The right to access personal data. The position or person has access to the employee's personal data. Processing of personal data of an employee - terms and types

An employee's personal data is information that an employer needs in connection with labor relations and that relates to a particular employee. Namely:

This information is necessary for the employer to conclude a labor contract, fill out a personal card No. T-2, help the employee in training and promotion, ensure his personal safety, and control the quantity and quality of the work he performs.

The concept of personal data is contained in the List of confidential information (approved by Decree of the President of the Russian Federation of March 6, 1997 No. 188 "On approval of the list of confidential information"). This is information about the facts, events and circumstances of a person's private life.

How to receive personal data

Personal data is confidential information, that is, information to which there is no free access. Therefore, the employer is obliged to receive all personal data about the employee only from the employee himself. If for some reason this is not possible, the employer has the right to request such information from third parties only with the written consent of the employee. At the same time, the employee must be informed about the purposes, sources and methods of obtaining personal data, about what kind of information the employer is interested in, and about the consequences of the employee's refusal to give written consent to receive this information.

There is an exception to this rule: the employer has the right to request information, for example, from various medical institutions about contraindications and restrictions in the labor activity of their employees.

The main purpose of such an exception is to prevent a threat to the life and health of the employee.

It is allowed to transfer confidential information about an employee to other persons only with the written consent of the employee himself. It is not allowed to transfer personal information about an employee for commercial purposes. The transfer of such information without written consent is possible only in the following cases:

  • this is necessary in order to protect the life and health of the employee (the degree of threat is determined by the employer);
  • this is provided for by federal law (for example, article 228 of the Labor Code of the Russian Federation directly determines that if an accident occurs at work, the relatives of the victim, as well as a number of state and local authorities, must be informed immediately).

The employer is obliged to maintain confidentiality when working with personal data of employees. To do this, you need to keep special logs.

Journal of internal access to personal data of employees

The register of internal access to personal data of employees records: the date of issue and return of documents (personal files) to employees of the organization; the purpose of issue; the names of the documents issued; and the period of use. If many documents were issued against an inventory, check them against the inventory when they are returned. The employee returning the documents must be present during this check. When issuing documents, warn that it is not permitted to make notes or corrections in them, make new entries, remove documents (for example, from a personal file) or add new ones.

The register of the issuance of personal data of employees to organizations and government bodies records: incoming requests (date of receipt, number and date of the incoming document, and the authority from which the request was received); the date of transfer of personal data; the content of the transmitted information; and the date of notification of refusal to provide information (if any).

In addition, the personnel officer must regularly check the availability of documents and other media containing personal data of employees. For this, a special log should also be kept.

What information is indicated in the Regulation on the protection of personal data

The procedure for the storage and use of personal data of the company's employees is determined by the Regulations on the protection of personal data. This is a mandatory internal (local) document of the company; it is developed by the personnel department.

The law does not establish a strict form for this document, but it must comply with the requirements of the Labor Code of the Russian Federation for the protection of an employee's personal data.

The regulation must state:

  • the purpose and objectives of the company in the field of personal data protection;
  • the concept and composition of personal data;
  • in which structural divisions and on what media (paper, electronic) these data are accumulated and stored;
  • how personal data is collected;
  • how they are processed and used;
  • who (by position) in the company has access to them;
  • how personal data is protected from unauthorized access;
  • the rights of the employee in order to ensure the protection of their personal data;
  • responsibility for the disclosure of confidential information related to the personal data of employees.

Who approves the Regulation on the protection of personal data of an employee

The regulation on the protection of personal data of an employee is approved by the head of the company or a person authorized by him. And this document is put into effect by order of the head.

The regulation on the protection of personal data looks like this:

Who has access to personal data

Every employee who, by virtue of his official duties, has access to the personal data of other employees must sign a non-disclosure obligation.

The list of persons who have access to the employee's personal data is usually drawn up as an appendix to the regulation.

First of all, these are the employees of the personnel service, since they collect and compile data about the employee, and the heads of structural divisions (for example, the Chief Accountant, heads of departments). However, the latter have the right to request only those data that are necessary to perform specific labor functions (for example, in order to calculate tax benefits, the accounting department will not receive all the information about the employee, but only data on the number of his dependents). Draw up the appendix like this:


The employer is obliged to familiarize the employee with the Regulation on the protection of personal data, and the employee must sign to confirm this. The fact of familiarization is usually documented by a receipt, which remains with the employer. Here is a sample:


All information about education, work experience, social benefits, marital status, as well as military registration. When a person fills out application forms for employment, he indicates his passport data, address of registration and residence, information about family members, phone number, information about the absence of a criminal record.

All completed documents that contain such facts are considered confidential, but the limited use stamp is not affixed. The employer may have access to personal information, but only so that he has an idea of the employee as a participant in the labor agreement.

The head of an enterprise does not have the right to request facts that do not relate to a particular position. Access to the personal information of an employee can only be granted with the permission of the employee himself.

Who has permission?

Giving access to an employee's personal information involves many actions and rules. You can get access on a permanent or temporary basis.

In order to arrange permanent access to personal information, you need to create a list of people who need this information to perform their official duties. These include:

  1. immediate supervisor;
  2. deputy director;
  3. personnel department employee.

Temporary access is granted only when information is requested for production orders. In this case, it is generally impossible to do without personal information about the employee. Access is granted only if the .

The employer ensures the complete secrecy of all received facts about the employee. The processing and collection of personal data is carried out by employees of the personnel department, who are responsible for maintaining confidentiality (read more about non-disclosure obligations and other documents).

Important! Use of information outside the labor organization or without the knowledge of the employee is prohibited.

All data that characterize a person as an employee cannot be requested by or transferred to complete outsiders.

Step by step instructions

Requesting more information

  1. An employer asks for facts about an employee's health when it is relevant to work.
  2. Information is requested to transfer the employee to another place with favorable conditions.
  3. It is necessary to enter the facts only in the required volume, to perform the intended functions.

Transfer of necessary information to third parties


The personal facts of an employee can be transferred both within the organization and outside it, but only with the consent of the employee. Confidentiality is fully provided for, and there is also protection against disclosure to third parties. It is worth noting that the only exception in this matter will be the need to transfer information in order to prevent a threat to human life.

  1. All information about the health status of the employee is collected.
  2. The employer indicates the employee's data only to the extent necessary to make a particular decision.
  3. This data is transferred to the relevant authorities, but only with the permission of the owner.

In the event of an accident, the employer must without fail transfer all the necessary facts to a number of state bodies.

If the rules for accessing personal information have been violated, then the violator may be subject to disciplinary liability. Penalties, remarks, reprimands or dismissal are often applied. Such punishment may be applied to those employees who are required to comply with the rules for working with personal information.

If the employee himself disclosed his own information, the personnel officer and the employer do not bear disciplinary responsibility.

1. General Provisions

1.1. This Regulation has been developed in accordance with the Constitution of the Russian Federation, the Labor Code of the Russian Federation No. 197-FZ dated December 30, 2001, the Federal Law of the Russian Federation "On Information, Information Technology and on Information Protection" No. 149-FZ of July 27, 2006, Federal Law of the Russian Federation "On Personal Data" No. 152-FZ of July 27, 2006, Decree of the President of the Russian Federation "On Approval of the List of Confidential Information" No. 188 of March 6, 1997 and other regulatory legal acts.

1.2. This Regulation determines the procedure for processing personal data of employees of "YOUR ORGANIZATION" (hereinafter referred to as the Organization) and guarantees of confidentiality of information provided by the employee to the employer.

1.3. The employee's personal data is confidential information.

2. The concept and composition of the employee's personal data

2.1. Employee's personal data - information required by the employer in connection with labor relations and relating to a particular employee.

Employee personal data includes:

    Surname, name, patronymic, year, month, date and place of birth, as well as other data contained in the employee's identity card;

    data on family, social and property status;

    data on the education of the employee, the availability of special knowledge or training;

    data on the profession, specialty of the employee;

    information about the employee's income;

    medical data, in cases provided for by law;

    information about the employee's family members;

    residence data, mailing address, phone number of the employee, as well as members of his family;

    other personal data, in determining the scope and content of which the employer is guided by this Regulation and the legislation of the Russian Federation.

3. Processing of personal data of an employee

3.1. Processing of personal data of an employee - receipt, storage, combination, transfer or any other use of personal data of an employee.

The processing of the employee's personal data is carried out to ensure compliance with laws and other regulatory legal acts, assist the employee in employment, training and promotion, ensure the personal security of the employee, control the quality and quantity of work performed, and ensure the safety of property, remuneration, and the use of benefits provided for by the legislation of the Russian Federation and acts of the employer.

3.2. The employer does not have the right to receive and process the personal data of the employee about his political, religious and other beliefs and private life. In cases directly related to issues of labor relations, in accordance with Article 24 of the Constitution of the Russian Federation, the employer has the right to receive and process data on the private life of the employee only with his written consent.

The employer does not have the right to receive and process the personal data of the employee about his membership in public associations or his trade union activities, except as otherwise provided by federal law.

When making decisions affecting the interests of the employee, the employer does not have the right to rely on the employee's personal data obtained solely as a result of their automated processing or electronic receipt.

3.3. Based on the rules of the Labor Code of the Russian Federation (Article 86), as well as on the provisions of paragraph 2 of Art. 6 of the Federal Law of the Russian Federation "On Personal Data", the processing of personal data is carried out by the employer without the written consent of the employee, except as otherwise provided by federal law.

Receipt

3.4. The employer can obtain all personal data about the employee from him.

3.5. The employee is obliged to provide the employer with reliable information about himself and promptly inform him of changes in his personal data. The employer has the right to verify the accuracy of the information provided by the employee by comparing the data provided by the employee with the documents available to the employee.

3.6. In cases where the employer can obtain the necessary personal data of the employee only from a third party, the employer must notify the employee about this and obtain written consent from him in the prescribed form (Appendix 1).

The employer is obliged to inform the employee about the purposes, methods and sources of obtaining personal data, as well as the nature of the personal data to be obtained and the possible consequences of the employee's refusal to give written consent to receive them.

Storage of personal data of an employee

3.7. The employee's personal data is stored in the personnel department in the employee's personal file. Personal files are stored in paper form in folders and are kept in a safe or in a fireproof cabinet.

The personal data of the employee in the personnel department is also stored in electronic format on the local computer network. Access to electronic databases containing personal data of employees is provided by a password system. Passwords are set by the head of the HR department and communicated individually to HR employees who have access to employees' personal data.

Note: The storage of personal data of employees in the accounting department and other structural divisions of the employer, whose employees have the right to access personal data, is carried out in a manner that excludes access to them by third parties.

3.8. An employee of the employer who has access to the personal data of employees in connection with the performance of labor duties:

    ensures the storage of information containing the personal data of the employee, excluding access to them by third parties.

In the absence of an employee, there should be no documents containing personal data of employees at his workplace (compliance with the “clean desk policy”).

    when going on vacation or a business trip, and in other cases of a long absence of an employee from his workplace, he is obliged to transfer documents and other media containing personal data of employees to a person who will be entrusted with the performance of his labor duties by a local act of the Organization (order, directive).

Note: If such a person is not appointed, then documents and other media containing personal data of employees are transferred to another employee who has access to personal data of employees at the direction of the head of the structural unit.

Upon dismissal of an employee who has access to personal data of employees, documents and other media containing personal data of employees are transferred to another employee who has access to personal data of employees at the direction of the head of the structural unit.

Use (access, transfer, combination, etc.) of the employee's personal data

3.9. Employees of the employer who need personal data in connection with the performance of their labor duties in accordance with the list of positions (Appendix 2) have access to the employee's personal data.

In order to perform an assigned task, and on the basis of a memo with a positive resolution of the head of the Organization, access to the personal data of the employee may be provided to another employee whose position is not included in the List of positions of employees who have access to the personal data of the employee of the Organization, and who needs them in connection with the performance of work duties.

3.10. If the employer is provided with services by legal entities and individuals on the basis of concluded agreements (or other grounds) and by virtue of these agreements they must have access to the personal data of the employees of the Organization, then the relevant data is provided by the employer only after signing a non-disclosure agreement with them.

In exceptional cases, based on the contractual relationship with the counterparty, it is allowed to have clauses on non-disclosure of confidential information in contracts, including those providing for the protection of the employee's personal data.

3.11. The procedure for obtaining access to the personal data of an employee includes:

    acquaintance of the employee against signature with this Regulation.

Note: If there are other regulations (orders, directives, instructions, etc.) regulating the processing and protection of the employee's personal data, the employee is also familiarized with these acts against signature.

    requesting from the employee (except for the head of the Organization) a written obligation to maintain the confidentiality of the employee's personal data and comply with the rules for their processing, prepared in the prescribed form (Appendix 3).

3.12. Employees of the employer who have access to the personal data of employees have the right to receive only those personal data of the employee that they need to perform specific work functions.

3.13. Access to the personal data of employees without special permission is granted to employees holding the following positions in the organization:

    Head of the organization;

    Deputy Head of the Organization;

    Chief Accountant;

    employees of the personnel department;

    software engineers of the information technology department;

    heads of structural divisions - in relation to the personal data of employees registered in the relevant structural divisions.

3.14. Admission to the personal data of the employee of other employees of the employer who do not have a properly formalized access is prohibited.

3.15. The employee has the right to free access to his personal data, including the right to receive a copy of any record (except as provided by federal law) containing his personal data. The employee has the right to make proposals for making changes to his data if inaccuracies are found in them.

3.16. The personnel department has the right to transfer the employee's personal data to the accounting department and other structural divisions, if it is necessary for the employees of the relevant structural divisions to fulfill their labor duties.

When transferring personal data of an employee, personnel department employees warn the persons receiving this information that these data can only be used for the purposes for which they are communicated, and demand a written commitment from these persons in accordance with clause 3.11 of this Regulation.

3.17. The transfer (exchange, etc.) of personal data between departments of the employer is carried out only between employees who have access to personal data of employees.

Access to personal data of an employee of third parties (natural and legal)

3.18. The transfer of the employee's personal data to third parties is carried out only with the written consent of the employee, which is drawn up in the prescribed form (Appendix 4) and must include:

    surname, name, patronymic, address of the employee, number of the main document proving his identity, information about the date of issue of the specified document and the body that issued it;

    the name and address of the employer receiving the employee's consent;

    the purpose of the transfer of personal data;

    a list of personal data, the transfer of which the employee consents to;

    the period during which the consent is valid, as well as the procedure for its withdrawal.

Note: The consent of the employee to the transfer of his personal data to third parties is not required in cases where this is necessary in order to prevent a threat to the life and health of the employee; when third parties provide services to the employer on the basis of concluded agreements, as well as in cases established by federal law and these Regulations.

3.19. It is not allowed to transfer personal data of an employee for commercial purposes without his written consent, drawn up in the prescribed form (Appendix 5).

3.20. Employees of the employer who transfer personal data of employees to third parties must transfer them with the obligatory drawing up of an act of acceptance and transfer of documents (other material media) containing personal data of employees. The act is drawn up in the prescribed form (Appendix 6), and must contain the following conditions:

    notification of the person receiving these documents of the obligation to use the received confidential information only for the purposes for which it was communicated;

    warning of liability for illegal use of this confidential information in accordance with federal laws.

The transfer of documents (other material media) containing personal data of employees is carried out if the person authorized to receive them has:

    contracts for the provision of services to the Organization;

    agreements on non-disclosure of confidential information or the presence in an agreement with a third party of clauses on non-disclosure of confidential information, including those providing for the protection of the employee's personal data;

    a letter of inquiry from a third party, which should include an indication of the grounds for obtaining access to the requested information containing the employee's personal data, its list, the purpose of use, and the full name and position of the person who is entrusted with obtaining this information.

Responsibility for compliance with the above procedure for providing personal data of an employee of the Organization is borne by the employee, as well as the head of the structural unit that transfers the employee's personal data to third parties.

3.21. The representative of the employee (including a lawyer) receives personal data in accordance with the procedure established by the current legislation and these Regulations. Information is transmitted in the presence of one of the documents:

    a notarized power of attorney of the representative of the employee;

    a written application of the employee, written in the presence of an employee of the employer's personnel department (if the application is written by the employee not in the presence of an employee of the personnel department, then it must be notarized).

Powers of attorney and applications are stored in the personnel department in the personal file of the employee.

3.22. The provision of personal data of an employee to state bodies is carried out in accordance with the requirements of the current legislation and this Regulation.

3.23. An employee's personal data may be provided to relatives or members of his family only with the written permission of the employee himself, except in cases where the transfer of an employee's personal data without his consent is allowed by the current legislation of the Russian Federation.

3.24. Documents containing the employee's personal data may be sent through the federal postal service. At the same time, their confidentiality must be ensured. Documents containing personal data are enclosed in an envelope, and a cover letter is attached to it. An inscription is made on the envelope stating that the contents of the envelope are confidential information and that legislation provides for liability for its illegal disclosure. Next, the envelope with the cover letter is enclosed in another envelope, on which only the details provided for by the postal rules for registered mail are applied.

4. Organization of the protection of the employee's personal data

4.1. The protection of the employee's personal data from their unlawful use or loss is provided by the employer.

4.2. The general organization of the protection of personal data of employees is carried out by the head of the personnel department.

4.3. The Head of Human Resources provides:

    familiarization of the employee against signature with this Regulation.

If there are other regulatory acts (orders, directives, instructions, etc.) regulating the processing and protection of the employee's personal data, the employee is also familiarized with these acts against signature.

    requesting from employees (with the exception of the persons specified in paragraph 3.13 of this Regulation) a written obligation to maintain the confidentiality of the employee's personal data and comply with the rules for their processing.

    general control over compliance by the employer's employees with measures to protect the employee's personal data.

4.4. The organization and control over the protection of personal data of employees of the structural divisions of the employer, whose employees have access to personal data, is carried out by their immediate supervisors.

4.5. Subject to protection:

    information about the employee's personal data;

    documents containing personal data of the employee;

    personal data contained on electronic media.

4.6. The protection of information stored in the employer's electronic databases from unauthorized access, distortion and destruction, as well as from other illegal actions, is ensured by the differentiation of access rights using an account and password system.

5. Final provisions

5.1. Other rights, obligations and actions of employees whose labor duties include the processing of personal data of an employee are also determined by job descriptions.

5.2. Persons guilty of violating the norms governing the receipt, processing and protection of personal data of an employee bear material, disciplinary, administrative, civil or criminal liability in the manner prescribed by federal laws.

5.3. Disclosure of personal data of an employee of the Organization (transferring them to third parties, including employees of the Organization who do not have access to them), their public disclosure, loss of documents and other media containing personal data of an employee, as well as other violations of obligations for their protection and processing established by these Regulations and local regulations (orders, instructions) of the Organization, entails the imposition of disciplinary action on an employee who has access to personal data: remarks, reprimands, dismissals.

An employee of the employer who has access to the personal data of the employee and has committed the specified disciplinary offense bears full liability if his actions cause damage to the employer (clause 7 of article 243 of the Labor Code of the Russian Federation).

5.4. Employees of the employer who have access to the personal data of the employee, guilty of illegal disclosure or use of the personal data of the employees of the employer without the consent of the employees out of mercenary or other personal interest and causing large damage, are criminally liable in accordance with Art. 183 of the Criminal Code of the Russian Federation.

Appendix 1 - Written consent of the employee to receive his personal data from a third party

Appendix 2 - List of positions of employees who have access to the personal data of an employee of the Organization and who need them

Pass office on duty

Appendix 3 - Obligation to respect the confidentiality of the employee's personal data

Appendix 4 - Written consent of the employee to the transfer of his personal data to a third party

Appendix 5 - Written consent of the employee to the transfer of his personal data for commercial purposes

Appendix 6 - The act of acceptance and transfer of documents (other material carriers) containing the employee's personal data

The employee's personal data contains the complete information required by the employer for registration of labor relations with the employee. This article discusses how to gain access to personal data, and what the punishment is for disclosing personal information.

From this article you will learn:

  • what is included in the employee's personal data;
  • what is the procedure for granting access to personal data;
  • types of liability for disclosure of personal data.

Personal data of an employee - information requested by the employer when registering an employment relationship with an employee. Such data contains all the necessary information about the person being hired, including information about life events and facts that identify the employee.

What is included in the personal data of an employee

The employee's personal data includes information about the education received, general and work experience, marital status, social benefits, military registration. The completed questionnaires also indicate the specialty, position, passport data, information about the presence / absence of a criminal record, address of residence and registration, general information about relatives and family members, telephone, etc.

Despite the fact that the documents filled in by the employee with personal data are recognized as confidential, due to the single place of storage and processing, such documentation is not labeled as limited use.

The current norms of the Labor Code establish that the employer has the right to request from the employee only information that characterizes the employee as a participant in the labor agreement. This means that the head of the enterprise cannot require the provision of information about the hired person that is not related to the performance of official duties in a particular organization and in a specific position.

Procedure for granting access to personal data

The standard procedure for granting access to personal data includes a number of actions to comply with the rules for obtaining access to personal information on a permanent and temporary basis.

To obtain permanent access, a list of persons is formed for whom the information specified by the hired employee is necessary for the performance of labor (service) duties, including for enrolling the employee in the staff of the organization, transferring to another position, etc.

Temporary (one-time) access to personal data is usually provided when employees requesting information perform production tasks, where personal information about the employee cannot be dispensed with. In this case, the right of access is given on the basis of a prepared application with a request to process the employee's personal information.

Responsibility for disclosure of personal data

The labor legislation of the Russian Federation provides for administrative liability for the disclosure of personal information. In the event of a leak of confidential information, the prosecutor's office is responsible for bringing the perpetrators to justice.

At the moment, the Code of Administrative Offenses of the Russian Federation for the disclosure of personal data provides for the following administrative fines:

  • 500 - 1000 rubles. - for citizens;
  • 4 - 5 thousand rubles. - for officials.

If a person's personal information is placed in the media, published in works of literature and art, or voiced in public speeches, criminal liability may be imposed. Criminal liability also applies when personal data is obtained by illegal means.

The Criminal Code of the Russian Federation provides for the following types of punishments for the disclosure of personal information:

  • payment of a fine in the amount not exceeding 200 thousand rubles;
  • the imposition of a fine in the amount of 1.5 years of the perpetrator's salary;
  • correctional labor for a period not exceeding 12 months;
  • sending the perpetrator to compulsory work lasting no more than 360 hours;
  • imprisonment for up to 24 months;
  • detention for a period not exceeding 4 months.

Thus, the use of the employee's personal data is possible only after obtaining the right of access to such information. For the disclosure of personal information, the perpetrators are subject to administrative or criminal liability.

Federal Law No. 13-FZ of 07.02.2016 (hereinafter referred to as Law No. 13-FZ) toughens administrative liability for violation of personal data protection legislation and differentiates the composition of administrative offenses. From July 1, 2017, liability for non-compliance with the rules on personal data established by Federal Law No. 152-FZ of July 27, 2006 (hereinafter referred to as Law No. 152-FZ) will increase significantly.

The maximum fine for legal entities will be 75 thousand rubles. (now - 10 thousand rubles). Obviously, employers who still do not pay due attention to the rules for processing personal data need to focus on this. Otherwise, indiscretion can result in significant financial losses for them.

New administrative fines.

Law No. 13-FZ rewrote the provisions of Art. 13.11 of the Code of Administrative Offenses of the Russian Federation. The new edition clarified the composition of administrative offenses under the legislation on personal data and increased the amount of fines.

| Composition of an administrative offense | Amount of the fine (thousand rubles) |
|---|---|
| Processing of personal data in cases not provided for by the legislation of the Russian Federation, or their processing incompatible with the purposes of collecting this data, except for the cases provided for in Part 2 of this article, if these actions do not contain a criminally punishable act | For officials - from 5 to 10, for legal entities - from 30 to 50. |
| Processing of personal data without the written consent of their subject to the processing of his data in cases where such consent must be obtained in accordance with the legislation of the Russian Federation, if these actions do not contain a criminally punishable act, or the processing of personal data in violation of the requirements established by the legislation of the Russian Federation for the composition of information included in the written consent of the subject of personal data to the processing of his data * | For officials - from 10 to 20, for legal entities - from 15 to 75. |
| Failure by the operator to comply with the obligation stipulated by the legislation of the Russian Federation to publish or otherwise provide unrestricted access to a document defining the operator's policy regarding the processing of personal data, or information about the implemented requirements for the protection of personal data | For officials - from 3 to 6, for individual entrepreneurs - from 5 to 10, for legal entities - from 15 to 30. A warning may be issued instead of a fine. |
| Failure by the operator to fulfill the obligation stipulated by the legislation of the Russian Federation to provide the subject of personal data with information regarding the processing of his personal data | For officials - from 4 to 6, for individual entrepreneurs - from 10 to 15, for legal entities - from 20 to 40. A warning may be issued instead of a fine. |
| Failure by the operator, within the time limits established by the legislation of the Russian Federation, to comply with the requirements of the subject of personal data or his representative or the authorized body for the protection of the rights of these subjects to clarify personal data, block or destroy them if the data is incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing | For officials - from 4 to 10, for individual entrepreneurs - from 10 to 20, for legal entities - from 25 to 45. A warning may be issued instead of a fine. |
| Failure by the operator, when processing personal data without the use of automation tools, to fulfill the obligation to comply with the conditions that ensure, in accordance with the legislation of the Russian Federation, the safety of personal data when storing material carriers of personal data and exclude unauthorized access to them, if this resulted in illegal or accidental access to personal data, their destruction, modification, blocking, copying, provision, distribution or other illegal actions in relation to personal data, in the absence of signs of a criminally punishable act | For officials - from 4 to 10, for individual entrepreneurs - from 10 to 20, for legal entities - from 25 to 50. |

* The specified fine is imposed for each committed violation; therefore, the initially declared fine of 15 - 75 thousand rubles can, as a result, grow to a very impressive size.

Powers to initiate proceedings on administrative offenses under Art. 13.11 of the Code of Administrative Offenses of the Russian Federation were transferred from prosecutors to Roskomnadzor (new wording of clause 58, part 2 of Art. 28.3 and part 1 of Art. 28.4 of the Code of Administrative Offenses of the Russian Federation). But these cases will still be considered by the courts (part 1 of article 23.1 of the Code of Administrative Offenses of the Russian Federation).

Note:

In addition to Roskomnadzor, Rostrud can check the employer's compliance with the requirements of legislation in the field of personal data. After all, the provisions of Ch. 14 of the Labor Code of the Russian Federation (along with Law No. 152-FZ) define the requirements for the processing of personal data of employees and the guarantees for their protection. Labor inspectors are empowered to draw up protocols on administrative offenses, including those provided for in Art. 5.27 of the Code of Administrative Offenses of the Russian Federation, in cases of violation of labor law (clause 16, part 2, article 28.3 of the Code of Administrative Offenses of the Russian Federation).

Before considering the question of how an employer can avoid fines, let us explain what is meant by personal data, the processing of personal data and the operator.

Personal data.

Personal data is information that is directly or indirectly related to the subject of personal data (that is, an individual) (part 1 of article 3 of Law No. 152-FZ). That is, it allows you to unambiguously determine what kind of person we are talking about.

The current legislation contains no specific instructions on what information to consider as personal data (they are neither in Law No. 152-FZ nor in Chapter 14 of the Labor Code of the Russian Federation). It contains only general principles. In fact, the concept under consideration is evaluative, which gives a certain scope for qualifying particular information about an individual as personal data. It is obvious that, first of all, information on the basis of which the subject of personal data can be unmistakably identified should be considered as such. The employee, as a rule, reports such information himself when applying for a job. Personal information can also be obtained from a third party, but only with the written consent of the employee (part 3 of article 86 of the Labor Code of the Russian Federation). In turn, anonymized information cannot be classified as personal data.

  • full name;
  • date and place of birth;
  • address (place of registration);
  • family, social and property status;
  • education, profession;
  • income, property and property obligations.

This is general personal data. In addition to them, Law No. 152-FZ mentions:

  • special personal data (relating to race, nationality, political views, religious or philosophical beliefs, health status, intimate life). As a general rule, the processing of this data is not permitted. An exception is the cases provided for by Part 2 of Art. 10 of the named law;
  • biometric personal data (characterize the physiological and biological characteristics of a person, on the basis of which his identity can be established). For the processing of such information, the consent of the subject of personal data is required. An exception is the cases established by Part 2 of Art. 11.

Note:

Personal data of employees, as a rule, is contained in the following documents:

  • in a passport or other identity document;
  • in the work book;
  • in documents on military registration, education, family composition;
  • in the certificate of income from the previous place of work;
  • in the application form filled out during employment;
  • in the employee's personal card (T-2 form);
  • in certificates of marriage, birth of a child;
  • in medical certificates, etc.

The employer keeps copies of the listed documents, with the exception of questionnaires, work books and personal cards.

Processing of personal data.

The processing of personal data is understood as any action (or set of actions) performed with them (with or without the use of automation tools). Action refers to the collection, recording, systematization, accumulation, storage, clarification (updating, changing), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of data (part 3 of article 3 of Law No. 152-FZ).

The purposes of processing personal data are defined in Part 1 of Art. 86 of the Labor Code of the Russian Federation, and its basic principles - Art. 5 of Law No. 152-FZ.

* According to Art. 87 of the Labor Code of the Russian Federation, the procedure for storing and using personal data of employees is established by each employer independently in compliance with the requirements of the Labor Code and other federal laws (including Law No. 152-FZ).

An important nuance: the legislation does not define the requirements for the amount of personal data that the operator (employer) can process with the consent (or without) of their subject. Therefore, the parties have the right to determine the amount of information received and processed independently. At the same time, it should be taken into account that the requirements of the law for the procedure for obtaining consent to the processing of information and for the very procedure for their processing differ depending on the type (category) of personal data.

Operator.

Operator - a person who organizes and carries out the processing of personal data (part 2 of article 3 of Law No. 152-FZ).

Any employer (legal entity or individual entrepreneur) who has received the personal data of an employee at his disposal falls under the above definition. This means that from that moment, in accordance with the requirements of Law No. 152-FZ, he is responsible for protecting and ensuring the safety of personal data of employees.

Moreover, in accordance with Part 1 of Art. 18.1 of Law No. 152-FZ, each operator must independently determine the composition and list of measures necessary and sufficient to ensure the fulfillment of the obligations provided for by this law. One of these measures is the issuance by the operator of a local regulatory act that establishes the procedure for processing personal data of employees in the organization. The same is required of the operator by Art. 86 and 87 of the Labor Code of the Russian Federation. A local act (usually referred to as the Regulation on Personal Data) defines the rights and obligations of both the subject of personal data and the operator.

We emphasize: the employer must have the designated document. For its absence, Roskomnadzor specialists can fine the operator (and his officials) on the basis of part 3 of Art. 13.11 of the Code of Administrative Offenses of the Russian Federation.

Requirements for the execution of a provision on personal data.

When drawing up the Regulations on Personal Data, it is necessary to take into account the requirements for the receipt, processing, storage and use of personal data of employees established by Law No. 152-FZ and Ch. 14 of the Labor Code of the Russian Federation. Based on the mentioned regulations, the Regulations on Personal Data must indicate:

  • a list of information related to the category of personal data;
  • what documents containing the personal data of employees, the operator will submit to various government agencies (off-budget funds, tax, labor inspection, statistical agencies, etc.);
  • a list of officials authorized to process, store and use personal data and, accordingly, responsible for violation of the requirements of the law;
  • who and in what order has access to the received personal data;
  • measures aimed at the preservation and non-disclosure of personal data, as well as the procedure for their transfer (within the organization and to third parties);
  • the procedure for providing the subject of personal data with information regarding the processing of his data;
  • the procedure for clarifying the personal data of employees, their blocking and destruction;
  • conditions and procedure for storing personal data of employees.

An important nuance: the employer should take into account the requirement of Part 8 of Art. 86 of the Labor Code of the Russian Federation, which states that employees and their representatives must be familiarized with the Regulations on Personal Data against signature. In order to fulfill the specified requirement, the operator can, for example, issue an appropriate journal in which employees will sign, confirming the fact of familiarization. But there are other ways of familiarization against signature, for example, the reflection of this fact in an employment contract.

So, the provision on personal data is, perhaps, the main document, the presence of which is required by law. Its absence may become the basis for imposing a fine under Parts 3 and 4 of Art. 13.11 of the Code of Administrative Offenses of the Russian Federation. But this is not the only document that the operator must issue in order to properly comply with the requirements of the law.

Consent to the processing and transfer of personal data.

Part 1 of Art. 9 of Law No. 152-FZ states that consent must be specific, informed and conscious. It can be given by the subject of personal data (or his representative) in any form that allows the fact of its receipt to be confirmed, unless otherwise provided by Law No. 152-FZ. The said law does not directly state that the employee's consent to the processing of personal data must be in writing.

But! Part 2 of Art. 13.11 of the Code of Administrative Offenses of the Russian Federation defines the responsibility of the operator and his officials for the processing of personal data:

  • without the consent in writing of the subject of personal data to the processing of his data in cases where such consent must be obtained under the legislation of the Russian Federation, if these actions do not contain a criminally punishable act;
  • or in violation of the requirements established by the legislation of the Russian Federation for the composition of information included in the written consent of the subject of personal data to the processing of his data.

It follows that where current legislation in the field of personal data requires obtaining consent from the subject of these data, this consent must be drawn up in writing (in free form, since a single form is not provided for by law). Indeed, in the event of a dispute, it is the operator who must prove the fact of obtaining consent (part 3 of article 9 of Law No. 152-FZ). A written consent will be very helpful in this case.

In view of the foregoing, it makes sense for the employer-operator to develop and approve, as an annex to the Regulation on Personal Data, an employee consent form for the processing and transfer of such data. We add that Law No. 152-FZ allows the issuance of consent in the form of an electronic document.

What should be included in the consent?

The requirements for the content of written consent for cases where it is required by law are established by Part 4 of Art. 9 of Law No. 152-FZ. In this case, consent must include:

  1. Full name, address of the employee, details of the document proving his identity, including the date of issue and information about the body that issued it.
  2. Upon receipt of consent from the representative of the employee - his full name, address, details of the document proving his identity, including the date of issue and information about the authority that issued it, details of the power of attorney or other document confirming the authority of the representative.
  3. Name or full name and address of the employer.
  4. Purpose of personal data processing.
  5. List of personal data to be processed.
  6. Full name and address of the person or name of the organization that processes personal data on behalf of the employer, if it is entrusted to such a person or organization.
  7. The list of actions with personal data to which the employee has given consent, and a general description of the methods of processing them.
  8. The period during which the consent of the employee to the processing of his personal data is valid, and the method for withdrawing consent.
  9. Employee's signature.

In other cases (when the legislation does not require obtaining the consent of the employee), Law No. 152-FZ sets no special requirements for the content of consent. However, the general rule of Part 1 of Art. 9 of this law (on specific, informed and conscious consent) still applies. Therefore, in any case, the consent must specify the specific amount of personal data, and the purposes and methods of their processing and storage.

When does consent to data processing need to be obtained and when not?

Law No. 152-FZ allows the processing of personal data of employees both with their consent (clause 1, part 1, article 6), and without it.

Here you should pay attention to Clarifications of Roskomnadzor. According to officials, the processing of an employee's personal data does not require obtaining the appropriate consent of the specified person, provided that the amount of personal data processed by the employer does not exceed the established lists, and also complies with the purposes of processing provided for by labor legislation (see table).

| It is not necessary to issue the employee's consent to the processing of personal data if they are received | Source |
|---|---|
| From the documents (information) presented at the conclusion of an employment contract | Article 65, part 4 of Art. 275 of the Labor Code of the Russian Federation, clause 5, part 1, art. 6 of Law No. 152-FZ |
| As a result of the mandatory preliminary medical examination about the state of health | Article 69 of the Labor Code of the Russian Federation, paragraph 3 of the Clarification of Roskomnadzor |
| From a personal card or in other cases established by the legislation of the Russian Federation (for example, upon receipt of alimony, registration of access to state secrets, registration of social benefits) | Clause 2 of the Roskomnadzor Clarification |
| From a recruitment agency acting on behalf of an applicant for a vacant position | Clause 5 of the Roskomnadzor Clarification |
| From the resume of the applicant, posted on the Internet and available to an unlimited number of people | Clause 10, part 1, art. 6 of Law No. 152-FZ, clause 5 of Roskomnadzor Clarifications |

If personal data about an employee can only be obtained from a third party (recall, the corresponding possibility is provided for by Article 86 of the Labor Code of the Russian Federation), then he must be notified of this in advance and consent to the processing of information must be obtained from him.

Consent is also required if the employer plans to process other employee data (for example, contact details - cell phone number, email address).

About consent to the transfer of data.

In addition to consent to the processing of data, the operator must obtain the consent of the employee to transfer them to third parties (including for commercial purposes), which follows from paragraphs 2 and 3 of part 1 of Art. 88 of the Labor Code of the Russian Federation. This consent also clearly states what kind of operations with personal data the employer performs and what their purpose is.

Note:

The operator must warn third parties that personal data can only be used for the purposes for which they are reported, and require these persons to confirm that this rule has been observed (paragraph 4, part 1, article 88 of the Labor Code of the Russian Federation).

In some cases, the employee's consent to the transfer of personal data to third parties is not required. Let's present these cases in the table.

| Consent is not issued when data is transferred* | Source |
|---|---|
| To third parties in order to prevent a threat to the life and health of an employee | Paragraph 2 of Art. 88 of the Labor Code of the Russian Federation, para. 1 of clause 4 of the Roskomnadzor Clarifications |
| To off-budget funds | Paragraph 15, part 2, art. 22 of the Labor Code of the Russian Federation, para. 3 of clause 4 of the Roskomnadzor Clarifications |
| To tax authorities and military commissariats | Subparagraphs 1, 2, 4, paragraph 3 of Art. 24 of the Tax Code of the Russian Federation, para. 5 of clause 4 of the Roskomnadzor Clarifications |
| At the request of trade unions in order to control compliance with labor legislation by the employer | Article 370 of the Labor Code of the Russian Federation, para. 5 of clause 4 of the Roskomnadzor Clarifications |
| At the motivated request of the prosecutor's office and law enforcement agencies | Paragraph 7 of clause 4 of the Roskomnadzor Clarifications |
| At the request of state labor inspectors when they carry out supervisory and control activities | Paragraph 3, part 1, art. 357 of the Labor Code of the Russian Federation, para. 7 of clause 4 of the Roskomnadzor Clarifications |
| To the authorities and organizations that must be notified of a serious accident, including a fatal one | Paragraph 5 of Art. 228 of the Labor Code of the Russian Federation |

* Family members, insurance companies, credit institutions, charitable organizations, non-state pension funds and other similar organizations were not included in the specified list of third parties. Therefore, the operator has the right to transfer the personal data of the employee to the mentioned persons only with his written consent.

"On Amendments to the Code of the Russian Federation on Administrative Offenses".

The text of the normative act is published in "Acts and comments for the accountant", No. 3, 2017.

"About personal data".

See the Decree of the FAS SKO dated March 11, 2014 in case No. А53-10287/2013.

The Regulation on Personal Data, like any other local normative act, is approved by the head of the organization. If the organization has a representative body of workers (trade union), the designated document must be adopted subject to the requirements established by Art. 372 of the Labor Code of the Russian Federation.

"Issues relating to the processing of personal data of employees, applicants for vacancies, as well as persons in the personnel reserve". Placed on the official website of the department www.rsoc.ru on 12/24/2012.

Topical issues of accounting and taxation, No. 3, 2017



