Personal data processing policy: how to draw up a document. What is the purpose of processing personal data? The purpose of processing personal data is to

Work with personal information must be carried out in strict accordance with the law. In particular, one of the fundamental principles of processing personal information is strict adherence to the purposes of use stated in the permission from the owner and the scope specified therein.

The concept of personal data and principles of their processing

One of the provisions establishes the requirement that all personal information about citizens of the Russian Federation must be held on servers located within the country. It is not permitted to supplement that information with data taken from sites located outside Russian borders.

If a person considers any information about him to be untrue, he can contact the operator (in accordance with Article 14 of Law 152-FZ) with a request to delete or correct it.

In case of refusal, such a person has the right to go to court.

Consent to the processing of personal data

Such a document must contain the following sections:

  1. Who is giving consent, with their passport details.
  2. The name of the operator to whom permission is given.
  3. The purposes of processing for which consent is given.
  4. The specific list of data for whose processing permission is given.
  5. All operations that may be performed on that data.
  6. The period of validity of the permission.
  7. A signature, its decoding (printed name) and the date.

A permit drawn up according to the sample gives permission only for what is specifically stated in it.

The use of the information in question is necessary for:

  1. Maintaining documents in the HR department.
  2. Concluding contracts and performing other legal actions.
  3. Compliance with the requirements of tax legislation.
  4. Other purposes of a similar kind.

It should be noted that:

  • in each such case, obtaining information is determined by regulations;
  • it is carried out in a certain composition, volume, for a specific period and only to fulfill the stated goals.

Examples of targeted use of personal information

In various spheres of the economy and public life, the personal data of citizens is vital.

In a medical institution it is important to know details about a person's health throughout his life. In this case the owner of the personal information is the patient. The operator that uses it is the clinic or other medical institution, which is required to obtain permission from Roskomnadzor for processing. If a clinic transfers data, for example, to a specialized hospital, it must obtain the written consent of the citizen.

For a bank it is vital, when granting a loan, to make a reasonable judgement as to whether the applicant will be able to repay the borrowed money or lacks the financial resources to do so. This requires details about income, employment, family composition and some others. The owner of the information is the client. The bank is the operator that carries out the processing. The client has the right to revoke permission to use information about him. The purpose of working with the information is to ensure compliance with the requirements of the banking legislation of the Russian Federation.

It is impossible to do without providing this or similar information. But it is important that its use does not violate the requirements of current regulations.

Rules and principles for working with information


A random person cannot directly recover the original information from anonymized data. The organization that anonymized it, however, will be able to restore it later.

Violations related to misuse of personal data

Starting from July 1, 2017, changes were made to the Code of Administrative Offenses that define liability for violations of Law No. 152-FZ. Violation of the established rules entails the penalties provided for by law.

If information is collected where there is no legal basis for it, or processing is carried out for illegal purposes, a fine is imposed. For individuals the amount is from 1 to 3 thousand rubles, officials pay from 5 to 10 thousand rubles, and enterprises from 30 to 50 thousand rubles.

If information was disclosed, the fine is assessed for each individual case. It can range from 500 to 1000 rubles for the employee through whose fault the violation occurred. If the organization is responsible for what happened, the amount increases and can range from 5 to 10 thousand rubles.

The regulatory act in question states that compliance with the provisions of Law 152-FZ is monitored by Roskomnadzor. Before processing begins, the operator must send a notification there under Article 22 of the Personal Data Law. Roskomnadzor carries out the appropriate checks and, if violations are detected, issues orders on the deficiencies that must be eliminated. If the order is not executed, a fine is imposed on the perpetrator, which can amount to 20 thousand rubles.


On July 1, 2017, Federal Law No. 13-FZ of 02/07/2017 came into force. It amends Art. 13.11 of the Code of Administrative Offenses, expanding the list of grounds for administrative liability for unlawful processing and significantly increasing the fines.

One of the mandatory documents that a personal data operator must prepare in order to comply with Federal Law No. 152-FZ of July 27, 2006 is the Policy regarding the processing of personal data. It explains how the company works with the data of employees, clients and other individuals. This document is freely available on almost every site that has any form for collecting personal data.

How to correctly draw up a Personal Data Processing Policy, what sections must be included? Roskomnadzor provides clarifications on these issues.

Structure of the Personal Data Processing Policy

  • General provisions
  • Purposes of collecting personal data
  • Legal grounds for processing personal data
  • Volume and categories of personal data processed, categories of personal data subjects
  • Procedure and conditions for processing personal data
  • Updating, correction, deletion and destruction of personal data, responses to requests from subjects for access to personal data

1. General provisions

In this section you answer the question of what the Personal Data Processing Policy is for. It also explains the basic concepts used in the document, as well as the rights and obligations of the operator and of the personal data subject.

2. Purposes of collecting personal data

Art. 5 of Federal Law No. 152-FZ of July 27, 2006 requires the determination of specific, legitimate purposes for data collection. Therefore, it is not possible to process personal data that does not correspond to these purposes.

Roskomnadzor indicates that the purposes of processing personal data may be derived from:

  • an analysis of the legal acts regulating the operator's activities;
  • the purposes of the activities actually carried out by the operator;
  • the activities provided for by the operator's constituent documents;
  • the operator's specific business processes in specific personal data information systems (by structural division of the operator and their procedures in relation to particular categories of personal data subjects).

3. Legal grounds for processing personal data

Federal Law No. 152-FZ dated July 27, 2006 is not the legal basis for the processing of personal data. This role is fulfilled by the legal acts in accordance with which the operator processes the data.

Thus, the Data Processing Policy may specify the following legal grounds:

  • federal laws, and regulatory legal acts adopted on their basis, governing relations connected with the operator's activities;
  • the operator's statutory documents;
  • agreements concluded between the operator and the personal data subject;
  • consent to the processing of personal data (in cases not directly provided for by the legislation of the Russian Federation, but consistent with the operator's powers).

4. Volume and categories of personal data processed, categories of personal data subjects

It is important that the volume of personal data processed does not diverge from the stated purposes of processing.

Categories of personal data subjects may include: employees - both current and former, candidates for vacancies, relatives of employees, clients and counterparties (individuals), representatives or employees of clients and counterparties.

Roskomnadzor draws attention to the fact that for each category of subjects and in relation to specific purposes, all personal data processed should be indicated. All cases of processing of special categories of personal data and biometric personal data (if applicable) are described separately.

5. Procedure and conditions for processing personal data

What is stated in this section:

  • list of actions performed with personal data;
  • methods of processing personal data;
  • terms of processing of personal data.

If, in order to achieve the purposes of processing personal data, the operator interacts with third parties, it must:

  • explain the conditions for the transfer of personal data to third parties (including cross-border data transfer);
  • indicate the name and location of third parties;
  • indicate the purpose of data transfer and its volume;
  • list processing actions, methods and other conditions of processing, including requirements for the protection of processed personal data.

The operator has the right to transfer personal data to the bodies of inquiry and investigation, as well as other authorized bodies on the grounds provided by law.

The Personal Data Processing Policy should include information on compliance with the requirements for confidentiality of personal data (they are named in Article 7 of the Federal Law of July 27, 2006 No. 152-FZ) and information on taking measures (Part 2 of Article 18.1, Part 1 of Art. 19).

In addition, the operator must indicate the condition for terminating the processing of personal data. This may be the achievement of processing goals, expiration of consent to processing, withdrawal of consent of the subject of personal data to processing, identification of unlawful data processing.

Special attention should be paid to such an issue as the storage of personal data. Firstly, the deadlines must be mentioned. Secondly, databases located on the territory of the Russian Federation are used. Thirdly, the fact is taken into account that storage must be carried out in a form that allows identifying the subject of personal data no longer than required by the purposes of processing. Fourthly, it is necessary to mention other storage conditions, including when processing data without the use of automation tools.

6. Updating, correction, deletion and destruction of personal data, responses to requests from subjects for access to personal data

According to Art. 21 of Law No. 152-FZ, the operator must update personal data if its inaccuracy is confirmed. The same applies when the unlawfulness of processing is confirmed.

Personal data is subject to destruction when the purposes of its processing have been achieved, and when the personal data subject withdraws consent to its processing, unless otherwise provided by the agreement to which the subject is a party, beneficiary or guarantor, or by another agreement between the operator and the subject, or unless the operator is entitled to process the data without the subject's consent on the grounds provided for by Federal Law No. 152-FZ of July 27, 2006 or other federal laws.

Under Art. 20, the operator is obliged, upon request, to provide the personal data subject with information about the processing of that subject's personal data.

Roskomnadzor recommends including in the Personal Data Processing Policy regulations for responding to requests and appeals from personal data subjects, their representatives, and authorized bodies regarding the inaccuracy of data, the illegality of their processing, withdrawal of consent and access to their data. It would be a good idea to add appropriate forms of requests and appeals to the Policy.

Posting the Personal Data Processing Policy in the office and on the website

Any person whose data is processed by the company has the right to familiarize themselves with the Personal Data Processing Policy. It must therefore be posted in a publicly accessible place, for example on an information stand.

If a company collects personal data via the Internet, it is obliged to post the Policy on the website. A site visitor can view it by clicking on the link.


Nowadays, no activity can be done without information. Each organization stores information about employees, partners, and clients. Unauthorized access to them leads to their loss or modification, which negatively affects the company's activities. The purposes of processing personal data in organizations are the same, since this is enshrined in law. This is discussed in the article.

What does processing mean?

A person may come across information about another citizen both in the course of work duties and outside work: in conversation, while browsing the Internet, or reading a newspaper. Such acquaintance with information is not considered processing; it is merely viewing the information.

If personal information is specifically collected for use or storage, then this will be the processing of personal data. This process is observed in educational institutions, hospitals. Information is registered, entered into databases, classified for use for legal purposes. If a writer or journalist collects information, he can use it for creative purposes.

Processing methods

Personal information is processed in 2 ways:

  1. Automated.
  2. Not automated.

The second option involves processing performed with the participation of a citizen. If this happens without automation tools, then the data must be separated from other information. This is done by marking, for example, in the margins of forms. It is prohibited to place personal information on a single medium if it is known that the purposes of processing personal data are incompatible.

If personal information of citizens is classified into different categories, then it is necessary to use an individual medium for each type. Which systems can be classified as automated and which are not? This is revealed by the following facts:

  1. Personal data contained in a personal data information system may be considered processed without automation tools if its use is carried out with the direct participation of a person.
  2. Data is not considered to be processed automatically merely because it is held in a personal data information system.

Automated processing is performed using computing tools. Processing refers to all actions that are performed on the provided data. This process includes collection, recording, use, destruction.

Goals

The purposes of processing personal data in the organization are the same. Information is needed for:

  1. Conclusion, execution, termination of contracts in cases provided for by law and the Charter of the organization. Such transactions can occur with citizens, individual entrepreneurs, and legal entities.
  2. Personnel records of the enterprise, compliance with the law, conclusion and fulfillment of obligations under agreements.
  3. Assistance to employees in employment, training, and use of benefits.
  4. Compliance with tax legislation regarding the payment of taxes and the transfer of personal data to the Pension Fund.
  5. Filling out statistical documents based on legal norms.

Each purpose for processing personal data in an organization is mandatory, as it is enshrined in law. That is why all institutions require information about employees, clients, and partners. The purposes of processing personal data allow us to conduct business in a legal manner.

Rules and order

The manager must receive the following information about his employees:

  1. Education.
  2. Work experience, previous position.
  3. Data about the family and their work.
  4. Health information.

When processing employee information, HR specialists must follow several rules:

  1. Process information based on legal norms, assist in employment, assist in training and career advancement, monitor the quality of assignments performed.
  2. Personal information is provided by the employee. If for some reason they cannot be obtained from the employee, but only from a third party, it is necessary to obtain written consent to disclose the information.
  3. An HR employee may not independently use information about religious affiliation or trade union activity if it is unrelated to work. If such information concerns the employment relationship, written permission is required.
  4. The manager controls the employees of the personnel department, as well as their compliance with these rules.
  5. All employees must sign to confirm that they are familiar with the rules of the regulations.

The purposes of processing personal data according to Law No. 152 are mandatory for every employer. Based on Art. 22, the manager can take actions with the personal information of employees without notifying Roskomnadzor.

Principles

It is important to know not only the purposes of collecting and processing personal data, but also the principles. They are set out in Art. 5, Chapter 2 of Federal Law No. 152-FZ:

  1. It is important to respect the legality and integrity of the purposes and methods of processing.
  2. Compliance with the purposes stated at the time of collection.
  3. Correspondence of the volume and nature of the information processed and methods to the goals.
  4. Reliability of information.
  5. It is inadmissible to combine databases for incompatible purposes.
  6. Storage in a form that allows the data subject to be identified, and for no longer than required by the purposes. Then they are destroyed.

The purposes of processing an employee's personal data are achieved under the conditions specified in Art. 6, Chapter 2:

  1. Processing is carried out with the consent of the subjects.
  2. If this is contractually entrusted to another person, then confidentiality is important.
  3. Processing of special information in a special manner.

There are a few exceptions where subject permission is not required. This happens when:

  1. The procedure is carried out on the basis of the Federal Law, which establishes its purpose, conditions, and the range of subjects whose information is subject to processing.
  2. Everything is done to fulfill the contract.
  3. Processing is required for statistical or other scientific purposes.
  4. It is necessary to protect life, health, and vital interests if it is impossible to obtain permission.
  5. Processing is needed for postal delivery.
  6. The professional activity of a journalist is carried out.
  7. Information subject to publication on the basis of the law is processed.

Agreement

To protect a person from unwanted use of information about him, his consent to the processing of personal data is required. The purpose of processing must be lawful, otherwise processing is prohibited. Consent is given when applying for a job, opening a bank account, and for other important transactions.

There is no single form of permission. It is drawn up in free form on the form used by the enterprise. The period during which the permit is valid is indicated in the document itself. The purposes of processing personal data in the organization are also indicated there.

Responsibility of the organization

The specialist responsible for receiving, processing, and storing personal information is appointed by the director of the institution. The director also determines who has access to the information. This must be formalized by order. Typically the following are responsible for processing information:

  1. Heads of HR department.
  2. Personnel inspectors.
  3. HR managers.
  4. Deputy HR managers.
  5. HR specialists.

Under Federal Law No. 152-FZ, the party collecting and processing personal data is the operator; this is the head of the organization. The purposes of processing personal data in an educational institution are the same as in other organizations.

Transfer and storage

Documentation with personal information about employees is stored in fireproof cabinets or safes. The director of the personnel department must have the keys to them. If he is absent, then the deputy is in charge. If it is necessary to transfer personal information of an employee, the personnel employee must remember the following rules:

  1. It is prohibited to transfer personal information to third parties without written permission. The exception is cases when data is required to prevent harm to health and in situations established by law. It is also prohibited to disclose information for commercial purposes without consent.
  2. If employee data must be transferred, the recipients must be notified that the information may be used only for the purpose of the request.
  3. A personnel employee may use only the information necessary to perform his or her job duties.
  4. The personnel employee does not have the right to find out information about the employee’s health status.

An exception is considered to be circumstances related to the performance of employees’ duties.

Responsibility

If employees violate the procedure for collecting, processing, and issuing information, they bear disciplinary and criminal liability according to the law. Art. 5 of the Federal Law states that personal data, whether processed by automated or other means, must be stored in a form that allows the data subject to be identified.

The subject may be identifiable for no longer than the processing requires. Once processing is complete, however, the data cannot be destroyed immediately: the personal data of employees is kept by the institution for 75 years. Thus every enterprise must comply with the rules for storing and processing information.

This Instruction for the processing of personal data (hereinafter the Instruction) was developed in accordance with Federal Law No. 152-FZ of July 27, 2006 "On Personal Data". The Instruction defines the procedure for processing personal data and the measures to ensure the security of personal data at CardsProService LLC, in order to protect the rights and freedoms of individuals and citizens when their personal data is processed, including the right to privacy and to personal and family secrets.

1. TERMS AND DEFINITIONS

1) Personal data - any information relating directly or indirectly to an identified or identifiable individual (the subject of personal data);

2) Operator (Customer) - state body, municipal body, legal entity or individual, independently or jointly with other persons organizing and (or) carrying out the processing of personal data, as well as determining the purposes of processing personal data, the composition of personal data to be processed, actions (operations) performed with personal data;

3) Processing of personal data- any action (operation) or set of actions (operations) performed using automation tools or without the use of such means with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, changing), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data;

4) Automated processing of personal data - processing of personal data using computer technology;

5) Dissemination of personal data- actions aimed at disclosing personal data to an indefinite number of persons;

6) Providing personal data- actions aimed at disclosing personal data to a certain person or a certain circle of persons;

7) Blocking personal data- temporary cessation of processing of personal data (except for cases where processing is necessary to clarify personal data);

8) Destruction of personal data- actions as a result of which it becomes impossible to restore the content of personal data in the personal data information system and (or) as a result of which material media of personal data are destroyed;

9) Authorized persons of the Customer - persons acting in accordance with the confidentiality agreement concluded with the Customer.

10) Depersonalization of personal data - actions as a result of which it becomes impossible, without the use of additional information, to determine which specific personal data subject the personal data belongs to;

11) Personal data information system - the totality of personal data contained in databases together with the information technologies and technical means that ensure their processing;

12) Cross-border transfer of personal data - transfer of personal data to the territory of a foreign state, to an authority of a foreign state, a foreign individual or a foreign legal entity;

13) Executor- CardsProService LLC (123610, Moscow, Krasnopresnenskaya embankment, building 12, office building 1, room Id, room 42; OGRN 1157746550070).
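As an added illustration of definition 10 (and of the note earlier on this page that anonymized data can be restored only by the organization holding the extra information), the following Python is example code written for this page, not part of the Instruction or of CardsProService's own procedures. The keyed-HMAC pseudonym scheme, the record fields and the sample records are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (fictitious people) of the kind a loyalty
# programme register might hold; not data from the Instruction above.
SAMPLE_RECORDS = [
    {"full_name": "Ivan Ivanov", "phone": "+7 900 000-00-01", "purchases": 3},
    {"full_name": "Anna Petrova", "phone": "+7 900 000-00-02", "purchases": 7},
]


def new_linkage_key() -> bytes:
    """Secret key for the pseudonyms; kept apart from the working data set."""
    return secrets.token_bytes(32)


def pseudonym(full_name: str, phone: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256) for one subject.

    Deterministic for a given key, so records of the same subject remain
    linkable for analysis. Without the key an outsider cannot even test a
    guessed name/phone against a pseudonym, which a plain hash would allow.
    """
    subject = f"{full_name}|{phone}".encode("utf-8")
    return hmac.new(key, subject, hashlib.sha256).hexdigest()


def depersonalize(records: list[dict], key: bytes) -> tuple[list[dict], dict]:
    """Split records into a working set without identifiers and a
    re-identification table (pseudonym -> identifiers).

    The table and the key are the "additional information" of definition 10:
    stored separately, they are what lets the operator restore the data later.
    """
    working, table = [], {}
    for rec in records:
        pid = pseudonym(rec["full_name"], rec["phone"], key)
        working.append({"subject_id": pid, "purchases": rec["purchases"]})
        table[pid] = {"full_name": rec["full_name"], "phone": rec["phone"]}
    return working, table


def reidentify(working: list[dict], table: dict) -> list[dict]:
    """Restore identifying fields from the re-identification table.
    Raises KeyError once the table has been destroyed."""
    return [dict(table[w["subject_id"]], purchases=w["purchases"]) for w in working]


def belongs_to(pid: str, full_name: str, phone: str, key: bytes) -> bool:
    """Check, using the key alone, whether a pseudonym is a given subject's.
    Constant-time comparison avoids leaking how many characters matched."""
    return hmac.compare_digest(pid, pseudonym(full_name, phone, key))


def destroy_linkage(table: dict) -> None:
    """Make re-identification impossible (cf. definition 8 and clause 3.2.7):
    once the table is gone (and the key discarded), the working set can only
    be used as anonymous statistics."""
    table.clear()


if __name__ == "__main__":
    key = new_linkage_key()
    working, table = depersonalize(SAMPLE_RECORDS, key)
    print("working set:", working)
    print("restored:", reidentify(working, table))
    destroy_linkage(table)
```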

2. ORDER TO PROCESS PERSONAL DATA

2.1. The Customer, being the Operator of personal data, in accordance with clause 3 of Art. 6 of Federal Law No. 152-FZ of July 27, 2006 "On Personal Data", instructs, and the Contractor undertakes, to process personal data of subjects in the interests of the Customer and in pursuance of the User Agreement.

3. PROCEDURE FOR INTERACTION OF THE PARTIES

3.1. The basis for the Contractor to process personal data of subjects carried out in the interests of the Customer is the User Agreement.

3.2. The procedure for organizing the collection of consents of personal data subjects for the processing and transfer of their personal data, as well as the purposes of processing personal data, the composition of personal data to be processed, actions (operations) performed with personal data:

3.2.1. Purpose of processing personal data.

The processing of personal data is entrusted for the purpose of implementing loyalty programs.

3.2.2. List of personal data, the processing of which is entrusted to the Contractor

  • Full Name;
  • Place, year and date of birth;
  • Contact number;
  • Registration address;
  • Address of place of actual residence (stay);
  • Passport data (series, passport number, by whom and when issued);
  • Telephone number (home, work, mobile).

3.2.3. List of actions (operations) with personal data that the Contractor is entrusted to perform:
  • Collection of personal data.
  • Systematization of personal data.
  • Accumulation of personal data.
  • Use of personal data for the implementation of loyalty programs and communication with subjects of personal data.
  • Storage of personal data.
  • Clarification (updating, changing) of personal data:

  • Extraction (unloading) - upon additional written instructions from the Customer.
  • Depersonalization of personal data:
    -
    - at the legal request of the subject of personal data, with mandatory written notification to the Customer;
    - at the request of state regulatory authorities for the protection of the rights of personal data subjects, with mandatory written notification to the Customer.
  • Blocking personal data:
    - upon additional written instructions from the Customer;
    - at the legal request of the subject of personal data, with mandatory written notification to the Customer;
    - at the request of state regulatory authorities for the protection of the rights of personal data subjects, with mandatory written notification to the Customer.
  • Deleting personal data:
    - upon additional written instructions from the Customer;
    - at the legal request of the subject of personal data, with mandatory written notification to the Customer;
    - at the request of state regulatory authorities for the protection of the rights of personal data subjects, with mandatory written notification to the Customer.
  • Destruction of personal data - upon additional written instructions from the Customer.

3.2.4. Procedure for processing personal data

The processing of personal data must be limited to the achievement of specific, pre-defined and legitimate purposes. Processing of personal data that is incompatible with the purposes of collecting personal data is not permitted.
It is not allowed to combine databases containing personal data, the processing of which is carried out for purposes that are incompatible with each other.
Only personal data that meets the purposes of their processing are subject to processing.
The content and volume of personal data processed must correspond to the stated purposes of processing. The personal data processed should not be redundant in relation to the stated purposes of their processing.
When processing personal data, the accuracy of personal data, their sufficiency, as well as relevance in relation to the purposes of processing personal data must be ensured.
The storage of personal data must be carried out in a form that allows identifying the subject of personal data, no longer than required by the purposes of processing personal data, unless otherwise specified by the terms of the contract. The processed personal data is subject to destruction or depersonalization upon achievement of the processing goals or in the event of the loss of the need to achieve these goals, unless otherwise determined by the terms of the contract.

3.2.5. Organization of personal data protection

Objects of protection

  • information containing personal data of subjects;
  • computer media containing personal data of subjects;
  • personal data information systems;
  • personal data of subjects contained in electronic databases of personal data information systems.

3.2.6. Measures to organize and ensure the security of personal data

To ensure the security of personal data, the Contractor must take the following measures:

  • Take the necessary legal, organizational and technical measures, or ensure that they are taken, to protect personal data from unauthorized or accidental access, destruction, modification, blocking, copying, provision or distribution, as well as from other unlawful actions in relation to personal data.
  • Grant the Contractor's employees access to personal data processed on behalf of the Customer only after they have signed an Obligation of Non-Disclosure of Personal Data, studied the Customer's requirements for the procedure for processing and protecting personal data and the local regulations governing the organization and protection of personal data, and undergone training on the procedure for handling personal data.
  • Identification of threats to the security of personal data during their processing in personal data information systems.
  • Application of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems necessary to fulfill the requirements for the protection of personal data, the implementation of which ensures the levels of personal data security established by the Government of the Russian Federation.
  • Assessing the effectiveness of measures taken to ensure the security of personal data before putting into operation the personal data information system.
  • Accounting for computer storage media of personal data.
  • Detection of facts of unauthorized access to personal data and taking measures.
  • Restoration of personal data modified or destroyed due to unauthorized access to it.
  • Establishing rules for access to personal data processed in the personal data information system, as well as ensuring registration and accounting of all actions performed with personal data in the personal data information system.
  • Monitoring the measures taken to ensure the security of personal data and the level of security of personal data information systems.

3.2.7. Destruction of personal data

Destruction of personal data of subjects can be carried out by the Contractor only:

  • upon additional written instructions from the Customer;
  • at the legal request of the subject of personal data, with mandatory written notification to the Customer;
  • at the request of state regulatory authorities for the protection of the rights of personal data subjects, with mandatory written notification to the Customer.

The destruction of processed personal data of subjects must be guaranteed and must make it impossible to restore the content of the personal data in the personal data information system or on the media containing them.

3.2.8. Procedure for terminating the processing of personal data

Termination of processing of personal data is carried out:

  • in case of termination of the contractual relationship that is the basis for the processing of personal data;
  • upon additional written instructions from the Customer;
  • by written order of government regulatory authorities.

In all cases of termination of the processing of personal data, the further purpose of the databases is determined by the Customer, who prepares a written notice of the further purpose of the personal data bases.

4. RIGHTS AND OBLIGATIONS OF THE PARTIES

4.1. The customer undertakes:

4.1.1. If the subject of personal data withdraws consent to the processing of personal data and there are no grounds specified in paragraphs 2 - 11 of part 1 of article 6, part 2 of article 10 and part 2 of article 11 of the Federal Law of July 27, 2006 No. 152-FZ "On Personal Data" allowing the processing of personal data without the consent of the subject, send a written order to the Contractor to carry out work to delete or depersonalize the subject's personal data.

4.1.2. Upon receipt of a request from the subject of personal data to provide the information specified in Part 7 of Article 14 of the Federal Law of July 27, 2006 No. 152-FZ "On Personal Data", or of the subject's demand for the refinement, blocking or destruction of his personal data in the event that the personal data is incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing, send a written order to the Contractor to provide the information or to perform the specific actions with the subject's personal data.

4.2. The Contractor undertakes:

4.2.1. Process personal data legally, in strict accordance with the terms of this Instruction.

4.2.2. At the first written request of the Customer, transfer (return) the personal data bases processed on its behalf in the manner specified in the request.

4.2.4. At the request of the authorized body for the protection of the rights of personal data subjects, provide evidence of receipt of the consents of personal data subjects collected within the framework of this Instruction for the processing of their personal data or proof of the existence of the grounds specified in paragraphs 2 - 11 of part 1 of article 6, part 2 of article 10 and part 2 of Article 11 of the Federal Law of July 27, 2006 No. 152-FZ “On Personal Data,” allowing the processing of personal data without the consent of the subject.

In accordance with Part 2 of Art. 85 of the Labor Code of the Russian Federation, the processing of an employee's personal data is the receipt, storage, combination, transfer or any other use of the employee's personal data.

The processing of an employee's personal data can be carried out solely for the purpose of ensuring compliance with laws and other regulations, assisting the employee in employment, training and promotion, ensuring the personal safety of employees, as well as monitoring the quantity and quality of the work performed and ensuring the safety of property (clause 1 of Article 86 of the Labor Code of the Russian Federation).

According to paragraph 3 of Art. 3 of the Federal Law "On Personal Data", the processing of personal data is actions (operations) with personal data, including collection, systematization, accumulation, storage, clarification (updating, changing), use, distribution (including transfer), depersonalization, blocking and destruction of personal data. It should be borne in mind that, regardless of the number of functional operations listed in the legislation, legal regulation must cover all stages of personal data processing, from receipt to destruction, without any exceptions or exemptions.

The principles for processing personal data include the following:

  • legality of the purposes and methods of processing and fairness;
  • compliance of the purposes of processing with the goals predetermined and stated when collecting personal data, as well as with the powers of the operator;
  • compliance of the volume and nature of the data processed, methods of processing with the purposes of their processing;
  • the reliability of personal data, their sufficiency for the purposes of processing, the inadmissibility of processing personal data that is not related to the purposes stated when collecting data;
  • the inadmissibility of combining databases of personal data information systems created for incompatible purposes.

The processing of an employee's personal data begins with its receipt. As a general rule, all personal data should be obtained from the employee himself. In exceptional cases, when the employee's personal data can only be obtained from a third party, the employee must be notified of this in advance and his written consent must be obtained. The employer is obliged to inform the employee about the purposes, intended sources and methods of obtaining the personal data, as well as the nature of the personal data to be received and the consequences of the employee's refusal to give written consent to its receipt (Clause 3 of Article 86 of the Labor Code of the Russian Federation). However, the employer does not have the right to receive and process the employee's personal data about his political, religious and other beliefs and private life (Clause 4 of Article 86 of the Labor Code of the Russian Federation). Nor may the employer request information about the employee's health status unless it relates to the employee's ability to perform a labor function (Article 88 of the Labor Code of the Russian Federation).

The Labor Code of the Russian Federation imposes certain requirements on the organization and technology of processing personal data by the employer. The obligation to familiarize employees and their representatives, against signature, with the employer’s documents establishing the procedure for processing personal data of employees, as well as their rights and responsibilities in this area, presupposes the need to develop and adopt an appropriate local regulatory legal act. Such an act, depending on the specifics of the activity and the discretion of the employer, can be called a regulation or instruction and, as a rule, includes the following sections:

  • basic concepts and provisions;
  • processing of employee personal data;
  • generation of employee personal data;
  • recording, storage and transfer of employee personal data;
  • rights and obligations of the employee in the field of processing and protection of his personal data.

Such a local regulatory legal act defines the confidentiality regime (limited access) for an employee's personal data at a specific employer. The employer's employees who receive the employee's personal data are required to comply with this regime, which must be stated not only in their job descriptions but also in the employment contracts concluded with them. The regulation (instruction) on the protection of personal data is the main document reflecting the specifics of the processing and transfer of an employee's personal data within a specific organization or for a specific individual entrepreneur. If there is an automated component within this activity, the employer does not have the right to make decisions regarding the employee based on personal data obtained solely as a result of automated processing or electronic receipt (clause 6 of Article 86 of the Labor Code of the Russian Federation). An employer need not limit itself to adopting a regulation on the protection of employees' personal data in its organization. However, the presence of this local act is mandatory, and its absence is treated by the state labor inspectorate as a serious violation of labor legislation.

For this and other violations of the rules governing the receipt, processing and protection of the employee's personal data, the employer can hold the perpetrators to material and disciplinary liability, and the corresponding government bodies can hold them to civil, administrative and criminal liability.
