fines in Russia are still low. In Europe, under the General Data Protection Regulation, a company may be fined up to €20 million or up to 4% of its annual global turnover for the preceding financial year, whichever is higher;
  • criminal, which arises when the unlawful collection or dissemination of data has caused significant harm.

To avoid these risks, liability for improper processing of personal data must be written into contracts with counterparties. The protection system should therefore look like this:

1. assess the counterparty's technical system for protecting information, for example by requesting evidence of its protective measures, whenever the transferred data is large in volume or of heightened value (medical information, financial information). Where necessary, conclude an agreement with the cloud service provider to strengthen the level of protection;

2. obtain consent to the processing of personal data that names all the counterparties to which the information is expected to be transferred. Judicial practice confirms that this is necessary;

3. introduce a trade secret protection regime in the company, and bring the personal data at the company's disposal, of both employees and customers, under that regime;

4. include in contracts with counterparties a provision on the safeguarding of commercial secrets and fines for any unlawful use.

A legal entity has no personal data of its own, but it uses information entrusted to it by citizens. Control over information transferred to a personal data operator should be exercised both at the level of building information security systems and at the level of structuring relationships with the persons to whom the information is provided for processing.