Federal Law 152-FZ Cloud for VMware

No. Hosting your system in the Russian Federation would only allow you to meet the requirements of Federal Law No. 152-FZ for the localization of personal data. Your information systems need to be protected by the technical measures stipulated by FSTEC Order No. 21 in your area of responsibility.

You must implement the measures set out in articles 18.1 and 19 of Federal Law No. 152-FZ within your organization and each of its personal data processing systems.

There are 4 protection levels (PL). To determine your level, you need to know whose data, which categories of data, and the volume of data you are processing, as well as the type of relevant threats.

Relevant threats are conditions and factors that create the risk of unauthorized access to personal data (PD). There are 3 types of threats:

• Type 1 threats are related to undocumented (undeclared) features in the system software.
• Type 2 threats are related to undocumented (undeclared) features in the application software.
• Type 3 threats are not related to undocumented (undeclared) features in the system software and application software.

Data related to race, ethnic origin, political views, religious or philosophical beliefs, health, and private life.

In most cases, you need the written consent of the personal data subject in order to process special categories of personal data.

In most cases, commercial companies can confirm their compliance with the requirements of Federal Law No. 152-FZ by presenting an effectiveness assessment report without certification testing. Companies that have the appropriate competencies can do this themselves.

Certification is mandatory for state and municipal systems. Commercial entities may require certification, for example, if they are connecting to state systems or need to comply with contract requirements (in these cases, certification is carried out on a voluntary basis). The certification is carried out by an FSTEC licensee and imposes a number of additional restrictions on the information system.

To legally process personal data by a third-party company, you need to sign a Personal Data Processing Assignment Contract in accordance with article 6 of Federal Law No. 152-FZ. To do this, create a ticket in the control panel and provide the following information:

— personal data categories;
— categories of personal data subjects;
— level of personal data protection.

Based on this information, we will prepare the assignment for personal data processing, which can be signed through the electronic document flow system.

When you submit a notice to Roskomnadzor for an information system that processes personal data in Cloud powered by VMware, provide the following details:

Country: Russia

Data Center Address (this depends on the location providing you with cloud-based resources):

— MSK-1: 36 Berzarina St., b. 3, Moscow;
— SPB-1: 1 Sovetskaya St., Dubrovka urban-type settlement, Leningrad region;
— SPB-DR1: 1 Sovetskaya St., Dubrovka urban-type settlement, Leningrad region; and 28 Kolya Tomchak St., letter K, Saint Petersburg;
— MSK-DR1: 36 Berzarina St., b. 3, Moscow; and 69 Aviamotornaya St., Moscow.

In-House Data Centers: n/a

Type of Organization: Legal entity

Legal Form: Limited Liability Company

Name of Organization: Selectel

OGRN (Primary State Registration Number): 1089847357126

INN (Taxpayer Identification Number): 7842393933

Country of Location: Russia

Address of Location: 21 Tsvetochnaya St., letter A, Saint Petersburg

According to the Law «On Personal Data», this is any information relating directly or indirectly to a specific or identifiable individual (personal data subject). In other words, data on a person that makes it possible to identify them, or data on an already identified person (such as full name and passport details).