Responsible for organizing the processing of personal data


Who is the person responsible for personal data?

All actions with personal data of employees at the enterprise are regulated by Federal Law No. 152-FZ dated July 27, 2006 “On Personal Data”, the Labor Code of the Russian Federation, and local regulations. A priori, the employer is responsible for the safety of all information, but he has the right to appoint a person responsible for their processing, protection and control over compliance with the law. This does not relieve the employer of responsibility, but allows him to delegate some of his powers for the rational distribution of his responsibilities in this area. These responsibilities are assigned either to one employee or to a group from the administrative and management apparatus. They are performed additionally along with the employee’s main job functions.

The employer decides who to appoint as responsible. There are no special requirements. Most often, these responsibilities are assigned to those employees who need access to such information to perform basic functions: HR specialist, accountant, secretary. It can also be assigned to any other employee. This work is strictly regulated by local regulations and job descriptions.

https://youtu.be/jhWSEa217Lw

Example document

Limited Liability Company “VasilkoViKo”
INN/KPP 468416546316341/6546316546

legal address: Russia, Nenets Autonomous Okrug, Amderma, st. Severnaya, 13

Order No. 17

on the appointment of a person responsible for the processing of personal data

Amderma 11/14/2022

In order to ensure the protection of personal data of employees of VasilkoViKo LLC and in accordance with the requirements of Chapter 14 of the Labor Code of the Russian Federation, the Law “On Personal Data” dated July 27, 2006 No. 152-FZ,

I ORDER:

  1. Appoint the head of the HR department, Larisa Viktorovna Sukhoveeva, as responsible for the processing of personal data of employees of VasilkoViKo LLC from November 14, 2022.
  2. To the head of the HR department, Sukhoveyeva Larisa Viktorovna: organize activities for the collection, storage, destruction and other processing of personal data of employees, ensure compliance with the requirements of the legislation of the Russian Federation in the field of personal data, organize familiarization of employees with local regulatory legal acts of the employer in the field of processing and protection of personal data as appropriate their approval and publication,
  3. To submit to the head of the HR department, Larisa Viktorovna Sukhoveyeva, for approval by November 20, 2022, a list of persons who have access to the personal data of employees at VasilkoViKo LLC.
  4. In the absence of Sukhoveyeva L.V. for good reasons, appoint the chief specialist of the HR department, Andrey Viktorovich Duev, as her replacement.
  5. I reserve control over the execution of this order.

General Director Ruzakov Ruzakov A.D.

The following have been familiarized with the order:

Suhoveeva L.V.

Duev A.V.

Job description

The rights, functions and responsibilities of this specialist, the limits of his powers are determined and detailed by the job description of the person responsible for the processing of personal data - a special organizational and administrative document that defines the procedure for each operation with personal data. A clear form of instructions is not established by law. It is permissible to simply list the main job responsibilities in it. But the more detailed all production processes are described, the less likely it is that disagreements will arise both with employees and with the law.

The most common type of instruction is a document containing the following sections:

  • general provisions;
  • functions;
  • responsibilities;
  • rights;
  • responsibility.

The document also contains provisions on the procedure for amending it and references to legislative acts.

Appointment of a responsible person

This person is appointed at the enterprise by order of the manager. The document indicates the full name and position of the employee. If it is replaced, changes must be made to the order or a new one must be issued, which will indicate another employee assigned to perform such functions.

The rights, duties and powers of such a specialist are not reflected in the appointment order. They must be included in the Regulations on PD processing. Such information is also included in the job description of this employee.

There are no special requirements in the Labor Code of the Russian Federation regarding the content of this information in job descriptions. But, in accordance with Part 2 of Art. 152 of the law on personal data, this documentation is approved by a separate administrative document (order) of the company.

Every company needs to know that as of July 1, 2017, changes were adopted to Art. 13.11 of the Code of Administrative Offences. Their introduction made it possible to significantly increase liability for violations in relation to the company’s work with personal information.

This means that you need to be very careful in preparing the documentation necessary for work in the organization (orders, instructions, job descriptions) and in the work of the responsible person appointed by this order.

Compliance with legal regulations is a requirement that must be fulfilled by a responsible employee. The fulfillment of these requirements will depend on the careful fulfillment of the duties assigned to him and the correct sequence of his actions, which will allow the company to avoid the imposition of serious penalties.

General provisions

The initial part of the job description of the person responsible for personal data lists the general parameters of the specialist’s professional activity and basic points. This section typically defines:

  • name of the position, basic requirements for the employee - special education, qualifications, length of service, work experience;
  • the person who appoints and dismisses from office;
  • documents that the employee must follow in his activities;
  • procedure for replacing an employee, his subordination.

Skills and abilities are especially important. Important requirements for knowledge of legislation in the field of personal data, labor organization, and the basics of office work using modern information technologies are indicated here.

Step-by-step instructions for use

The appointment of the person responsible for processing personal data is carried out by the head of the legal entity. This is stated in Part 1 of Article 22.1 of Federal Law No. 152.

To appoint a responsible person, the head of the organization must:

  1. Select a responsible employee.
  2. Prepare the necessary documents.
  3. Issue an appointment order.
  4. Preparation of documents

The work with personal information in the company is regulated by several documents. In order to issue an appropriate order, the manager needs to prepare a local regulatory framework.

Documents regulating work with personal data in the company:

  • job description;
  • internal regulations on the processing of personal data.

Job description

The employee's job description must contain not only the duties prescribed by law, but also additional requirements for the person occupying the chosen position. The description should be concise and understandable.

The manager does not have to develop a new job description - he can supplement the existing document with the necessary information. After publication, the manager, clerk or personnel officer familiarizes the relevant employee with the new job description and asks him to sign the papers.

We recommend that you read the articles about the operator, processing policy, notification, automated and manual processing, data centers and the purposes of processing.

Drawing up the regulations

All rights and obligations, as well as responsibilities of the authorized person, must be reflected in more detail in the internal regulations on the processing of personal data.

The document must also contain a description of the procedure for storing and using private information. All employees of the company must familiarize themselves with the regulations.

Read more about important information about the legal support for the processing of personal data here.

Issuance of an order

After the local regulatory framework is ready, the head of the organization needs to issue an order. The publication is carried out according to the general rules of office work in any form on the company’s letterhead.

The order must contain:

  1. order number;
  2. document's name;
  3. date and place of issue of the order;
  4. the word “I command”;
  5. regulations on the appointment of a responsible person;
  6. provision on the person replacing the responsible person during his absence;
  7. provision on the person exercising control over the execution of the order;
  8. manager's signature;
  9. signatures of people who have read the order.

The order indicates the position of the employee and his initials. If an employee is replaced, changes are made to the document or a new order is prepared.

Functions

This section records the employee's tasks. They are enshrined in Art. 22.1 of Law No. 152-FZ and oblige the person responsible:

  • monitor the organization’s compliance with relevant laws, including information security requirements;
  • bring to the attention of employees the provisions of legislation and local regulations on data processing issues;
  • organize the reception and processing of requests and requests from data owners.

A more detailed list is formulated in the next section of the document.

Nature of the instructions

To defense

Information on the requirements implemented in relation to the protection of confidential information was approved by the Government of the Russian Federation in Resolution of the Cabinet of Ministers of the Russian Federation of November 1, 2012 N 1119 “On approval of requirements for the protection of personal data during their processing in personal data information systems.” All responsibilities for protecting personal data fall on the operator collecting and processing them.

  1. Any system that works with personal information uses means of protection against current threats and appropriate information technologies.
  2. The operator identifies current threats and also assesses their potential harm according to the algorithm of paragraph 5 of part 1 of Article 18 of the Federal Law “On Personal Data”. Develop an appropriate threat model and apply it in practice to protect information.
  3. The operator sets the security level for personal data.
      Level 1 is established for systems processing special categories of personal data or biometric information, as well as operators working with more than one hundred thousand personal data subjects (if they are not employees).
  4. Level 2 is assigned to operators processing information of more than one hundred thousand subjects (if they are employees), publicly available data of more than one hundred thousand subjects, biometric data of less than one hundred thousand subjects.
  5. Level 3 is assigned to systems that work with information belonging to 10 thousand subjects who are not employees of the operator.
  6. Level 4 is received by systems that work with publicly available personal data information, which is considered impersonal and does not make it possible to identify a person.

The fourth level of security is provided by the following positions:

  • organizing access to the premises where the information system is located (without the possibility of accidental entry);
  • ensuring the safety of physical PD platforms;
  • approval of a document with a list of persons to whom the system is available.

The third level is due to one additional requirement, compared to level 4 - to appoint an official responsible for safety. At the second level, a mandatory restriction of access to the personal data directory is added only for officials of the operator.

And operators with the first level of security must automatically enter into the electronic accounting tool changes in the powers of employees who have access to personal data, and also create a structural unit (or assign it to an existing one) whose responsibilities include ensuring the security of personal information.

Watch a video about how to protect personal data:

Towards processing in information systems

Chapter 2 of the Federal Law “On Personal Data” entitled “Principles and conditions for processing personal data” includes the basic requirements for this process.

  • An information systems operator works with data based on legislative acts.
  • In the system, processing is limited to actions necessary to achieve specific goals defined in advance. Processing that is incompatible with the purposes of collection is a violation.
  • Merging databases that contain personal data collected for different purposes is not permitted.
  • Only data that meets the purposes of processing is processed.
  • Redundancy in relation to the stated purposes of processing is not allowed.

Important! When processing personal data, the operator must ensure the accuracy of the information, its sufficiency, and maintenance of relevance. If the information turns out to be inaccurate or incomplete, the operator takes measures to clarify it as soon as possible.

It is noteworthy that there is a mandatory requirement for processing - the consent of the subject to the processing of personal data with information about the purposes of such a procedure.

For storage, the operator must approve two regulatory documents:

  1. Policy regarding PD processing.
  2. Agreement on the processing of personal information.

The subject has the right to familiarize himself with the statutory documents and only after that give or refuse consent to the processing of his personal information.

For storage

PD is stored in a form that makes it possible to identify the subject only within the established time limits. In addition, the storage of information (including terms) may be established by regulations at various levels.

Personal data, according to the new requirements of Roskomnadzor for their protection, must be stored only on the territory of the Russian Federation (physically servers or data centers must be located within the state).

Towards security

Article 19 of the Federal Law “On Personal Data” specifies security requirements on the part of the operator. They include the following activities:

  1. Implement a wide range of measures, including technical and organizational ones.
  2. Organize a procedure for assessing the conformity of protective equipment.
  3. Evaluate the effectiveness of security measures.
  4. Maintain records of machine storage media of confidential information.
  5. Detect facts of unauthorized access, restore information if it was deleted or changed during unauthorized access.
  6. Establish rules for access to systems with confidential information.

As you can see, the legislation of the Russian Federation imposes a lot of requirements on transactions with personal data. This is due to the nature of the information and the fact that it must be kept confidential.

Reference! The activities of operators are controlled by several legislative acts designed to minimize the possibility of unauthorized entry.

Among the systems, there are systems with different levels of security depending on the characteristics of the data itself.

Uncontrolled distribution of personal data is considered a violation and may result in damage to the subject of information that should be confidential. The requirement is not taken into account only for anonymized information.

Responsibilities

In this part, the instructions of the person responsible for organizing the processing of personal data describe the procedure for collecting, storing, transferring, destroying and otherwise using them. The complete list is not regulated.

Responsibilities can be conveniently divided into 4 parts:

  1. Professional - the same in different enterprises, regardless of their size, legal form and other factors (for example, monitoring compliance with data security, maintaining relevant logs, etc.).
  2. Special - specific to a particular employer (for example, drawing up training programs within one’s competence).
  3. Mandatory for all professions (compliance with internal regulations, deadlines for preparing documentation, etc.).
  4. Describing the attitude towards equipment, tools, equipment provided by the employer (careful attitude towards office equipment, using it only for work purposes, etc.).

It is recommended to avoid duplication of employee responsibilities specified in the employment contract.

What is the best way to comply with the law?

  • On your own;
  • Engage a lawyer;
  • Contact your system integrator;
  • “Wait for the thunder to strike”;
  • Use services for automated preparation of documents based on personal data.

Let's look at each one separately.

Complying with the law yourself

To fulfill the requirements, it is necessary not only to know the law “On Personal Data” itself and the by-laws, but also to understand the technical aspects in order to describe personal data information systems in organizational and administrative documentation.

It will take you or your employee up to 2 months to find and develop templates for documents on personal data, study legislation and practice. And this will not guarantee results: you can make a mistake in something.

Complying with the law with the help of a lawyer

A good enough way is if the lawyer or law firm you trust has the necessary information security knowledge.

To prepare documents on personal data, in addition to knowledge of the law itself, it is also necessary to know the by-laws of technical content and be able to regulate technical issues.

When choosing this option, check with the lawyer exactly what documents he will develop, whether he will reflect technical issues in them, and whether he has experience working with Roskomnadzor.

Compliance with the law with the involvement of a system integrator

As a rule, large companies and large government agencies turn to system integrators.

Pros: high level of information security services provided, guarantees, turnkey work (development of documentation on personal data and implementation of technical protection).

Disadvantages: high cost (in most cases, exceeding 1,000,000 rubles) and a long project implementation period due to the inflexibility of business processes.

"Wait for the thunder to strike"

The only advantages: the absence of any costs in the short term.

Cons: sooner or later the law will have to be implemented. And it’s better to do this before the requirements are completely tightened.

Roskomnadzor is working to tighten penalties - a bill has already been passed in the first reading to increase fines to a minimum of 30,000 rubles and a maximum of 300,000 rubles for one violation.

Compliance with the law using services for automated preparation of documents on personal data

Pros: simplicity and accessibility to people who are not information security specialists; low cost; prompt preparation of documents and consultations with security experts.

Some of the services also provide financial guarantees with reimbursement of Roskomnadzor fines and assistance in passing inspections.

Obvious disadvantages: the method is not suitable for large state-owned companies and will not help with the full implementation of the personal data protection system checked in the public sector by the FSTEC of Russia and the FSB of Russia.

Rights

There is no need to include in the section those employee rights that are established by the Labor Code and the employment contract. The additional rights of the specialist and his powers are listed here. These are actions, for example:

  • get acquainted with draft decisions of the organization’s management relating to its activities;
  • submit proposals for improvement of work related to the performance of specific duties for management’s consideration;
  • sign documents within their competence;
  • receive information and documents necessary to perform their job duties;
  • conduct correspondence with organizations on issues within its competence;
  • demand from the management of the organization assistance in the performance of their official duties and rights;
  • improve your professional qualifications;
  • other rights and social guarantees.

Rights and obligations

The list of rights of responsible persons is not fixed by law. Typically, such persons are permitted to conduct internal audits to ensure that the firm's data processing activities comply with legal requirements. They also have the right to make proposals to management to improve the handling of personal data of the company’s employees and clients.

Responsibilities are enshrined in Part 4 of Article 22.1 of Federal Law No. 152. The one who is responsible for working with personal information and processing it must:

  1. Provide instructions to company employees on compliance with laws and explain the content of local regulations regarding the processing and storage of personal information.
  2. Monitor compliance with technical and administrative measures taken by the company to protect personal data - check the procedure for filling out personal information carriers and access logs.
  3. Register and respond to requests received by the company from clients and regulatory authorities.

To avoid “leakage” of information, the head of the company can also authorize the person responsible:

  • for the development of local documents in the field of personal information;
  • to keep records of personal information carriers and obtain employee access to them.

Responsibility

An employee is held accountable for failure to perform or improper performance of his official duties as provided for in the instructions, for causing material damage to the employer, for offenses committed in the course of his activities. The list of violations and liability measures contained in the instructions of the person responsible for the processing of personal data are described in a general form. Determining the degree of guilt of an employee, as well as the measures of his possible punishment, is based on the relevant sections of labor, civil and criminal legislation. The employer does not have the right to independently introduce new types of liability.

What kind of personal data are there?

Special personal data:

relate to race and nationality, political views, religious or philosophical beliefs, health conditions, intimate life.

Biometric personal data:

characterize the physiological and biological characteristics of a person, on the basis of which his identity can be established.

Public personal data:

made publicly available by an individual or contained in special directories.

Other personal data:

everything that does not fall into any of the above categories.

There are special requirements for the processing of special and biometric personal data.

Rating
( 2 ratings, average 4.5 out of 5 )
Did you like the article? Share with friends:
Для любых предложений по сайту: [email protected]