Protection of employee personal data. Obligations of the operator when processing personal data


Every day, people perform many online operations that involve the use of a citizen's personal data. Most of them do not know even simple safety rules for using the Internet. For this reason, the state has placed the responsibility for protecting these citizens on the organizations that use their personal information.

The main legal document regulating the processing of personal information by various organizations is the Law “On Personal Data” dated July 27, 2006 No. 152-FZ.

The provisions of the law apply to organizations that process the personal information of citizens or have access to it.

Actions that are not regulated by Law 152-FZ:

  • Processing of personal information by individuals for personal needs. It should be noted that such processing must not violate the rights of the data owner;
  • Organization of archives, which is regulated by the archiving legislation of the Russian Federation;
  • Processing of personal data that contains information constituting a state secret;
  • Personal data relating to the activities of judicial authorities and submitted in court;
  • Personal information relating to the activities of courts.


When was it adopted?

152-FZ was adopted by the State Duma on July 8, 2006. It was approved by the Federation Council on July 14, 2006. The last revision of the law occurred on February 22 of this year. It was valid until March 1, 2017.

Procedure for using personal data

Under Russian law, the head of the company must approve the procedure for using personal information. The required standards are set out in the organization's local data protection document. They must comply with the requirements of the legal acts of the Russian Federation and of 152-FZ.

A personal data operator is a state or municipal body, individual or legal entity that organizes the processing of personal information and determines the purposes of its use.

The operator's responsibilities include:

1. When collecting personal information, the operator provides, at the request of the citizen whose data it received, the information provided for in Article 14, Part 7 of 152-FZ.

2. If a citizen is obliged by Russian law to provide his information, the operator must explain to him the legal consequences he may face in case of refusal.

3. If the personal information received by the operator for processing was not provided by its owner, the operator is obliged to give the owner the following information:

  • Full name and address of the operator;
  • The purpose of the processing and the legal acts on which it is based;
  • The rights of the citizen whose data was obtained;
  • The source from which the personal information was obtained.

4. According to the provisions of 152-FZ, the operator appoints a person within the organization who is responsible for organizing the processing of the received data. This authorized person receives instructions on further actions from the operator.

Processing of personal information under 152-FZ is permitted in the following cases:

  • Processing may be carried out with the consent of the citizen whose data was obtained;
  • Processing is required to achieve the goals provided for by the law of the Russian Federation or by international treaties of Russia;
  • Processing is necessary for the administration of justice by a court;
  • Processing is required to protect the life of a citizen;
  • Processing is carried out for statistical or research purposes, except for the purposes specified in Article 15 of 152-FZ.


Latest changes to the Federal Law “On the Protection of Personal Data”

Since legislative acts are frequently adjusted, changes have also been made to 152-FZ.

With the entry into force of Federal Law No. 230-FZ of July 3, 2016, the conditions for processing personal information described in 152-FZ have changed.

Article 3

Article 3 of the law defines the basic concepts used in the act: personal data, operator, processing of personal information, and the dissemination and provision of personal information. This article has not been changed in the latest edition.

Article 5

Article 5 of the federal law sets out the principles of data processing. It states that processing is carried out only in accordance with the law and that merging databases containing citizens' personal information is prohibited. There were no changes to this article in the latest edition.

Article 7

Article 7 of 152-FZ states that operators and other persons who have access to personal data may not disseminate it without the consent of its owner. The article has not been changed.

Article 9

Article 9 of 152-FZ covers the subject's consent to the processing of his personal data and describes how written consent is drawn up.

There were no changes to this article in the latest revision.

Article 19

Article 19 of 152-FZ specifies the measures required to ensure the security of personal data during its processing.

Download 152-FZ

To resolve disputes or other issues related to the protection of personal data, study the latest edition of 152-FZ. All amendments, additions and changes are included. You can download the amended law at

Hello!
We are a state-owned enterprise (FSUE); non-employees must provide their passport details to receive a one-time, one-day pass.

Previously, the process looked like this: if you invite a visitor, you request his data by email or write it down by phone, fill out and print the form in Excel and take it to the security guard for signature, after which it is printed again and taken to the checkpoint, where the visitor's PD is checked against the passport he presents, and on this basis he is issued a visitor pass.

We have written a small web application that is available on the enterprise's internal network and allows you to enter all the visitor's data (both full name and passport data), but does not allow it to be viewed or edited afterwards; the ability to view and correct entered passport data is available only to security department employees. Access control is carried out at the application level in the program code, based on settings stored in the database.

The stack uses Microsoft products: IIS and MSSQL Server. The application is implemented on the ASP.NET MVC framework, and the browser acts as the client.

Currently, a third-party organization is working on certifying our other systems that process personal data; for the system described here, they proposed an option using a limited number of PCs, because according to them, the processing of personal data (potentially) occurs on all machines of the enterprise. That is, they offer to install special software on, roughly speaking, 50 PCs and make it possible to work with the application only from these machines. We are not very happy with this option; ideally, we would like any user of the enterprise's local network to be able to enter all the visitor's data into the database (it can be assumed that the visitor's consent to the use of his data is available).
For other systems everything was simpler: there was a limited circle of users (for example, the entire accounting department), and they were simply moved to a separate subnet behind a firewall. Here this is not possible, as far as I understand, because access control does not occur at the network level but on the application side, in the logic of the server part of the application.

It seems to me that this situation is not unique. Can anyone tell me what options there are for organizing the protection of personal data in accordance with the requirements of the law? I am interested in schemes that would satisfy the regulatory authorities.

Thank you in advance.

P.S. I forgot to clarify: many enterprise PCs have access to the Internet through our proxy server, the entire network is domain-based, and authentication in the application is also domain-based. There is a server room for secure server placement; we are only interested in options for software or hardware data protection.

The new penalties for violating the law on personal data come into force on July 1, 2017 and will affect everyone who collects, processes and stores any personal data.

The fines are now divided by type of violation and have increased tenfold. For example, if you do not post a privacy policy on the website, an individual entrepreneur can be fined 10 thousand rubles, and a company 30 thousand. And if you process personal data without the consent of an online store client or a subscriber to an information course, the fine for a legal entity will be up to 75 thousand rubles. The director of a company or an entrepreneur will have to pay up to 20 thousand. If there are several violations, there will be several fines.

You urgently need to get your websites in order. Checks are already underway 💻

Currently, only the prosecutor's office can draw up protocols on violations. The fine does not depend on the type of violation and is at most 1,000 rubles for an individual entrepreneur or a director and 10,000 rubles for a legal entity. The procedure takes a lot of time and the fines are small, so checks are rare and not everyone is checked.

How do I find out if I am a personal data operator?

Personal data is any data about a person by which he can be identified. The law does not contain a list of such data, so you have to judge for yourself. For example, a name or a login alone is not enough to identify a person, but a name together with a phone number, or a name together with an email address, is.

Most likely, you are a personal data operator if you somehow receive the following information from any people in any combination:

  • first name,
  • last name,
  • any physical address,
  • email,
  • telephone,
  • date or place of birth,
  • photograph,
  • link to a personal website or social network profile,
  • profession,
  • education,
  • income level,
  • marital status.

This means that the owners of all sites that have personal accounts, feedback forms, subscription or registration, or where you can buy something, post an ad or fill out a form, are personal data operators. Even if the site only has a button to request a call or send a message, this is also processing of personal data.

And if I record a friend's phone number or a girl's email on a dating site, do I need to comply with this law?

No, there is no need. The law does not apply to data processed for personal and family needs. But if you hand over a friend's phone number to debt collectors or publish an ad with a girl's email address on a misogynist forum, this is already a violation.

How to work with personal data correctly so as not to break the law?

At a minimum you need:

  • obtain written consent from each visitor, client or subscriber to the processing, storage and distribution of personal data;
  • publish, in open access, information about everything related to the personal data of clients and visitors;
  • request only the data that is needed for a specific purpose. For example, you cannot ask for a home address or passport details to subscribe to an email newsletter;
  • use data only for the purposes specified in the documents and of which the person was informed;
  • inform a person, upon request, what data you have about him, how and why it is processed and to whom you have transferred it;
  • delete, upon request, data used to send information about discounts and promotions;
  • store databases in a safe place and protect them from hacking and leakage;
  • train employees to work with personal data;
  • register with Roskomnadzor.

What? Should I register somewhere else?

Yes, by law, personal data operators must notify Roskomnadzor. Moreover, this must be done before data processing begins, or as soon as possible thereafter. Roskomnadzor enters information about the operator into the general register and issues it upon request.

Notification may not be submitted if:

  • only employee data is processed;
  • personal data was obtained only for the execution of a specific contract with a specific person and will not be used further, much less distributed;
  • the person himself published this data in the public domain;
  • you only have the client's full name and nothing else.

I have a website and I receive personal data. What should I do?

If you have not done anything yet, you are already breaking the law and may be fined at any moment. Even if your site is maintained by a web studio or a freelance IT specialist, the fine will still be issued to the company or individual entrepreneur listed on the site.

Prepare public documents and post them on the website so that they are accessible from every page. These could be terms of use, as on Lamoda; sales rules; a legal notice, as on M-Video; or a privacy policy, as on Restaurant, Adidas or Ozone. You can also specify the conditions for processing personal data in a regular contract or offer, as Sberbank does.

Do not use other people's documents. You can take them as a guide, but you need to write down your own list of data and purposes of use. What a bank needs to issue a loan, or an online store to deliver goods, will not be needed for an email newsletter or a bulletin board. Requesting unnecessary data is a violation of the law and grounds for a fine.

Implement a solution that clearly establishes that the person has agreed to the processing of personal data. This could be a checkbox on the registration form or a warning when placing an order. To be on the safe side, have your web pages notarized.

Prepare internal documents on the storage of personal data and on the responsibility of employees who work with it. Orders, regulations and job descriptions do not need to be made public.

If necessary, send a notification to Roskomnadzor. If you are sure that the notification does not need to be sent, draw up the documents in such a way that this will be clear during an inspection. For example, write in the policy that you use personal data only for the execution of a specific contract. Or indicate that you are creating a resource on which data is made publicly available at the user's request.

Is it true that personal data can only be stored on Russian servers? If I host in Europe, am I breaking the law?

There is a lot of uncertainty in the law on this matter. On the one hand, databases must be collected, processed and stored on Russian servers. But there is a separate article on cross-border data transfer. Explanations on this matter have been published on the website of the Ministry of Telecom and Mass Communications, but they also contain many contradictions.

Draw your own conclusions about where to store the data. If you do not know what to do, send a request to Roskomnadzor or the Ministry of Telecom and Mass Communications. You can also contact your hosting provider: such companies usually have ready-made solutions.

Calm down, everyone! No one will be fined because of some forms on the site and unnecessary papers.

In the Tambov region, the prosecutor's office fined a law firm for collecting data through a feedback form without the user's consent to the processing of personal data. The courts upheld the fine.

The director of a management company was fined for passing debtors' data to lawyers in order to draw up statements of claim. He had not obtained the residents' consent to process their personal data. The Constitutional Court did not help him.

In Astrakhan, prosecutors fine website owners for alphabetical feedback forms.

In addition to fines in favor of the state, those who violate the rules for processing personal data may be ordered to pay compensation for moral damages and may even face imprisonment.

There is a lot that is unclear in the law on personal data. We have figured it out and answer the questions below.

Not all companies and individual entrepreneurs know whether they are personal data operators and whether they need to submit information about themselves to Roskomnadzor. Let's figure out whom the service monitors more closely and how to notify it about the start of processing personal information.

Who are personal data operators and what do they do?

Most people know that personal data (hereinafter referred to as PD) includes a citizen's last name, first name and patronymic, passport details, mobile phone number, residential address and e-mail. What other information could be included in this list? It turns out that any: an exhaustive list is not given anywhere, and in principle there cannot be one. This is confirmed by the wording of Federal Law No. 152-FZ of July 27, 2006:

Personal data - any information relating to a directly or indirectly identified or identifiable individual (subject of personal data).

It turns out that in some cases a last name, first name and car number will be enough to identify a citizen, while in others his driver's license number and registration address will also be needed.

A personal data operator is a state or municipal body, legal entity or individual that:

  • independently or jointly with other persons organizes and/or carries out the processing of personal data;
  • determines the purposes of processing personal information, its composition, and the actions (operations) performed on it.

That is, anyone who requests and uses personal data is its operator. And everyone who has access to and processes information by which a citizen can be identified actually works with personal data and is responsible for failure to comply with the law on its protection.

Let's consider who might be classified as a PD operator. Banks? Yes! Sites that collect information about subscribers? Yes! Legal and accounting companies providing various services? Yes! Shops and beauty salons offering a bonus card? Yes again! Homeowners' associations, universities, kindergartens, travel agencies, medical institutions, automated systems, including government ones? Yes, yes, yes! PD operators are everywhere, in every field!

Obligations of the operator when processing personal data

Everyone who deals with personal data is obliged to comply with certain rules for collecting, securing, clarifying, blocking and destroying this type of information. According to Law No. 152-FZ, operators must:

Registration with Roskomnadzor as a personal data operator

The law stipulates that before starting work with personal information, it is necessary to notify the authorized supervisory authority about the start of such work. This does not mean that every company must be included in the Roskomnadzor register of personal data operators. The list does not include:

  • employers. They collect and store information in accordance with labor legislation, for example, when drawing up employment contracts and various personnel orders;
  • mobile or landline telephone companies, if the data is obtained solely for the provision of communication services under a concluded contract and is not distributed or provided to third parties without the consent of the personal data subject;
  • public associations or religious organizations that gain access to the data of their members (participants) to achieve the purposes provided for in their constituent documents;
  • organizations and individuals using publicly available information that the subjects of personal data themselves disclosed, for example, on personal websites;
  • any companies that operate a pass system. If a citizen's passport data is copied to obtain a one-time pass to the organization's territory, there is no need to register;
  • systems with the status of state automated information systems, as well as state PD systems created to protect state security and public order. There are a lot of them, among them the Era-Glonass and Management systems, the AIS for accounting of non-profit and religious organizations and many others at the federal and regional level;
  • citizens and organizations that process information without the use of automation tools (computers). In doing so, they must follow the requirements approved by Government Decree No. 687 of September 15, 2008;
  • organizations that request data to ensure the safe operation of the transport complex, for example, when booking and purchasing tickets, including through the online services of carriers or intermediaries.

Given these formulations, many organizations are not included in the register of personal data operators maintained by Roskomnadzor. But those to whom the exceptions do not apply must be on the regulator's list.

The registration procedure consists of submitting a notification in the prescribed form. The form can be found through the Roskomnadzor personal data register, the government services portal, or in Order No. 346 of the Ministry of Telecom and Mass Communications of Russia dated December 21, 2011. The required document can also be downloaded free of charge at the end of this article.

Regardless of the method of informing officials, the notification must indicate:

  • full and abbreviated name of the company, indicating its organizational and legal form, its legal and postal addresses, and its TIN;
  • the purposes of processing stated in the constituent documents or actually pursued;
  • categories of PD that will be processed;
  • subjects whose PD is planned to be processed, including their relationship to the operator, for example, passenger, borrower, subscriber, depositor, policyholder;
  • the basis on which the operator has the right to process the data (for example, articles of the Air Code of the Russian Federation or the law on civil status acts), including the availability of a license for the type of activity carried out;
  • description of the PD processing methods used and their list: manual, automated or mixed processing;
  • information about the persons responsible for organizing the processing of personal data, including their telephone numbers, postal addresses and email;
  • information about encryption (cryptographic) means;
  • start date of processing, as well as the conditions and terms for its termination;
  • information about where the data is stored during processing, including the country where the databases containing personal data of citizens of the Russian Federation are located;
  • information about ensuring the security of personal data in accordance with the requirements established by Decree of the Government of the Russian Federation No. 1119 of November 1, 2012.

Please note that registration of a personal data operator through the Roskomnadzor website is carried out within 30 days. If the application is submitted electronically, the company must additionally send a paper copy of the notice to the territorial body. If the information is insufficient, officials will send a request to clarify the submitted documents. Roskomnadzor cannot refuse to accept a notification or to enter information about an organization into the register.

If, for whatever reason, the organization changes the purposes of PD processing or needs to make other changes, within 10 days it sends a letter to Roskomnadzor in the prescribed form. The document can be found below. In addition, readers can download the form required to exclude a company from the register.

All services provided by Roskomnadzor in this case are free.

Responsibility for refusal to register in the register

Current legislation provides for administrative liability for violating the requirements for the protection of personal data. According to Federal Law No. 13-FZ of 02/07/2017, which came into effect on July 1, 2017, Article 13.11 of the Code of Administrative Offenses of the Russian Federation lists several offenses for which personal data operators may be fined. Depending on the offense, fines under this article range from 15,000 to 75,000 rubles for legal entities and from 5,000 to 20,000 rubles for individual entrepreneurs.

Refusal to register in the register may be treated as failure to provide information to the regulatory authority. The penalty for this is provided for in Article 19.7 of the Code of Administrative Offenses of the Russian Federation. Under it, officials face a fine of 300 to 500 rubles, and legal entities a fine of 3,000 to 5,000 rubles.
