What is personal data
Personal data is usually understood as any information relating to a person - a subject determined directly or indirectly according to the criteria of the Law “On Personal Data” dated July 27, 2006 No. 152-FZ.
Data about a person falls under the jurisdiction of Law No. 152-FZ if it is at the disposal of the personal data operator or is subject to processing with the operator's participation (clause 1 of Article 1 of Law No. 152-FZ). In particular, companies that have hired employees meet the definition of an operator, since they process a wide range of information about the subjects in the process of building labor relations with them.
Personal information includes not only information about the employee but also, for example, his photo. Quite significant fines have been established for violations in working with personal data.
Processing and protection of personal data
Federal Law No. 152 “On Personal Data” regulates the interactions of company employees and relations related to the processing of information provided by employees. Such personal data is information about a specific person in some area of public life. Most often you can hear this term when applying for a job in a company.
According to the legislation of the Russian Federation, personal data may contain the following information:
- date of birth;
- income level;
- education document;
- family status;
- occupation;
- information about income;
- place of registration;
- full name of the employee;
- social status.
In addition, it is recommended to indicate the person's philosophical and political views, race, and religious worldview.
Roskomnadzor processes and collects information. If an employee’s rights were violated and his personal data was disclosed, the perpetrator may face administrative or criminal liability.
Why do you need a regulation on working with personal data?
Article 87 of the Labor Code of the Russian Federation, as well as clause 2 of Art. 18.1 of Law No. 152-FZ, require employers to regulate transactions with the personal data of their employees. However, these legal acts, as well as other federal sources of law, do not clearly define exactly how this obligation should be fulfilled. In practice, this is most often done through the development and approval by the company of an internal corporate regulation on the personal data of hired employees.
Functions of the regulation
The employer must store all information about the physical, psychological and documentary condition of the employee. But often this information is in danger of being disseminated in unfavorable cases. That is why the provision on the protection of personal data is intended to perform the following functions:
- Regulates the relationship between employee and employer;
- Explains the prohibition on disseminating data and providing access to it to others;
- Protects the rights and interests of a company employee in unforeseen situations;
- Punishes according to the law citizens who violate this provision.
Thus, this document ensures the safety of citizens and guarantees the non-disclosure of information about their private life.
Regulations on personal data of employees: document structure
The document in question contains local standards defining:
- goals and objectives of the company when working with personal data;
- lists of actual and potential personal data involved in the company’s business processes;
- a description of the data operations practiced by the company;
- methods of data access used in the company;
- responsibilities of company employees who use certain data when performing a job function;
- the rights of company employees to acquire authorized access to data;
- legal mechanisms for liability of company employees for violations during data transactions.
Based on the noted list of norms, the provision on the processing of personal data of employees can be represented by the following key sections:
- establishing the general provisions of the document;
- fixing the criteria for selecting personal data from the array of information involved in document flow and other areas of internal corporate communications;
- defining a list of key operations with personal data;
- regulating the implementation of relevant operations;
- defining the procedure for access of company employees and other persons to data;
- establishing the responsibilities of employees involved in data operations;
- establishing the rights of company employees in terms of gaining access to such data and carrying out the necessary operations with it;
- defining the mechanisms of responsibility of company employees for violations of local norms and provisions of the legislation of the Russian Federation regulating operations with personal data.
The regulation on intra-corporate transactions with personal data must be certified by the head of the company. All employees are required to familiarize themselves with a copy of this document against receipt (subclause 6, clause 1, article 18.1 of law No. 152-FZ).
REGULATION
on the processing and protection of personal data in
Limited Liability Company "CRIMEA-PROJECT"
1. GENERAL PROVISIONS
1.1. This Regulation establishes the procedure for receiving, recording, processing, accumulating and storing documents containing information related to the personal data of employees and clients of the enterprise. Employees mean persons who have entered into an employment contract with an enterprise. Clients mean persons who have entered into an agreement with the company.
1.2. The purpose of this Regulation is to protect the personal data of employees and clients of CRIMEA-PROJECT LLC from unauthorized access, disclosure, misuse or loss.
1.2. These Regulations have been developed on the basis of the Constitution of the Russian Federation, the Labor Code of the Russian Federation, the Code of Administrative Offenses of the Russian Federation, the Civil Code of the Russian Federation, the Criminal Code of the Russian Federation, as well as the Federal Law of the Russian Federation of July 27, 2006 N 152-FZ “On Personal Data”.
1.3. Personal data of employees belongs to the category of confidential, strictly protected information. The confidentiality regime of personal data is lifted in cases of depersonalization or after the 75-year storage period expires, unless otherwise specified by law. Upon expiration of the storage period, paper media containing personal data of employees are handed over to the archive.
1.4. Actions for processing personal data of clients include collection, recording, systematization, accumulation, storage, clarification (updating, changing), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion and destruction.
1.5. This Regulation is approved and put into effect by order of the Director and is mandatory for execution by all officials of CRIMEA-PROJECT LLC who have access to personal data.
1.6. Officials of CRIMEA-PROJECT LLC who have access to personal data of employees and clients in accordance with clause 4.1 of these Regulations must be familiarized with these Regulations against receipt.
2. CONCEPT AND COMPOSITION OF PERSONAL DATA
2.1. Employee personal data is information required by the employer in connection with employment relations and relating to a specific employee. Information about employees means information about facts, events and circumstances of an employee’s life that allow his or her identity to be identified.
2.2. The employee’s personal data includes:
a) information about the facts, events and circumstances of the employee’s private life, allowing him to be identified, with the exception of information that is subject to dissemination in the media in cases established by federal laws.
b) official information, as well as other information related to the employee’s professional activities, including information about incentives and disciplinary sanctions.
2.3. Documents containing personal data are:
a) passport or other identity document;
b) work book;
c) insurance certificate of state pension insurance;
d) certificate of registration with the tax authority and assignment of a TIN;
e) military registration documents;
f) documents on education, qualifications or availability of special knowledge or special training;
g) T-2 card;
h) autobiography;
i) personal sheet for personnel records;
j) medical report on health status;
k) documents containing information on wages, additional payments and allowances;
l) orders on hiring a person, on dismissal, as well as on transferring a person to another position;
m) other documents containing information intended for use for official purposes.
3. CREATION, PROCESSING AND STORAGE OF PERSONAL DATA OF EMPLOYEES
3.1. Documents containing the employee’s personal data are created by:
a) copying originals (passport, education document, TIN certificate, pension certificate);
b) entering information into accounting forms (on paper and electronic media);
c) obtaining the originals of the necessary documents (work book, personal personnel record sheet, autobiography, medical report).
3.2. Information containing the employee’s personal data is included in his personal file, a T-2 form card, and is also contained on electronic media, access to which is permitted to persons directly using the employee’s personal data for business purposes. The list of officials who have the right to access personal data of employees is defined in paragraph 4.1 of these Regulations.
3.3. The processing of an employee’s personal data means the receipt, storage, combination, transfer or any other use of the employee’s personal data.
3.4. In order to ensure human and civil rights and freedoms, CRIMEA-PROJECT LLC and its officials are required to comply with the following requirements when processing employee personal data:
3.4.1. Processing of an employee’s personal data may be carried out solely for the purpose of ensuring compliance with laws and other regulations, assisting employees in employment, training and promotion, ensuring the personal safety of employees, monitoring the quantity and quality of work performed and ensuring the safety of property.
3.4.2. When determining the volume and content of the processed personal data of an employee, officials who have access to personal data in accordance with clause 4.1 of these Regulations must be guided by the Constitution of the Russian Federation, the Labor Code and other federal laws.
3.4.3. Personal data must be obtained personally from the employee. If the employee’s personal data can only be obtained from a third party, then the employee must be notified about this in advance and written consent must be obtained from him. The official receiving personal data must inform the employee about the purposes, intended sources and methods of obtaining personal data, as well as the nature of the personal data to be received and the consequences of the employee’s refusal to give written consent to receive it.
3.4.4. Officials with access to personal data do not have the right to receive and process the employee’s personal data about his political, religious and other beliefs and private life. In cases directly related to issues of labor relations, data about the private life of an employee (information about life activities in the field of family, household, personal relationships) can be obtained and processed by the employer only with his written consent.
3.4.5. Officials with access to personal data do not have the right to receive and process the employee’s personal data about his membership in public associations or his trade union activities, except in cases provided for by federal law.
3.5. When making decisions affecting the interests of an employee, officials of CRIMEA-PROJECT LLC do not have the right to rely on the employee’s personal data obtained solely as a result of their automated processing or electronic receipt.
3.4. The storage of personal data of employees is carried out as follows:
3.4.1. Personal data contained on paper is stored in a locked cabinet installed at the director’s workplace.
3.4.2. Personal data contained on electronic media is stored in the director’s PC.
3.4.3. Personal data included in personal files is stored in a locked cabinet installed at the director’s workplace. Personal data contained on electronic media is stored in the director’s PC.
3.4.4. Work books and T-2 form cards are stored in a locked metal safe.
3.4.5. Access to electronic and paper media containing personal data is strictly limited to the circle of persons specified in clause 4.1 of these Regulations.
4. PROCESSING OF PERSONAL DATA OF CLIENTS OF THE DESIGN ORGANIZATION
4.1. The Operator processes personal data of clients of the design organization within the framework of legal relations with the Operator regulated by part two of the Civil Code of the Russian Federation of January 26, 1996 No. 14-FZ.
4.2. The operator processes personal data of the design organization’s clients for the purpose of:
- providing services for the provision of the project product.
4.3. The operator processes the personal data of the design organization’s clients with their consent provided for the duration of the contracts concluded with them. In cases provided for by the Federal Law “On Personal Data,” consent is provided in writing. In other cases, consent is considered to be obtained when concluding an agreement or when performing implied actions.
4.4. The operator processes the personal data of the design organization’s clients during the validity period of the contracts concluded with them. The operator can process the personal data of the design organization’s clients after the expiration of the contracts concluded with them during the period established by clause 5, part 3, Art. 24 of part one of the Tax Code of the Russian Federation, part 1 of Art. 29 of the Federal Law “On Accounting” and other regulatory legal acts.
4.5. The operator processes the following personal data of clients of the design organization:
- Full Name;
- Type, series and number of identity document;
- Date of issue of the identity document and the issuing authority;
- Address;
- Contact phone number;
- E-mail address.
5. ACCESS TO PERSONAL DATA
5.1. Internal access (employees of CRIMEA-PROJECT LLC).
The following officials have access to personal data of employees who directly use them for official purposes:
a) Director of LLC "CRIMEA-PROJECT";
b) Chief engineer of the project;
c) Secretary-Clerk.
5.1.1. Authorized persons have the right to receive only those personal data of the employee that they need to perform specific functions in accordance with the job description. All other employees have the right to receive complete information only about their personal data and their processing.
5.1.2. Obtaining information about personal data of employees by a third party is permitted only if there is a statement indicating specific personal data and the purposes for which it will be used, as well as the written consent of the employee whose personal data is requested.
5.1.3. Obtaining personal data of an employee by a third party without his written consent is possible in cases where this is necessary in order to prevent a threat to the life and health of the employee, as well as in cases established by law.
5.2. External access (other organizations and citizens).
Disclosure of information about personal data of employees to other organizations and citizens is permitted with the written consent of the employee and an application signed by the head of the organization or the citizen who requested such information.
5.2.1. Providing information about personal data of employees without their consent is possible in the following cases:
a) in order to prevent a threat to the life and health of an employee;
b) upon receipt of official requests in accordance with the provisions of the Federal Law “On Operational-Investigative Activities”;
c) upon receipt of official requests from tax authorities, bodies of the Pension Fund of Russia, Federal Social Insurance bodies, and judicial authorities.
5.2.2. The employee about whom information is requested must be notified of the transfer of his personal data to third parties, except in cases where such notification is impossible due to force majeure, namely: natural disasters, accidents, catastrophes.
5.2.3. It is prohibited to transfer an employee’s personal data for commercial purposes without his consent.
5.2.4. The transfer of information containing the employee’s personal data to his representative is carried out only if there is a duly executed Power of Attorney for the representative.
6. PROTECTION OF PERSONAL INFORMATION
6.1. When transferring personal data in compliance with the conditions provided for in Section 4 of these Regulations, authorized officials are obliged to warn the persons to whom the information is transferred about responsibility in accordance with the legislation of the Russian Federation.
6.2. In order to ensure the protection of personal data stored in personal files, employees have the right to:
a) receive complete information about their personal data and the processing of this data (including automated processing);
b) have free access to their personal data, including the right to receive copies of any record containing the employee’s personal data, except for cases provided for by federal law;
c) demand the exclusion or correction of incorrect or incomplete personal data, as well as data processed in violation of federal law. If an authorized official refuses to exclude or correct the specified personal data, the employee has the right to declare his disagreement in writing to the General Director, justifying such disagreement accordingly. The employee has the right to supplement personal data of an evaluative nature with a statement expressing his own point of view;
d) require officials with access to personal data to notify all persons who were previously informed of incorrect or incomplete personal data of the employee about all changes or exceptions made to them.
6.3. It is prohibited to transmit information about the employee’s health status, with the exception of information that relates to the issue of the employee’s ability to perform a job function.
6.4. When personal data of employees is transferred to third parties, including representatives of employees, in the manner established by the current legislation of the Russian Federation and these Regulations, this information must be limited only to those personal data of employees that are necessary for the third parties to perform their functions.
6.5. Protection of employee personal data from unlawful use or loss is ensured at the expense of CRIMEA-PROJECT LLC in the manner prescribed by federal law.
7. RESPONSIBILITY FOR DISCLOSURE OF CONFIDENTIAL INFORMATION RELATED TO PERSONAL DATA OF EMPLOYEES
7.1. Officials guilty of violating the rules governing the receipt, processing and protection of employee personal data are subject to disciplinary action. The following disciplinary sanctions may be applied to these persons:
a) remark;
b) reprimand;
c) dismissal from a position;
d) dismissal.
7.2. For each disciplinary offense, only one disciplinary sanction can be applied.
7.3. A copy of the order to apply a disciplinary sanction to an employee, indicating the grounds for its application, is given to the employee against signature within five days from the date of issuance of the order.
7.4. If within a year from the date of application of the disciplinary sanction the employee is not subject to a new disciplinary sanction, then he is considered to have no disciplinary sanction. The employer, before the expiration of a year from the date of issuance of the order to apply a disciplinary sanction, has the right to remove it from the employee on his own initiative, at the written request of the employee or at the request of his immediate supervisor.
The regulations were developed by:
Secretary-Clerk S.Yu. Yarysh
Results
Each company that has the status of a personal data operator (all employers are such) is required to approve a local legal act that regulates operations with such data. Most often, such a local act becomes a regulation approved by the general director of the company.
Sources:
- Federal Law of July 27, 2006 No. 152-FZ
- Labor Code of the Russian Federation
Drafting procedure
As soon as a citizen gets a job, he is required to provide the following documents:
- SNILS;
- identification document;
- military ID;
- family status;
- diploma of education.
After the employer accepts this package of documents from the future employee, it is necessary to work out the terms and definitions that will form part of the regulation. Further, information related to personal data is used to conclude an employment contract with the employee. When signing it, all personal data of the citizen are automatically entered into the employer’s register and are not subject to disclosure.
The procedure for processing and storing information
According to Federal Law 152, the processing of employees' personal information covers operations related to the receipt, analysis, systematization and storage of information about the citizens working in a particular organization. This area of activity involves making changes to the register when new information is discovered, as well as deleting and blocking old, invalid entries.
The processing of personal data must comply with the following conditions:
- each database must exist separately; combining them is strictly prohibited;
- information for each employee must be truthful and relevant for a given period of time;
- the database must include information about the time at which this information was collected;
- processing must comply with all legal standards and regulations;
- the database must have a purpose and include exactly the data that is provided for by this purpose.
Structure
It is necessary to follow a clear structure when writing this official document. The labor legislation of the Russian Federation obliges every employer to draw up a provision on the protection of personal data. Each manager determines the structure for his organization independently and individually. But the document must necessarily comply with the standards prescribed in the Federal Law:
- Only information received on a voluntary basis and directly from the employee is recognized. In all other cases, it is considered incorrect and illegal, especially if the information is provided by third parties.
- The provision of data must be made with the personal written consent of the employee for the processing and storage of personal information.
- The document must state that its purpose is compliance with the legislation in force in the Russian Federation and assistance to employees in employment.
- The regulation must guarantee the security and non-disclosure of personal data of each employee of the company for which it was drawn up.
- The employer undertakes to compensate for all losses associated with the leakage of important information at his own expense.
- The regulation must be signed after reading it. Only in this case will this document have legal force.
In addition, it is necessary to approve the procedure for maintaining and collecting information, and specify the rights of the employee and the employer. The last paragraph prescribes legal liability for failure to fulfill the manager’s official obligations in the field of personal data protection.