Organization of work with personal data. Processing of personal data The purpose of processing personal data for the purpose

  • 12.06.2021

The company cannot do without obtaining personal information from employees, customers and contractors. We need names, addresses, other information. However, the company has the right to process personal data only for specific purposes. Any other use of the data is a violation that will result in administrative action.

The purposes for which information is requested must comply with the law and the needs of the company

In the course of doing business, a company deals with information that needs to be protected. Confidential information includes information about technologies, projects, developments, the specifics of transactions, etc. The law also obliges companies to protect information about people who work for the company, are its clients or represent contractors. The Law “On Personal Data” is in force in pursuance of the constitutional principle of protecting privacy (Article 2 of Law No. 152). The requirements of the law apply to any organization that receives data from data subjects (Article 1 of Law No. 152).

A company that starts processing personal data has the right to request them only for certain purposes (Part 2, Article 5 of Law No. 152). In addition, the amount of data depends on the goals. You cannot request information that the company does not need (parts 4 and 5 of article 5 of law No. 152). For example, an online store does not have the right to demand passport data from the buyer or ask for a postal address if the client picks up the goods at his own expense.

The company itself determines the purposes of processing personal data of customers and employees

Why exactly the information was required is determined by the company (clause 2, article 3 of law No. 152). As a rule, the organization requests personal data of customers, counterparties and employees for the following purposes:

  1. Conclusion of contracts. These can be contracts with consumers of the company's services or goods, with other types of customers, with business partners, labor agreements, etc. For any contract that the company is going to sign, personal data will be required: that of the employee who acts in its interests, of the counterparty's representative, or of the counterparty itself if it is a private person. The data is also needed so that the company can fulfill its obligations.
  2. Systematization of information about personnel, maintaining personnel records and office work. Employee data is required not only for the conclusion of employment contracts, but also for all other operations within the framework of the employment relationship.
  3. Compliance with the requirements of the law on the deduction of taxes to the budget, insurance premiums, etc. The company withholds personal income tax, contributions from employees and transfers these amounts to the state, the Pension Fund of the Russian Federation and other organizations (Article 22 of Law No. 152, Article 86 of the Labor Code of the Russian Federation).
  4. Formation of statistics. For this, the data must be depersonalized (clause 9, part 1, article 6 of law No. 152).


The company is obliged to notify the subject of personal data about the purposes of processing

The company is obliged to notify the employee or client of the purpose for which it requests his personal data for processing (clause 4, part 4, article 9 of Law No. 152). This is done as part of obtaining consent to provide information. The list of goals should:

  • be comprehensive and specific;
  • comply with the provisions of the charter, as well as local acts of the organization;
  • correspond to what goals the company actually pursues.

For example, the bank requests information from the client. The purpose of the processing is to maintain his account, including:

  • account opening,
  • account management,
  • operations for transferring funds from and to the account,
  • client consultation.

Another example is the list of purposes for processing employees' personal data in the company's policy. The organization confirms that the information is used:

  • when working with resumes of applicants;
  • to fulfill the company's obligations under an employment agreement;
  • to comply with labor, tax and pension laws;
  • to organize training of employees, improve their professional level;
  • when accruing and calculating salaries;
  • to control the quality of work of employees;
  • when providing various guarantees and benefits, etc.

Consent to processing must be obtained from the data subject in almost all cases. If the purpose of the collection is to promote the company on the market or political agitation, the operator is obliged to prove that the person has given consent (part 1 of article 15 of law No. 152). Otherwise, it is considered that it was not requested.

In addition to the agreement with the employee or client, the purpose of obtaining data must be reflected in a special document - the company's policy on working with such data. It must be a public document. As a rule, it is published on the organization's website in a special section.


Work with personal information must be carried out in strict accordance with the law. In particular, one of the fundamental principles of processing personal data is strict observance of the purposes of use stated in the permission from the owner, and of the volumes specified in it.

The concept of personal data and the principles of their processing

One of the provisions establishes the requirement that all personal information about citizens of the Russian Federation must be located on servers located within the country. It is not allowed to replenish this information on the basis of data taken from sites located outside Russian borders.

In a situation where a person considers any messages about him to be untrue, he can contact the operator (in accordance with Article 14 of Law 152-FZ) with a request to delete or correct them accordingly.

In case of refusal, such a person has the right to apply to the court.

Consent to the processing of personal data

Such a document must contain the following sections:

  1. The document indicates who expresses consent, passport data are indicated.
  2. The name of the operator to whom the permission is given is given.
  3. Write for what purposes of processing consent is given.
  4. Specifically, a list of data is listed, for the processing of which permission is given.
  5. All operations with them in question are listed.
  6. The period of validity of the permit.
  7. The signature is put, its transcript and date.

A permit drawn up according to the model gives permission only for what is specifically indicated in it.

The use of the information in question is necessary for:

  1. Document management in the HR department.
  2. Conclusion of contracts and performance of other legal actions.
  3. In connection with the implementation of the requirements of tax legislation.
  4. Other purposes of a similar kind.

In doing so, it should be noted that:

  • in each such case, the receipt of information is determined by regulatory enactments;
  • it is carried out in a certain composition, volume, for a specific period and only to fulfill the stated goals.

Examples of Purposeful Use of Personal Information

In various areas of the economy and public life, the personal data of citizens is vital.

In a medical institution, it is important to know the details of a person's health throughout his life. In this case, the owner of personal information is the patient. The operator who uses it is a clinic or other medical facility. It is required to obtain permission from Roskomnadzor for processing. If the polyclinic transmits data, for example, to a specialized hospital, it must obtain the written consent of the citizen.

For a bank, it is vital when granting a loan to reasonably assume whether the candidate will be able to repay the money borrowed or does not have suitable financial resources. This will require details about income, employment, family composition and some others. The owner of the information is the client. The bank is the operator that carries out the processing. The client has the right to revoke permission to use information about him. The purpose of working with information is to ensure compliance with the requirements of the banking legislation of the Russian Federation.

It is impossible to do without providing this or similar information. But at the same time, it is important that its use does not violate the requirements of current regulations.

Rules and principles for working with information


It can be understood that it is impossible for a random person to obtain source texts directly from anonymized information. However, this organization itself will be able to restore it later.

Violations related to misuse of personal data

Starting from July 1, 2017, the Code of Administrative Offenses was amended to determine liability for violating Law No. 152-FZ. In case of violation of the established rules, the law provides for appropriate penalties.

If information is collected in cases where there is no legal basis for this or the processing is carried out for illegal purposes, a fine is imposed. For individuals, the amount will be from 1 to 3 thousand rubles, officials will pay from 5 to 10 thousand rubles, enterprises - from 30 to 50 thousand rubles.

If there was disclosure of information, the penalty is charged in connection with each individual such case. It can be from 500 to 1000 rubles. from the employee whose fault the violation occurred. If we are talking about an organization that is responsible for what happened, then the amount increases. Now it can be from 5 to 10 thousand rubles.

The regulation in question states that compliance with the provisions of Law 152-FZ should be monitored by Roskomnadzor. Prior to the processing under Article 22 of the Personal Data Protection Act, the operator must send a notification there. In particular, Roskomnadzor conducts appropriate checks and, if violations are detected, issues an order on the shortcomings that need to be eliminated. If an order is not executed, a fine is imposed on the guilty person, which can be 20 thousand rubles.


Since the end of summer, the Law on Personal Data has been in force in a new edition. The rules for obtaining and protecting information have changed. For the employer, this means only one thing - additional paperwork. In the article we will talk about how to draw up a regulation on working with personal data of employees and appoint a person responsible for organizing work with personal data.

What is personal data

Federal Law No. 152-FZ of July 27, 2006 "On Personal Data" (hereinafter - Law No. 152-FZ) defines personal data as any information directly or indirectly related to an individual (the subject of personal data). This is stated in paragraph 1 of Art. 3 of Law N 152-FZ.

According to Part 1 of Art. 85 of the Labor Code, an employee's personal data is understood as information relating to a particular employee which is necessary for the employer in connection with labor relations. We are talking about data such as:

  • Full Name;
  • Date and place of birth;
  • address;
  • marital status;
  • position (profession);
  • salary, other income;
  • possession of real estate, cash deposits, etc.;
  • education, qualifications, vocational training, information on advanced training;
  • habits and hobbies, including harmful ones (alcohol, drugs, etc.);
  • biography facts and previous labor activity (place of work, amount of earnings, criminal record, military service, work in elected positions, public service, etc.);
  • physiological features, health;
  • business and other personal qualities;
  • other information.

The list of personnel documents that contain the personal data of employees is given in Table 1 on p. 76.

Table 1. Documents containing personal data of employees

| N | Document | Information |
|---|----------|-------------|
| 1 | Questionnaire, autobiography, personal personnel record sheet (to be completed upon admission to work) | Personal and biographical data of the worker |
| 2 | Copy of the worker's identity document | Full name, date of birth, registration address, marital status, family composition |
| 3 | Personal card (form N T-2, approved by the Decree of Goskomstat of Russia dated 05.01.2004 N 1) | Full name of the employee, place of birth, family composition, education, and data of the identity document |
| 4 | Employment history | Information about seniority, previous places of work |
| 5 | Copies of certificates of marriage, childbirth | Family composition, changes in family status |
| 6 | Military registration documents | Information about the employee's relation to military duty, required by the employer to carry out military registration of workers |
| 7 | Certificate of income from the previous places of work | Full name, data on the amount of income and withheld personal income tax |
| 8 | Education documents | Confirm the qualifications of the employee, justify the occupation of a certain position |
| 9 | Mandatory pension insurance documents | Full name, personal data |
| 10 | Labor contract | Information about the position of the employee, salary, place of work, workplace, and other personal data of the employee |
| 11 | Orders for personnel | Information about admission, transfer, layoffs and other events related to the worker's work |

Personal data processing operator

According to Law N 152-FZ, a person (legal or natural) who organizes and (or) carries out the processing of personal data, and determines their composition, the processing purposes and the actions performed with personal data, is called the operator (Clause 2, Article 3 of Law N 152-FZ). In our case, this is the employer.

Processing of personal data is any action performed with them. Operations for the processing of personal data:

  • collection;
  • record;
  • systematization;
  • accumulation;
  • storage;
  • clarification (update, change);
  • extraction;
  • usage;
  • transfer (distribution, provision, access);
  • depersonalization;
  • blocking;
  • removal;
  • destruction of personal data.

Regulations on working with personal data

The procedure for the processing of personal data by the operator may be established in the Regulation on working with personal data of employees (hereinafter referred to as the Regulation). There is no unified form of the document. Consider how to draw up this document, taking into account the requirements of Law N 152-FZ. The Regulation consists of several sections. They are presented in Table 2. It also briefly indicates the information that the sections should contain. Detailed information is presented in a fragment of the Regulations on the personal data of employees, which is given on p. 80.

Table 2. Structure of the Regulations on personal data of employees

| N | Section | Section content |
|---|---------|-----------------|
| 1 | General provisions | The purpose of the adoption of the Regulation. Issues regulated by the Regulation. Links to regulations: indicate what documents the Regulation is based on. In organizations with state civil servants, reference is made to: Federal Law of July 27, 2004 N 79-FZ "On the State Civil Service of the Russian Federation"; Decree of the President of the Russian Federation of May 30, 2005 N 609 "On approval of the Regulation on personal data of a public civil servant of the Russian Federation and the conduct of his personal affairs"; regulatory acts of the subject of the Russian Federation |
| 2 | Basic concepts. Composition of the employee's personal data | Basic concepts. Definitions of the concepts "personal data", "processing of personal data", "use of personal data" are given, the period of storage of documents is indicated, etc. Separately, it should be indicated what applies to personal data in a particular company, taking into account its features (data used in work, for example, information about work on sensitive objects, on obtaining permission to state secret, health compliance for professions associated with heavy and harmful conditions, etc.). The list of documents of the organization that contain personal data |
| 3 | Receipt of personal data of workers | The procedure for obtaining personal data. It is indicated that the data is received and processed with the written consent of the employee. Cases where consent is not required are indicated |
| 4 | Use of personal data | Purposes of using personal information of employees |
| 5 | Processing of personal data | Conditions to be observed when processing the employee's personal data |
| 6 | Transfer of personal data (access to personal data) | The procedure for the transfer of personal data within the organization (internal access), to third parties and government agencies (external access) |
| 7 | Responsibility for breaking the rules regulating the processing and protection of personal data | Specify who is responsible for violation of the rules of storage and use of personal data |

Fragment of the Regulations on personal data of employees

Entry into force of the Regulations

The regulation on personal data is approved by the head of the company and put into effect by an order for the organization (a sample is given on p. 90). An entry on the approval of the Regulations must be made in the register of local regulations.

If there is a union

If the company has a trade union, the Regulations must be agreed with it. To do this, the draft regulation is sent to the elected body of the trade union (Article 372 of the Labor Code of the Russian Federation). It must express its opinion (in writing) no later than five working days from the date of receipt of the draft. If the trade union does not agree with the project or has proposals for its improvement, the administration has two options. The first is to agree. The second is to conduct additional consultations with the trade union within three days after receiving a reasoned opinion in order to reach a mutually acceptable solution. If this does not help, a protocol of disagreements should be drawn up. After that, the administration has the right to adopt the Regulations without taking into account the requirements of the trade union. However, the trade union will be able to appeal the Regulation or start the procedure for a collective labor dispute in the manner prescribed by Ch. 61 of the Labor Code.

Familiarization of employees with the Regulation

Employees must be familiarized with the Regulation against signature (clause 8, article 86 of the Labor Code of the Russian Federation). This fact can be recorded:

  • in the text of the employment contract of each employee (listing local regulations with which the employee is familiar before signing the contract);
  • in a sheet of familiarization with the Regulations (sample on p. 91);
  • in a journal for familiarizing employees with local regulations (sample on p. 91).

Sample sheet of familiarization with local regulations

| N p/n | Name of the local regulation | Date | Signature |
|-------|------------------------------|------|-----------|
| 1 | Internal labor regulations of OOO "Cherny Les" | 03.10.2011 | Evstakhov |
| 2 | Regulations on wages, bonuses and social security of employees of "Cherny Les" | 03.10.2011 | Evstakhov |
| 3 | Information security instruction, approved by the Order dated 15.06.2008 N 1 | 03.10.2011 | Evstakhov |
| 4 | Regulation on personal data | 03.10.2011 | Evstakhov |
| 5 | Regulation on liability of workers for damage caused by Cherny Les LLC | 03.10.2011 | Evstakhov |

Fragment of the log of familiarization with the Regulation on personal data

Note. Period of storage of personal data

Local regulations (regulations, instructions) on personal data must be stored permanently. As for the statements of employees on consent to data processing (they will be discussed in the following issues), other documents of the employee, they are stored for 75 years. This is stated in the List approved by the Order of the Ministry of Culture of Russia dated August 25, 2010 N 558.

Administrative responsibility

Measures of administrative responsibility (fines are mainly provided, disqualification is not applied in this case) for the enterprise and its officials for violation of the procedure for obtaining, processing, storing and protecting personal data of employees are given in Table 3.

Table 3. Responsibility for violation of the procedure for obtaining, processing, storing and protecting personal data of employees

It is carried out on the basis of the implementation of laws and other regulations.

What is the processing of personal data? This process includes the following steps:

Legal regulation of work with personal data covers all processes and stages of work with them.

Target

What is the processing of personal data for? The processing of personal data of an employee is carried out at the enterprise or in the organization in order to assist him.

Main purposes of personal data processing:

  • in employment;
  • in enrollment in an educational institution or for training, advanced training;
  • in order to protect the organization of labor;
  • for promotion and control, for career opportunities;
  • to control the quantity and quality of work performed.

The legislation provides for the accumulation and transmission of personal data of an employee solely for the purpose of his development and the appropriate use of his abilities and experience. , include multifunctional goals.

The purpose of processing employees' personal data includes the use and processing of personal data through their synthesis and interconnection, which determine the relevance of the employee's capabilities in the context of the organization of the production process.

The goals set and announced for the processing of personal data cannot be changed without notifying the employee.

Who carries it out?

Personal data is understood as such information that contains basic information about a person of interest to a certain circle of representatives of state and other services.

In particular, in production (in an organization), personal data is of interest to the employer, who manages the organization of labor in production based on information about his employees.

The employer has the right to request any personal data available in the employee's records. In addition to him, access to personal data has a limited circle of persons who carry out operational work. As a rule, these are the secretariat and personnel officers.

An operator carrying out information activities with personal data, before starting the designated work, is instructed. He gets acquainted with the rules of work and principles prohibiting the disclosure of information contained in personal data.

The implementation of the listed types of work can pursue only those goals that caused the collection of information. Misuse of personal data or their disclosure is considered a gross violation, for which liability is imposed.

Violations

As discussed earlier, violations in the processing of personal data are considered:


The operator's work with personal data is subject to strict control by authorized services, and for shortcomings, unintentional or deliberate violations, the operator is held liable.

For all unauthorized actions in the processing of personal data, punishment may follow: disciplinary, administrative, in some cases - criminal.

In accordance with Part 2 of Art. 85 of the Labor Code of the Russian Federation, processing of personal data of an employee is the receipt, storage, combination, transfer or any other use of the employee's personal data.

The processing of the employee's personal data may be carried out solely for the purpose of ensuring compliance with laws and other regulatory legal acts, assisting the employee in employment, training and promotion, ensuring the personal safety of employees, as well as controlling the quantity and quality of work performed by him and ensuring the safety of property (clause 1 article 86 of the Labor Code of the Russian Federation).

According to paragraph 3 of Art. 3 of the Federal Law “On Personal Data”, the processing of personal data is actions (operations) with personal data, including the collection, systematization, accumulation, storage, clarification (updating, changing), use, distribution (including transfer), depersonalization, blocking, destruction of personal data. It should be borne in mind that, regardless of the number of functional operations listed in the legislation, legal regulation should cover all stages of personal data processing - from receipt to destruction, without any exceptions.

The said Law refers to the principles of personal data processing as follows:

  • lawfulness of the purposes and methods of processing and good faith;
  • compliance of the purposes of processing with the purposes predetermined and declared during the collection of personal data, as well as the authority of the operator;
  • compliance of the volume and nature of the processed data, methods of processing with the purposes of their processing;
  • the reliability of personal data, their sufficiency for the purposes of processing, the inadmissibility of processing personal data that is not related to the purposes stated during the collection of data;
  • the inadmissibility of combining databases of personal data information systems created for incompatible purposes.

The processing of personal data of an employee begins with their receipt. As a general rule, all personal data should be obtained from the employee himself. In exceptional cases, when the employee's personal data can only be obtained from a third party, the employee must be notified of this in advance and written consent must be obtained from him. The employer is obliged to inform the employee about the purposes, intended sources and methods of obtaining personal data, as well as the nature of the personal data to be obtained and the consequences of the employee's refusal to give written consent to receive them (clause 3 of article 86 of the Labor Code of the Russian Federation). However, the employer does not have the right to receive and process the personal data of the employee about his political, religious and other beliefs and private life (clause 4 of article 86 of the Labor Code of the Russian Federation). Also, the employer cannot request information about the health status of the employee, if this does not apply to resolving the issue of the employee’s ability to perform a labor function (Article 88 of the Labor Code of the Russian Federation).

The Labor Code of the Russian Federation imposes separate requirements on the organization and technology of processing personal data by the employer. The obligation to familiarize employees and their representatives against signature with the documents of the employer establishing the procedure for processing personal data of employees, as well as their rights and obligations in this area, implies the need to develop and adopt an appropriate local regulatory legal act. Such an act, depending on the specifics of the activity and the discretion of the employer, may be referred to as a regulation or instruction and, as a rule, includes the following sections:

  • basic concepts and provisions;
  • processing of personal data of an employee;
  • formation of personal data of the employee;
  • accounting, storage and transfer of personal data of an employee;
  • the rights and obligations of the employee in the field of processing and protection of his personal data.

Such a local normative legal act determines the confidentiality regime (limited access) of the employee's personal data with a specific employer. Employees of the employer who receive the personal data of the employee are required to comply with this regime, which must be indicated not only in their job descriptions, but also in the employment contracts. The regulation (instruction) on the protection of personal data is the main document reflecting the specifics of the processing and transfer of personal data of an employee within a particular organization or with a particular individual entrepreneur. If there is an automated component within the framework of this activity, the employer does not have the right to make decisions regarding the employee based on personal data obtained solely as a result of their automated processing or electronic receipt (Clause 6, Article 86 of the Labor Code of the Russian Federation). An employer need not limit himself to adopting a provision on the protection of personal data of employees in his organization. However, the presence of this local act is mandatory, and its absence is considered by the state labor inspectorate as a serious violation of labor legislation.

For this and other violations of the rules governing the receipt, processing and employee, the employer may bring the perpetrators to material, disciplinary liability, and the relevant government bodies - to civil, administrative and criminal.