Concept and types of personal data. Should the payroll clerk report personal data to the chief accountant or director? Employees with access to personal data

Federal Law is constantly being improved and changed so that our freedom and rights, as well as our privacy, are always protected, and all access to personal data is protected by a thousand locks. But what is this – personal data? What is in the public domain and who has the right to request it? Is there a law regulating the non-disclosure of personal data?

What is personal data?

Individual

PD of ordinary citizens includes:

  • information about place and date of birth;
  • residence;
  • data contained in the passport;
  • SNILS;
  • benefits for individuals.

Employee

Employee PD includes information that is important for the employer in connection with employment.

It is also worth noting that the management of employees' personal files has not yet been regulated at the legislative level, so in practice the employer most often includes full details in them.

Namely:

  • data specified in the passport;
  • SNILS;
  • military registration;
  • existing education;
  • a completed application form, which is given to the employee upon employment;
  • employment contract.

Physiological PD, which allow the operator to determine the identity of their owner.

Foreign distribution of PD. This type of information dissemination can be divided into three types:

  1. countries belonging to the Council of Europe Convention (CSE);
  2. countries that are not members of the CSE, but are implementing a set of measures aimed at protecting personal data rights;
  3. countries belonging to the CSE that do not implement a set of measures aimed at protecting personal data rights.

If data is transferred to the latter group, then a legal pretext, supported by law, or the consent of the owner, or a serious reason to preserve the interests of the owner himself is necessary.

Transfer of personal data to state information systems and municipal information systems. Here the processing takes place in accordance with the functioning Federal Laws.

Processing PD during political speeches or when promoting any goods, services or works. Restrictions controlled by the Federal Law: despite the acquisition of information from sources that are public, an indication of the owner’s agreement is required, the presentation of which may not be in writing.

Special categories

According to Federal Law dated July 27, 2006 N 152-FZ (as amended on February 22, 2017) “On personal data”, the PD categories are divided into four groups:

  1. It is not permitted to process data that in one way or another touch on the topic of religion, political views, personal life, nationality, not counting those individual points indicated in paragraph 2.
  2. Processing of the PD listed in paragraph 1 is permitted, but provided that:
     • written permission has been received from their owner for processing personal data;
     • they are publicly available;
     • PD is associated with information related to the health of its owner, and access to it is currently necessary to preserve his life;
     • it is necessary when implementing judicial measures;
     • it occurs due to the entry into force of the legislation of the Russian Federation on security and investigative activities.
  3. Processing of PD about a criminal record can be carried out by state or municipal authorities in accordance with the Federal Law of the Russian Federation.
  4. The processing of personal data, which is specified in paragraphs 2 and 3, must be immediately suspended when the reasons for which it was carried out cease to exist.

Which ones are public?

    The very fact of including PD into the category of “public” is possible only after the written agreement of its owner.

    Public access data may include (subject to paragraph 1) the following:

    • Year and place of birth;
    • place of residence, etc.

    If the individuality of personal data is lost, there is no need for permission from their owner to enter information into public access. All PD is removed from public access at the request of the owner himself or by decision of the court, as well as other government agencies.

    Personal data information system and operator - what is it?

    Personal data information system (IS) is a system that is a combination of PD located in a database and various types of equipment, thanks to which PD processing using automation tools becomes a reality.

    A very important concept is “operator”. According to Federal Law-152, an operator is a state or municipal body, a legal entity or an individual who, alone or collectively with other persons, processes PD and also determines its purpose, necessity and composition.

    All procedures carried out to establish the protection of personal data during their processing in the information system should be carried out only by those people or companies that are members of the list previously created by the operator. And only they can have permission allowing them to access the data.

    It is also necessary to take preventive measures to help avoid prohibited access to information.

    For these purposes, all views and activity are recorded and reflected in an electronic log, which is the responsibility of the operator to check.

    Constant monitoring of how PD is processed by operators, verification and control, and the procedure for protecting documentation are carried out by Roskomnadzor.

    Means of protection and protection of personal data

    The reliability of PD is ensured by:

    • establishing risks when processing personal data in the information system;
    • constant use of technical and organizational measures to establish security in accordance with the security levels established by the Government of the Russian Federation;
    • procedure for improving the means and effectiveness of protection;
    • constant review of machine PD media;
    • instant detection of unauthorized entry;
    • recovery of personal data that was infected with a virus or destroyed during a database hack;
    • recording and accounting of all actions that are performed in the information system;
    • cooperation with private security;
    • protection of the database by passwords known only to people who have access rights.

    Sample consent to provide personal data

    Providing PD is an action of a certain nature through which PD is disclosed to any person or group of persons.

    If you need to create consent to provide your personal data, then you must indicate in writing the following:

    • Full name, place of residence, data stated in the passport;
    • Full name and place of residence of the representative of the PD owner, data contained in the passport, power of attorney;
    • name or full name of the operator who receives consent;
    • the purposes for which PD is processed;
    • list of PD to which you consent to access;
    • the name or full name and address of the person who, as designated by the operator, will process the data;
    • the period during which permission to access the owner’s information will be valid;
    • signature of the PD owner.

    Refusal to provide to third parties

    Federal Law N 152-FZ “On Personal Data” came into force in 2006, but a full report on their PD had to be provided since 2010, when Federal Law No. 210 “On the organization of the provision of state and municipal services” was adopted.

    And if you now receive calls from banks and collectors who will not leave you, your relatives or your colleagues in peace, then it is time to revoke your consent to the processing of personal data. Of course, the data has already been transferred to these organizations, but this step will help you ward off the extortionists.

    Keep in mind that the application must be sent not only to the actual address of the bank branch where you took out the loan, but also to the legal address.

    Send your application by registered mail: this way you will have notification of receipt. Indicate the address that you registered when concluding the loan agreement.

    Attach a copy of your passport and loan agreement to the refusal: this will help the organization quickly find your documents and make changes accordingly.

    But do not forget that each situation requires individual measures. Some of them require cooperation with relevant authorities, such as the police.

    According to Article 24 of Federal Law N 261-FZ, persons who are guilty of causing moral harm to the owner of personal data by violating the law on processing and storing it are obliged to bear criminal liability for disclosure and distribution, namely to compensate for moral damage, in addition to property damage, as well as losses suffered by the owner of the personal data.

    Changing an employee's personal data

    Employee's application for amendments to documents

    An employee whose PD has been modified needs to draw up a document in free form, in which he needs to indicate the reason for the changes that have occurred, and tell about the adjustments that must be made to the existing documents.

    If you change your last name, then the application must be submitted under your old last name, because you are still listed under that name in the organization.

    You must attach copies of relevant documents to your application that will confirm the changes that have occurred.

    Order to amend documents

    Labor legislation does not require the employer to issue an order changing the employee's personal data. But such an order is issued to convey the information to all interested parties (HR officers and accountants).

    The date of the order must be identical to the date on which the employee submitted the application with all attached copies of documents.
    The order must be signed by the employee as a sign that he is familiar with it.

    Notice about the processing of personal data

    It is a very common mistake for operators to notify about the processing of personal data when it was possible not to do so. And if you still decide to notify Roskomnadzor, here are some recommendations:

    • Read very carefully Part 2 of Article 22 of the Federal Law of the Russian Federation dated July 27, 2006 N 152-FZ “On personal data”.
    • Look at the data that is processed for you. Some cases will require you to make adjustments with PD carriers.

    One of the reasons why you may not notify about the processing of PD is indicated in clause 2, part 2, article 22 of the Federal Law and looks like this:

    Let's take the example of establishing a business relationship with an individual to perform a service. So that you know everything is ready and do not have to drive several tens of kilometers for nothing, the foreman prudently took your phone number to announce the good news. In this case, the contract must stipulate: “The workshop undertakes to notify the client by phone **** about the completion of the service.”

    In our situation, a serious dispute arose between the HR specialist and the chief accountant. The dispute is as follows: when hiring an employee, the HR specialist takes a scanned copy of personal documents and enters personal data into the accounting system. The chief accountant needs this data to issue an employee’s electronic signature. The HR specialist refuses to provide the chief accountant with scanned copies of personal documents and data from the accounting system in electronic form, and states that transferring scanned copies of employee personnel documents to the accounting department directly is not possible. Only the employee himself can send scans of his documents to the accounting department upon request from the accounting department. Is this HR approach justified? Article 86 of the Labor Code does not directly address this. Is there arbitration practice on this issue? How can it be justified that an employee is not obliged to provide personal documents to the same employer twice?

    Judicial practice on this issue has not developed. However, the following must be taken into account. Both the personnel officer and the accountant are representatives of the employer. That is, neither the personnel officer nor the accountant act on their own behalf, they act on behalf of the employer.

    The employee submits documents not to the personnel officer as an individual, but to the employer through his representative. The status of a personnel officer and an accountant in this case is equivalent. The employer has the right to process the employee’s personal data, as stated in Art. 86 Labor Code of the Russian Federation. Therefore, both a personnel officer and an accountant can process the data.

    Rationale

    Nina Kovyazina, Deputy Director of the Department of Education and Human Resources of the Russian Ministry of Health

    Is it possible for non-HR employees to be given the right to access the personal data of other employees?

    Yes, you can if employees need access to such information to perform certain job functions.

    Only specially authorized persons who need such access to perform specific functions can have access to personal data of employees. This is stated in Article 88 of the Labor Code of the Russian Federation.

    As a rule, due to the specific nature of their activities, the following employees should have access to personal data:

    • personnel service employees;
    • accounting staff;
    • general director and, if necessary, his deputies;
    • heads of departments and immediate supervisors.

    In this case, each of these categories of employees is assigned its own access level. For example, accounting department employees may be given access to the address information of employees and their marital status, and department heads may be given access to personal information exclusively for their subordinates.

    The access levels of certain persons, as well as the specific procedure for transferring personal data of employees within the organization, must be prescribed in its local documents, for example, in the Regulations on the protection of personal data of employees (paragraph 5 of Article 88 of the Labor Code of the Russian Federation). Authorized persons must be familiar with the provisions of the document and warned about their rights and obligations, as well as responsibility for using information for other purposes (clause 8, part 1, article 86 of the Labor Code of the Russian Federation).

    2. Labor Code of the Russian Federation

    Article 86. General requirements for the processing of employee personal data and guarantees of their protection

    In order to ensure the rights and freedoms of man and citizen, the employer and his representatives, when processing the employee’s personal data, are obliged to comply with the following general requirements:

    1) the processing of an employee’s personal data can be carried out solely for the purpose of ensuring compliance with laws and other regulations, assisting employees in employment, education and career advancement, ensuring the personal safety of employees, monitoring the quantity and quality of work performed and ensuring the safety of property;

    2) when determining the volume and content of the employee’s personal data to be processed, the employer must be guided by the Constitution of the Russian Federation, this Code and other federal laws;

    3) all personal data of the employee should be obtained from him. If the employee’s personal data can only be obtained from a third party, then the employee must be notified about this in advance and written consent must be obtained from him. The employer must inform the employee about the purposes, intended sources and methods of obtaining personal data, as well as the nature of the personal data to be obtained and the consequences of the employee’s refusal to give written consent to receive it;

    4) the employer does not have the right to receive and process information about the employee that, in accordance with the legislation of the Russian Federation in the field of personal data, belongs to special categories of personal data, except for cases provided for by this Code and other federal laws;

    5) the employer does not have the right to receive and process the employee’s personal data about his membership in public associations or his trade union activities, except for the cases provided for by this Code or other federal laws;

    6) when making decisions affecting the interests of an employee, the employer does not have the right to rely on the employee’s personal data obtained solely as a result of their automated processing or electronic receipt;

    7) protection of the employee’s personal data from unlawful use or loss must be ensured by the employer at his expense in the manner established by this Code and other federal laws;

    8) employees and their representatives must be familiarized, against signature, with the employer’s documents establishing the procedure for processing personal data of employees, as well as their rights and obligations in this area;

    9) employees should not waive their rights to maintain and protect secrets;

    10) employers, employees and their representatives must jointly develop measures to protect the personal data of employees.

    Any information relating to a directly or indirectly identified or identifiable individual is recognized as personal data (Clause 1, Article 3 of the Federal Law of July 27, 2006 No. 152-FZ “On Personal Data”, hereinafter referred to as Law No. 152-FZ).

    Personal data includes last name, first name, patronymic, year, month, date and place of birth, address, family, social and property status, education, profession, income and other information about a specific person. The amount of wages paid to an employee relates to his personal data (Roskomnadzor letter No. 08KM-3681 dated 02/07/2014).

    Circle of information about wages

    The concept “” includes not only the official salary or tariff rate of the employee, but also compensation and incentive payments due to him (allowances, additional payments, bonuses) (Part 1 of Article 129 of the Labor Code of the Russian Federation).

    Access to personal data

    Personal data refers to information to which access is limited (Articles 2, 3, 5 and 6 of Law No. 152-FZ).

    In what cases can personal data be disclosed to a third party?

    Personal data is provided to third parties when it is necessary to prevent a threat to the life and health of an employee and in other situations established by the Labor Code or other federal laws (Article 88 of the Labor Code of the Russian Federation, Article 7 of Law No. 152-FZ).

    In what cases can personal data not be transferred to a third party?

    In paragraph 4 of the clarification dated December 14, 2012, Roskomnadzor specialists examined several situations when it is impossible to provide personal information about an employee.

    Thus, you cannot transfer data about an employee if:

    The request was made by a person or organization not authorized by federal law to receive such information. For example, the person requesting personal data is not a state labor inspector, prosecutor, law enforcement or security officer, etc.;

    There is no written consent of the employee to provide information about him to the person who made the request. If the employee has not consented to the transfer of personal information to any of his relatives, the employer or his representative has no right to transfer the employee’s personal data to his wife.

    The wife’s request to provide her with information about her husband’s salary is also not grounds for providing personal information without the employee’s consent. This is also confirmed by Roskomnadzor specialists in letter dated 02/07/2014 No. 08KM-3681.

    Protection of personal data and responsibility for their disclosure

    The legislation establishes various types of liability for the disclosure of personal data. Accounting employees, due to their job responsibilities, have access to personal data of company employees (in particular, information about their salaries).

    Disciplinary responsibility

    If a company employee has failed to keep employees’ personal data secret, the director has the right to reprimand him or even dismiss him (Clause 6, Part 1, Article 81, Articles 90 and 192 of the Labor Code of the Russian Federation).

    However, if the accountant decides to challenge in court his dismissal on the basis of paragraph 6 of part 1 of Article 81 of the Labor Code for the disclosure of personal data of another employee, the company administration will have to prove the following:

    The information that the dismissed accountant unlawfully disclosed relates to the personal data of another employee;

    They became known to the employee in connection with the performance of his job duties;

    The dismissed employee agreed not to disclose such information.

    This is stated in paragraph 43 of the resolution of the Plenum of the Supreme Court of the Russian Federation dated March 17, 2004 No. 2.

    Administrative responsibility

    For the disclosure of information about personal data of employees, the culprit may be subject to an administrative fine in the amount provided for in Article 13.14 of the Code of Administrative Offenses of the Russian Federation, namely from 4,000 to 5,000 rubles.

    How to correctly refuse to provide information

    The company must develop and approve a local regulatory act that regulates the procedure for processing, storing, using and protecting personal data of employees: the regulation on personal data of employees (Article 8, paragraphs 7 and 8 of Article 86, Articles 87 and 88 of the Labor Code of the Russian Federation).

    In particular, it is necessary to specify the procedure for transferring personal data of employees to third parties.

    Request in writing

    In the provision on personal data of employees, it is advisable to establish that the company considers only written requests for the provision of personal data, since with an oral request it is difficult to identify the person who makes the request for the provision of personal data of the employee. See a sample request below.

    Written consent of the employee

    A separate paragraph of the regulation on personal data of employees should indicate that information can be provided to relatives or family members only with the written consent of the employee himself (except for cases provided for by law).

    Please note: the employee himself has the right to determine to which person (organization) he is ready to provide his personal data. It is not necessary that the list of these persons include the employee’s spouse. For a sample of an employee’s written consent to provide his personal data, see below.

    Notice of refusal

    The provision on personal data should also describe the procedure for the actions of authorized representatives of the company if, by virtue of the law, a positive response cannot be given to the request. In this case, the accountant issues a written notice to the applicant about the refusal to provide the employee’s personal data.

    The notification may refer to Article 88 of the Labor Code and the corresponding paragraph of the internal regulations on personal data of employees. See below for a sample notice.

    1. The subject of personal data has the right to receive the information specified in part 7 of this article, except for the cases provided for in part 8 of this article. The subject of personal data has the right to demand from the operator clarification of his personal data, blocking or destruction of it if the personal data is incomplete, outdated, inaccurate, illegally obtained or is not necessary for the stated purpose of processing, as well as take measures provided by law to protect his rights.

    2. The information specified in part 7 of this article must be provided to the subject of personal data by the operator in an accessible form, and it should not contain personal data relating to other subjects of personal data, unless there are legal grounds for the disclosure of such personal data.

    3. The information specified in Part 7 of this article is provided to the subject of personal data or his representative by the operator upon application or upon receipt of a request from the subject of personal data or his representative. The request must contain the number of the main document identifying the subject of personal data or his representative, information about the date of issue of the specified document and the issuing authority, information confirming the participation of the subject of personal data in relations with the operator (contract number, date of conclusion of the contract, conventional verbal designation and (or) other information), or information otherwise confirming the fact of processing of personal data by the operator, the signature of the subject of personal data or his representative. The request can be sent in the form of an electronic document and signed with an electronic signature in accordance with the legislation of the Russian Federation.

    4. If the information specified in part 7 of this article, as well as the personal data being processed, was provided for review to the subject of personal data at his request, the subject of personal data has the right to contact the operator again or send him a repeated request in order to obtain the information specified in part 7 of this article, and familiarization with such personal data no earlier than thirty days after the initial application or sending of the initial request, unless a shorter period is established by federal law, a regulatory legal act adopted in accordance with it or an agreement to which it is a party or beneficiary or the guarantor for which is the subject of personal data.

    5. The subject of personal data has the right to contact the operator again or send him a repeated request in order to obtain the information specified in part 7 of this article, as well as in order to familiarize himself with the processed personal data before the expiration of the period specified in part 4 of this article, if such information and (or) the processed personal data were not provided to him for review in full based on the results of consideration of the initial application. A repeated request, along with the information specified in Part 3 of this article, must contain a justification for sending a repeated request.

    6. The operator has the right to refuse the subject of personal data to fulfill a repeated request that does not meet the conditions provided for in parts 4 and 5 of this article. Such refusal must be motivated. The obligation to provide evidence of the validity of the refusal to fulfill a repeated request lies with the operator.

    7. The subject of personal data has the right to receive information regarding the processing of his personal data, including containing:

    1) confirmation of the fact of processing of personal data by the operator;

    2) legal grounds and purposes of processing personal data;

    3) the purposes and methods of processing personal data used by the operator;

    4) name and location of the operator, information about persons (except for the operator’s employees) who have access to personal data or to whom personal data may be disclosed on the basis of an agreement with the operator or on the basis of federal law;

    5) the processed personal data related to the relevant subject of personal data, the source of their receipt, unless a different procedure for the presentation of such data is provided for by federal law;

    6) terms of processing of personal data, including periods of their storage;

    7) the procedure for the exercise by the subject of personal data of the rights provided for by this Federal Law;

    8) information about completed or intended cross-border data transfer;

    9) name or surname, first name, patronymic and address of the person processing personal data on behalf of the operator, if the processing has been or will be entrusted to such a person;

    10) other information provided for by this Federal Law or other federal laws.

    8. The right of the subject of personal data to access his personal data may be limited in accordance with federal laws, including if:

    1) the processing of personal data, including personal data obtained as a result of operational investigative, counterintelligence and intelligence activities, is carried out for the purposes of national defense, state security and law enforcement;

    2) the processing of personal data is carried out by authorities that detained the subject of personal data on suspicion of committing a crime, or brought charges against the subject of personal data in a criminal case, or applied a preventive measure to the subject of personal data before bringing charges, with the exception of those provided for by the criminal procedure legislation of the Russian Federation cases where the suspect or accused is allowed to become familiar with such personal data;

    3) the processing of personal data is carried out in accordance with the legislation on combating the legalization (laundering) of proceeds from crime and the financing of terrorism;

    4) the personal data subject’s access to his personal data violates the rights and legitimate interests of third parties;

    5) the processing of personal data is carried out in cases provided for by the legislation of the Russian Federation on transport security, in order to ensure the sustainable and safe functioning of the transport complex, protect the interests of the individual, society and the state in the field of the transport complex from acts of illegal interference.

    1. The operator is obliged to inform, in the manner prescribed by Article 14 of this Federal Law, the subject of personal data or his representative information about the availability of personal data relating to the relevant subject of personal data, as well as provide the opportunity to familiarize himself with these personal data when contacting the subject of personal data or his representative or within thirty days from the date of receipt of the request of the subject of personal data or his representative.

    Should the payroll clerk report personal data to the chief accountant or director?

    Personal data of employees including: passport data, monthly salary amount. Should the payroll clerk report them to the chief accountant or director of his enterprise?

    Question. Should the payroll clerk report any personal data of employees (passport data or monthly salary amount) to the chief accountant or director of his company?

    Answer. He must, if the provision of personal data of employees to the chief accountant or director is enshrined in the local act of the enterprise and the employee’s consent to the processing of his personal data has been obtained.

    In general, only specially authorized persons who need such access to perform specific functions may have access to employees’ personal data. This is stated in Article 88 of the Labor Code of the Russian Federation.

    Please note that the employer independently develops a system for protecting employees’ personal data. To do this, it is necessary to develop a special local act, for example, the Regulation on the Protection of Personal Data. The regulations are approved by the head of the organization. The organization's employees must be familiarized with it against their signature. This is stated in paragraph 8 of part 1 of article 86 of the Labor Code of the Russian Federation.

    The list of persons with access to personal data of employees and the access levels of certain persons, as well as the specific procedure for transferring personal data of employees within the organization must be determined by the employer. These conditions can be specified in the Regulations on the protection of personal data of employees (paragraph 5 of Article 88 of the Labor Code of the Russian Federation). Authorized persons must be familiar with the provisions of the document and warned about their rights and obligations, as well as responsibility for using information for other purposes (clause 8, part 1, article 86 of the Labor Code of the Russian Federation).

    Meanwhile, the procedure for access to personal data is not established by law, and such access can be granted by an order of the organization. The order should state who (position, full name) has access, to what personal data, and for what purpose (what actions are performed using the personal data of employees):

    Limited Liability Company "Yunost"

    On establishing a list of persons having access to personal data of employees

    In accordance with Art. 88 of the Labor Code of the Russian Federation and clause 4.1 of the Regulations on personal data of Yunost LLC

    I ORDER:

    1. Determine the list of Company employees who have access to personal data of employees, in accordance with the appendix to this order.

    2. Entrust control over the execution of the order to the head of the personnel department Orlov I.V.

    General Director Bogatov T.S. Bogatov

    Appendix to the order dated 03.02.2015 N 16

    List of employees who have access to work with personal data

    | N | Job title | Full Name | Reasons for access | Purposes of processing | Composition of personal data |
    |---|---|---|---|---|---|
    | 1 | Chief Accountant | Vorobyova Alevtina Nikolaevna | Payroll and taxation | Payroll, calculation, withholding and transfer of personal income tax, insurance contributions, reporting | Last name, first name, patronymic, INN, SNILS, registration at place of residence, bank details |
    | 2 | HR Manager | Kirillova Anna Olegovna | HR administration and personnel records | Reflection in personnel documentation, reporting, interaction with the non-state pension fund | Last name, first name, patronymic, TIN, registration at place of residence, passport details, SNILS number |
    | 3 | Office Manager | Valueva Olga Yurievna | Interaction with clients, clients, representation functions | Registration of passes and admissions, business trips, powers of attorney | Last name, first name, patronymic, registration at place of residence, passport details |

    The following have been familiarized with the order:

    Vorobyova A.N. Vorobyova 02/03/2015

    Orlova I.V. Orlova 02/03/2015

    Kirillova A.O. Kirillova 02/03/2015

    Valueva O.Yu. Valueva 02/03/2015

    What personal data of an employee is the organization entitled to receive?

    The accounting and personnel departments store documents containing personal data of employees - salary statements, personal cards, personal files and others. All personal data of an employee can only be obtained from him. If personal information can only be obtained from third parties, then first notify the employee about this and obtain written consent from him. At the same time, inform the employee about the purposes, intended sources and methods of obtaining personal data. In addition, inform the employee of the nature of the personal data to be collected and the consequences of the employee’s refusal to consent to receiving it. This procedure is provided for in paragraph 3 of part 1 of Article 86 of the Labor Code of the Russian Federation.

    Be careful: salary information is also personal data. This is stated in the letter of Roskomnadzor dated February 7, 2014 No. 08KM-3681. An accountant is liable for improperly storing or protecting data on accruals and payments to employees. For example, an employee's salary information cannot be shared with his ex-wife without the employee's consent.

    The organization does not have the right to collect personal data that is not directly related to the employee’s work activity, for example, information about religion, political leanings, living conditions, etc. This information constitutes a citizen’s personal or family secret, which he has the right not to disclose to anyone. This is stated in paragraph 4 of part 1 of Article 86 of the Labor Code of the Russian Federation and Law of July 27, 2006 No. 152-FZ.

    Having received personal data, the employer undertakes not to distribute it or disclose it to third parties without the consent of the employee.

    Public personal data

    What personal data is considered public?

    Public information is generally known information and other information to which access is not limited. Such information may be used by any persons at their discretion, subject to legally established restrictions on its distribution. This is stated in paragraphs, Article 7 of the Law of July 27, 2006 No. 149-FZ.

    Public personal data is data that the subject of personal data has made available as such. Public personal data may include information accessible to an unlimited number of persons (for example, data from open directories, address books, etc.).

    Since anyone has access to them, they no longer require special security.

    When processing such data, the operator does not need to notify the authorized body for the protection of the rights of personal data subjects (clause 4, part 2, article 22 of the Law of July 27, 2006 No. 152-FZ).

    Consent to personal data processing

    How to obtain an employee’s consent to the processing of his personal data

    In the course of its activities, the employer needs to process personal data of employees. The processing of such data, with the exception of certain cases, occurs only with the written consent of employees. In this case, the consent must include the following information:

    last name, first name, patronymic, address of the employee, details of the passport (another document proving his identity), including information about the date of issue of the document and the issuing authority;

    name or surname, first name, patronymic and address of the employer (operator) receiving the employee’s consent;

    purpose of processing personal data;

    list of personal data for the processing of which consent is given;

    name or surname, first name, patronymic and address of the person processing personal data on behalf of the employer, if the processing will be entrusted to such a person;

    a list of actions with personal data for which consent is given, a general description of the methods used by the employer for processing personal data;

    the period during which the employee’s consent is valid, as well as the method of its withdrawal, unless otherwise established by federal law;

    employee signature.

    Such requirements are established in part 4

    If an employee is incapacitated, written consent to the processing of his personal data is given by his legal representative: parent, guardian (Part 6 of Article 9 of the Law of July 27, 2006 No. 152-FZ).

    An employee may at any time withdraw consent to the processing of his personal data by sending a withdrawal notice to the employer in any form. In such a situation, the organization has the right to continue processing personal data without the consent of the employee, taking into account the restrictions specified in paragraphs 2-11 of part 1 of article 6, part 2 of article 10 and part 2 of article 11 of the Law of July 27, 2006 No. 152-FZ, for example, for the administration of justice or to protect the life (health) of the employee himself. This is stated in Part 2 of Article 9 of the Law of July 27, 2006 No. 152-FZ.

    It should be noted that if a dispute arises, the obligation to provide evidence that the employee’s consent to the processing of his personal data has been obtained rests with the employer (Part 3 of Article 9 of the Law of July 27, 2006 No. 152-FZ).

    With the consent of the employee, the organization also has the right to entrust the processing of personal data to another person (Part 3 of Article 6 of the Law of July 27, 2006 No. 152-FZ). In this case, the employer will continue to be responsible to the employee for the actions of the specified person, and the person processing personal data on behalf of the employer will be responsible directly to the employer (Part 5 of Article 6 of the Law of July 27, 2006 No. 152-FZ).

    It should be noted that the employer must obtain consent to the processing of personal data not only from employees, that is, persons with whom he has an employment relationship, but also from applicants, as well as from persons with whom civil law contracts have been concluded in the organization. This is stated in paragraph 5 of the clarifications of Roskomnadzor dated December 14, 2012.

    Situation: what should be understood by the processing of an employee’s personal data

    Protection of personal information

    How to organize the protection of personal data of employees in an organization

    To prevent disclosure of personal data, create a reliable system for protecting it. The procedure for receiving, processing, transferring and storing such information is established in a local act of the organization, for example in (Article, Labor Code of the Russian Federation,). The regulations are approved by the head of the organization. Familiarize the organization's employees with it against their signature. This is stated in Part 1 of Article 86 of the Labor Code of the Russian Federation.

    Also, the organization must appoint a person responsible for working with personal data (Part 5 of Article 88 of the Labor Code of the Russian Federation). As a rule, such an employee is a personnel service employee, since it is he who most often comes across personal data of employees in the course of his work. Appoint the person responsible for working with personal data by order in any form.

    Specific measures to ensure the security of employees' personal data during their processing are provided for in the Law of July 27, 2006 No. 152-FZ and the Requirements approved. Based on them, an organization can develop its own personal data protection system.

    Thus, when processing personal data in an information system, it is necessary to ensure the protection and security of personal data. At the same time, a threat to the security of personal data is a set of conditions and factors that create the danger of unauthorized (including accidental) access to personal data during their processing in the system, which may result in:

    destruction;

    change;

    blocking;

    copying;

    provision;

    spreading;

    other illegal actions with personal data.

    It should be noted that the choice of specific information security means for the information system for processing personal data is carried out by the employer in accordance with the regulations of the FSB of Russia and the FSTEC of Russia. Determination of the type of threats to the security of personal data relevant to the system for processing and protecting personal data is made taking into account the assessment of possible harm and in accordance with the regulations of the mentioned bodies (clause , Requirements approved by Decree of the Government of the Russian Federation of November 1, 2012 No. 1119).

    When processing personal data in systems, four levels of security can be established depending on the category of data and the number of employees about whom the system contains information. Depending on the level of security, the employer should take various measures to protect personal data processing systems provided for in paragraphs 13-16 of the Requirements approved by Decree of the Government of the Russian Federation of November 1, 2012 No. 1119. For example, establishing a regime for ensuring the security of premises in which personal data is located, appointing persons responsible for ensuring the security of personal data in the information system, etc. Specific requirements for the specified measures to ensure the security of personal data during their processing are established by the composition and content of organizational and technical measures approved by order of the FSTEC of Russia dated February 18, 2013 No. 21.

    To control the security of personal data during their processing, the employer or a person authorized by him carries out control checks at least once every three years, the specific timing of which is determined by the employer independently. If necessary, organizations or individual entrepreneurs that have a license to carry out activities for the technical protection of confidential information can be involved in conducting an inspection on a contractual basis (clause 17 of the Requirements approved by Decree of the Government of the Russian Federation of November 1, 2012 No. 1119).

    Statement on personal data

    Situation: is the Regulation on working with personal data of employees a mandatory document?

    Yes it is.

    The procedure for storing, processing and using personal data of employees is established by the employer, taking into account the requirements of the Labor Code of the Russian Federation and other federal laws. This means that the employer must independently determine the procedure for such processing and enshrine it in a local regulatory act, in particular, the Regulations on working with personal data of employees. All employees of the organization, when hired, must be familiarized with the Regulations against signature (Part 3 of Article 68 of the Labor Code of the Russian Federation).

    It follows from the above that the Regulations on working with personal data are a mandatory document of the organization, and its absence entails administrative liability. The courts also point to this (see, for example, the resolution of the Federal Antimonopoly Service of the Moscow District dated October 26, 2006 No. KA-A40/10220-06).

    An example of how to draw up a Regulation on working with personal data of employees

    The head of the organization approved the Regulations on working with personal data of employees.

    There is no personnel service in the organization. The organization's accountant, V.N. Zaitseva, was appointed responsible for maintaining personnel records.

    Situation: how to protect personal information located in a computer database

    To prevent unauthorized access to personal information located in a computer database, the Regulations establish a procedure for protecting such information. The higher the risk of unauthorized access to personal data, the more measures must be taken to protect such information. For example, an organization can introduce a system of individual passwords that will change at certain intervals, limit employee access to computers on which personal data is stored, and store disks and floppy disks with such information in locked cabinets.

    The processing of personal data in the information system must be carried out in accordance with the provisions of paragraphs 8–16 of the Requirements approved by Decree of the Government of the Russian Federation of November 1, 2012 No. 1119.

    An organization can ensure the protection of personal data both independently and with the involvement of third-party organizations licensed to carry out activities to protect confidential information. Such clarifications are given in paragraph 17 of the Requirements approved by Decree of the Government of the Russian Federation of November 1, 2012 No. 1119.

    Situation: is it possible for employees who do not work in the HR service to be given the right to access the personal data of other employees?

    Yes, this is possible if the employees need access to such information to perform certain job functions.

    Only specially authorized persons who need such access to perform specific functions can have access to personal data of employees. This is stated in the Labor Code of the Russian Federation.

    As a rule, due to the specific nature of their activities, the following employees should have access to personal data:

    personnel service employees;

    accounting staff;

    general director and, if necessary, his deputies;

    heads of departments and immediate supervisors.

    In this case, each of these categories of employees is assigned its own access level. For example, accounting department employees may be given access to the address information of employees and their marital status, and department heads may be given access to personal information exclusively for their subordinates.

    The access levels of certain persons, as well as the specific procedure for transferring personal data of employees within the organization must be prescribed in its local documents, for example, in the Regulations on the protection of personal data of employees (paragraph 5 of Article 88 of the Labor Code of the Russian Federation). Authorized persons must be familiar with the provisions of the document and warned of their rights and obligations, and will also be complied with, and the organization will be able to post the personal data of employees who agree with such placement on the corporate website.

    In order to ensure the rights of its employees, the organization and its representatives, when processing personal data, are obliged to comply with the requirements regulated by the Labor Code of the Russian Federation. Persons guilty of violating the rules governing the protection of personal data are subject to administrative and criminal liability. Alternatively, they may be dismissed with the wording “for disclosing the personal data of another employee on the basis of subparagraph “c” of paragraph 6 of part 1 of Article 81 of the Labor Code of the Russian Federation.” employee to process his personal data.

    At the same time, the staffing table contains information about salaries and bonuses of employees. The staffing table is a local document of the organization and does not relate to personal data. The head of a structural unit, if necessary, can refer to this document if this is provided for in the job description of the head or a local act of the organization. This will allow him to obtain the necessary information without contacting the accounting department.

    Vladislav Volkov answers:

    Deputy Head of the Department of Taxation of Personal Income and Administration of Insurance Contributions of the Federal Tax Service of Russia

    “Inspectors will compare the income of individuals in 6-NDFL with the amount of payments calculated for insurance premiums. Inspectors will begin to apply this control ratio starting with reporting for the first quarter. All control ratios for checking 6-NDFL are given in. For instructions and samples of filling out 6-NDFL for the first quarter, see the recommendations.”