What does the term “personal data” mean?
The law clearly defines this concept: personal data means all information that directly relates to a person as an individual. This:
- Full Name;
- Date and place of birth;
- information from your passport, work book and other documents;
- as well as some characteristics of his personality.
It should be noted that consent to the processing of personal data is required even though not all of this information is confidential and classified.
In particular, they can be divided into three main types:
- publicly available data (full name, gender, date, place of birth, citizenship, etc.)
- biometric (physiological characteristics of an individual, his external parameters)
- special (nationality, religion, health, etc.). This also includes, to some extent, information about a person’s place of work, his relationship with the law, habits, etc.
According to the law, consent to the processing of personal actions is strictly necessary only when it concerns the last two of the above categories, but it is often written in relation to information that is publicly available.
What is personal data and who collects it
Personal data is all the data that a website visitor leaves in data collection forms: feedback, subscription to the newsletter, registration or in your personal account.
The law states that this is “any information relating to a directly or indirectly identified or identifiable individual (personal data subject).” For example:
- First name, last name and patronymic
- Address
- Phone number
- Date of Birth
- Photo
- Links to profiles on social networks
Moreover, some data are considered personal not on their own, but in combination with each other. For example, by first name, last name and patronymic it is impossible to accurately identify a person, but in combination with an address it is possible. But, in order not to understand the combinations, it is easier to consider all this data as personal and work with it correctly.
Each online store collects personal data - when placing an order, the buyer leaves his contacts or address. Even if a person did not buy anything, but simply subscribed to the newsletter, this is also considered the collection of personal data.
According to the law, you cannot simply collect personal data. It is necessary to obtain the user's informed consent (that is, require some action from him, and not just notify him) and let him know exactly how his data will be used. And, of course, it’s important to store this data correctly. We'll tell you how to do it.
Why is consent to processing during employment formed?
When a person gets a job, he gives the employer’s representative his personal documents: passport, work book, SNILS, education certificate, medical book, military ID, etc. As soon as these papers reach the HR specialist’s desk, they receive confidential status (which is ensured by Article 14 of the Labor Code of the Russian Federation), therefore, for their further use (and there is no way to do without this in HR records), it is necessary to obtain the written consent of the employee (clause. 8, Article 65 of the Labor Code of the Russian Federation).
This document should describe in detail how, for what purpose and what specific information from personal data will be used, processed and stored.
It should be noted that by law, all personal information provided to the employer can only be used for business purposes.
Results
According to current legislation, the processing of most personal data about a person must be carried out with his written consent. The document containing such consent does not have a specific form, but there is a list of mandatory information that must be included in it. The final list of necessary personal data is developed by the recipient of this information.
Sources:
- Federal Law of July 27, 2006 N 152-FZ “On Personal Data”
- Labor Code of the Russian Federation
You can find more complete information on the topic in ConsultantPlus. Free trial access to the system for 2 days.
If the employee refuses to sign the consent
The legislation of the Russian Federation clearly states that consent must be only and exclusively voluntary, that is, the employer does not have the right to force a subordinate to sign this document, therefore in the practice of HR specialists there are people who refuse to sign consent to the processing of personal data.
This is usually caused by the fact that they do not understand the true purpose of the document: to protect the rights of the employee, but on the contrary, they are afraid that personal information about them will fall into the hands of unscrupulous citizens.
In these cases, the law allows the processing of personal data without the employee’s consent, but only when it is necessary to implement the terms and purposes of a previously concluded employment contract.
Here we should separately emphasize that this applies only to those employees of the organization who are already enrolled in its staff, but in relation to new employees, consent to the processing of personal data must be obtained - without it, in most cases, today it is even impossible to accept a person for work. work. This is due to the fact that an employment contract has not yet been concluded between the parties, which means that the employer does not yet have an obligation to fulfill it.
It is logical that the administration of the enterprise strives to avoid situations where, for example, even in such trifles as issuing a pass to the company’s territory, the lack of consent to the processing of personal data can play a negative role.
How to properly submit a request for review
There is no single template for writing a review. There is a universal application form on the Roskomnadzor website; its form can be used as a sample by entering the necessary details and information. But you can type the application yourself or even write it by hand. The main thing is that it contains the necessary information.
If a citizen has given consent to the processing of his personal data, he can withdraw this consent
This can be done by written or electronic application. The operator is obliged to stop processing personal data within 30 days. Termination of work with personal data does not entail the termination of relations with the operator organization. And in some cases, work with data can continue without the consent of the citizen.
Here is a list of what must be indicated in the application:
- official name of the operator (if it is an organization) or full name (if it is a private individual);
- operator address;
- Full name, passport details, address of the subject of personal data (that is, the applicant himself);
- content of the application. That is, it must set out the requirement to stop further processing of data and revoke previously given consent;
- date of;
- signature and its decoding.
The applicant may describe in detail the reason why he wants to withdraw his consent, or may limit himself to a simple phrase “due to their unlawful use.”
What is the penalty for disclosing personal data?
As mentioned above, the actions that the employer can perform with the personal data of employees are clearly stated in the text of the consent.
If powers are exceeded to some extent, and, even more so, if some kind of abuse occurs, the most serious liability may arise: ranging from disciplinary and administrative, even criminal.
In order for the employee to have a clear idea of whether the information requested from him does not go beyond what is required by law or whether the authority of the company’s employees according to the text of the consent is not exceeded, one should analyze the document in advance (possibly even using the help of a qualified lawyer) and only then put sign your consent.
In particular, information about whether a citizen has served time in prison is needed only when the position for which he is applying directly requires the absence of a criminal record (in other words, if an applicant wants to work as an advertising manager, he has the right not to have such data give).
Where to apply?
As already mentioned, the application can be sent to the operating organization in three ways: a paper application drawn up in two copies can be taken directly to the expedition (the place where correspondence is accepted), by registered mail with notification or by e-mail, if this is allowed by the functionality of the operator’s page . Usually now all organizations have their official email addresses.
Separately, it is worth briefly dwelling on such an aspect of working with personal data as their recall from collectors - professional debt collectors. The fact is that collectors can work with personal data without asking for the debtor’s consent. This is allowed by the provisions of Law No. 152-FZ. Collectors acquire a database of personal data of borrowers from banks or microfinance organizations along with a portfolio of credits (loans) under an agreement for the assignment of rights of claim (assignment).
However, withdrawal of consent to the processing of personal data is also possible in this situation, and in the same way - in writing. After the consent is revoked, collectors will not be able to actively work with the debtor’s data (call him on available numbers, write to existing email addresses, send SMS messages).
In this case, the withdrawal of personal data is called a little differently - refusal to interact. After submitting a refusal to interact with collectors, they have the right to communicate with the debtor by regular paper letters through Russian Post.
However, it should be remembered that the debt itself will not go away. And collectors will retain their right to sue you and receive a court order or a full-fledged court decision. And then hand over the documents to the bailiffs, who will conduct full-fledged enforcement proceedings to search for your property, seize accounts and write off money from them. Remember - judicial practice in this matter is always on the side of those citizens or legal entities to whom you owe money.
But after you have paid the collectors in full and received a document confirming the repayment of the debt, you will be able to revoke your personal data from these bloodsuckers (or knights of cloak and dagger, whatever you prefer to call them).
After receiving the application for revocation, the operator is obliged to stop working with the specified data within 30 days, remove it from everywhere (from all its databases) and destroy it. But although the law says that consent can be withdrawn at any time, in fact the regulations provide for a whole list of cases when the processing of personal data after the withdrawal of consent continues without the consent of the citizen.
Is it possible to revoke consent?
Typically, the action with consent to the processing of personal data occurs like this: when applying for a job, a person signs a document, after which he safely forgets about it. But in some cases, there is a need to revoke a previously signed consent. As a rule, this happens when an employer violates the conditions for storing, using and ensuring the secrecy of information received at its disposal, as well as upon dismissal.
In order to issue a review, you just need to write a statement in free form, demand in it to stop the collection, processing, use, storage of personal data and destroy all information about the subordinate (you must refer to Law No. 152-FZ: clause 1 of article 9 and paragraph 5 of article 22).
This requirement must be met no later than one month after writing the review.
How to revoke a subject’s consent to the processing of personal data: sample application
Circumstances may arise such that an individual decides to revoke the permit, for example, if the company does not justify trust and leaks information or does not comply with the requirements for the conditions of its storage. The law gives the right to do this by drawing up an application in any form and submitting it to the operator. Sending in the form of an electronic document is allowed, but only if the subject has a digital signature confirming its authenticity. The operator has 30 days to comply with the applicant's requirements.
