Step-by-step instructions for appointing someone responsible for organizing the processing of personal data


Whether the document is mandatory, and its significance

For companies operating in the commercial sector, this document is not strictly mandatory (unlike, for example, government agencies), as is the organization of the system of actions with personal data. However, many companies prefer to appoint responsible employees for working with personal information of staff, which allows them to avoid future violations during the circulation of documentation, as well as prevent various abuses.

The list of responsibilities of the employee responsible for the processing of personal data includes monitoring the protection of personal information of the organization’s employees, communicating to them the relevant regulations of the company, collecting the necessary signatures, etc.

Responsibility

The organization decides who is responsible for ensuring the inaccessibility of information about employees. The person responsible can be either one official (or group of persons) or an entire department. It is necessary to take into account the direct participation of personnel officers, accountants, and office clerks in working with personal data - for them, access is mandatory.

Whether the protection of personal data complies with current legislation is controlled by Roskomnadzor, the Federal Security Service and the Federal Service for Technical and Export Control.

Order on the appointment of those responsible for the processing of personal data

Failure to comply with the procedure for protecting personal data may result in liability:

  • disciplinary;
  • civil law;
  • material;
  • administrative;
  • criminal.

Disciplinary liability is the most common type of punishment to which employees who have full access to personal data are subject, as a rule, for disclosing any information.

The decision on punishment is made by the employer. Depending on the severity of the harm caused, the violator may be given a warning or a reprimand, or even be removed from office.

Civil liability is directly related to the moral damage (to honor, dignity and business reputation) caused to a person by the disclosure of their personal data.

If this fact is confirmed in court, the violator, for example, pays compensation to the injured party.

Article 243 of the Labor Code provides for financial liability (penalties) for violation of the procedure for working with personal data.

Administrative liability arises both for violation of the procedure for collecting, analyzing, and storing personal data and for disclosure of information.

In accordance with Article 13.11 of the Code of Administrative Offences, the first entails the imposition of the following fines:

  • for individuals – three hundred to five hundred rubles;
  • for officials – five hundred to one thousand rubles;
  • for legal entities – five to ten thousand rubles.

For disclosing information, individuals are fined five hundred to one thousand rubles, and officials four to five thousand rubles (Article 13.14 of the Code of Administrative Offenses).

Criminal liability arises for violation of privacy, including the use of official position.

Punishment may be in the form of a fine, compulsory labor, removal from a position, or imprisonment for 4 months.

Who is responsible?

The operator independently determines the circle of persons who will be responsible for working with personal data. The main responsibility lies with the employer.

The data access group must include employees who, due to their occupation, come into contact with personal data - for example, employees of the personnel department, accounting department, and office work sector.

What applies to personal data

Personal data is considered to be any information about an employee of an enterprise that concerns him personally and is documented in any papers. This includes information from the passport, INN, SNILS, work book, diploma of education and other similar certificates, hospital cards, etc.

This also includes what concerns the employee’s marital status, family ties, criminal records, financial affairs and everything else that can directly or indirectly identify a person.

Any citizen can dispose of all this data only personally, but since in modern conditions this is not always possible, he transfers consent to the processing of personal information to other persons, including a representative of the employer, who in turn bears full responsibility for the safety of this confidential information and inaccessibility to strangers.

Procedure for appointing a person responsible for personal data

First of all, the organization must draw up a regulation on personal data that governs the procedure for collecting personal data (in either paper or electronic form), as well as its processing, storage and protection.

If the organization has a trade union body, this document is first agreed upon with the elected body of the trade union. If no disagreements are found, then within 3 days after the union’s response the employer can approve the regulation by issuing a corresponding order from the manager.

The persons responsible for collecting personal data must act on the basis of the regulation. All employees must be familiarized with it against signature, and newly hired employees must be familiarized with it before signing an employment contract.

Important! Before collecting personal data of employees, it is necessary to obtain their consent to the processing of personal data in the form of an application.

A prospective employee responsible for personal data must have the skills and abilities needed to promptly mitigate the risk of third parties gaining access to important information.

The appointed employee must also have a sense of responsibility, since both the success of the entire enterprise and the absence of any risk of becoming a party to legal proceedings depend on how well he performs his direct duties.

In order to properly formalize the appointment of the employee responsible for personal data, it is necessary to ensure that there are local regulations defining the boundaries of this responsibility.

All the details of ensuring the security of information storage are set out in job descriptions, but the head of the organization can appoint as responsible another employee whose department was not originally expected to hold a certain amount of important documentation.

The first step is to draw up a regulation on personal data, which states how this information is collected, how it is used and where it is stored. This regulation applies to all types of media, both paper and electronic.

The regulation is approved by drawing up an order signed by the manager. This order may deal with either a separate type of personal data or all of its categories.

In what form should I write the order?

An order to appoint a person responsible for the processing of personal data can be written in free form, since today there is no unified form for it. However, this does not apply to government institutions, where standard forms are usually used, or to enterprises whose management has developed and approved its own unified template for administrative acts. Information about the format of orders must be indicated in the company's accounting policies.

Who should be appointed responsible?

The law determines that a business entity must independently appoint a person who will be responsible for working with personal data of employees. This means that such an employee can be any person who works in the company.

The law does not establish any requirements for him - for position, education, skills, etc.

However, this person will have to perform the functions and responsibilities assigned to the data protection officer:

  1. Carry out internal control within the company over compliance with the requirements of the law on personal data, including requirements for their protection;
  2. Explain to company employees the provisions of regulations related to the processing and protection of personal data;
  3. Receive and process requests for personal data.

In addition, the performance of these duties requires skills in preparing administrative documentation, as well as understanding legislative acts. The best option for this position would be an employee of the legal department. If this is not the case, then such responsibilities can be assigned to a personnel officer or secretary.

It is possible to assign responsibility to an entire department. But in this situation, the head of this department will bear personal responsibility for working with personal data.

Attention! If an employee assigned to perform these duties leaves, a new person in charge must be selected and appointed. In this case, the first paragraph of the new order must be to declare the previous order invalid.

Sample order to appoint a person in charge

If you are faced with the task of creating an order to appoint an employee responsible for the processing of personal data, and you have not made such documents before, the sample below and comments to it will help you.

  1. At the very beginning of the order, everything is standard: first of all, write here the name of the company, the name of the order, its number and the date of preparation. Then move on to the main part.
  2. Be sure to indicate here in connection with what circumstances the order is being created (this will be its rationale) and provide a link to a provision of law or an internal company document that is directly related to the formation of the order (this will be the basis).
  3. Then enter the actual instruction on the appointment of the responsible person, indicating his position and full name.
  4. Briefly note his main functions and responsibilities (it is better to provide a complete list of them in the relevant job description), and also enter information about the employee (also position and full name) who will replace the responsible employee during his absence from work for valid reasons.
  5. In conclusion, do not forget to assign control over the execution of this order to someone from the management team of the enterprise (it should be noted that the director himself can control the implementation of the order), and also collect all the necessary signatures.

Liability for the lack of an order

The package of these documents will help not only comply with the law, but also protect the organization from claims from Roskomnadzor, the inspection body in this area. The rights and obligations of the regulatory body and the inspected organization are regulated by Order of the Ministry of Telecom and Mass Communications of Russia No. 312 of November 14, 2011. And from 23.02.

Inspectors pay attention to the availability of documentation and to the implementation of the security measures provided for in it. For the disclosure of personal information of employees, the employer and its officials (manager, accountant, secretary, personnel department employees) may face liability:

  • disciplinary - on the basis of subparagraph “c” of clause 6, part 1, Art. 81 of the Labor Code of the Russian Federation;
  • administrative - on the basis of Art. 13.11 Code of Administrative Offenses of the Russian Federation (fine up to 75,000 rubles);
  • criminal - taking into account the provisions of Art. 137 of the Criminal Code of the Russian Federation (fine up to 300,000 rubles or imprisonment for up to 3-4 years).

The employer must remember that all information about the employee must be obtained from himself or from third sources, but only with his written consent. You can use this opportunity if any documents are lost.

There are often cases when information about an employee changes, for example, a change of last name or of marital status. The legislation does not establish a specific period within which the employee must notify the employer of changes. Therefore, it is recommended to fix the deadlines in local regulations. The employer must be notified by means of an appropriate statement supported by documents certifying the changes.

Sample

Legislation stipulates that an economic entity must determine responsible persons for working with personal data.

To fulfill this obligation, the head of the organization issues an order approving an official to work with personal data.

In accordance with the standards, only this person must work with personal data, ensure its protection, limit access to it by third parties, and prevent unauthorized use.

Important: failing to draw up an order appointing the responsible person is therefore considered a violation of the legislation on personal data.

For such non-compliance with the law, there is liability according to the Code of Administrative Offenses in the form of issuing a warning or imposing penalties:

  • for individuals - 300-500 rubles.
  • in relation to responsible persons at the enterprise - 500-1000 rubles.
  • in relation to legal entities - 5,000 - 10,000 rubles.