Since the end of summer, the Personal Data Law has been in force in a new edition. The rules for obtaining and protecting information have changed. For the employer, this means only one thing: additional paperwork. In this article we explain how to draw up regulations on working with the personal data of employees and how to appoint the person responsible for organizing work with personal data.

What is personal data

Federal Law No. 152-FZ of July 27, 2006 “On Personal Data” (hereinafter referred to as Law No. 152-FZ) defines personal data as any information directly or indirectly related to an individual (to the subject of personal data). This is stated in paragraph 1 of Art. 3 of Law No. 152-FZ.

According to Part 1 of Art. 85 of the Labor Code, employee personal data is information relating to a specific employee that the employer needs in connection with labor relations. This covers data such as:

  • last name, first name, patronymic;
  • date and place of birth;
  • address;
  • marital status;
  • position (profession);
  • salary, other income;
  • ownership of real estate, cash deposits, etc.;
  • education, qualifications, vocational training, information about advanced training;
  • habits and hobbies, including harmful ones (alcohol, drugs, etc.);
  • biography facts and previous work activity (place of work, amount of earnings, criminal record, military service, work in elected positions, public service, etc.);
  • physiological characteristics, health;
  • business and other personal qualities;
  • other information.

The list of personnel documents that contain the personal data of employees is given in Table 1 on p. 76.

Table 1. Documents containing personal data of employees

N | Document | Information
1 | Questionnaire, autobiography, personal personnel records sheet (to be completed upon hiring) | Personal and biographical information about the employee
2 | Copy of the employee's identity document | Full name, date of birth, registration address, marital status, family composition
3 | Personal card (form N T-2, approved by the Resolution of Goskomstat of Russia dated 01/05/2004 N 1) | Employee's full name, place of birth, family composition, education, and identity document details
4 | Work book | Information about work experience, previous places of work
5 | Copies of marriage certificates and children's birth certificates | Family composition, changes in marital status
6 | Military registration documents | Information about the employee's military duty status, which the employer needs in order to carry out military registration of employees
7 | Certificate of income from previous places of work | Full name, information about the amount of income and withheld personal income tax
8 | Education documents | Confirm the employee's qualifications, justify the occupation of a certain position
9 | Mandatory pension insurance documents | Full name, personal data
10 | Employment contract | Information about the employee's position, salary, place of work, workplace, as well as other employee personal data
11 | Orders for personnel | Information about hiring, transfer, dismissal and other events related to the employee's work activities

Personal data processing operator

According to Law N 152-FZ, the person (legal or individual) who organizes and (or) carries out the processing of personal data and determines its composition, the purposes of processing, and the actions performed with personal data is called the operator (Clause 2 of Article 3 of Law No. 152-FZ). In our case, this is the employer.

Processing of personal data is any action performed with them. Operations for processing personal data:

  • collection;
  • recording;
  • systematization;
  • accumulation;
  • storage;
  • clarification (update, change);
  • extraction;
  • usage;
  • transmission (distribution, provision, access);
  • depersonalization;
  • blocking;
  • deletion;
  • destruction of personal data.

Regulations on working with personal data

The procedure for processing personal data by the operator may be established in the Regulations on working with personal data of employees (hereinafter referred to as the Regulations). There is no unified form for this document. Let's consider how to draw it up taking into account the requirements of Law N 152-FZ. The Regulations consist of several sections. They are presented in Table 2, which also briefly indicates the information that each section should contain. Detailed information is presented in a fragment of the Regulations on personal data of employees, which is given on p. 80.

Table 2. Structure of the Regulations on personal data of employees

N | Section | Contents
1 | General provisions | Purpose of adoption of the Regulations. Issues governed by the Regulations. Links to regulations: indicate on the basis of which documents the Regulations are compiled. In organizations that employ state civil servants, reference is given to: Federal Law of July 27, 2004 N 79-FZ "On the State Civil Service of the Russian Federation"; Decree of the President of the Russian Federation dated May 30, 2005 N 609 "On approval of the Regulations on personal data of a state civil servant of the Russian Federation and maintaining his personal file"; regulatory acts of a constituent entity of the Russian Federation
2 | Basic concepts. Composition of employee personal data | Basic concepts. Definitions of the concepts "personal data", "processing of personal data", "use of personal data" are given; the storage period for documents, etc. is indicated. It must be stated separately what counts as personal data in the specific company, taking into account its features (data used in work, for example, information about working at sensitive facilities, about obtaining access to state secrets, about health fitness for professions associated with heavy and harmful conditions, etc.). List of the organization's documents that contain personal data
3 | Receipt of employees' personal data | Procedure for obtaining personal data. Indicates that the data is received and processed on the basis of the employee's written consent. Indicates cases where consent is not required
4 | Use of personal data | Purposes for using employees' personal information
5 | Processing of personal data | Conditions observed when processing employee personal data
6 | Transfer of personal data (access to personal data) | The procedure for transferring personal data within the organization (internal access) and to third parties and government agencies (external access)
7 | Responsibility for violation of the norms regulating the processing and protection of personal data | Identifies those who are responsible for violating the rules for storing and using personal data

Fragment of the Regulations on personal data of employees

Introduction of the Regulations into force

The regulation on personal data is approved by the head of the company and put into effect by order of the organization (a sample is given on p. 90). A record of the approval of the Regulations must be made in the register of local regulations.

If there is a trade union

If the company has a trade union, the Regulations must be agreed upon with it. To do this, the draft Regulations are sent to the elected body of the trade union (Article 372 of the Labor Code of the Russian Federation). It must express its opinion (in writing) no later than five working days from the date of receipt of the draft. If the union does not agree with the draft or has proposals for its improvement, the administration has two options. The first is to agree. The second is to conduct additional consultations with the trade union within three days after receiving a reasoned opinion in order to achieve a mutually acceptable solution. If this does not help, a protocol of disagreement should be drawn up. After this, the administration has the right to adopt the Regulations without taking into account the demands of the trade union. However, the trade union will be able to appeal the Regulations or begin the procedure for a collective labor dispute in the manner prescribed by Chapter 61 of the Labor Code.

Familiarization of employees with the Regulations

Employees must be familiarized with the Regulations against signature (clause 8 of Article 86 of the Labor Code of the Russian Federation). This fact can be recorded in:

  • the text of each employee's employment contract (a list of local regulations with which the employee is familiarized before signing the contract);
  • a sheet for familiarization with the Regulations (sample on p. 91);
  • a logbook for familiarizing employees with local regulations (sample on p. 91).

Sample sheet for familiarization with local regulations

N | Name of local regulatory act | Date | Signature
1 | Internal labor regulations of LLC "Black Forest" | 03.10.2011 | Evstakhov
2 | Regulations on remuneration, bonuses and social security of employees of LLC "Black Forest" | 03.10.2011 | Evstakhov
3 | Information security instructions, approved by Order dated June 15, 2008 N 1 | 03.10.2011 | Evstakhov
4 | Statement on personal data | 03.10.2011 | Evstakhov
5 | Provision on liability of workers for damage caused to LLC "Black Forest" | 03.10.2011 | Evstakhov

Fragment of the log of familiarization with the Regulations on personal data

Note. Personal data storage period

Local regulations (regulations, instructions) on personal data must be stored permanently. As for employee statements of consent to data processing (they will be discussed in future issues), and other employee documents, they are stored for 75 years. This is stated in the List approved by Order of the Ministry of Culture of Russia dated August 25, 2010 N 558.

Administrative responsibility

Administrative liability measures (mostly fines; disqualification is not applied in this case) for an enterprise and its officials for violating the procedure for receiving, processing, storing and protecting personal data of employees are given in Table 3.

Table 3. Responsibility for violating the procedure for obtaining, processing, storing and protecting personal data of employees

Work with personal information must be carried out in strict accordance with the law. In particular, one of the fundamental principles of processing personal information is strict compliance with the purposes of use stated in the permission from the owner and with the scope specified therein.

The concept of personal data and principles of their processing

One of the provisions establishes a requirement that all personal information about citizens of the Russian Federation must be stored on servers located in the country. It is not permitted to supplement this information with data taken from sites located outside Russia's borders.

In a situation where a person considers any messages about him to be untrue, he can contact the operator (in accordance with Article 14 of Law 152-FZ) with a request to delete or adjust them accordingly.

In case of refusal, such a person has the right to go to court.

Consent to the processing of personal data

Such a document must contain the following sections:

  1. The person who gives consent and their passport details.
  2. The name of the operator to whom permission is given.
  3. The purposes of processing for which consent is given.
  4. A specific list of the data for whose processing permission is given.
  5. A list of all the operations to be performed with the data.
  6. The period of validity of the permission.
  7. The signature, the printed name of the signer, and the date.

A permit drawn up according to the sample gives permission only for what is specifically stated in it.

The use of the information in question is necessary for:

  1. Maintaining documents in the HR department.
  2. Concluding contracts and performing other legal actions.
  3. Complying with tax legislation requirements.
  4. Other purposes of a similar kind.

It should be noted that:

  • in each such case, obtaining information is determined by regulations;
  • it is carried out in a certain composition, volume, for a specific period and only to fulfill the stated goals.

Examples of targeted use of personal information

In various fields of the economy and public life, citizens' personal data is vital.

In a medical institution, it is important to know details about a person's health throughout his life. In this case, the owner of the personal information is the patient. The operator who uses it is a clinic or other medical institution. It is required to obtain permission from Roskomnadzor for processing. If a clinic transfers data, for example, to a specialized hospital, it must obtain the written consent of the citizen.

For a bank, it is vital when granting a loan to make a reasonable assessment of whether the applicant will be able to repay the borrowed money or lacks suitable financial resources. This requires details about income, employment, family composition and some others. The owner of the information is the client. The bank is the operator that carries out the processing. The client has the right to revoke permission to use information about him. The goal of working with the information is to ensure compliance with the requirements of the banking legislation of the Russian Federation.

It is impossible to do without providing this or similar information. But it is important that its use does not violate the requirements of current regulations.

Rules and principles for working with information


It can be understood that a random person cannot obtain source texts directly from anonymized information. However, this organization itself will be able to restore it later.

Violations related to misuse of personal data

Starting from July 1, 2017, changes were made to the Code of Administrative Offenses, which define liability for violation of Law No. 152-FZ. If the established rules are violated, the law provides appropriate punishments.

If information is collected where there is no legal basis for this, or processing is carried out for illegal purposes, a fine is imposed. For individuals the amount is from 1 to 3 thousand rubles; officials pay from 5 to 10 thousand rubles, and enterprises from 30 to 50 thousand rubles.

If information was disclosed, the fine is assessed for each individual case. It can range from 500 to 1000 rubles for the employee through whose fault the violation occurred. If an organization is responsible for what happened, the amount increases: it can range from 5 to 10 thousand rubles.

The regulatory act in question states that compliance with the provisions of Law 152-FZ is monitored by Roskomnadzor. Before processing begins, the operator must send a notification there under Article 22 of the Personal Data Protection Law. In particular, Roskomnadzor carries out checks and, if violations are detected, issues orders regarding the deficiencies that need to be eliminated. If an order is not executed, a fine is imposed on the perpetrator, which can amount to 20 thousand rubles.

1. The processing of personal data must be carried out in compliance with the principles and rules provided for by this Federal Law. Processing of personal data is permitted in the following cases:

1) the processing of personal data is carried out with the consent of the subject of personal data to the processing of his personal data;

2) the processing of personal data is necessary to achieve the goals provided for by an international treaty of the Russian Federation or law, to implement and fulfill the functions, powers and responsibilities assigned by the legislation of the Russian Federation to the operator;

3) the processing of personal data is carried out in connection with the participation of a person in constitutional, civil, administrative, criminal proceedings, proceedings in arbitration courts;

3.1) the processing of personal data is necessary for the execution of a judicial act, or an act of another body or official, that is subject to execution in accordance with the legislation of the Russian Federation on enforcement proceedings (hereinafter - execution of a judicial act);

4) the processing of personal data is necessary for the exercise of the powers of federal executive authorities, bodies of state extra-budgetary funds, executive bodies of state power of the constituent entities of the Russian Federation, local government bodies, and the functions of organizations involved in the provision of state and municipal services provided for by the Federal Law dated July 27, 2010 N 210-FZ "On the organization of the provision of state and municipal services", including registration of the subject of personal data on the unified portal of state and municipal services and (or) regional portals of state and municipal services;

5) processing of personal data is necessary for the execution of an agreement to which the subject of personal data is a party or beneficiary or guarantor, as well as for concluding an agreement on the initiative of the subject of personal data or an agreement under which the subject of personal data will be a beneficiary or guarantor;

6) processing of personal data is necessary to protect the life, health or other vital interests of the subject of personal data, if obtaining the consent of the subject of personal data is impossible;

7) the processing of personal data is necessary to exercise the rights and legitimate interests of the operator or third parties, including in cases provided for by the Federal Law "On the protection of the rights and legitimate interests of individuals when carrying out activities to repay overdue debts and on introducing amendments to the Federal Law 'On Microfinance Activities and Microfinance Organizations'", or to achieve socially significant goals, provided that the rights and freedoms of the subject of personal data are not violated;

8) the processing of personal data is necessary for the professional activities of a journalist and (or) the lawful activities of a mass media outlet, or for scientific, literary or other creative activity, provided that the rights and legitimate interests of the subject of personal data are not violated;

9) the processing of personal data is carried out for statistical or other research purposes, with the exception of the purposes specified in article 15 of this Federal Law, subject to the mandatory depersonalization of personal data;

10) the personal data being processed has been made accessible to an unlimited number of persons by the subject of personal data or at his request (hereinafter referred to as personal data made publicly available by the subject of personal data);

11) processing of personal data subject to publication or mandatory disclosure in accordance with federal law is carried out.

1.1. Processing of personal data of objects of state protection and members of their families is carried out taking into account the features provided for by the Federal Law dated May 27, 1996 N 57-FZ “On State Security”.

2. Features of the processing of special categories of personal data, as well as biometric personal data, are established in accordance with this Federal Law.

3. The operator has the right to entrust the processing of personal data to another person with the consent of the subject of personal data, unless otherwise provided by federal law, on the basis of an agreement concluded with this person, including a state or municipal contract, or by adoption of a relevant act by a state or municipal body (hereinafter - operator's instructions). The person processing personal data on behalf of the operator is obliged to comply with the principles and rules for processing personal data provided for by this Federal Law. The operator’s instructions must define a list of actions (operations) with personal data that will be performed by the person processing personal data and the purposes of processing, the obligation of such a person to maintain the confidentiality of personal data and ensure the security of personal data during their processing must be established, as well as requirements for the protection of processed personal data must be specified in accordance with Article 19 of this Federal Law.

4. A person processing personal data on behalf of an operator is not required to obtain the consent of the subject of personal data to process his personal data.

5. If the operator entrusts the processing of personal data to another person, the operator is responsible to the subject of personal data for the actions of the specified person. The person processing personal data on behalf of the operator is responsible to the operator.

Carried out on the basis of compliance with laws and other regulations.

What is the processing of personal data? This process includes the following steps:

Legal regulation of working with personal data covers all processes and stages of working with them.

Purpose

Why is the processing of personal data necessary? The processing of an employee’s personal data is carried out at the enterprise or organization in order to facilitate it.

The main purposes of processing personal data:

  • in getting a job;
  • in placement in an educational institution or for training, advanced training;
  • for the purpose of labor protection;
  • for promotion and control over career opportunities;
  • to monitor the quantity and quality of work performed.

The legislation provides for the accumulation and transmission of an employee’s personal data solely for the purpose of his development and the appropriate use of his abilities and experience. , include multifunctional goals.

The purposes of processing personal data of employees include the use and processing of personal data through their synthesis and interrelation, which determine the relevance of the employee’s capabilities in the conditions of organizing the production process.

The set and stated goals for the processing of personal data cannot be changed without notifying the employee.

Carried out by whom?

Personal data means information that contains basic information about a person of interest to a certain circle of representatives of government and other services.

In particular, in production (in an organization), personal data is of interest to the employer, who manages the organization of work in production based on information about its employees.

The employer has the right to request any personal data available in accounts about the employee. Besides the employer, a limited circle of persons who carry out operational work has access to personal data. As a rule, these are the secretariat and personnel department employees.

The operator carrying out information activities with personal data undergoes a briefing before starting the designated work. He is familiarized with the operating rules and the principles prohibiting the disclosure of information contained in personal data.

The implementation of the listed types of work can pursue exclusively the purposes that were the reason for collecting information. Misuse of personal data or their disclosure is considered a gross violation for which liability is imposed.

Violations

As discussed earlier, violations in the processing of personal data are considered:


The operator’s work with personal data is subject to strict control by authorized services, and the operator is held liable for shortcomings, unintentional or deliberate violations.

All unauthorized actions during the processing of personal data may result in punishment: disciplinary, administrative, and in some cases criminal.