The concept of personal data, consent to processing, publicly available personal data. How to work with personal data correctly so as not to break the law? Who are personal data operators and what do they do?
Every day, people perform many online operations that involve the use of a citizen’s personal data. Most of them do not know the simple rules of safety when using the Internet. For this reason, the government has placed the responsibility of protecting these citizens on the agencies that use employee information.
The main legal document regulating the processing of personal information by various organizations is the Law “On Personal Data” dated July 27, 2006 No. 152-FZ.
The provisions of the law apply to organizations that work with the processing of personal information of citizens or those who have access to it.
Actions that are not regulated by Law 152-FZ:
- Personal information is processed by individuals for personal needs. It should be noted that processing should not violate the rights of the data owner;
- Organization of archives, which is regulated by archiving legislation in the Russian Federation;
- Processing of personal data that contains information related to state secrets;
- Personal data that relates to the activities of judicial authorities and which were submitted in court;
- Personal information related to the activities of courts.
When was it adopted?
152-FZ was adopted by the State Duma on July 8, 2006. It was approved by the Federation Council on July 14, 2006. The last revision of the law occurred on February 22 of this year. It was valid until March 1, 2017.
Procedure for using personal data
According to the law of the Russian Federation, the head of the company must approve the procedure for using personal information. The required standards are specified in the organization's local data protection document. They must comply with the requirements of legal acts of the Russian Federation and 152-FZ.
A personal data operator is a government or municipal body, an individual or an entity that organizes the processing of personal information and determines the purposes of its use.
The operator's responsibilities include:
1. When collecting personal information, the operator provides the citizen whose data it received, at that citizen's request, with the information provided for in Art. 14 part 7 152-FZ.
2. If a citizen is obliged to provide his information according to the law of the Russian Federation, the operator must explain to him that in case of refusal, he may face legal consequences.
3. If the personal information received by the operator for processing was not provided by its owner, he is obliged to provide him with the following information:
- Full name and address of the operator;
- For what purpose is the data processed and on the basis of what legal acts;
- Rights of the citizen whose data was obtained;
- The source from which the personal information was obtained.
4. According to the provisions of 152-FZ, the operator appoints a responsible person in a certain organization who organizes the processing of received materials. The authorized person receives instructions on further actions from the operator.
Processing of personal information under 152-FZ is permitted in the following cases:
- Analysis of personal information may be carried out with the consent of the citizen whose data was obtained;
- If the processing of information is required to achieve the goals provided for by the law of the Russian Federation or international treaties of Russia;
- Analysis of information is necessary for the court;
- Processing of information is required to protect the life of a citizen;
- Processing is carried out for statistical or research purposes, with the exception of the purposes specified in Article 15, 152-FZ.
Latest changes to the Federal Law “On the Protection of Personal Data”
Since legislative acts often undergo adjustments, changes were also made to 152-FZ.
Due to the entry into force of Federal Law No. 230-FZ of July 3, 2016, the conditions for the analysis of personal information described in Federal Law 152 have undergone changes.
Article 3
Article 3 of the law describes the basic concepts that are used in the act: personal data, operator, processing of personal information, as well as dissemination and provision of personal information. The presented article has not undergone any changes in the latest edition.
Article 5
Article 5 of the federal law describes the principles of information analysis. It is noted that the processing of information is carried out only in accordance with the law and that combining databases containing personal information of citizens is prohibited. There were no changes to this article in the latest revision.
Article 7
Article 7 of 152-FZ states that operators and other responsible persons who have access to personal data are obliged not to disseminate information without obtaining the consent of the owner. The article has not undergone any changes.
Article 9
Article 9 of 152-FZ provides information about the subject’s consent to the processing of his personal data. It also provides information on how to draw up written consent.
At the last revision, there were no changes to the current article.
Article 19
Article 19 of Federal Law 152 indicates measures to ensure the security of personal information during its analysis.
Download 152-FZ
To resolve a conflict situation or other issues related to the protection of personal data, study the latest edition of 152-FZ of the Russian Federation. All amendments, additions and changes are presented. You can download the amended law at
Personal data of employees - any information necessary for the administration in connection with labor relations and relating to a specific employee (Clause 1, Article 3 of the Law of July 27, 2006 No. 152-FZ).
A full name and any other information about an individual is personal data. If you have employees or hold personal information about applicants, clients or other individuals, you must comply with the requirements of the law on personal data No. 152-FZ dated June 27, 2006.
The accounting and personnel departments store documents containing personal data of employees - salary statements, personal cards, personal files and others. All personal data of an employee can only be obtained from him. If personal information can only be obtained from third parties, then first notify the employee about this and obtain written consent from him. Inform the employee about the purposes, intended sources and methods of obtaining personal data. In addition, inform the employee of the nature of the personal data to be collected and the consequences of the employee’s refusal to consent to receiving it.
Important! - salary information is also personal data. This is stated in the letter of Roskomnadzor dated 02/07/2014 No. 08KM-3681. For the fact that the accountant incorrectly stores or protects data on accruals and payments to employees,. For example, salary information cannot be shared with his ex-wife without the employee's consent.
The organization does not have the right to collect personal data that is not directly related to the employee’s work activity, for example, information about religion, political leanings, living conditions, etc. This information constitutes a citizen’s personal or family secret, which he has the right not to disclose to anyone. This is stated in paragraph 4 of part 1 of Article 86 of the Labor Code and Law of July 27, 2006 No. 152-FZ.
Having received personal data, the employer undertakes not to distribute it or disclose it to third parties without the employee’s consent (Article 7 of Law No. 152-FZ of July 27, 2006).
If the employer keeps copies of employees' passports, military IDs, marriage certificates or children's birth certificates, inspectors from Roskomnadzor can qualify this as processing of personal data that is excessive in relation to the stated purposes of their processing. There are courts that support this position (resolutions of the Federal Antimonopoly Service of the North Caucasus District dated 04/21/2014 No. A53-13327/2013, dated 03/11/2014 No. A53-10287/2013). In this case, the organization and its officials.
Regulations on the Protection of Personal Data, Order on the appointment of a responsible person
To prevent disclosure of personal data, you need to create a reliable system for their protection. The procedure for receiving, processing, transferring and storing such information is established in a local act of the organization, for example, in the regulation on working with personal data of employees. The regulations are approved by the head of the organization. Have the employees read the document and confirm this with their signature (Article 8, clause 8, part 1, article 86, 87 of the Labor Code, clause 2, part 1, article 18.1 of the Law of July 27, 2006 No. 152-FZ).
It is necessary to appoint a person responsible for working with personal data. As a rule, this is a personnel service employee, since it is he who most often comes across personal data of employees in the course of his work. Appoint the person responsible for working with personal data by an order in any form (Part 5 of Article 88 of the Labor Code).
When processing personal data in an information system, it is necessary to ensure the protection and security of personal data. A threat to the security of personal data is a set of conditions and factors that create the danger of unauthorized (including accidental) access to personal data during their processing in the system, which may result in:
- destruction;
- change;
- blocking;
- copying;
- provision;
- dissemination;
- other illegal actions with personal data.
Note: Clause 6 of the requirements approved by Government Decree No. 1119 dated 01.11.2012.
To control the security of personal data during their processing, the employer or a person authorized by him carries out control checks at least once every three years, the specific timing of which is determined by the employer independently. If necessary, organizations or individual entrepreneurs that have a license to carry out activities for the technical protection of confidential information can be involved in conducting an inspection on a contractual basis (clause 17 of the requirements, approved by Government Decree No. 1119 dated 01.11.2012).
Consent to the processing of personal data
In the course of its activities, the employer needs to process the personal data of employees. The processing of such data, with the exception of certain cases, occurs only with the written consent of employees. In this case, the consent must include the following information:
- last name, first name, patronymic, address of the employee, details of the passport (another document proving his identity), including information about the date of issue of the document and the issuing authority;
- name or surname, first name, patronymic and address of the employer (operator) receiving the employee’s consent;
- purpose of processing personal data;
- list of personal data for the processing of which consent is given;
- name or surname, first name, patronymic and address of the person processing personal data on behalf of the employer, if the processing will be entrusted to such a person;
- list of actions with personal data for which consent is given, and a general description of the methods used by the employer for processing personal data;
- the period during which the employee’s consent is valid, as well as the method of its withdrawal, unless otherwise established by federal law;
- employee signature.
If an employee is incapacitated, written consent to the processing of his personal data is given by his legal representative: parent, guardian (Part 6 of Article 9 of Law No. 152-FZ of July 27, 2006).
An employee can withdraw consent to the processing of his personal data at any time by sending a withdrawal notice to the employer in any form. In such a situation, the organization has the right to continue processing personal data without the consent of the employee, taking into account the restrictions from paragraphs 2–11 of part 1 of Article 6, part 2 of Article 10 and part 2 of Article 11 of the Law of July 27, 2006 No. 152-FZ. For example, to administer justice or to protect the life or health of the employee himself. This is stated in Part 2 of Article 9 of the Law of July 27, 2006 No. 152-FZ.
If a dispute arises, the obligation to provide evidence that the employee’s consent to the processing of his personal data has been received rests with the employer (Part 3 of Article 9 of Law No. 152-FZ of July 27, 2006).
With the consent of the employee, the organization also has the right to entrust the processing of personal data to another person (Part 3 of Article 6 of Law No. 152-FZ of July 27, 2006). In this case, the employer will continue to be responsible to the employee for the actions of the specified person, and whoever directly processes personal data on behalf of the employer will be responsible directly to the employer (Part 5, Article 6 of Law No. 152-FZ of July 27, 2006).
The employer must obtain consent to the processing of personal data not only from employees with whom there is an employment relationship, but also from applicants, as well as from people with whom the organization has concluded civil law contracts. This is stated in paragraph 5 of the Roskomnadzor clarification dated December 14, 2012.
Is it necessary to obtain consent from the employee for the processing of personal data during employment?
It all depends on what information the organization wants to receive.
The employer may receive, store and transmit only that information about the employee that is necessary for the execution of the employment contract (clause 2, 5, part 1, article 6 of Law No. 152-FZ of July 27, 2006, hereinafter referred to as Law No. 152-FZ, para. 1, 2 clarifications of Roskomnadzor dated December 14, 2012, hereinafter referred to as the Clarifications). The employee is a party to the employment contract, so it is not necessary to obtain his consent to process personal data in all cases. For example, an employer has the right to process personal data that it has received without the employee’s consent:
- based on the results of a mandatory preliminary medical examination (Article 69 of the Labor Code, clause 3 of the Explanations);
- from the documents that the employee presented when concluding an employment contract (Article 65 of the Labor Code);
- from a recruitment agency acting on behalf of the applicant (paragraph 12, paragraph 5 of the Explanations);
- from the candidate’s resume on the Internet, accessible to an unlimited number of people (clause 10, part 1, article 6 of Law No. 152-FZ, paragraph 12, clause 5 of the Explanations).
Consent is not required for data processing to the extent provided for by the personal card. You can also request information from the employee about his close relatives (clause 2 of the Explanations).
Consent is needed when you want to receive additional information from the applicant that is not necessary for the execution of an employment contract. For example, a personal email address or telephone number. Also obtain consent if you share the employee’s personal data with third parties. For example, a security organization that monitors access control on the territory of your company, or a third-party organization that keeps records of your company (clause 5 of the Explanations).
Is it necessary to obtain consent to process an employee’s personal data to produce a badge for him?
The answer to the question depends on the purpose of making the badge. Consent will be required unless this procedure falls under cases where consent to data processing is not required.
Employee personal data is information that is necessary for the organization and relates to a specific individual, that is, to a specific employee. Examples of such information may include the employee’s last name, first name, and patronymic. This is stated in paragraph 1 of Article 3 of the Law of July 27, 2006 No. 152-FZ.
In general, the processing of an employee’s personal data requires his consent (clauses 2–11, part 1, article 6, part 2, article 10, part 2, article 11 of the Law of July 27, 2006 No. 152-FZ). At the same time, the law provides for exceptional cases when consent is not required. For example, if the processing of data involves an employee performing job responsibilities, including during his business trip. Or if the processing of personal data is carried out during the implementation of access control on the territory of the employer’s office buildings and premises, provided that the employer organizes access control independently. This is stated in paragraphs 1–5 of the explanations of Roskomnadzor dated December 14, 2012.
Thus, if, given its purpose, the production of a badge falls under the specified exceptions, then it is not necessary to obtain additional consent from the employee. If this does not apply and the production of a badge is a one-time procedure not directly related to the employee’s work activity, then consent must be obtained.
If you place a photo on the badge, be sure to obtain the employee’s consent to process personal data. A photograph is biometric data (ruling of the Supreme Court dated 03/05/2018 No. 307-KG18-101).
Disciplinary, material, administrative and criminal liability for violations in working with personal data
For violation of the procedure for receiving, processing, storing and protecting personal data of employees, disciplinary, material, administrative and criminal liability is provided (Part 1 of Article 24 of the Law of July 27, 2006).
Only those employees who have accepted obligations to comply with the rules for working with personal data and have violated them can be brought to disciplinary liability.
Material liability may occur if, in connection with a violation of the rules for working with personal data, the organization has suffered direct actual damage (Article 192, Article 238 of the Labor Code).
For violating the procedure for collecting, storing, using or distributing personal data, the organization and its officials will be fined. During one inspection, Roskomnadzor may detect several different violations. In that case it will impose several fines at once.
The amount of fines depends on the type of offense committed. Thus, officials can be fined in the amount of 3,000 to 20,000 rubles, individual entrepreneurs - in the amount of 5,000 to 20,000 rubles, organizations - in the amount of 15,000 to 75,000 rubles.
Under Article 137 of the Criminal Code, criminal liability may arise for the head of an organization or another person responsible for working with personal data if they illegally:
- collect or disseminate information about the private life of an employee that constitutes his personal or family secret, without his consent;
- disseminate information about the employee's life through a public speech, publicly displayed work, or the media.
The following penalties are provided for these violations:
- a fine of up to 200,000 rubles. (or in the amount of the convicted person’s income for a period of up to 18 months);
- compulsory work for up to 360 hours;
- correctional labor for up to one year;
- forced labor for a term of up to two years with or without deprivation of the right to hold certain positions or engage in certain activities for a term of up to three years;
- arrest for up to four months;
- imprisonment for a term of up to two years with deprivation of the right to hold certain positions or engage in certain activities for a term of up to three years.
If, as a result of violations committed by the employer when working with personal data, the employee’s rights are violated, then he also has the right to demand compensation for moral damage from the organization. Compensation for moral damage is carried out regardless of compensation for property damage and other losses incurred by the employee. This is stated in Part 2 of Article 24 of the Law of July 27, 2006. The procedure for compensation for moral damage is regulated by civil law.
TIN is not personal data
Each taxpayer is assigned a single TIN for all types of taxes and fees throughout the Russian Federation. It is formed as a digital code consisting of a sequence of numbers: the tax authority code (4 characters), the serial number of the record about the person in the Unified State Register of Taxpayers (6 characters) and a control number (2 characters).
The TIN is actually the number of the record about a person in the Unified State Register of Taxpayers and is not information included in the list of personal data; it is used solely for the purpose of streamlining the accounting of taxpayers within the system of tax authorities, and also serves only to speed up the processing of a huge flow of information in the interests of respecting the rights of taxpayers.
Note: Letter of the Ministry of Finance No. 03-01-11/76554 dated October 25, 2018.