The concept of personal data, consent to processing, publicly available personal data. Procedure for using personal data


Hello!
We are a state-owned enterprise (FSUE); non-employees must provide their passport details to receive a one-time, one-day pass.

Previously, the process looked like this: if you invite a visitor, you request his data by email or write it down over the phone, fill out the form in Excel, print it and take it to the security officer for signature, after which the signed form is taken to the checkpoint, where the visitor’s PD is checked against the passport he presents, and on this basis he is issued a visitor pass.

We have written a small web application that is available on the enterprise’s internal network and allows anyone to enter all of a visitor’s data (both full name and personal data), but does not allow that data to be viewed or edited afterwards; the ability to view and correct the entered passport data is available only to security department employees. Access control is implemented at the application level, in the program code, based on settings stored in the database.

The stack uses Microsoft products (IIS and MS SQL Server), the application is implemented on the ASP.NET MVC framework, and the browser acts as the client side.

Currently, a third-party organization is working on certifying our other systems that process personal data; for the system described here, they proposed an option using a limited number of PCs, because, according to them, the processing of personal data (potentially) occurs on all machines of the enterprise. That is, they propose installing special software on, roughly speaking, 50 PCs and making it possible to work with the application only from those machines. We are not very happy with this option; ideally, we would like any user on the enterprise’s local network to be able to enter a visitor’s data into the database (it can be assumed that the visitor’s consent to the use of his data is available).
For the other systems everything was simpler: there was a limited circle of users (for example, the entire accounting department), and they were simply moved to a separate subnet behind a firewall. Here this is not possible, as far as I understand, because access control does not happen at the network level but on the application side, in the logic of the server part of the application.

It seems to me that this situation is not unique. Can anyone tell me what options there are for organizing the protection of personal data in accordance with the requirements of the law? I am interested in schemes that would satisfy the regulatory authorities.

Thank you in advance.

P.S. I forgot to clarify: many enterprise PCs have access to the Internet through our proxy server, the entire network is domain-based, and authentication in the application is also domain-based. There is a server room for secure server placement; we are only interested in software or hardware options for data protection.

Not all companies and individual entrepreneurs know whether they are personal data operators and whether they need to transfer information about themselves to Roskomnadzor. Let's figure out who the service is monitoring more closely and how to notify citizens about the start of processing personal information.

Who are personal data operators and what do they do?

Most people know that personal data (hereinafter referred to as PD) includes a citizen’s last name, first name and patronymic, information from his passport, mobile phone number, residential address and e-mail. What other information could be included in this list? It turns out that any information can: an exhaustive list is not given anywhere, and in principle there cannot be one. This is confirmed by the wording of Federal Law No. 152-FZ dated July 27, 2006:

Personal data is any information relating to a directly or indirectly identified or identifiable individual (the subject of personal data).

It turns out that in some cases the last name, first name and car number will be enough to identify a citizen, while in others you will also need his driver’s license number and registration address.

A personal data operator is a state or municipal body, a legal entity or an individual who:

  • independently or jointly with other persons organizes and/or carries out the processing of personal data;
  • defines the goals of working with personal information, its composition, as well as actions (operations) with it.

That is, anyone who requests and uses personal data is their operator. And everyone who has access to and processes information by which a citizen can be identified actually works with personal data and is responsible for failure to comply with the law on their protection.

Let's imagine who might be classified as PD operators. Banks? Yes! Sites that collect material about subscribers? Yes! Legal and accounting companies providing various services? Yes! Shops and beauty salons offering to purchase a bonus card? Yes again! Homeowners' associations, universities, kindergartens, travel agencies, medical institutions, automated systems, including government ones? Yes, yes, yes! PD operators are everywhere, in every field!

Obligations of the operator when processing personal data

Everyone who deals with personal data is obliged to comply with certain rules for collecting, ensuring security, clarifying, blocking and destroying this type of information. According to Law No. 152-FZ, operators must:

Registration with Roskomnadzor as a personal data operator

The law stipulates that before starting work with personal information, it is necessary to contact the authorized supervisory authority and notify about the start of work with personal information. This does not mean that every company must be included in the Roskomnadzor register of personal data operators. This list does not include:

  • employers. They collect and store information in accordance with labor legislation, for example, when drawing up employment contracts, various personnel orders;
  • mobile or landline telephone operators, if the data is obtained solely for the provision of communication services under a concluded contract and is not distributed or provided to third parties without the consent of the personal data subject;
  • public associations or religious organizations that gain access to the data of their members (participants) to achieve the purposes provided for in constituent documents;
  • organizations and individuals using publicly available information that subjects of personal data themselves disclosed, for example, on personal websites;
  • any companies that operate a pass system. If a citizen’s passport data is copied to obtain a one-time pass to the organization’s territory, there will be no need to register;
  • systems with the status of state automated information systems, as well as state PD systems created to protect state security and public order. There are a lot of them, and among them are the Era-Glonass and Management systems, AIS for accounting of non-profit and religious organizations and many others at the federal and regional level;
  • citizens and organizations that process information without the use of automation tools (computers). In doing so, they must be guided by the requirements approved by Government Decree of September 15, 2008 No. 687;
  • organizations that request data to ensure the safe operation of the transport complex, for example, when booking and purchasing tickets, including through online services of carriers or intermediaries.

Taking into account such formulations, many of the organizations are no longer included in the register of operators processing personal data maintained by Roskomnadzor. But those to whom exceptions do not apply must be on the list of the regulatory authority.

The registration procedure consists of submitting a notification in a prescribed form. It can be found through the Roskomnadzor personal data register, the government services portal, or in the Order of the Ministry of Telecom and Mass Communications of Russia dated December 21, 2011 No. 346. The required document can also be downloaded free of charge at the end of this article.

Regardless of the method of informing officials, the notification must indicate:

  • full and abbreviated name of the company indicating the organizational and legal form, as well as legal and postal addresses, TIN;
  • the purposes of processing stated in the constituent documents or actually carried out;
  • categories of PD that will be processed;
  • subjects whose PD is planned to be processed, including relationships with them, for example, passenger, borrower, subscriber, depositor, policyholder;
  • the legal basis for the processing (for example, articles of the Air Code of the Russian Federation or of the law on acts of civil status), including whether a license is held for the type of activity being carried out;
  • description of the PD processing methods used and their list: manual, automated or mixed processing;
  • information about the persons responsible for organizing the processing of personal data, their telephone numbers, postal addresses, email;
  • information about encryption (cryptographic) means;
  • start date, as well as conditions and terms for termination of PD processing;
  • information about where the data is stored during its processing, including the location of the database containing the personal data of citizens of the Russian Federation;
  • information about ensuring the security of personal data in accordance with the requirements established by Decree of the Government of the Russian Federation dated November 1, 2012 No. 1119.

Please note that registration of a personal data operator on the Roskomnadzor website is completed within 30 days. If the application is submitted electronically, the company will additionally have to send a paper copy of the notification to the territorial body. If the information is insufficient, officials will send a request to clarify the submitted documents. Refusal to accept a notification and to enter information about an organization into the register is not permitted.

If, for various reasons, the organization has changed the purposes of PD processing or needs to make other changes, within 10 days it sends a letter to Roskomnadzor in the prescribed form. The document can be found below. In addition, the site’s readers can download the form of the document required to exclude a company from the register.

All services provided by Roskomnadzor in this case are free.

Responsibility for refusal to register in the register

Current legislation provides for administrative liability for violation of personal data protection requirements. According to Federal Law No. 13-FZ dated 02/07/2017, which came into effect on July 1, 2017, Article 13.11 of the Code of Administrative Offenses of the Russian Federation lists several offenses for which personal data operators may be fined. Depending on the offense, fines under this article range from 15,000 to 75,000 rubles for legal entities and from 5,000 to 20,000 rubles for individual entrepreneurs.

Refusal to register in the register may be regarded as failure to provide information to the regulatory authority. The punishment for this is provided for in Article 19.7 of the Code of Administrative Offenses of the Russian Federation. According to it, officials face a fine of 300 to 500 rubles, and legal entities - from 3,000 to 5,000 rubles.

How to ensure the collection, processing and protection of an employee’s personal data, what laws govern the work with personal data in an organization - this is discussed in the article.


Policy for the protection and processing of personal data


This list is not exhaustive. Taking into account the specifics of individual positions or types of work, the employer may request from applicants a health certificate, a certificate of no criminal record, or other personal data.

The protection of employee personal data is ensured in accordance with Russian legislation. Separate norms establishing the general procedure for processing confidential information are contained in Articles 86-90 of the Labor Code of the Russian Federation, Articles 137, 140 and 272 of the Criminal Code of the Russian Federation, Articles 5.39 and 13.11-13.14 of the Code of Administrative Offenses of the Russian Federation, and Articles 150-152 and 946 of the Civil Code of the Russian Federation.

There is also a separate regulatory act that fully covers such concepts as “personal data”, “processing of personal information” and “personal data protection”: Federal Law No. 152-FZ of July 27, 2006. This act applies to all employers without exception, regardless of their field of activity, staffing structure and organizational and legal form.

Personal data and protection of employee personal data: Law 152-FZ

Personal data is not limited to one specific type of information. Personal information is divided into three categories:

  • general;
  • special;
  • biometric.

Personal data includes the following information:

  1. qualification level;
  2. education and experience;
  3. salary amount;
  4. social or property status;
  5. location;
  6. previous employment;
  7. date of birth, last name, first name and patronymic of the employee.

When collecting such information, the employer, in accordance with Law No. 152-FZ, acquires the status of an operator, and the employee is treated as a subject of personal data. The collection, processing and protection of an employee's personal data must be carried out lawfully. Information about an employee can only be obtained directly from him, and not through third parties. If, due to some circumstances, information can only be obtained from a third party, the employee must be notified about this in advance and his written consent obtained. A verbal agreement is not sufficient.

local regulatory act of the organization, for example in the Regulations on working with personal data of employees (Articles 8, 87 of the Labor Code of the Russian Federation, paragraph 2, part 1, article 18.1 of the Law of July 27, 2006 No. 152-FZ).

The regulation on the protection of personal data of employees is approved by the head of the enterprise. All employees are familiarized with this regulatory document against signature. The organization appoints a person responsible for working with personal data (Part 5 of Article 88 of the Labor Code of the Russian Federation). Most often, the responsible person is a personnel service specialist, since in the course of his work he deals with the processing of employees' personal data. The responsible person is appointed by an order drawn up in any form.

Regulations on the procedure for storing and protecting personal data of users

Order on the appointment of a person responsible for working with personal data


Depersonalization of information in order to protect personal data of employees

Anonymization of data is carried out in the cases provided for by law. In particular, state and municipal authorities anonymize personal data processed in information systems, including those operating and created within the framework of federal target programs (subparagraph “z” of paragraph 1 of the list approved by Decree of the Government of the Russian Federation of March 21, 2012 No. 211).

Depersonalization refers to actions that make it impossible, without the use of additional information, to determine that personal data belongs to a specific person (Article 3 of the Law of July 27, 2006 No. 152-FZ).

The head of the organization approves the basic rules for working with anonymized data in order to protect the personal data of employees. The requirement to anonymize personal data allows for protection and prevents unauthorized processing.


disciplinary, material, administrative and criminal liability (Article 90 of the Labor Code of the Russian Federation, Part 1 of Article 24 of the Law of July 27, 2006 No. 152-FZ).

Responsible employees for working with personal data may be subject to disciplinary or financial liability if the current rules are violated and this leads to damage. Organization officials will also be fined for these violations.

The head of the enterprise and persons responsible for:

  • illegal collection or distribution of confidential information about the private life of employees, if this information constitutes a personal or family secret;
  • illegal dissemination of said information in public speeches, publicly displayed works or in the media.

Personal data of employees - any information necessary for the administration in connection with labor relations and relating to a specific employee (Clause 1 of Article 3 of the Law of July 27, 2006 No. 152-FZ).

Full name and any other information about an individual is personal data. If you have employees or hold personal information about applicants, clients or other individuals, you must comply requirements of the law on personal data No. 152-FZ dated June 27, 2006

The accounting and personnel departments store documents containing personal data of employees - salary statements, personal cards, personal files and others. All personal data of an employee can only be obtained from him. If personal information can only be obtained from third parties, then first notify the employee about this and obtain written consent from him. Inform the employee about the purposes, intended sources and methods of obtaining personal data. In addition, inform the employee of the nature of the personal data to be collected and the consequences of the employee’s refusal to consent to receiving it.

Important: salary information is also personal data. This is stated in the letter of Roskomnadzor dated 02/07/2014 No. 08KM-3681. For the fact that the accountant incorrectly stores or protects data on accruals and payments to employees,. For example, salary information cannot be shared with his ex-wife without the employee's consent.

The organization does not have the right to collect personal data that is not directly related to the employee’s work activity, for example, information about religion, political leanings, living conditions, etc. This information constitutes a citizen’s personal or family secret, which he has the right not to disclose to anyone. This is stated in paragraph 4 of part 1 of Article 86 of the Labor Code and Law of July 27, 2006 No. 152-FZ.

Having received personal data, the employer undertakes not to distribute it or disclose it to third parties without the employee’s consent (Article 7 of Law No. 152-FZ of July 27, 2006).

If the employer keeps copies of employees' passports, military IDs, marriage certificates or children's birth certificates, Roskomnadzor inspectors can qualify this as processing of personal data that is excessive in relation to the stated purposes of processing. There are courts that support this position (resolutions of the Federal Antimonopoly Service of the North Caucasus District dated 04/21/2014 No. A53-13327/2013 and dated 03/11/2014 No. A53-10287/2013). In this case, the organization and its officials.

Regulations on the Protection of Personal Data, Order on the appointment of a responsible person

To prevent disclosure of personal data, you need to create a reliable system for their protection. The procedure for receiving, processing, transferring and storing such information is established in a local act of the organization, for example, in the regulation on working with personal data of employees. The regulation is approved by the head of the organization. Familiarize the employees with the document against signature (Article 8, clause 8, part 1, article 86, article 87 of the Labor Code, clause 2, part 1, article 18.1 of the Law of July 27, 2006 No. 152-FZ).


It is necessary to appoint a person responsible for working with personal data. As a rule, this is a personnel service employee, since it is he who most often deals with employees' personal data in the course of his work. Appoint the person responsible for working with personal data by an order in any form (Part 5 of Article 88 of the Labor Code).


When processing personal data in an information system, it is necessary to ensure the protection and security of the personal data. A threat to the security of personal data is a set of conditions and factors that create the danger of unauthorized (including accidental) access to personal data during their processing in the system, which may result in:

  • destruction;
  • change;
  • blocking;
  • copying;
  • provision;
  • spreading;
  • other illegal actions with personal data.

Note: Clause 6 of the requirements approved by Government Decree No. 1119 dated 01.11.2012.

To control the security of personal data during their processing, the employer or a person authorized by him carries out control checks at least once every three years; the specific timing is determined by the employer independently. If necessary, organizations or individual entrepreneurs licensed to carry out activities in the technical protection of confidential information may be engaged on a contractual basis to conduct the inspection (clause 17 of the requirements approved by Government Decree No. 1119 dated 01.11.2012).

Consent to the processing of personal data

In the course of its activities, the employer needs to process employees' personal data. Such processing, with the exception of certain cases, takes place only with the written consent of the employees. In this case, the consent must include the following information:

  • last name, first name, patronymic, address of the employee, details of the passport (another document proving his identity), including information about the date of issue of the document and the issuing authority;
  • name or surname, first name, patronymic and address of the employer (operator) receiving the employee’s consent;
  • purpose of processing personal data;
  • list of personal data for the processing of which consent is given;
  • name or surname, first name, patronymic and address of the person processing personal data on behalf of the employer, if the processing will be entrusted to such a person;
  • list of actions with personal data for which consent is given, and a general description of the methods used by the employer for processing personal data;
  • the period during which the employee’s consent is valid, as well as the method of its withdrawal, unless otherwise established by federal law;
  • employee signature.

If an employee is incapacitated, written consent to the processing of his personal data is given by his legal representative: parent, guardian (Part 6 of Article 9 of Law No. 152-FZ of July 27, 2006).

An employee can at any time withdraw consent to the processing of his personal data by sending a withdrawal to the employer in any form. In such a situation, the organization has the right to continue processing personal data without the consent of the employee, taking into account the restrictions in paragraphs 2–11 of part 1 of Article 6, part 2 of Article 10 and part 2 of Article 11 of the Law of July 27, 2006 No. 152-FZ; for example, for the administration of justice or to protect the life or health of the employee himself. This is stated in Part 2 of Article 9 of the Law of July 27, 2006 No. 152-FZ.

If a dispute arises, the obligation to provide evidence that the employee’s consent to the processing of his personal data has been received rests with the employer (Part 3 of Article 9 of Law No. 152-FZ of July 27, 2006).

With the consent of the employee, the organization also has the right to entrust the processing of personal data to another person (Part 3 of Article 6 of Law No. 152-FZ of July 27, 2006). In this case, the employer will continue to be responsible to the employee for the actions of the specified person, and whoever directly processes personal data on behalf of the employer will be responsible directly to the employer (Part 5, Article 6 of Law No. 152-FZ of July 27, 2006).

Consent to the processing of personal data the employer must receive not only from employees with whom there is an employment relationship, but also from applicants, as well as from people with whom civil law contracts have been concluded in the organization. This is stated in paragraph 5 of the Roskomnadzor clarification dated December 14, 2012.

Is it necessary to obtain consent from the employee for the processing of personal data during employment?

It all depends on what information the organization wants to receive.

The employer may receive, store and transmit only that information about the employee that is necessary for the execution of the employment contract (clause 2, 5, part 1, article 6 of Law No. 152-FZ of July 27, 2006, hereinafter referred to as Law No. 152-FZ, para. 1, 2 clarifications of Roskomnadzor dated December 14, 2012, hereinafter referred to as the Clarifications). The employee is a party to the employment contract, so it is not necessary to obtain his consent to process personal data in all cases. For example, an employer has the right to process personal data that it has received without the employee’s consent:

  • based on the results of a mandatory preliminary medical examination (Article 69 of the Labor Code, clause 3 of the Explanations);
  • from the documents that the employee presented when concluding an employment contract (Article 65 of the Labor Code);
  • from a recruitment agency acting on behalf of the applicant (paragraph 12, paragraph 5 of the Explanations);
  • from the candidate’s resume on the Internet, accessible to an unlimited number of people (clause 10, part 1, article 6 of Law No. 152-FZ, paragraph 12, clause 5 of the Explanations).

Consent is not required for data processing to the extent provided for in the employee's personal card. You can also request information from the employee about his close relatives (clause 2 of the Explanations).

Consent is needed when you want to obtain additional information from the applicant that is not necessary for the execution of an employment contract, for example, a personal email address or phone number. Also obtain consent if you share the employee’s personal data with third parties, for example, a security organization that manages access control on the territory of your company, or a third-party organization that keeps your company's accounting records (clause 5 of the Explanations).

Is it necessary to obtain consent to process an employee’s personal data to produce a badge for him?

The answer to the question depends on the purpose of making the badge. Consent will be required unless this procedure falls under cases where data processing is not required.

Employee personal data is information, necessary for the organization and relating to a specific individual, that is, a specific employee. Examples of such information may include the employee’s last name, first name, and patronymic. This is stated in paragraph 1 of Article 3 of the Law of July 27, 2006 No. 152-FZ.

In general, the processing of an employee’s personal data requires his consent (clauses 2–11, part 1, article 6, part 2, article 10, part 2, article 11 of the Law of July 27, 2006 No. 152-FZ). At the same time, the law provides for exceptional cases when consent is not required. For example, if the processing of data involves an employee performing job responsibilities, including during his business trip. Or if the processing of personal data is carried out during the implementation of access control on the territory of the employer’s office buildings and premises, provided that the employer organizes access control independently. This is stated in paragraphs 1–5 of the explanations of Roskomnadzor dated December 14, 2012.

Thus, if the production of a badge based on the purpose falls under the specified exceptions, then it is not necessary to obtain additional consent from the employee. If this does not apply and the production of a badge is a one-time procedure not directly related to the employee’s work activity, then consent must be obtained.

If the badge carries a photograph, be sure to obtain the employee’s consent to the processing of personal data: a photograph is biometric data (ruling of the Supreme Court dated 03/05/2018 No. 307-KG18-101).


Disciplinary, material, administrative and criminal liability for violations in working with personal data

For violation of the procedure for receiving, processing, storing and protecting personal data of employees, disciplinary, material, administrative and criminal liability is provided (Part 1 of Article 24 of the Law of July 27, 2006).

Disciplinary liability: only those employees who have accepted obligations to comply with the rules for working with personal data and have violated them can be held liable.

Material liability may arise if, in connection with a violation of the rules for working with personal data, the organization has suffered direct actual damage (Article 192, Article 238 of the Labor Code).

For violating the procedure for collecting, storing, using or distributing personal data, the organization and its officials will be fined. During a single inspection, Roskomnadzor may detect several different violations, in which case it will impose several fines at once.

The amount of fines depends on the type of offense committed. Thus, officials can be fined in the amount of 3,000 to 20,000 rubles, individual entrepreneurs - in the amount of 5,000 to 20,000 rubles, organizations - in the amount of 15,000 to 75,000 rubles.

Criminal liability

According to Article 137 of the Criminal Code, for the head of an organization or another person responsible for working with personal data, this may occur if it is illegal:

  • collect or disseminate information about the private life of an employee that constitutes his personal or family secret, without his consent;
  • disseminate information about the employee's life through a public speech, publicly displayed work, or the media.

The following penalties are provided for these violations:

  • a fine of up to 200,000 rubles. (or in the amount of the convicted person’s income for a period of up to 18 months);
  • compulsory work for up to 360 hours;
  • correctional labor for up to one year;
  • forced labor for a term of up to two years with or without deprivation of the right to hold certain positions or engage in certain activities for a term of up to three years;
  • arrest for up to four months;
  • imprisonment for a term of up to two years with deprivation of the right to hold certain positions or engage in certain activities for a term of up to three years.

If, as a result of violations committed by the employer when working with personal data, the employee’s rights are violated, then he also has the right to demand compensation for moral damage from the organization. Compensation for moral damage is carried out regardless of compensation for property damage and other losses incurred by the employee. This is stated in Part 2 of Article 24 of the Law of July 27, 2006. The procedure for compensation for moral damage is regulated by civil law.

TIN is not personal data

Each taxpayer is assigned a single TIN for all types of taxes and fees throughout the Russian Federation. It is formed as a digital code consisting of a sequence of digits: the code of the tax authority (4 characters), the serial number of the record about the person in the Unified State Register of Taxpayers (6 characters) and a control number (2 characters).

The TIN is actually the number of the record about a person in the Unified State Register of Taxpayers and is not information included in the list of personal data; it is used solely for the purpose of streamlining the accounting of taxpayers within the system of tax authorities, and serves only to speed up the processing of a huge flow of information in the interests of respecting the rights of taxpayers.

Note: Letter of the Ministry of Finance No. 03-01-11/76554 dated October 25, 2018.
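The 4 + 6 + 2 layout described above can be checked mechanically. The following validator is an added example, not part of the article: it splits a 12-digit TIN into the three fields and verifies the two control digits. The article does not spell out how the control number is computed; the weight tables below are the standard Russian INN check-digit algorithm, and the sample number is a checksum-valid demonstration value, not a real person's TIN.

```python
"""Validator for the 12-digit Russian taxpayer number (TIN / INN) layout:
4-digit tax authority code, 6-digit register record number, 2-digit control number.

Added example. The weight tables are the standard INN check-digit algorithm
(an assumption beyond the article, which only names the three fields).
"""

from typing import NamedTuple, Optional, Tuple

# Weights of the standard 12-digit INN algorithm: the 11th digit is a checksum
# over digits 1-10, the 12th over digits 1-11. Each checksum is (sum % 11) % 10.
_WEIGHTS_11: Tuple[int, ...] = (7, 2, 4, 10, 3, 5, 9, 4, 6, 8)
_WEIGHTS_12: Tuple[int, ...] = (3, 7, 2, 4, 10, 3, 5, 9, 4, 6, 8)


class TinParts(NamedTuple):
    authority_code: str   # 4 digits: tax authority that assigned the number
    record_number: str    # 6 digits: serial number of the record in the register
    control_number: str   # 2 digits: check digits over the preceding digits


def _check_digit(digits: str, weights: Tuple[int, ...]) -> int:
    """Weighted sum of the given digits, reduced mod 11 and then mod 10."""
    total = sum(int(d) * w for d, w in zip(digits, weights))
    return total % 11 % 10


def control_number(first_ten: str) -> str:
    """Return the two control digits for the first ten digits of a 12-digit TIN."""
    if len(first_ten) != 10 or not first_ten.isdigit():
        raise ValueError("expected exactly ten digits")
    d11 = _check_digit(first_ten, _WEIGHTS_11)
    d12 = _check_digit(first_ten + str(d11), _WEIGHTS_12)
    return f"{d11}{d12}"


def parse_tin(tin: str) -> Optional[TinParts]:
    """Split a 12-digit TIN into its fields; None if malformed or the checksum fails."""
    tin = tin.strip()
    if len(tin) != 12 or not tin.isdigit():
        return None                      # wrong length or non-digit characters
    if control_number(tin[:10]) != tin[10:]:
        return None                      # control number does not match
    return TinParts(tin[:4], tin[4:10], tin[10:])


def is_valid_tin(tin: str) -> bool:
    return parse_tin(tin) is not None


if __name__ == "__main__":
    # Constructed inputs: a checksum-valid sample, the same number with a wrong
    # last digit, a truncated number and one containing a letter.
    for sample in ("500100732259", "500100732258", "5001007322", "50010073225A"):
        print(sample, "->", parse_tin(sample))
```

Note that the 6-digit record number only identifies a person in combination with the register itself, which is the basis of the article's claim that the TIN alone is not a personal-data item.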