Protection of employee personal data. Who are personal data operators and what do they do?


Employees' personal data is any information the employer needs in connection with the employment relationship and that relates to a specific employee (Clause 1, Article 3 of the Law of July 27, 2006 No. 152-FZ).

A full name and any other information about an individual is personal data. If you have employees or hold personal information about applicants, clients or other individuals, you must comply with the requirements of the Law on Personal Data No. 152-FZ dated June 27, 2006.

The accounting and personnel departments store documents containing employees' personal data: payroll statements, personal cards, personal files and others. An employee's personal data may be obtained only from the employee himself. If personal information can be obtained only from third parties, first notify the employee and obtain his written consent. Inform the employee of the purposes, intended sources and methods of obtaining the personal data, of the nature of the data to be collected, and of the consequences of refusing to consent to its collection.

Important: salary information is also personal data. This is stated in the letter of Roskomnadzor dated 02/07/2014 No. 08KM-3681. For the fact that the accountant incorrectly stores or protects data on accruals and payments to employees,. For example, salary information cannot be disclosed to the employee's ex-wife without the employee's consent.

The organization does not have the right to collect personal data that is not directly related to the employee’s work activity, for example, information about religion, political leanings, living conditions, etc. This information constitutes a citizen’s personal or family secret, which he has the right not to disclose to anyone. This is stated in paragraph 4 of part 1 of Article 86 of the Labor Code and Law of July 27, 2006 No. 152-FZ.

Having received personal data, the employer undertakes not to distribute it or disclose it to third parties without the employee’s consent (Article 7 of Law No. 152-FZ of July 27, 2006).

Roskomnadzor inspectors may qualify an employer's keeping copies of employees' passports, military IDs, marriage certificates and children's birth certificates as processing of personal data that is excessive in relation to the stated purposes of processing. Some courts support this position (resolutions of the Federal Antimonopoly Service of the North Caucasus District dated 04/21/2014 No. A53-13327/2013 and dated 03/11/2014 No. A53-10287/2013). In this case, the organization and its officials.

Regulations on the Protection of Personal Data, Order on the appointment of a responsible person

To prevent disclosure of personal data, you need to build a reliable system for protecting it. The procedure for receiving, processing, transferring and storing such information is established in a local act of the organization, for example in a regulation on working with employees' personal data. The regulation is approved by the head of the organization. Have employees acknowledge the document by signature (Article 8, clause 8, part 1, article 86, article 87 of the Labor Code, clause 2, part 1, article 18.1 of the Law of July 27, 2006 No. 152-FZ).


It is necessary to appoint a person responsible for working with personal data. As a rule, this is a personnel department employee, since it is he who most often deals with employees' personal data in the course of his work. Appoint the person responsible for working with personal data by an order in any form (Part 5 of Article 88 of the Labor Code).


When personal data is processed in an information system, its protection and security must be ensured. A threat to the security of personal data is a set of conditions and factors that create the danger of unauthorized (including accidental) access to personal data during its processing in the system, which may result in:

  • destruction;
  • modification;
  • blocking;
  • copying;
  • provision;
  • dissemination;
  • other unlawful actions with personal data.

Note: Clause 6 of the requirements approved by Government Decree No. 1119 dated 01.11.2012.

To monitor the security of personal data during processing, the employer or a person authorized by the employer carries out control checks at least once every three years; the specific timing is determined by the employer independently. If necessary, organizations or individual entrepreneurs licensed to carry out activities for the technical protection of confidential information may be engaged on a contractual basis to conduct the inspection (clause 17 of the requirements approved by Government Decree No. 1119 dated 01.11.2012).

Consent to the processing of personal data

In the course of its activities, the employer needs to process employees' personal data. Except in certain cases, such processing takes place only with the employees' written consent. The consent must include the following information:

  • last name, first name, patronymic, address of the employee, details of the passport (another document proving his identity), including information about the date of issue of the document and the issuing authority;
  • name or surname, first name, patronymic and address of the employer (operator) receiving the employee’s consent;
  • purpose of processing personal data;
  • list of personal data for the processing of which consent is given;
  • name or surname, first name, patronymic and address of the person processing personal data on behalf of the employer, if the processing will be entrusted to such a person;
  • list of actions with personal data for which consent is given, and a general description of the methods the employer uses to process personal data;
  • the period during which the employee’s consent is valid, as well as the method of its withdrawal, unless otherwise established by federal law;
  • employee signature.

If an employee is incapacitated, written consent to the processing of his personal data is given by his legal representative: parent, guardian (Part 6 of Article 9 of Law No. 152-FZ of July 27, 2006).

An employee may at any time withdraw consent to the processing of his personal data by notifying the employer in any form. In such a situation, the organization has the right to continue processing personal data without the employee's consent, subject to the restrictions of paragraphs 2–11 of part 1 of Article 6, part 2 of Article 10 and part 2 of Article 11 of the Law of July 27, 2006 No. 152-FZ, for example for the administration of justice or to protect the life or health of the employee himself. This is stated in Part 2 of Article 9 of the Law of July 27, 2006 No. 152-FZ.

If a dispute arises, the obligation to provide evidence that the employee’s consent to the processing of his personal data has been received rests with the employer (Part 3 of Article 9 of Law No. 152-FZ of July 27, 2006).

With the consent of the employee, the organization also has the right to entrust the processing of personal data to another person (Part 3 of Article 6 of Law No. 152-FZ of July 27, 2006). In this case, the employer will continue to be responsible to the employee for the actions of the specified person, and whoever directly processes personal data on behalf of the employer will be responsible directly to the employer (Part 5, Article 6 of Law No. 152-FZ of July 27, 2006).

The employer must obtain consent to the processing of personal data not only from employees with whom it has an employment relationship, but also from applicants and from people with whom the organization has concluded civil law contracts. This is stated in paragraph 5 of the Roskomnadzor clarification dated December 14, 2012.

Is it necessary to obtain consent from the employee for the processing of personal data during employment?

It all depends on what information the organization wants to receive.

The employer may receive, store and transmit only that information about the employee that is necessary for the execution of the employment contract (clause 2, 5, part 1, article 6 of Law No. 152-FZ of July 27, 2006, hereinafter referred to as Law No. 152-FZ, para. 1, 2 clarifications of Roskomnadzor dated December 14, 2012, hereinafter referred to as the Clarifications). The employee is a party to the employment contract, so it is not necessary to obtain his consent to process personal data in all cases. For example, an employer has the right to process personal data that it has received without the employee’s consent:

  • based on the results of a mandatory preliminary medical examination (Article 69 of the Labor Code, clause 3 of the Explanations);
  • from the documents that the employee presented when concluding an employment contract (Article 65 of the Labor Code);
  • from a recruitment agency acting on behalf of the applicant (paragraph 12, paragraph 5 of the Explanations);
  • from the candidate’s resume on the Internet, accessible to an unlimited number of people (clause 10, part 1, article 6 of Law No. 152-FZ, paragraph 12, clause 5 of the Explanations).

Consent is not required for processing data to the extent provided for by the personal card form. You can also request information from the employee about his close relatives (clause 2 of the Explanations).

Consent is needed when you want to obtain from the applicant additional information that is not necessary for the execution of an employment contract, for example a personal email address or telephone number. Also obtain consent if you share the employee's personal data with third parties, for example a security company that monitors access control on your company's premises, or a third-party organization that keeps your company's accounting records (clause 5 of the Explanations).

Is it necessary to obtain consent to process an employee’s personal data to produce a badge for him?

The answer depends on the purpose of producing the badge. Consent will be required unless the procedure falls under one of the cases in which consent to data processing is not required.

Employee personal data is information, necessary for the organization and relating to a specific individual, that is, a specific employee. Examples of such information may include the employee’s last name, first name, and patronymic. This is stated in paragraph 1 of Article 3 of the Law of July 27, 2006 No. 152-FZ.

In general, the processing of an employee's personal data requires his consent (clauses 2–11, part 1, article 6, part 2, article 10, part 2, article 11 of the Law of July 27, 2006 No. 152-FZ). At the same time, the law provides for exceptional cases when consent is not required, for example if the data is processed in connection with the employee's performance of his job duties, including during a business trip, or if personal data is processed in the course of access control on the territory of the employer's office buildings and premises, provided that the employer organizes the access control itself. This is stated in paragraphs 1–5 of the explanations of Roskomnadzor dated December 14, 2012.

Thus, if the production of a badge based on the purpose falls under the specified exceptions, then it is not necessary to obtain additional consent from the employee. If this does not apply and the production of a badge is a one-time procedure not directly related to the employee’s work activity, then consent must be obtained.

If the badge carries a photograph, be sure to obtain the employee's consent to the processing of personal data: a photograph is biometric data (ruling of the Supreme Court dated 03/05/2018 No. 307-KG18-101).


Disciplinary, material, administrative and criminal liability for violations in working with personal data

For violation of the procedure for receiving, processing, storing and protecting personal data of employees, disciplinary, material, administrative and criminal liability is provided (Part 1 of Article 24 of the Law of July 27, 2006).

Disciplinary liability can be imposed only on those employees who have undertaken to comply with the rules for working with personal data and have violated them.

Material liability may arise if, in connection with a violation of the rules for working with personal data, the organization has suffered direct actual damage (Article 192, Article 238 of the Labor Code).

For violating the procedure for collecting, storing, using or distributing personal data, the organization and its officials will be fined. During one inspection, Roskomnadzor may find several different violations and will then impose several fines at once.

The amount of fines depends on the type of offense committed. Thus, officials can be fined in the amount of 3,000 to 20,000 rubles, individual entrepreneurs - in the amount of 5,000 to 20,000 rubles, organizations - in the amount of 15,000 to 75,000 rubles.

Under Article 137 of the Criminal Code, the head of an organization or another person responsible for working with personal data may be held criminally liable for unlawfully:

  • collect or disseminate information about the private life of an employee that constitutes his personal or family secret, without his consent;
  • disseminate information about the employee's life through a public speech, publicly displayed work, or the media.

The following penalties are provided for these violations:

  • a fine of up to 200,000 rubles (or in the amount of the convicted person's income for a period of up to 18 months);
  • compulsory work for up to 360 hours;
  • correctional labor for up to one year;
  • forced labor for a term of up to two years with or without deprivation of the right to hold certain positions or engage in certain activities for a term of up to three years;
  • arrest for up to four months;
  • imprisonment for a term of up to two years with deprivation of the right to hold certain positions or engage in certain activities for a term of up to three years.

If, as a result of violations committed by the employer when working with personal data, the employee's rights are violated, the employee also has the right to demand compensation for moral damage from the organization. Compensation for moral damage is paid regardless of compensation for property damage and other losses incurred by the employee. This is stated in Part 2 of Article 24 of the Law of July 27, 2006. The procedure for compensation for moral damage is regulated by civil law.

TIN is not personal data

Each taxpayer is assigned a single TIN for all types of taxes and fees throughout the Russian Federation. It is formed as a digital code consisting of a sequence of digits: the tax authority code (4 characters), the serial number of the record about the person in the Unified State Register of Taxpayers (6 characters) and a control number (2 characters).

The TIN is in fact the number of the record about a person in the Unified State Register of Taxpayers and is not information included in the list of personal data; it is used solely to streamline the accounting of taxpayers within the system of tax authorities, and serves only to speed up the processing of a huge flow of information in the interests of respecting taxpayers' rights.

Note: Letter of the Ministry of Finance No. 03-01-11/76554 dated October 25, 2018.

Hello!
We are a state-owned enterprise (FSUE); non-employees must provide their passport information to receive a one-time one-day pass.

Previously, the process looked like this: if you invite a visitor, you request his data by email or write it down over the phone, fill out and print the form in Excel and take it to the security guard for signature, after which it is printed and taken to the checkpoint, where the visitor's PD is checked against the passport he presents, and on this basis he is issued a visitor pass.

We have written a small web application that is available on the enterprise's internal network and allows anyone to enter all the visitor's data (both full name and personal data), but does not allow them to be subsequently viewed or edited; the ability to view and correct the entered passport data is available only to security department employees, and access differentiation is implemented at the application level in the program code, based on settings stored in the database.

The stack uses Microsoft products - IIS and MSSQL Server, the application is implemented on the ASP.NET MVC framework, and the browser acts as the client part.

Currently, a third-party organization is working on certifying other systems that process personal data; for the system described here they proposed an option using a limited number of PCs, because, according to them, processing of personal data (potentially) occurs on all machines of the enterprise. That is, they offer to install special software on, roughly speaking, 50 PCs and make it possible to work with the application only from these machines. We are not very happy with this option; ideally we would like any user of the enterprise's local network to have the opportunity to enter all the visitor's data into the database (it can be assumed that the visitor's consent to the use of his data is available).
For other systems everything was simpler: there was a limited circle of users (for example, the entire accounting department), and they were simply moved to a separate subnet behind a firewall. Here this is not possible, as far as I understand, because access control does not occur at the network level but on the application side, in the logic of the server part of the application.

It seems to me that this situation is not unique. Can anyone tell me what options there are for organizing the protection of personal data in accordance with the requirements of the law? I am interested in schemes that the regulatory authorities would find acceptable.

Thank you in advance.

P.S. I forgot to clarify: many enterprise PCs have Internet access through our proxy server, the entire network is domain-based, and authentication in the application is also domain-based. There is a server room for secure server placement; we are only interested in options for software or hardware data protection.

Amendments concerning violations of the law on personal data come into force on July 1, 2017 and will affect everyone who collects, processes and stores any personal data.

Fines are now differentiated by type of violation and have increased tenfold. For example, if you do not post a privacy policy on the website, an individual entrepreneur can be fined 10 thousand rubles and a company 30 thousand. And if you process personal data without the consent of an online store client or a subscriber to an information course, the fine for a legal entity will be up to 75 thousand rubles. The director of a company or an entrepreneur will have to pay up to 20 thousand. If there are several violations, there will be several fines.

You urgently need to get your websites in order. Checks are already underway 💻

Currently, only the prosecutor's office can draw up protocols of violations. The fine does not depend on the type of violation and is at most 1,000 rubles for an individual entrepreneur or director and 10 thousand rubles for a legal entity. The procedure takes a lot of time and the fines are small, so inspections are rare and do not reach everyone.

How do I find out if I am a personal data controller?

Personal data is any data about a person by which he can be identified. The law does not contain a list of such data, so you have to work it out yourself. For example, a name or login alone does not let you tell who a person is, but a name together with a phone number, or a name together with an email address, does.

Most likely, you are a personal data operator if you somehow receive the following information from any people in any combination:

  • last name,
  • first name,
  • a physical address,
  • email,
  • telephone,
  • date or place of birth,
  • photograph,
  • link to a personal website or social network,
  • profession,
  • education,
  • income level,
  • marital status.

This means that all owners of sites that have personal accounts, feedback forms, subscription or registration, or where you can buy something, place an ad or fill out a form, are personal data operators. Even if the site only has a button to order a call or send a message, this is also processing of personal data.

And if I record a friend's phone number or a girl's email on a dating site, do I need to comply with this law?

No, you don't. The law does not apply to data processed for personal and family needs. But if you hand over a friend's phone number to debt collectors or publish an ad with a girl's email address on a misogynist forum, that is already a violation.

How to work with personal data correctly so as not to break the law?

At a minimum you need:

  • obtain written consent from each visitor, client or subscriber to the processing, storage and distribution of personal data;
  • publish in the public domain information about everything related to the personal data of clients and visitors;
  • request only the data that is needed for a specific purpose. For example, you cannot ask for a home address or passport details for a subscription to an email newsletter;
  • use data only for the purposes specified in the documents and about which the person was warned;
  • inform, upon request of a person, what data you have about him, how and why it is processed and to whom you transferred it;
  • delete, upon request, the data that is used to send information about discounts and promotions;
  • store databases in a safe place, protect them from hacking and leakage;
  • train employees to work with personal data;
  • register with Roskomnadzor.

What? Should I register somewhere else?

Yes, by law, personal data operators must notify Roskomnadzor. Moreover, this must be done before data processing begins or as soon as possible. Roskomnadzor will enter information about the operator into the general register and will issue it upon request.

Notification may not be submitted if:

  • Only employee data is processed;
  • personal data was obtained only for the execution of a specific contract with a specific person and will not be used further, let alone distributed;
  • the person himself made this data publicly available;
  • you only have the client’s full name and nothing else.

I have a website and I receive personal data. What should I do?

If you have not done anything yet, then you are already breaking the law and you may be fined now. Even if your site is maintained by a web studio or a remote IT specialist, the fine will still be issued to the company or individual entrepreneur listed on the site.

Prepare public documents and post them on the website so that they are accessible from every page. These could be terms of use (as at Lamoda), sales rules, a legal notice (as at M-Video), or a privacy policy (as at Restaurant, Adidas or Ozone). You can also set out the conditions for processing personal data in a regular contract or offer, as Sberbank does.

Do not use other people's documents. You can take them as a guide, but you need to write down your own list of data and purposes of use. What a bank needs to issue a loan or an online store to deliver goods will not be needed for an email newsletter or bulletin board. Requesting unnecessary data is a violation of the law and a reason for a fine.

Implement a solution that will clearly establish that the person has agreed to the processing of personal data. This could be a check mark on the registration form or a warning when placing an order. To be on the safe side, have your web pages certified by a notary.

Prepare internal documents on the storage of personal data and the responsibilities of employees who work with it. Orders, regulations and job descriptions do not need to be made public.

If necessary, send a notification to Roskomnadzor. If you are sure that the notification does not need to be sent, draw up the documents in such a way that it will be clear during the check. For example, write in the policy that you use personal data only for the execution of a specific contract. Or indicate that you are creating a resource on which data is made publicly available at the user’s request.

Is it true that personal data can only be stored on Russian servers? If I host in Europe, am I breaking the law?

There is a lot of uncertainty in the law on this matter. On the one hand, databases must be collected, processed and stored on Russian servers. But there is a separate article on cross-border data transfer. Explanations on this matter have been published on the website of the Ministry of Telecom and Mass Communications, but they too contain many contradictions.

Draw your own conclusions about where to store the data. If you don’t know what to do, send a request to Roskomnadzor or the Ministry of Telecom and Mass Communications. You can also contact your hoster: most often such companies have ready-made solutions.

Calm down, everyone! No one will be fined because of some forms on the site and unnecessary papers.

In the Tambov region, the prosecutor's office fined a law firm for a feedback form that was filled out without the user's consent to the processing of personal data. The courts upheld the fine.

The director of the management company was fined for passing on debtors' data to lawyers in order to draw up statements of claim. He did not obtain consent to process personal data from the residents. The Constitutional Court did not help him.

In Astrakhan, prosecutors fine website owners for alphabetical feedback forms.

In addition to fines payable to the state, violators of the rules for processing personal data may be ordered to pay compensation for moral damage and may even face imprisonment.

There is a lot that is unclear in the law on personal data. We figured it out and answered

Every day, people perform many online operations that involve the use of a citizen's personal data. Most of them do not know simple safety rules for using the Internet. For this reason, the government has placed the responsibility for protecting these citizens on the agencies that use employee information.

The main legal document regulating the processing of personal information by various organizations is the Law “On Personal Data” dated July 27, 2006 No. 152-FZ.

The provisions of the law apply to organizations that work with the processing of personal information of citizens or those who have access to it.

Actions that are not regulated by Law 152-FZ:

  • Processing of personal information by individuals for personal needs; such processing must not violate the rights of the data owner;
  • Organization of archives, which is regulated by archiving legislation in the Russian Federation;
  • Processing of personal data that contains information related to state secrets;
  • Personal data that relates to the activities of judicial authorities and which were submitted in court;
  • Personal information related to the activities of courts.


When was it accepted?

152-FZ was adopted by the State Duma on July 8, 2006. It was approved by the Federation Council on July 14, 2006. The last revision of the law occurred on February 22 of this year. It was valid until March 1, 2017.

Procedure for using personal data

According to the law of the Russian Federation, the head of the company must approve the procedure for using personal information. The required standards are specified in the organization's local data protection document. They must comply with the requirements of legal acts of the Russian Federation and 152-FZ.

A personal data operator is a state or municipal body, or an individual or legal entity, that organizes the processing of personal information and determines the purposes of its use.

The operator's responsibilities include:

1. When collecting personal information, the operator provides, at the request of the citizen whose data it has received, the information provided for in Art. 14 part 7 of 152-FZ.

2. If a citizen is obliged to provide his information according to the law of the Russian Federation, the operator must explain to him that in case of refusal, he may face legal consequences.

3. If the personal information received by the operator for processing was not provided by its owner, he is obliged to provide him with the following information:

  • Full name and address of the operator;
  • For what purpose is the data processed and on the basis of what legal acts;
  • Rights of the citizen whose data was obtained;
  • The source from which the personal information was obtained.

4. According to the provisions of 152-FZ, the operator appoints a responsible person in a certain organization who organizes the processing of received materials. The authorized person receives instructions on further actions from the operator.

Processing of personal information under 152-FZ is permitted in the following cases:

  • Analysis of personal information may be carried out with the consent of the citizen whose data was obtained;
  • If the processing of information is required to achieve the goals provided for by the law of the Russian Federation or international treaties of Russia;
  • Analysis of information is necessary for the court;
  • Processing of information is required to protect the life of a citizen;
  • Processing is carried out for statistical or research purposes, with the exception of the purposes specified in Article 15 of 152-FZ.


Latest changes to the Federal Law “On the Protection of Personal Data”

Since legislative acts often undergo adjustments, changes were also made to 152-FZ.

Due to the entry into force of Federal Law No. 230-FZ of July 3, 2016, the conditions for the analysis of personal information described in Federal Law 152 have undergone changes.

Article 3

Article 3 of the law describes the basic concepts that are used in the act: personal data, operator, processing of personal information, as well as dissemination and provision of personal information. The presented article has not undergone any changes in the latest edition.

Article 5

Article 5 of the federal law describes the principles of information processing. It notes that information is processed only in accordance with the law and that combining databases containing citizens' personal information is prohibited. There were no changes to this article in the latest edition.

Article 7

Article 7 of 152-FZ states that operators and other responsible persons who have access to personal data are obliged not to disseminate the information without the owner's consent. The article has not undergone any changes.

Article 9

Article 9 of 152-FZ provides information on the subject's consent to the processing of his personal data, including how written consent is to be drawn up.

At the last revision, there were no changes to the current article.

Article 19

Article 19 of 152-FZ specifies measures to ensure the security of personal information during its processing.

Download 152-FZ

To resolve a conflict situation or other issues related to the protection of personal data, study the latest edition of 152-FZ of the Russian Federation, in which all amendments, additions and changes are presented. You can download the amended law at






