Protection of employee personal data. Who are personal data operators and what do they do?
Employee personal data is any information that the employer needs in connection with the employment relationship and that relates to a specific employee (Clause 1, Article 3 of the Law of July 27, 2006 No. 152-FZ).
A full name and any other information about an individual is personal data. If you have employees or hold personal information about applicants, clients or other individuals, you must comply with the requirements of the law on personal data, Law No. 152-FZ dated July 27, 2006.
The accounting and personnel departments store documents containing employees' personal data: salary statements, personal cards, personal files and others. All of an employee's personal data must be obtained from the employee himself. If personal information can only be obtained from third parties, first notify the employee and obtain his written consent. Inform the employee of the purposes, intended sources and methods of obtaining the personal data, the nature of the data to be collected, and the consequences of his refusal to consent to its collection.
Important! Salary information is also personal data. This is stated in the letter of Roskomnadzor dated 02/07/2014 No. 08KM-3681. For the fact that the accountant incorrectly stores or protects data on accruals and payments to employees,. For example, an employee's salary information cannot be shared with his ex-wife without the employee's consent.
The organization does not have the right to collect personal data that is not directly related to the employee’s work activity, for example, information about religion, political leanings, living conditions, etc. This information constitutes a citizen’s personal or family secret, which he has the right not to disclose to anyone. This is stated in paragraph 4 of part 1 of Article 86 of the Labor Code and Law of July 27, 2006 No. 152-FZ.
Having received personal data, the employer undertakes not to distribute it or disclose it to third parties without the employee’s consent (Article 7 of Law No. 152-FZ of July 27, 2006).
Inspectors from Roskomnadzor may classify the employer's keeping of copies of employees' passports, military IDs, marriage certificates and children's birth certificates as processing of personal data that is redundant in relation to the stated purposes of processing. Some courts support this position (resolutions of the Federal Antimonopoly Service of the North Caucasus District dated 04/21/2014 No. A53-13327/2013 and dated 03/11/2014 No. A53-10287/2013). In this case, the organization and its officials.
Regulations on the Protection of Personal Data, Order on the appointment of a responsible person
To prevent disclosure of personal data, you need to build a reliable system for protecting it. The procedure for receiving, processing, transferring and storing such information is established in a local act of the organization, for example, in a regulation on working with employees' personal data. The regulation is approved by the head of the organization. Familiarize employees with the document against signature (Article 8, clause 8 of part 1 of Article 86, Article 87 of the Labor Code; clause 2 of part 1 of Article 18.1 of the Law of July 27, 2006 No. 152-FZ).
To avoid sanctions, see the memo on which actions with personal data an accountant can be penalised for.
It is necessary to appoint a person responsible for working with personal data. As a rule, this is a personnel service employee, since such employees most often handle employees' personal data in the course of their work. Appoint the person responsible for working with personal data by an order in free form (Part 5 of Article 88 of the Labor Code).
When processing personal data in an information system, the protection and security of the personal data must be ensured. A threat to the security of personal data is a set of conditions and factors that create the danger of unauthorized (including accidental) access to personal data during their processing in the system, which may result in:
- destruction;
- modification;
- blocking;
- copying;
- provision;
- dissemination;
- other unlawful actions with personal data.
Note: Clause 6 of the requirements approved by Government Decree No. 1119 dated 01.11.2012.
To monitor the security of personal data during processing, the employer or a person authorized by the employer carries out control checks at least once every three years; the specific timing is determined by the employer independently. If necessary, organizations or individual entrepreneurs licensed to carry out technical protection of confidential information may be engaged on a contractual basis to conduct the inspection (clause 17 of the requirements approved by Government Decree No. 1119 dated 01.11.2012).
Consent to the processing of personal data
In the course of its activities, the employer needs to process employees' personal data. Except in certain cases, such processing takes place only with the employee's written consent. The consent must contain the following information:
- last name, first name, patronymic and address of the employee, and details of his passport (or another identity document), including the date of issue and the issuing authority;
- the name (or surname, first name and patronymic) and address of the employer (operator) receiving the employee's consent;
- the purpose of processing the personal data;
- the list of personal data for whose processing consent is given;
- the name (or surname, first name and patronymic) and address of the person processing personal data on behalf of the employer, if processing will be entrusted to such a person;
- the list of actions with personal data for which consent is given, and a general description of the processing methods used by the employer;
- the period during which the employee's consent is valid and the method of withdrawing it, unless otherwise established by federal law;
- the employee's signature.
If an employee is incapacitated, written consent to the processing of his personal data is given by his legal representative: parent, guardian (Part 6 of Article 9 of Law No. 152-FZ of July 27, 2006).
An employee can at any time withdraw consent to the processing of his personal data by sending a withdrawal notice to the employer in any form. In that situation the organization has the right to continue processing the personal data without the employee's consent, subject to the restrictions in paragraphs 2–11 of part 1 of Article 6, part 2 of Article 10 and part 2 of Article 11 of the Law of July 27, 2006 No. 152-FZ, for example for the administration of justice or to protect the life or health of the employee himself. This is stated in Part 2 of Article 9 of the Law of July 27, 2006 No. 152-FZ.
If a dispute arises, the obligation to provide evidence that the employee’s consent to the processing of his personal data has been received rests with the employer (Part 3 of Article 9 of Law No. 152-FZ of July 27, 2006).
With the consent of the employee, the organization also has the right to entrust the processing of personal data to another person (Part 3 of Article 6 of Law No. 152-FZ of July 27, 2006). In this case, the employer will continue to be responsible to the employee for the actions of the specified person, and whoever directly processes personal data on behalf of the employer will be responsible directly to the employer (Part 5, Article 6 of Law No. 152-FZ of July 27, 2006).
The employer must obtain consent to the processing of personal data not only from employees with whom it has an employment relationship, but also from applicants and from people with whom the organization has concluded civil law contracts. This is stated in paragraph 5 of the Roskomnadzor clarification dated December 14, 2012.
Is it necessary to obtain consent from the employee for the processing of personal data during employment?
It all depends on what information the organization wants to receive.
The employer may receive, store and transmit only that information about the employee which is necessary for the execution of the employment contract (clauses 2 and 5 of part 1 of Article 6 of Law No. 152-FZ of July 27, 2006, hereinafter Law No. 152-FZ; paragraphs 1 and 2 of the Roskomnadzor clarifications dated December 14, 2012, hereinafter the Clarifications). The employee is a party to the employment contract, so it is not necessary to obtain his consent to process personal data in all cases. For example, an employer has the right to process, without the employee's consent, personal data that it has received:
- based on the results of a mandatory preliminary medical examination (Article 69 of the Labor Code, clause 3 of the Clarifications);
- from the documents that the employee presented when concluding the employment contract (Article 65 of the Labor Code);
- from a recruitment agency acting on behalf of the applicant (paragraph 12 of clause 5 of the Clarifications);
- from the candidate's resume on the Internet, where it is accessible to an unlimited number of people (clause 10 of part 1 of Article 6 of Law No. 152-FZ; paragraph 12 of clause 5 of the Clarifications).
Consent is not required for processing data to the extent provided for in the employee's personal card. You can also request information from the employee about his close relatives (clause 2 of the Clarifications).
Consent is needed when you want to obtain additional information from the applicant that is not necessary for the execution of the employment contract, for example a personal email address or telephone number. Also obtain consent if you share the employee's personal data with third parties, for example a security organization that monitors access control on your company's premises, or a third-party organization that keeps your company's records (clause 5 of the Clarifications).
Is it necessary to obtain consent to process an employee’s personal data to produce a badge for him?
The answer depends on the purpose of making the badge. Consent will be required unless the procedure falls under the cases in which consent to processing is not required.
Employee personal data is information, necessary for the organization and relating to a specific individual, that is, a specific employee. Examples of such information may include the employee’s last name, first name, and patronymic. This is stated in paragraph 1 of Article 3 of the Law of July 27, 2006 No. 152-FZ.
In general, the processing of an employee’s personal data requires his consent (clauses 2–11, part 1, article 6, part 2, article 10, part 2, article 11 of the Law of July 27, 2006 No. 152-FZ). At the same time, the law provides for exceptional cases when consent is not required. For example, if the processing of data involves an employee performing job responsibilities, including during his business trip. Or if the processing of personal data is carried out during the implementation of access control on the territory of the employer’s office buildings and premises, provided that the employer organizes access control independently. This is stated in paragraphs 1–5 of the explanations of Roskomnadzor dated December 14, 2012.
Thus, if the production of a badge based on the purpose falls under the specified exceptions, then it is not necessary to obtain additional consent from the employee. If this does not apply and the production of a badge is a one-time procedure not directly related to the employee’s work activity, then consent must be obtained.
If the badge carries the employee's photograph, be sure to obtain the employee's consent to the processing of personal data: a photograph is biometric data (ruling of the Supreme Court dated 03/05/2018 No. 307-KG18-101).
Disciplinary, material, administrative and criminal liability for violations in working with personal data
For violation of the procedure for receiving, processing, storing and protecting personal data of employees, disciplinary, material, administrative and criminal liability is provided (Part 1 of Article 24 of the Law of July 27, 2006).
Disciplinary liability can be imposed only on those employees who have accepted obligations to comply with the rules for working with personal data and have violated them.
Material liability may arise if, as a result of a violation of the rules for working with personal data, the organization has suffered direct actual damage (Articles 192 and 238 of the Labor Code).
For violating the procedure for collecting, storing, using or distributing personal data, the organization and its officials will be fined. During one inspection Roskomnadzor may detect several different violations, in which case it will impose several fines at once.
The amount of fines depends on the type of offense committed. Thus, officials can be fined in the amount of 3,000 to 20,000 rubles, individual entrepreneurs - in the amount of 5,000 to 20,000 rubles, organizations - in the amount of 15,000 to 75,000 rubles.
Criminal liability under Article 137 of the Criminal Code may arise for the head of an organization or another person responsible for working with personal data if that person unlawfully:
- collects or disseminates information about an employee's private life that constitutes his personal or family secret, without his consent;
- disseminates information about the employee's private life in a public speech, a publicly displayed work, or the media.
The following penalties are provided for these violations:
- a fine of up to 200,000 rubles (or in the amount of the convicted person's income for a period of up to 18 months);
- compulsory work for up to 360 hours;
- correctional labor for up to one year;
- forced labor for a term of up to two years with or without deprivation of the right to hold certain positions or engage in certain activities for a term of up to three years;
- arrest for up to four months;
- imprisonment for a term of up to two years with deprivation of the right to hold certain positions or engage in certain activities for a term of up to three years.
If the employer's violations in working with personal data infringe the employee's rights, the employee also has the right to demand compensation for moral damage from the organization. Compensation for moral damage is awarded regardless of compensation for property damage and other losses incurred by the employee. This is stated in Part 2 of Article 24 of the Law of July 27, 2006. The procedure for compensating moral damage is regulated by civil law.
TIN is not personal data
Each taxpayer is assigned a single TIN for all types of taxes and fees throughout the Russian Federation. It is formed as a digital code consisting of a sequence of digits: the tax authority code (4 characters), the serial number of the record about the person in the Unified State Register of Taxpayers (6 characters) and a control number (2 characters).
The TIN is in fact the number of the record about a person in the Unified State Register of Taxpayers and is not information included in the list of personal data; it is used solely to streamline the accounting of taxpayers within the system of tax authorities and serves only to speed up the processing of a huge flow of information in the interests of respecting taxpayers' rights.
Note: Letter of the Ministry of Finance No. 03-01-11/76554 dated October 25, 2018.