The use of digital services and software is inevitably linked to the processing of personal data. When working with FoodSoul software, many clients and partners do not even consider that, from a legal standpoint, they are already acting as personal data operators and have certain obligations.

In this article, we will discuss:

• who is a personal data operator;

• what obligations arise for FoodSoul clients;

• what data is processed within the use of FoodSoul software;

• what is Roskomnadzor and what functions does it perform;

• whether it is necessary to notify Roskomnadzor and how;

• how to properly obtain user consent if you use an external data collection form on your website;

• how to work with cookies, analytics, and user requests.

Who is a personal data operator

A personal data operator is any individual or legal entity that:

• collects personal data;
• stores, uses, transfers, or deletes it;
• independently determines the purposes and methods of processing.

Simply put, if you decide why and for what purpose you need user data, you are an operator.

FoodSoul clients become personal data operators if they:

• register users or employees;
• work with client databases;
• accept orders, applications, inquiries;
• use personal accounts and other functions of FoodSoul software.

It does not matter where the data is technically stored: the operator's responsibility remains.

What obligations arise for FoodSoul clients

As a personal data operator, a FoodSoul client has the following key obligations:

• process personal data legally and for specific purposes;
• obtain user consent for data processing (if required);
• inform the user about what data is processed and why;
• ensure the confidentiality and security of data;
• respond to user requests (modification, deletion of data);
• comply with the requirements of Russian legislation on personal data.

The presence of an IT platform does not exempt a business from these obligations. FoodSoul provides the technical part, while the legal responsibility for the legality of processing remains with the FoodSoul partner.

What data is processed within FoodSoul software

1. Data provided by the user

This is information that the user provides independently. It includes:

• During registration or account creation: name, gender, date of birth, contact phone number, email address, photo;
• When placing and fulfilling an order: name, email, payment card details, other payment information, delivery address, contact phone number;
• During feedback, complaints, participation in promotions and loyalty programs: surname, first name, patronymic, contact details, text information, and media content;
• When contacting support: account data, technical parameters of the device and software.

2. Data transmitted automatically

When using FoodSoul software, the following may be processed automatically:

• Technical data: IP address, HTTP headers, cookie data, web beacons/pixel tags, browser and operating system information, mobile device identifier, hardware and software information;
• Usage data: date and time of access to Sites and/or Services, order and action history;
• Geolocation data (if applicable and with user consent).

FoodSoul processes only the information necessary for the operation of the software and the improvement of services.

What is Roskomnadzor and what functions does it perform

Roskomnadzor is a state body that monitors compliance with personal data legislation.

It:

• maintains a register of personal data operators;
• monitors compliance with legal requirements;
• considers user complaints;
• conducts scheduled and unscheduled inspections;
• issues orders to eliminate violations;
• holds operators administratively accountable.

In simple terms, Roskomnadzor ensures that businesses work with personal data correctly and legally.

Do you need to notify Roskomnadzor

In most cases, FoodSoul clients are required to notify Roskomnadzor about the start of personal data processing. Notification is submitted before processing begins or, if processing is already underway, as soon as possible.

Below is a practical step-by-step guide on filling out the electronic form on the website pd.rkn.gov.ru, with examples based on your Privacy Policy.

Guide “How to fill out a notification about the start of personal data processing”

Step 1: General information about the operator

• Region of registration / Type of operator / Name / Address / INN, OGRN: Data is indicated strictly in accordance with the Unified State Register of Legal Entities/Individual Entrepreneurs. Check the relevance of the information on the Federal Tax Service website.
• Phone / Email address: Provide contact details through which Roskomnadzor can contact you.
• Region of processing: Indicate the regions where your company actually operates and processes data (e.g., head office, branches). If activities are conducted throughout Russia, you can indicate “Russian Federation.”

Step 2: Purposes of personal data processing

This is the most important block. You need to describe each purpose in detail. Use section 5 of your Privacy Policy.

Example of filling out for the purpose “Order placement and fulfillment, status control, delivery” (based on clauses 5.2 and 5.3 of the Policy):

• Purpose of processing: Placement, fulfillment, status control, and delivery of user orders for goods/services, interaction with the user regarding the order.
• Categories of personal data: surname, first name, patronymic; phone number; email address; delivery address; payment card data/other payment information; order details.
• Categories of subjects: Users placing orders and requesting delivery.
• Legal basis for processing: Consent of the personal data subject (Article 6 of the Federal Law “On Personal Data”); contract (User Agreement).
• List of actions: Collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (including delegation of processing), anonymization, blocking, deletion, destruction.
• Methods of processing: Automated processing.

Similarly, fill out other purposes from the Policy, such as:

• Account registration (clause 5.1).
• Marketing communications (clause 5.4).
• Feedback and support (clauses 5.5, 5.7).
• Conducting promotions and loyalty programs (clause 5.6).
• Improving service performance, analytics, security (clauses 5.9, 5.10, 5.11).

Step 3: Methods of processing

Select in the tabs: “Automated,” “With transfer over the internal network of the legal entity,” “With transfer over the Internet.”

Step 4: Measures to protect personal data (Articles 18.1 and 19 of Federal Law-152)

Describe specific organizational and technical measures. You can base it on section 7 of your Policy.

Example of filling out:

1. Responsible persons for organizing processing and ensuring the security of personal data have been appointed.

2. A Policy regarding personal data processing has been developed and approved.

3. Employees involved in processing are familiar with the provisions of Russian legislation on personal data and local acts.
4. Access to information systems is managed (accounts, passwords).
5. Technical protection measures are applied: firewalls, antivirus software, intrusion detection systems.
6. Information is backed up regularly.
7. User actions in information systems are logged and accounted for.
8. Data transmission over the Internet uses a secure connection (HTTPS/TLS protocol).

Step 5: Use of encryption (cryptographic) tools

Indicate whether they are used or not.

If used, specify the class of cryptographic protection and the name, manufacturers, and serial numbers of encryption tools.

For example:

• Class of cryptographic protection: KS2; KS3.
• Name, manufacturers, serial numbers of encryption tools: CryptoPro CSP, PAK “AK-server,” VipNet CSP.

Step 6: Dates and conditions

• Start date of processing: Indicate the date when you actually started working with clients' personal data (may coincide with the company's registration date).
• Term or condition for termination of processing: Select in the tab: “Condition for termination.” Then specify: “Liquidation or reorganization of the legal entity.”

Step 7: Cross-border transfer

If you do not transfer data outside the Russian Federation, indicate “Not carried out.”

Step 8: Information about the location of the database

This is a critically important point for FoodSoul clients. LLC “FoodSoul” places the technological infrastructure of the platform (server equipment) on the territory of the Russian Federation in an outsourced data center (DC). Also, if you additionally use your own DC, add information and fill out Database No. 2 with information about your own DC.

Example of filling out information about the data storage location:

• Country: Russia
• DC address: 123060, Moscow, Berzarina St., 36, bldg. 3
• Own DC: no

Information about the organization responsible for data storage:

• Type of organization: legal entity

• Organizational and legal form: JSC

• Name of the organization: Joint Stock Company "Selectel"

• OGRN: 1247800067790

• INN: 7810962785

• Country of location: Russia

• Address of location: 196006, St. Petersburg, Tsvetochnaya St., 21, lit. A (in accordance with the Unified State Register of Legal Entities)

* If your own DC is also used — add Database No. 2 and enter your organization's data in accordance with the Unified State Register of Legal Entities.

Step 9: Information about persons having access and/or processing personal data contained in state and municipal information systems under a contract.

Here, third parties to whom the operator transfers data, who have access to IS, or who process data under a contract (Article 6 of Federal Law-152) are indicated. It is necessary to list the names/individuals, INN, address, and purpose of processing. These include IT companies servicing GIS/MIS, communication operators, engaged contractors, cloud providers to whom personal data is transferred.

If you do not have such systems, you need to delete the set of fields using the “Delete” button under the list of fields with contact details.

Step 10: Information on ensuring the security of personal data

Here, a list of measures implemented by you to comply with the requirements established by the Government of the Russian Federation Decree No. 1119 of November 1, 2012, “On approval of requirements for the protection of personal data during their processing in personal data information systems” is indicated. In this section, you can specify:

The operator ensures compliance with data protection requirements by using the cloud platform provided by LLC “FoodSoul” (INN 4345369685), which meets the following requirements:

1. Organizational measures:

• A contract with the platform owner (LLC “FoodSoul”) has been concluded, defining its obligations as an operator processing on behalf.
• Access rights of the Operator's employees to the platform's functionality are ensured based on the principle of least privilege (role-based access model).
• Employee accounts are protected by unique passwords.

2. Technical measures:

• Access to the platform and data transmission between the user and the system is carried out exclusively over secure communication channels using HTTPS/TLS protocols (encryption).
• User authentication and authorization are ensured by the platform itself.
• Protection against malicious code (antivirus protection) and firewalls are implemented on the platform owner's infrastructure side.
• The platform owner ensures regular data backup and physical protection of server equipment in data centers on the territory of the Russian Federation.
• Security event logging is ensured within the functionality provided by the platform (action logs).

3. Control of measure implementation:

• The operator monitors the platform owner's compliance with the contract terms regarding personal data security.

Step 11: Data of the person who formed the notification

Indicate the full name, position, and contact information of the person sending this notification to Roskomnadzor.

Step 12: Signing and sending the notification

Option 1. In paper form

The printed form of the Notification in paper form must be signed by the head of the organization or a person authorized to sign documents, with the date and seal (if available), and sent to the territorial Office of Roskomnadzor by mail or delivered in person.

Option 2. In electronic form using a qualified electronic signature

You can fill out the form and sign it with an electronic signature. In this case, submission in paper form will not be required. You must have the CryptoPro EDS Browser plug-in installed and configured to work with it.

Option 3. In electronic form using ESIA authentication tools

Authenticate on the State Services portal, fill out the form, and send it electronically. You must have a verified account. Sending a paper copy in this case will not be required. If you are submitting a notification for an organization, your account must be linked to this organization on the State Services portal.

DONE! After successful submission, you will be included in the operators' register. Save the notification number and key.

After successfully submitting the notification to Roskomnadzor and being included in the operators' register, it is necessary to ensure the correct daily work with personal data. Key practical aspects of this work include the use of cookies and analytics, as well as handling requests from users themselves.

Mechanism for obtaining consent when using external data collection forms

Many FoodSoul clients use external data collection forms (widgets) on their websites to attract clients — for example, callback order forms or support contact forms. It is important to understand that such integrations on the site are installed by clients themselves.

To ensure that data collection through these forms is legal, two conditions must be met:

1. Textual consent. Directly below the data collection form (widget), a user-friendly wording should be placed stating that by clicking the submit button, they give consent to the processing of their personal data.

2. Hyperlinks to documents. This wording should contain active (clickable) links to two documents:

   • User Agreement (or Offer Agreement), which describes the terms of service provision.

   • Privacy Policy, which details what data is collected, why, and how it is processed.

Recommended wording for placement under the form:

“By clicking ‘Submit,’ you accept the terms of the User Agreement and give consent to the processing of personal data according to the Privacy Policy.”

This simple measure will protect you from claims by regulatory authorities and prove that the user acted consciously and voluntarily.

How to work with cookies, analytics, and user requests

Cookies and analytics

FoodSoul software uses cookies and counters (if applicable) for:

• ensuring service functionality;
• personalizing features;
• analytics and statistics;
• improving software quality;
• personalizing advertising.

These data are also personal, and their processing should be reflected in the notification, as described above. It is important to remember that the user can prohibit the use of cookies in the browser settings, but certain service functions may be unavailable.

User requests

One of the direct obligations of the operator is to respond promptly to requests from personal data subjects. The user has the right to:

• request information about the processing of their data;
• modify their personal data;
• delete data by sending a request to info@fs.me.

To exercise their rights, the user can contact the operator (FoodSoul client) or use the personal account functionality (where applicable). Deleting an account or withdrawing consent may result in the inability to continue using the relevant Services.

At the same time, legislation may require the operator to store certain data for a specified period or transfer it to state authorities.

Conclusion

By using FoodSoul software, businesses gain a convenient and secure tool, but they also assume the status of a personal data operator. Understanding your obligations, working correctly with data, and having transparent rules for interacting with users are not formalities but a real way to reduce legal risks and increase client trust.

Are you still not in the register? Submit a notification with our guide — it's easier than it seems!
FoodSoul is with you every step of the way.

Best regards,

The FoodSoul Team