Legal use of personal data in an online store


The organization enters into an agreement for the supply and provision of services with individuals (including individuals who are individual entrepreneurs), and clients provide their personal data: last name, first name, patronymic, residential address, registration address, passport data, TIN information and pension certificate. Should an organization obtain written consent from its counterparties – individuals – to process personal data?

Having considered the issue, we came to the following conclusion:

The personal data of counterparties who are individuals (including individual entrepreneurs) and with whom the organization has directly concluded an agreement can be processed without consent to the processing of personal data, provided that this data will not be distributed or provided to third parties without the consent of the personal data subject and will be processed only for the purpose of fulfilling the supply (service) contracts concluded with them.

Rationale for the conclusion:

In accordance with Art. 3 of the Federal Law of July 27, 2006 N 152-FZ “On Personal Data” (hereinafter referred to as Law N 152-FZ), personal data (hereinafter referred to as PD) is any information relating to an individual directly or indirectly identified or determined on the basis of such information (to the subject of personal data). Any action (operation) or set of actions (operations) performed using automation tools or without using such tools with PD, including collection, recording, systematization, accumulation, storage, clarification (updating, changing), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of PD are recognized as PD processing (Clause 3, Part 1, Article 3 of Law No. 152-FZ). The PD operator, as follows from clause 2 of Art. 3 of Law N 152-FZ, is a person, including a legal entity, who organizes and (or) carries out the processing of personal data, as well as determining the purposes of processing personal data, the composition of personal data to be processed, and actions (operations) performed with personal data. In this case, a person is recognized as a PD operator, regardless of any registration, the presence or absence of special permits, but by virtue of the very fact of his activities related to PD processing.

Therefore, your organization in this case is the PD operator.

Cases in which the processing of personal data without the consent of the subject of such data is allowed are established by Art. 6 of Law No. 152-FZ. Moreover, they are established in an exhaustive manner. For example, PD processing is allowed if it is necessary for the execution of an agreement to which the PD subject is a party or beneficiary or guarantor, as well as for concluding an agreement at the initiative of the PD subject or an agreement under which the PD subject will be a beneficiary or guarantor (clause 5, Part 1, Article 6 of Law No. 152-FZ). Within the meaning of this norm, the person who is given the opportunity to process personal data is a party to the specified agreement. By virtue of Part 1 of Art. 22 of Law N 152-FZ, before starting PD processing, operators are required to notify the authorized body for the protection of the rights of PD subjects (hereinafter referred to as the authorized body) of their intention to process PD, except for the cases provided for in Part 2 of Art. 22 of Law No. 152-FZ. Thus, it is not necessary to notify the authorized body if PD was received by the operator in connection with the conclusion of an agreement to which the PD subject is a party, provided that PD is not distributed, not provided to third parties without the consent of the PD subject and is used by the operator solely for the execution of the specified agreement and the conclusion of agreements with the subject of personal data (clause 2, part 2, article 22 of Law No. 152-FZ).


Thus, the processing of personal data of counterparties - individuals (including individual entrepreneurs) with whom the organization has directly concluded supply agreements (or provision of services) can be carried out without consent to the processing of personal data and without notifying the authorized body, provided that this data will not be distributed and provided to third parties without the consent of the PD subject and will be processed only for the purpose of concluding relevant agreements with them (determined by the Investigative Committee for civil cases of the Moscow City Court dated 04/06/2012 N 33-8687). If an organization intends to process personal data in other cases not related to the execution of a contract, then it is obliged to obtain consent to process personal data.

We note that, despite the fact that in the case under consideration, the operator falls under an exception and is not required to obtain the consent of the PD subject for processing and notify Roskomnadzor about working with PD, this does not exempt him from the need to apply measures to protect PD. Persons guilty of violating the requirements of Law No. 152-FZ bear civil, criminal, administrative, disciplinary and other liability provided for by the legislation of the Russian Federation (Article 24 of Law No. 152-FZ).

Expert of the Legal Consulting Service GARANT

The answer has passed quality control

October 30, 2013

The material was prepared on the basis of individual written consultation provided as part of the Legal Consulting service.

Since July of this year, the Law on Personal Data is the Federal Law of July 27, 2006 “On Personal Data” (hereinafter referred to as the Law, as amended by Article 3 of the Federal Law of July 25, 2011. Many amendments affected the obligations of personal data processing operators, which, let us remind you, all companies and entrepreneurs are if they have an employee (clause 2 of Article 3 of the Law). Therefore, we will talk further about such responsibilities, in particular, how, in the light of the latest amendments, employers must draw up the basic documents in the field of protecting the personal data (PD) of their employees. After all, the manager often delegates the solution to this issue to the chief accountant, considering him a universal specialist.

Is it possible to include consent to the processing of personal data in a contract?

For example, PD processing is allowed if it is necessary for the execution of an agreement to which the PD subject is a party or beneficiary or guarantor, as well as for concluding an agreement at the initiative of the PD subject or an agreement under which the PD subject will be a beneficiary or guarantor (clause 5, Part 1, Article 6 of Law No. 152-FZ). Within the meaning of this norm, the person who is given the opportunity to process personal data is a party to the specified agreement.

By virtue of Part 1 of Art. 22 of Law N 152-FZ, before starting PD processing, operators are required to notify the authorized body for the protection of the rights of PD subjects (hereinafter referred to as the authorized body) of their intention to process PD, except for the cases provided for in Part 2 of Art. 22 of Law No. 152-FZ. Moscow On establishing a list of persons with access to personal data of employees In accordance with Art. 88 of the Labor Code of the Russian Federation and paragraph.

Do the requirements of the Personal Data Protection Act apply to a contract?

Answer to the question: The answer to your question depends on the purposes for which personal data is processed.

If only for the purpose of fulfilling a contract, for example, payment of fees, taxes, then consent to the processing of personal data from the contractor is not required. If personal data will be used for another purpose, for example, transferring the contractor’s data to the bank to issue a card, then consent is required.

Processing of personal data is possible only with the written consent of the subject of personal data, with the exception of certain cases when such (Art. 6 of the Law of July 27, 2006 No. 152-FZ).

At the same time, the subjects of personal data can be both employees working under an employment contract and citizens with whom the organization has entered into civil law contracts. Thus, an organization in general must obtain consent to process personal data, including citizens,

Statement on personal data

Any employer must put on paper its policy in the field of processing and protection of employee PD (clause 2, part 1, art. 18.1 of the Law; clause 8 art. 86, articles 87, 88 of the Labor Code of the Russian Federation). It is more convenient to do this in one local regulatory act, which must be approved by order and can be called whatever you like, most often the Regulation on Personal Data.

Attention

All employees must be familiarized, against signature, with the Regulations on PD and any amendments made to it (Part 1 of Art. 18 of the Law; clause 8 art. 86, art. 88 of the Labor Code of the Russian Federation).

This is what should be contained in the PD Regulations:

  • list of processed PD (clause 2 art. 3 of the Law). That is, all the employee PD that you need to prepare personnel documentation, prepare reports to the Federal Tax Service and extra-budgetary funds, and perform other duties assigned to you by law, as well as by collective and labor agreements. For example, this is the passport data of employees, information about their education, marital status, military service, health status, income, etc.;
  • purposes of processing PD (clause 2 art. 3, part 2 art. 5 of the Law). They can be copied from the Labor Code (paragraph 1 of Art. 86 of the Labor Code of the Russian Federation);
  • list of actions with PD (clause 2 art. 3 of the Law). They are listed in the definition of “processing of personal data”. For example, this is the collection of PD, its accumulation, clarification, storage, deletion, etc. (clause 3 art. 3 of the Law). In principle, employers can take all of the actions specified in this definition;

We tell the manager

Administrative liability for violating the procedure for processing personal data is provided for in Art. 13.11 of the Code of Administrative Offenses of the Russian Federation. Judges impose it on the basis of inspection materials from Roskomnadzor authorities (Decision of the Primorsky Regional Court dated July 4, 2011 No. 7-12-228/11). But based on the results of inspections, Roskomnadzor authorities prefer to issue an order to eliminate the identified violations (clause 82 of the Administrative Regulations for Conducting Inspections, approved by Order of Roskomnadzor dated December 1, 2009 No. 630; Resolution of the Federal Antimonopoly Service of the Moscow Region dated September 8, 2011 No. A40-129858/10-147-805; FAS VSO dated 05/12/2011 No. A33-10809/2010, dated 04/05/2011 No. A19-25289/09; Fourth AAS dated 10/04/2010 No. A58-3498/2010). If these violations are corrected in a timely manner, you need not worry about a fine under Art. 19.5 of the Code of Administrative Offenses of the Russian Federation. In addition, labor inspectors try to impose fines for non-compliance with the procedure for processing personal data as a violation of labor legislation (Part 1 of Article 5.27 of the Code of Administrative Offenses of the Russian Federation), but the courts do not agree with them (Resolution of the Ninth AAS dated June 14, 2006 No. 09AP-4259/2006-AK).

  • rights and obligations of employees in the field of processing PD (clause 8 of Art. 86 of the Labor Code of the Russian Federation). They can also be copied from the Law on PD and the Labor Code (Art. 14 of the Law; Art. 89 of the Labor Code of the Russian Federation). For example, employees have the right to access their personal data and information about their processing (Part 1 of Art. 14, part 1 art. 18, part 1 art. 20 of the Law);
  • procedure for processing personal data, including storage, use and transfer (clause 8 of Art. 86, articles 87, 88 of the Labor Code of the Russian Federation). Here you need to indicate:


- general requirements for processing PD (Articles 5-7, Art. 9 of the Law; Art. 86, Art. 88 of the Labor Code of the Russian Federation). In particular, all PD of the employee must be obtained from the employee himself or herself (clause 3 of Art. 86 of the Labor Code of the Russian Federation), it can be processed only in accordance with the purposes of its collection (part 4 of Art. 5 of the Law; clause 1 art. 86 of the Labor Code of the Russian Federation), and it cannot be disclosed to third parties without the consent of the employee (Art. 7 of the Law; Art. 88 of the Labor Code of the Russian Federation). The employer is obliged to familiarize employees with local regulations establishing the procedure for processing PD (clause 8 of Art. 86 of the Labor Code of the Russian Federation) and to allow access to personal data only to authorized employees (Art. 88 of the Labor Code of the Russian Federation);

- composition and list of your measures to ensure the protection of PD (art. 18.1, Art. 19 of the Law). For example, list where PD is stored, which employees have access to it without additional permission, how access to PD is obtained for other employees, what information security tools are used on computers, etc.;

  • responsibility of employees for violation of requirements for the processing and protection of personal data. They may bear disciplinary, material, administrative and even criminal liability (Art. 90 of the Labor Code of the Russian Federation; Part 1 Art. 24 of the Law).

Advice

If you already have a Regulation and it was drawn up in accordance with the previous version of the Law on PD, then the Regulation needs to be finalized taking into account the latest amendments.

How to write personal data in a contract

The Receiving Party provides access to Personal Data only to persons who need it to fulfill the obligations of the Receiving Party to the Transferring Party, and only if they have accepted obligations to ensure the safety of the Personal Data that has become known to them under the terms of this Agreement.


2.7. The Receiving Party undertakes, at the request of the Transferring Party, to provide information about the state of affairs regarding the protection of personal data.

Responsibility for violation. Art. 24 of Federal Law No. 152-FZ states that violation of the rules for handling personal information entails liability established by the legislation of the Russian Federation.

Employment contract non-disclosure of personal data

EXAMPLE. In turn, the contents of accounting registers and internal accounting reports are a trade secret (Article 10 of the Federal Law of November 21, 1996 No. 129-FZ “On Accounting”).

IT IS FORBIDDEN to provide for a condition on non-disclosure of trade secrets in the employment contracts of all employees of the organization, without exception. When concluding an employment contract with a person whose labor function will be related to access to information constituting a trade secret, a condition on access to this information, as well as the mutual obligations of the parties to the employment contract associated with such access, must be specified in the employment contract.

However, the employer should include a clause on non-disclosure of trade secrets in employment contracts only for those employees who actually have access to such information in connection with the performance of their job duties. It is important that the order has its own serial number.

Sample obligation

An obligation not to disclose an employee’s personal data must be signed by all subordinates whose activities during working hours involve the processing and use of private information.

By signing a non-disclosure agreement, individuals take responsibility not only not to talk about their colleagues, but also to follow the established “Regulations” in everything.

Please note: Bringing to justice a person who has violated an obligation is only possible when an official document exists between the employee and the organization. An oral agreement between a subordinate and an employer to keep it secret is unprovable and cannot be used in court as evidence of his guilt.

The provisions of this chapter are based on the Constitution of the Russian Federation, according to Art. 23 and 24 of which every person is guaranteed the right to privacy, personal and family secrets, while the collection, storage, use and dissemination of information about the private life of a person without his consent is not allowed.

Consent to the processing of personal data

Personal data is information that directly or indirectly relates to a specific person.

The nature of responsibility is specified in Art.

The development of computer technology has made it possible to collect and systematize this data. If this information is not secure, it can easily be stolen and used for criminal purposes. To protect this information, Federal Law No. 152-FZ of July 27, 2006 was adopted in 2006, which defines the principles and conditions for their processing.

Article 3 of the Law “On Personal Data” defines the processing of personal data as any actions that are performed with them, namely: collection, recording, systematization, accumulation, storage, clarification, use, transfer to third parties, depersonalization, blocking, deletion, destruction.

According to Art. , Law 152-FZ, during processing

Is it possible to include consent to the processing of personal data in an employment contract with an employee?

Answer to the question: It is advisable to formalize consent to the processing of personal data in a separate document.

Consent to the processing of personal data can be given by the subject of personal data or his representative in any form that allows confirmation of the fact of its receipt, and the form must be either written or electronic (with electronic digital signatures) (Part 1, Part 4 of Art. 9 of the Law of July 27, 2006 No. 152-FZ). In this case, the consent of the subject of personal data to the processing of his personal data must include: 1) last name, first name, patronymic, address of the subject of personal data, number of the main document proving his identity, information about the date of issue of the specified document and the issuing authority; 2) last name, first name, patronymic, address of the representative of the subject of personal data, number of the main document proving his identity, information about the date of issue of the specified document and

Document paragraphs

The laws of the Russian Federation do not approve the exact form of the consent form, therefore, for the agreement to have legal force, you only need to ensure that it contains all the information dictated by paragraph 4 of Article 9 of Law No. 152-FZ.

Any person can develop a consent form that suits exactly what information he wants to reflect in it and how it will subsequently be processed.

The agreement includes the following items:

  1. First you must indicate your first name, last name, and patronymic.
  2. Then the subject of the agreement indicates which document he uses to verify his identity and its number.
  3. Indicates by whom and when this document was issued.
  4. You must write the place of your permanent registration.
  5. And specify the name of the organization to which you give your consent.
  6. Then the purposes for which the operator processes your personal data are indicated.
  7. And a list of personal information that you submit for processing.
  8. The next paragraph includes information about what actions the operator can do with the data with the consent of the subject.
  9. It is mentioned that the agreement is valid indefinitely.
  10. Can be revoked at any time, and in case of misuse, revoked by written statement.
  11. It is stated that the subject has the right to receive information about how his data is processed.
  12. Enter the number, signature, surname, first name and patronymic.
  13. And after the information that you are familiar with No. 152-FZ, the date, your signature and full name are also put.

How to correctly include a clause on non-disclosure of personal data in a contract?

Hello, please tell me, the Chairman of the House Council enters into an agreement with an advertising distributor, it is necessary to include in the agreement a clause on the confidentiality of personal data (the advertising distributor’s wish) so that his passport data would not become known to third parties.

Last name, first name, patronymic (individual entrepreneur), passport series number.

How to write this correctly?

04 May 2020, 14:16, question No. 1986224, Lyudmila

Is the clause on the processing of personal data legal in an agreement between legal entities?

The processing of personal data must be limited to the achievement of specific, pre-defined and legitimate purposes. Processing of personal data that is incompatible with the purposes of collecting personal data is not permitted. According to Part 4 of Art. 5 of Federal Law of July 27, 2006 N 152-FZ (as amended on July 29, 2020) “On Personal Data”, only personal data that meets the purposes of their processing is subject to processing. According to Part 5 of Art. 5 of Federal Law of July 27, 2006 N 152-FZ (as amended on July 29, 2020) “On Personal Data”, the content and volume of personal data processed must correspond to the stated purposes of processing. The personal data processed should not be redundant in relation to the stated purposes of their processing.


Good afternoon. When concluding an agreement for the provision of services between legal entities, one party included in the agreement the clause “Consent to the processing of personal data”, which states that the other party provides passport data (document number, date of issue, full name, registration, citizenship, postal address, date of birth) Director of the institution and chief accountant. Is such a requirement legal?

Consent to the processing of personal data

Relatively recently, a new document called “” was introduced into circulation in Russia.


Very quickly it became widespread and is currently widely used in a variety of organizations, from government budgetary institutions to commercial companies. It is a written permission of a citizen of the Russian Federation, which he gives to the interested party to receive, collect, store and use personal information about himself.

The document also guarantees a person that information about him will be used for strictly defined purposes and will be protected from unlawful actions.

Now consent must be written almost everywhere: when submitting documents for a child to kindergarten or school; during employment; when concluding an agreement with a bank, insurance company, etc.

Is it possible to include a clause of consent to the processing of personal data when concluding a contractual agreement in the contract itself?

You can do so in the contract itself; the law does not prohibit this. The main thing is that everything is spelled out in accordance with the Law “On Personal Data”.

Article 9. Consent of the subject of personal data to the processing of his personal data

1. The subject of personal data decides to provide his personal data and consents to their processing freely, of his own free will and in his own interest. Consent to the processing of personal data must be specific, informed and conscious. Consent to the processing of personal data can be given by the subject of personal data or his representative in any form that allows confirmation of the fact of its receipt, unless otherwise provided by federal law. If consent to the processing of personal data is received from a representative of the subject of personal data, the powers of this representative to give consent on behalf of the subject of personal data are verified by the operator.

2. Consent to the processing of personal data may be withdrawn by the subject of personal data.

Selected features of contractual regulation of personal data processing

When regulating certain types of public relations, the legislator separately specifies the features of contractual regulation of PD processing. In particular:

  • agreements concluded between the organization providing utility services and organizations that take meter readings, accrue charges, and prepare and deliver payment documents to individuals must contain provisions on the protection of information about citizens (subclause “e” of clause 32 of the rules for the provision of utility services to owners and users of premises in apartment buildings and residential buildings, approved by Decree of the Government of the Russian Federation dated May 6, 2011 No. 354);
  • an agreement to assess the effectiveness of PD protection measures can only be concluded with an organization that has a license to carry out activities for the technical protection of confidential information (clause 6 of the composition and content of organizational and technical measures to ensure the security of personal data..., approved by order of the FSTEC of Russia dated 18.02.2013 No. 21);
  • in accordance with Part 1 of Art. 15.3 of the Law “On State Defense Order” dated December 29, 2012 No. 275-FZ, at the request of regulatory authorities, organizations and authorities are required to submit documents and information, including agreements, despite the PD contained in them.

Consent to the processing of PD in the agreement on the provision of utility services (CG)

Consent to the processing of personal data can be specified in the contract for the provision of utility services.

An agreement containing provisions for the provision of CG (including the management agreement for apartment buildings) can be concluded with the contractor (clause 6 and clause “a”, clause 9 of Rules No. 354):

  • in writing;
  • by the consumer performing actions indicating his intention to consume CG or the actual consumption of such services (implicit actions).

The contract is considered concluded from the moment the consumer begins to use utilities and pay for them. This means that the consumer agrees with all the terms of the contract, including the processing of personal data.


What relates to the personal data of an individual and how they relate to the use of cash registers

Personal data (PD) includes any data that makes it possible, in one way or another, to identify an individual. This is stated in paragraph 1 of Article 3 of Law No. 152-FZ, which regulates the use of personal data in Russia.

Identification in this case can be direct - based on personal data as such (for example, if it is a person’s full name and date of birth), or indirect - based on a comparison of existing personal data and information obtained in one way or another on the side.

For example, indirect identification can be carried out by e-mail address - which can, alternatively, be entered as a search criterion for the desired user in the interface of any messenger - for example, Mail Agent or Skype. Very often people indicate their real data in messengers.

Thus, the range of data that can be legitimately classified as “personal data” can, in principle, be as wide as desired. There are judicial precedents in which even Cookie files on a computer were considered personal data - as a type of identifier for an individual.

But how are personal data and the cash register of a commercial enterprise connected?

The fact is that at the checkout it is possible to carry out several types of operations with personal data at once. The law distinguishes the following operations:

  • processing;
  • distribution;
  • adjustment;
  • targeted transfer;
  • deletion.

In principle, any of them can be carried out at the checkout. In this case, we can talk about the following main legal mechanisms for the use of personal data:

  • using the buyer’s personal data to provide him with an electronic cash receipt - in accordance with the requirements of Law No. 54-FZ;
  • use of the buyer’s personal data when processing the return of goods.

Certain nuances characterize the use of personal data by an online store.

Let's take a closer look at how a trading company must legally use personal data in these cases - let's start with the traditional, offline trading format.

When sending an electronic cash receipt to the buyer’s email or phone number at his request

An electronic check from the online cash register can be sent to the buyer by e-mail or telephone, which he reports before making payments to the seller.

First of all, let’s decide whether these contacts are considered personal data?

From the point of view of being considered as indirect identifiers - absolutely. This or that interested person can, as we noted above, use e-mail to search for a person’s account. A telephone number, in principle, can be used for similar purposes. An interested person can call it - so that, relatively speaking, introducing himself as an employee of a cellular operator, unobtrusively clarify the full name of the user of the number to “adjust the database.”

Thus, buyers transfer “contact” personal data to sellers in order to receive an electronic receipt. As a result, sellers have obligations under the provisions of Law No. 152-FZ for the correct use of personal data. Key responsibilities in this area include:

  • ensuring the confidentiality of the buyer’s personal data;
  • ensuring secure storage of personal data in accordance with the law.

As a rule, the Personal Data Operator (an individual or organization that has received someone's personal data) is obliged to request the owner's consent to process the data, and in writing. But there is an exception to this rule: consent is not required if the transfer of data to the Operator is related to its compliance with certain legal requirements.

In this case, we are talking about fulfilling the requirements of Law No. 54-FZ. Therefore, it is legitimate to say that the seller should not ask for consent.

But what about privacy?

In the context of the provisions of Law No. 54-FZ, the seller’s task in terms of fulfilling the obligations under consideration is simplified to a certain extent. The fact is that in practice, when cash register equipment is used under Law No. 54-FZ, the functions of ensuring the confidentiality of personal data (and their secure storage) are assigned not to the seller but to the Fiscal Data Operator (OFD), the organization that sends electronic cash receipts to customers' contact details.

The seller enters into a mandatory agreement with OFD - again, in accordance with Law No. 54-FZ, and OFD carries out all procedures related to the transfer of an electronic check within the framework of it. The contract usually stipulates the conditions for the use of personal data. Of course, the OFD side has its own obligations to ensure the security of the use of buyers’ personal data, which is transferred by the seller - but that’s a different story. The seller does not need to think about this.

At the same time, obviously, there is a certain “intermediate period” of circulation of personal data - between the moment the seller receives it from the buyer and the moment it is actually transferred to the Fiscal Data Operator. Relatively speaking, the seller, having asked the buyer for a phone number orally, can, before entering it into the cash register program, which transfers the data to the OFD, quietly write it down “on a piece of paper” - in order to then use it in some other way. Of course, a similar procedure is possible after transferring data to the OFD.

This means that the seller, in theory, can still allow a violation of the confidentiality of personal data. But it is within his power to guarantee the prevention of such a violation. For these purposes, the trading enterprise develops a special document - the Regulation on the Protection of Personal Data (often referred to as the Privacy Policy, among other names; the name is not the main thing here, the content of the document is more important). It regulates how store employees handle the personal data of customers at their disposal. The Regulation is mandatory for employees and can be considered the main guiding standard when handling personal data.

Let us immediately note that the Regulation will also cover the other procedure we mentioned in which personal data is used - the return of goods. We will consider the specifics of drawing up the Regulation for both cases later, but for now we will look at how personal data is used specifically when goods are returned.

When returning goods

Return of goods is a fiscal procedure which, in accordance with Law No. 54-FZ, must be recorded in the fiscal memory of the cash register (as must the earlier release of the goods and receipt of payment from the buyer). In addition to the mandatory fiscalization of returns, this procedure must be documented in accordance with consumer protection legislation and other regulations governing purchase and sale relations.

Taking into account the entire set of legal norms applied when returning goods, the seller generally must:

  • request from the buyer an application to return the goods;
  • agree with the buyer on the invoice for the goods, for example using the TORG-13 form or a similar document on the basis of which changes will be made to the accounting records (if the seller has the status of a legal entity and is required to keep accounting);
  • generate a cash receipt with the “return receipt” sign - after receiving the returned goods and issuing funds to the client.

What about personal data? They will be requested by the seller, at a minimum, for the purpose of filling out an application for returning the goods. And this is “classic” personal data for direct identification of an individual - full name and passport data. The application is certified by the personal signature of the buyer - accordingly, the accuracy of the personal data will be guaranteed by the owner himself.

Does the seller need to ask the buyer for consent to process personal data in this case?

There is a widespread view among lawyers that it is lawful not to request such consent. It is based on the fact that the seller's acceptance of personal data in the scenario under consideration is determined, first of all, by the contract for the purchase and sale of goods. The return is carried out within the framework of this contract, and, accordingly, personal data is requested in the prescribed manner. Since subparagraph 5 of paragraph 1 of Article 6 of Law No. 152-FZ establishes that consent is not required precisely when personal data is transferred within the framework of a contract, that norm applies here. At the same time, the personal data subject must act as a “party” to the contract or as its “beneficiary”.

It is important that the federal law does not directly explain in what form the contract must be concluded. In the case of a regular purchase of goods at a store checkout, this form takes on a “fiscal” character, and the criteria for recognizing the contract as concluded are:

  • issuance and payment of goods;
  • certification of the fact of its issue and payment by cashier's check.

Thus, it is completely legitimate to talk about classifying such a transaction as an exception in which consent is not sought.

However, in any case, it would not be superfluous for the seller to request written consent to the processing of personal data from the buyer before processing the return of the goods. There is always a possibility that the inspection authorities will have questions for the company about how it organizes the processing of personal data, for example, if it turns out that the company uses personal data for purposes not related to the execution of contracts (such as advertising mailings). Even though these mailings are not related to “cash” procedures, inspection authorities may pay increased attention to establishing whether the mailings are justified, and mailings do require consent. As a result, they will also ask about the lack of consent to the processing of personal data when returning goods.

Moreover, requesting consent is, as a rule, not at all complicated.

Responsibility for violation

The legal consequences of a trade enterprise failing to comply with the requirements of the legislation on the protection of personal data are determined on the basis of the provisions of:

  1. Administrative legislation.

These are mainly the norms of Art. 13.11 of the Code of Administrative Offenses of the Russian Federation. The following fines are provided:

  • for processing personal data without obtaining consent, when necessary - up to 20,000 rubles (for the head of a company or individual entrepreneur) or up to 75,000 rubles (for a trading enterprise as a legal entity);
  • for incorrect (not corresponding to the stated purposes) processing of personal data - up to 10,000 rubles (manager or individual entrepreneur), or up to 50,000 rubles (legal entity);
  • for the absence of a Privacy Policy - up to 6,000 rubles (firm managers), up to 10,000 rubles (business owners as individual entrepreneurs), up to 30,000 rubles (legal entities);
  • for refusal to inform an individual about the procedure for processing his personal data - up to 6,000 rubles (firm managers), up to 15,000 rubles (entrepreneurs), up to 40,000 rubles (legal entity).

Art. 5.39 of the Code of Administrative Offenses of the Russian Federation provides for a fine for refusing to familiarize an individual with the Privacy Policy of a commercial enterprise - 10,000 rubles (for the head of an organization or an individual entrepreneur).

  2. Criminal legislation.

Illegal processing of personal data that constitutes a person’s personal secret may be accompanied by the application of sanctions to the violator in the form of a fine of up to 200,000 rubles, disqualification, correctional labor, and imprisonment of up to 2 years.

Separate sanctions may be applied to the store based on claims by the affected parties in civil proceedings.


Lifehack according to 152-FZ

First, a small but important digression.
Recently, an acquaintance from a trading company asked me to look at their agreement with a web studio. They were going to improve the store's website. First of all, I opened the terms of reference and saw that the guys were planning to register the owner of the site with Roskomnadzor as a personal data operator. I thought, “Are they serious?” And answered myself: “Unfortunately, yes.” The same advice appears in seven out of ten how-to articles on compliance with the Law “On Personal Data” (152-FZ). Advisers say: “First of all, submit an application to be included in the register of personal data operators.” And many people follow this recommendation.

Now attention! Article 22 of the same law determines that if data processing is necessary for the execution of a contract, then there is no need to notify Roskomnadzor.

Do you sell goods/services online? Great! If you do not use the data for anything else, then you do not need to submit a notification to Roskomnadzor. Here is such a simple recipe. Well, now to the topic.

Basis of legitimate interest in practice

Let's assume that a development company provides access to a web service under a license.
Personal data is used to conclude a contract and to collect statistics (not anonymized). There are two purposes of data processing: fulfillment of the contract, and improvement of the product and solving technical problems. The first purpose relates to the contractual basis (subsection (b) of Article 6(1)) and does not require consent.

The second goal can be achieved based on:

a) consent (subsection (b) of Article 6(1)), b) basis of legitimate interest (subsection (f) of Article 6(1)).

If a company decides to use the consent basis, it will have to add an unchecked checkbox to the order form. How many users will agree to provide data for collecting statistics? Hardly any.

When applying the legitimate interest basis, the company only informs the data subject of their rights, without requiring any active action (Article 21(4) GDPR). Moreover, if it is justified that the company's interest overrides the rights of the data subject, the company is entitled to process the data regardless of the refusal.

Will the company be able to answer the questions to apply the legitimate interest basis? Let's check:

  • Purpose of use: Increasing product stability to protect the interests of the licensee.
  • Necessity: It is impossible to obtain statistics in a set of necessary parameters in any other way.
  • Balance of interests: The processing is balanced and the potential harm is not significant.
  • Openness: Data processing is open and obvious to the data subject.

As we can see, the company has every reason not to obtain consent. But you should remember the limitations:

  • Before collecting personal data, the subject must be informed of the purposes and legitimate interests of the processing (Art. 13(1) point (d), Art. 14(2) point (b) GDPR). That is, the application of this basis must be publicly justified and documented.
  • The data subject must be granted the right to object to processing (Article 21), the right to erasure and restriction.

On the other hand, when collecting statistics, you can simply comply with the law in another way: anonymize the data. The processing of anonymized data is not regulated by the GDPR.

Personal data and contract: we process and do not ask

The basis is similar in content to Russian legislation (remember the story from the introduction).
According to sub. (b) art. 6(1) GDPR, if data processing is necessary for the performance of a contract, you can carry it out without difficulty and, most importantly, without consent. This applies even before the conclusion of the contract, provided that the actions were requested by the data subject himself (for example, he sent an application).

It’s worth making a note here: data should be processed only to the extent necessary to fulfill the contract. If information is needed to fill out CRM fields, then it remains outside this basis.

Simple example. The company sells products online. When making a purchase, the client provides personal data, and the store processes it in connection with the execution of the contract. Is consent needed? No, provided that the data is not redundant and will not be used in any other way.

It is only necessary to inform the user that the data is nevertheless being processed, to describe the processing methods and protection measures, and to provide the other information required by the GDPR (Article 5, Articles 13 and 14).

The store only needs to add a notice of familiarization with the policy to the order form. There is no need to require that the proverbial consent box be ticked, or to create technical conditions in order to be able to confirm the receipt of consent (clause 42 of the preamble). I would like to note that it would be nice to have a checkbox indicating that you are familiar with the policy.

However, if a company wants to use personal data, for example, for targeted advertising mailings, then this no longer falls under the contractual basis. In this case, the processing has two purposes, the second of which must be based on consent or on the basis of legitimate interest (more on this below).
