Draws: Ilya Alekseev
Federal Law No. 152-FZ of July 27, 2006 “On Personal Data” (PD Law) protects personal information from unlawful disclosure.
Personal data is any information that allows you to identify a specific person: passport details, name, phone number, temperature measurement result with a thermal imager, photograph and even death certificate.
The list of such data is open. This means that any information that allows you to identify a person can be classified as personal data.
Every operator must ensure the integrity of personal data: government agencies, organizations of all forms of ownership and individuals (Article 19 of the Federal Law on Personal Data N 152-FZ).
Operators - state and municipal authorities, any companies, individuals who collect personal information and carry out other operations for their processing.
In practice, the requirements of the Personal Data Law apply to every company that employs employees or uses call centers or conducts any activity using personal information.
Several departments supervise the work of operators:
- Roskomnadzor.
- Federal Service for Technical and Export Control (FSTEK).
- FSB of Russia.
- Prosecutor's Office of the Russian Federation.
Categories of personal data
Personal data is divided into categories:
- general;
- special;
- biometric data;
- impersonal.
General category. Information on the basis of which a certain person can be identified: last name, date and place of birth, gender, education, financial status, etc.
This list is open.
Special category. It is prohibited to process some data: race, nationality, religion, health status.
Processing of special information is possible in exceptional situations (to protect the vital interests of the subject of personal data and other persons) with written consent.
Biometrics. Allows you to identify a person by the physical characteristics of the body when the operator uses them for authentication:
- fingerprints;
- DNA;
- retinal scan;
- iris recognition.
Biometrics can only be used with written consent, except in certain cases (for the execution of international treaties, in the interests of justice, etc.).
Impersonal. Information is depersonalized during processing, as a result of which it becomes impossible to correlate the data with a specific person.
How personal data is transferred
The use of confidential information about employees within the company itself is regulated by the Personal Data Regulations, which are adopted by the manager. Employees must be familiar with this procedure, which is confirmed by their personal signatures.
The organization must provide for a circle of persons who are granted authorized access to personal information on duty. These persons must sign a Non-Disclosure Obligation, the form of which is also developed within the organization.
Requirements for the transfer of personal data
- Prohibition of providing data to any third parties or bodies without the written consent of the individual himself (exception - threat to life and/or health).
- Prohibition on commercial use of obtained data.
- When transferring, clearly regulate the purpose of communicating information and warn the receiving person about it.
- A person who is authorized to use personal data may do so only to the extent of the job description.
- Deviation from the established procedure entails serious liability for the guilty person.
How to process personal data
The only way to avoid claims from Roskomnadzor and impressive fines, which can reach 18 million rubles. — properly organize the protection and processing of personal information.
Processing of personal data - any actions with personal information, performed both with and without the use of automation tools: collection, systematization, depersonalization, other operations.
In order not to violate the law, the company must adhere to a number of rules.
- Notify Roskomnadzor before starting processing. There is no need to notify when dealing with confidential data:
- company employees;
- when concluding contracts;
- in a number of other cases (Part 2 of Article 22 of Federal Law No. 152-FZ).
- Develop a company policy for data processing and place it in the public domain: on the website or in a visible place in the office (if there is no website).
- Determine the purposes of working with personal data and work with them strictly for the stated purposes.
- Process data using databases located on the territory of the Russian Federation.
- Adopt local regulations that define the rules for conducting operations with personal data. The legislation does not contain a list of documents that a company is required to have.
The manager must independently decide which local acts need to be adopted for a given company in order to avoid claims from regulatory authorities.Most often this is:
- data processing regulations;
company recruitment rules;
- introduction of access control;
- list of data storage locations;
- regulations for clarification and destruction of personal data.
- Appoint a person who is responsible for the security of personal data processing.
- Approve the list of employees who are allowed to work with information.
Personal data – key concepts
The personal data of an employee in an organization is something that an employer is constantly faced with.
Even when a potential employee does not yet work in the organization, but only sends a resume, he is already making his personal data available to the employer. Constant work with personal data occurs during personnel records management - the organization communicates with the outside world every day, the personnel service processes a huge array of documents and all of them contain someone’s personal information.
Personal data is any information relating directly to a specific person . This is information that can be used to identify a person.
Receiving, storing, clarifying, adjusting and other actions with data is their processing. Personal data is most often processed by human resources services.
A processor is any organization that collects and stores data. That is, absolutely any organization.
| Valentina Mitrofanova will tell you what's new in labor legislation this week. Watch the new episode of Personnel Review. |
Organization of personal data protection
Various options are used to protect personal data:
- Technical. They consist of a program of measures to protect software from unauthorized access.
To protect software, it is necessary to involve IT specialists, model threats, determine the degree of PD security and ensure security. - Physical. This is a restriction of access to personal data for unauthorized persons in the form of allowing only certain employees to work with information; introduction of access control; organization of data storage places and others.
- Organizational and legal. They involve the development and implementation by the company of a policy for the processing of personal data, provisions on data protection, the issuance of orders to appoint a person in charge, and the implementation of control measures.
How necessary is the Personal Data Statement?
The employer, taking into his care individuals with their inherent set of personal data, is legally obliged to take care of the methods of processing them approved by the state. At the same time, he must be guided by the above regulatory framework, and reflect individual subtleties in special internal documents.
How to draw up an order to approve the regulation on the protection of personal data of employees?
Employers have recently been required to independently regulate the specifics of their actions with employees’ personal data. Art. 90 of the Labor Code of the Russian Federation establishes the responsibility of the person hiring personnel for leakage or misuse of confidential information provided by employees, and responsibility is provided for in all areas of law - disciplinary, administrative, criminal and civil.
Therefore, at each enterprise it is necessary to develop and approve at least three mandatory internal acts regarding work with such information:
- regulation on the protection of personal data of hired employees;
- obligation to keep confidential (non-disclosure) received personal information;
- the employee’s consent to the processing of personal data.
NOTE! The first document is developed and secured on the basis of an order from the organization’s management, the second must be signed by those persons who collect personal data and have access to it (human resources department, security department, accounting department, etc.). Employees are required to familiarize themselves with this documentation upon signature. The consent of the person being hired can be expressed by signing the corresponding line in the questionnaire or personal card.
Composition of the Personal Data Regulations
Sections of this document contain the following necessary subclauses:
- general information;
- listing of data considered personal in a particular company;
- regulations for the use of this information;
- features of access to this information;
- measures taken in case of violation of the principles of information processing, and the responsibility of those responsible;
- attachments (an application form for an employee to consent to the processing and/or verification of personal data provided, a form of obligation not to disclose the received information to employees who will use it).
Source of personal data
Legitimate, from the point of view of official legislative documents adopted in our country, is only one way to obtain confidential information - from the citizen himself, who wished to voluntarily communicate it orally or in writing.
Indirect methods of obtaining personal information about a person (for example, a request for a previous place of work) can only be used if the employee has given his written consent.
FOR YOUR INFORMATION! In order to be able to obtain information about an employee not only directly from him, HR workers sometimes use a technique that is not prohibited by law. The application form filled out during employment may contain the item “I do not object to verification of the data provided” or “I allow you to receive information about me from the following sources (indicate which ones).”
If an employer receives a request about an employee who once worked for him, it is better to play it safe and require written permission to provide personal data, signed by the individual himself. This even applies to situations where law enforcement officers require this information (instead of permission, there may be an order signed by their management).
What are the consequences of failure to comply with the requirements for processing personal data?
A full range of legal liability is provided for violation of the law:
- disciplinary - for unlawful processing of data by a company employee;
- civil law - in the form of compensation for losses, compensation for moral damage;
- administrative - when provided for by the Code of Administrative Offences;
- criminal - for causing harm to the most protected public interests.
The most common punishment is the imposition of an administrative fine.
Article 13.11 of the Code of Administrative Offenses of the Russian Federation establishes nine offenses, including liability for data processing when this is not provided for by law; deviations from the company’s stated goals and other illegal actions.
Guilty actions are subject to punishment, the minimum and maximum amounts of which are given in the table.
| Amount of fine | Citizens | Officials | Legal entities and individual entrepreneurs |
| Minimum | Warning or Fine 1 – 3 thousand rubles. | Fine 5 – 10 thousand rubles. | Fine 30 – 50 thousand rubles. |
| Maximum | Fine 30 – 50 thousand rubles. | Fine 100 – 200 thousand rubles. | Fine 1 – 6 million rubles. |
| For repeated violation | Fine 50 – 100 thousand rubles. | Fine 500 – 800 thousand rubles. | Fine 6 – 18 million rubles. |
Employee consent to the processing of personal data
You need to obtain consent if:
- the request for information about the employee came from a third party;
- the employer sends requests to other organizations;
- the employer processes information about those included in the personnel reserve;
- the processing of personal data of the employee’s relatives exceeds the established volume (more data is required than indicated in the personal card).
Personal data is confidential information, which means there should not be free access to it, otherwise it ceases to be such. In this regard, the employer has the right to transfer such information about employees to other persons only with their written consent.
An exception to the rule is situations where the life and health of workers are at risk. In addition, the law provides for the processing of an employee’s personal data without the consent of the person being inspected, if he is a law enforcement officer.
The statement of consent is addressed to the employer represented by the general director. However, the latter has the right to entrust the processing of personal data to other employees of the organization (Part 3 of Article 6 of the Law on Personal Data). Most often these are personnel officers and accountants. Consent can be issued both on paper and electronically. However, in this case it must be signed with an electronic signature (Part 4 of Article 9 of the Law on Personal Data). There is no unified consent form. It can be designed in any form.
The heading must indicate that this is consent to the processing of personal data, and not anything else.
Next, the full name of the person being checked is written down by hand, then the series and number of the passport, who issued it. After which the name of the organization to which the person being inspected gives permission to perform the inspection is indicated. Subsequently, it is necessary to indicate the grounds for verification.
Be sure to describe in detail what exactly the person being tested gives his consent to. At the end of the document there must be a signature of the person being verified.
An employee who has given consent to the processing of his personal data has the right to withdraw such consent at any time (Part 2 of Article 9 of the Law on Personal Data).
If the employee does not agree
If the employee does not agree to the processing of personal data, explain the consequences.
Explain to the employee that without his consent it is impossible to issue a VHI policy, congratulate him on his birthday, give gifts to children on holidays, use his full name when creating an email address, on business cards, or post information on the company portal. As a rule, given such arguments, employees change their position and consent to data processing.
An employer has the right to process an employee’s personal data without his consent, provided that the volume does not exceed that established by law. For example, to fulfill the terms of an employment contract. Without the consent of an employee, it is possible to process his personal data in cases that provide for a collective agreement, local acts of the employer adopted in the manner established by Article 372 of the Labor Code of the Russian Federation.
Basic regulatory documents relating to the processing of personal data
The main difficulty that companies face when organizing the protection of personal information is that the requirements for the processing of personal information are established not only by federal laws, but also in many departmental regulations.
The principles for the protection of personal information, requirements for operators and processing rules are established in:
- Convention for the Protection of the Rights of Individuals with regard to Automatic Processing of Personal Data of January 28, 1981, ETS No. 108.
The Convention establishes the basic principles and obligations of each state party to the Convention to ensure respect for fundamental human rights and freedoms and privacy. - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
Better known as GDPR – General Data Protection Regulation. Relevant for companies that operate with European partners. - Federal Law of July 27, 2006 No. 152-FZ “On Personal Data”.
The Federal Law defines concepts, establishes the principles and conditions for processing personal data, the rights of subjects whose personal data is processed, the obligations of operators, determines the authorized body and establishes liability for violations. - Federal Law of July 27, 2006 N 149-FZ “On information, information technologies and information protection.” Federal Law No. 149-FZ defines the right to access information, conditions for limiting access, requirements for information protection, and responsibility for disclosing restricted information.
- Labor Code of the Russian Federation, Chapter 14 - in relation to the protection of personal information of employees of an organization.
- Decree of the President of the Russian Federation of March 6, 1997 N 188 “On approval of the list of confidential information.”
The Decree lists the general criteria by which information can be classified as personal data. - Resolution of the Government of the Russian Federation dated November 1, 2012 N 1119 “On approval of requirements for the protection of personal data during their processing in personal data information systems.”
The resolution defines the levels of information security and discloses the content of measures that ensure the secure processing of confidential data. - Order of the FSTEC of Russia dated February 18, 2013 N 21 “On approval of the composition and content of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems.”
- Order of the Federal Service for Supervision of Communications, Information Technologies and Mass Communications dated September 5, 2013 N 996 “On approval of requirements and methods for anonymization of personal data.”
The order establishes the rules for depersonalizing information. - Order of the FSB of Russia dated July 10, 2014 N 378 “On approval of the composition and content of organizational and technical measures to ensure the security of personal data...”.
The order approved a list of organizational and technical measures to ensure the security of personal data.
In addition, provisions for the protection of confidential information are established in other federal laws; regulations, orders, instructions of ministries and departments.
Storage and use of personnel data
The employer is obliged to introduce a procedure for storing and using information about employees (Article 87 of the Labor Code of the Russian Federation).
It is recommended not to combine employee documents into a personal file. Since the positions of Roskomnadzor and the courts are not clear - personal files are considered redundant in relation to the stated purposes of processing.
The rules for the transfer of personal data impose a number of restrictions on the employer. Restrictions are established in accordance with Article 88 of the Labor Code of the Russian Federation:
- notify persons who have access to employee information that it should only be used for the purposes for which it was communicated;
- transfer of data within one company must take place in accordance with the rules of the local act with which the employee has been familiarized;
- Only specially authorized persons have access to data;
- It is prohibited to make inquiries about an employee’s health from a medical institution.
Employees have the right to be provided with full information about their personal information and its processing (to whom the information was transferred and for what purpose). You also need to provide employees with free access to their personal information and medical data. Remember that the employee has the right to appeal the employer’s illegal actions in court and bring the offending official to criminal or administrative liability.
Appointment of those responsible for organizing data protection
The operator must appoint a person responsible for operations with confidential data.
The responsible person is obliged:
- monitor compliance with legislation in the field of personal data protection by the operator and employees;
- inform employees about the rules for processing confidential data;
- receive and process requests from personal data subjects.
In Russian organizations that operate in EU countries, a data protection officer (DPO) must be appointed.
The responsible person can be an employee - the head of the company, legal department, other departments, or a third party - an independent expert or firm.
What is personal data and its processing. What is included in personal information
The term “processing of personal data” was introduced by the Law “On Personal Data” dated July 27, 2006 No. 152-FZ.
The processing of personal data refers to various actions with personal information of people (in particular, collection, storage, systematization, use, transfer to other persons, etc.) that are performed by individuals or organizations.
What is included in personal information about a person? The law does not directly speak about this, although it uses the phrase “any information” that relates to a person. Accordingly, we can conclude that personal data is full name, date of birth, address, phone number, email, link to a profile on a social network, etc.
Conclusion
Every year, control by Roskomnadzor becomes stricter, and the responsibility of operators becomes higher:
| Period | Protocols issued | Amount of fines |
| 2018 | 156 | 437 thousand rubles. |
| 2019 | 215 | 1 million 99 thousand rubles |
The table shows that in 2022, administrative liability increased by 22% compared to the previous year.
In 2022, the situation worsened: liability for incorrect processing of personal data became stricter. Moreover, individual entrepreneurs are equal in scope of responsibility to legal entities.
Only strict adherence to the requirements of the law when processing confidential information will avoid violations and prosecution.
Save:
Storing personal data of employees
Federal Law No. 242 of July 21, 2014 “On amendments to certain legislative acts of the Russian Federation in terms of clarifying the procedure for processing personal data in information and telecommunication networks” provides for storage exclusively on Russian servers. Employees' personal information contained in their personnel files must be retained by the organization for 75 years.
Read also “How to store personal data of employees”
Processing principles
Federal law states that any processing of personal data must be based on certain principles that each operator must adhere to. Among them:
- legality and fairness – the purposes of processing personal data must be legal, all subjects and operators must be in equal conditions;
- specificity – the processing of personal data should be carried out only to achieve specific goals and objectives pre-defined by the operator. Processing by any means is not permitted if it is incompatible with the declared purposes;
- avoiding redundancy – the operator must process only the amount of personal data that corresponds to the intended purposes. It is unacceptable to request excessive information from the subject of personal data;
- accuracy, sufficiency and relevance - all incorrect information must be deleted either by the operator independently or at the request of the subject; if the data changes, they must be updated in a timely manner;
- minimal identification - storage of personal data in conditions of use of automation tools should occur in such a way that identification of their subject would be possible only for a strictly defined time and for solving certain tasks.
Transfer of personal data
In the course of work, there is often a need to transfer an employee’s personal data both within the organization and to third parties. This means that the employer must keep strict records of them. It is recommended to use log books that indicate:
- dates of issue and return of the document,
- Title of the document,
- period of use,
- purpose of issuance,
- FULL NAME. and the position of the person who received the document with the employee’s personal data.
Access to personal data of employees should be carried out only by specially authorized persons.
At the same time, they have the right to receive only the data that is necessary to perform specific functions. Situation: if documents containing personal data are compiled on more than one sheet, when returning them, the person who received the documents must be present in person to check the availability of all available documents according to the inventory. At the same time, an employee receiving the personal file of another employee for temporary use does not have the right to make any notes, corrections, make new entries, remove documents from the personal file or place new ones in it.
The employer should keep a log of the release of personal data of employees to organizations and government bodies, in which it is necessary to register incoming requests, record information about the person who sent the request, the date of transfer of personal data or notification of refusal to provide it, and note what information was transferred.
To increase the level of protection of personal information in the accounting system, it is possible to introduce mandatory regular checks of the availability of documents and other storage media containing personal data of employees, as well as establish a procedure for working with them. In this regard, it is necessary to develop and maintain a log of checks for the availability of documents containing the employee’s personal data.
Obtaining personal data
The employer should remember that all personal data of the employee should be obtained from him (Clause 3, Article 86 of the Labor Code of the Russian Federation).
In some cases, consent to the processing of personal data of an employee (applicant) is not required if this information is received:
- from the documents presented when concluding an employment contract;
- based on the results of a mandatory preliminary medical examination regarding the state of health;
- to the extent provided for by personal card N T-2, incl. personal data of close relatives;
- from a recruitment agency acting on behalf of the applicant;
- from the applicant’s resume posted on the Internet and accessible to an unlimited number of people.
If the employee’s personal data can only be obtained from a third party, the employee must be notified in advance and his written consent must be obtained.
The notification must indicate:
- the purpose of obtaining the employee’s personal data from a third party;
- intended data sources (from whom information will be requested);
- methods of obtaining data, their nature;
- possible consequences of an employer’s refusal to obtain information from a third party.
If the purposes of collecting information differ from those listed in paragraph 1 of Art. 86 of the Labor Code of the Russian Federation - the employer does not have the right to request it from third parties even with the consent of the employee.
