Upon achievement of the purposes of processing personal data. Determining the purposes of processing personal data and how to work with them. Introduction of the Regulations into force

The company cannot do without obtaining personal information from employees, clients and contractors. We need names, addresses, and other information. However, the company has the right to process personal data only for specific purposes. Any other use of the data is a violation that will result in administrative action.

The purposes for which information is requested must be consistent with the law and the needs of the company.

In the course of doing business, a company deals with information that needs to be protected. Confidential information includes information about technologies, projects, developments, the specifics of transactions, etc. The law also requires the protection of information about people who work for the company, are its clients or represent counterparties. The Law “On Personal Data” is in effect in pursuance of the constitutional principle of protecting private life (Article 2 of Law No. 152). The requirements of the law apply to any organization that receives data from data subjects (Article 1 of Law No. 152).

A company that begins to process personal data has the right to request it only for certain purposes (Part 2 of Article 5 of Law No. 152). In addition, the volume of data depends on the goals. You cannot request information that the company does not need (Parts 4 and 5 of Article 5 of Law No. 152). For example, an online store does not have the right to require passport data from the buyer, or to ask for a mailing address if the client collects the goods in person.

The company itself determines the purposes for processing personal data of clients and employees

What exactly the information was needed for is determined by the company (Clause 2, Article 3 of Law No. 152). As a rule, an organization requests personal data of clients, contractors, and employees for the purposes of:

  1. Conclusion of contracts. These could be contracts with consumers of the company's services or goods, with other types of clients, with business partners, employment agreements, etc. For any contract that the company is going to sign, personal data will be required: that of an employee who acts in its interests, of a representative of the counterparty, or of the counterparty itself if it is a private person. The data is also needed so that the company can fulfill its obligations.
  2. Systematization of information about personnel, maintaining personnel records and office work. Employee data is necessary not only for concluding employment contracts, but also for all other transactions within the framework of the employment relationship.
  3. Compliance with the requirements of the law on the deduction of taxes to the budget, insurance contributions, etc. The company withholds personal income tax contributions from employees and transfers these amounts to the state, the Pension Fund and other organizations (Article 22 of Law No. 152, Article 86 of the Labor Code of the Russian Federation).
  4. Formation of statistics. For this purpose, the data must be anonymized (Clause 9, Part 1, Article 6 of Law No. 152).

The company is obliged to warn the subject of personal data about the purposes of processing

The company is obliged to notify the employee or client of the purpose for which it requests his personal data for processing (Clause 4, Part 4, Article 9 of Law No. 152). This is done as part of obtaining consent to provide information. The list of goals should:

  • be comprehensive and specific;
  • comply with the provisions of the charter, as well as local acts of the organization;
  • correspond to what goals the company actually pursues.

For example, a bank requests information from a client. The purpose of processing is to service his account, including:

  • opening an account,
  • account keeping,
  • operations for transferring funds from and to an account,
  • client consultation.

Another example is a list of the purposes for processing employees' personal data in the company policy. The organization stipulates that the information is used:

  • when working with applicants’ resumes;
  • to fulfill the company's obligations under the employment agreement;
  • to comply with labor, tax and pension laws;
  • to organize employee training and improve their professional level;
  • when calculating and accruing wages;
  • to control the quality of employee work;
  • when providing various guarantees and benefits, etc.

Consent to processing must be obtained from the data subject in almost all cases. If the purpose of the collection is to promote the company on the market or political propaganda, the operator is obliged to prove that the person has given consent (Part 1, Article 15 of Law No. 152). Otherwise it is considered that it was not requested.

In addition to the agreement with the employee or client, the purposes for obtaining data must be reflected in a special document - the company policy on working with such data. This must be a public document. As a rule, it is published on the organization’s website in a special section.

1. The processing of personal data must be carried out in compliance with the principles and rules provided for by this Federal Law. Processing of personal data is permitted in the following cases:

1) the processing of personal data is carried out with the consent of the subject of personal data to the processing of his personal data;

2) the processing of personal data is necessary to achieve the goals provided for by an international treaty of the Russian Federation or by law, to implement and fulfill the functions, powers and responsibilities assigned by the legislation of the Russian Federation to the operator;

3) the processing of personal data is carried out in connection with the participation of a person in constitutional, civil, administrative, criminal proceedings, legal proceedings in arbitration courts;

3.1) processing of personal data is necessary for the execution of a judicial act, an act of another body or official, subject to execution in accordance with the legislation of the Russian Federation on enforcement proceedings (hereinafter referred to as the execution of a judicial act);

4) processing of personal data is necessary for the exercise of the powers of federal executive bodies, bodies of state extra-budgetary funds, executive bodies of state power of the constituent entities of the Russian Federation, local government bodies, and the functions of organizations involved in providing, respectively, state and municipal services, as provided for by the Federal Law of July 27, 2010 N 210-FZ "On the organization of the provision of state and municipal services", including registration of the subject of personal data on the unified portal of state and municipal services and (or) regional portals of state and municipal services;

5) processing of personal data is necessary for the execution of an agreement to which the subject of personal data is a party or beneficiary or guarantor, as well as for concluding an agreement on the initiative of the subject of personal data or an agreement under which the subject of personal data will be a beneficiary or guarantor;

6) the processing of personal data is necessary to protect the life, health or other vital interests of the subject of personal data, if obtaining the consent of the subject of personal data is impossible;

7) the processing of personal data is necessary to exercise the rights and legitimate interests of the operator or third parties, including in cases provided for by the Federal Law “On the Protection of the Rights and Legitimate Interests of Individuals When Carrying Out Activities to Repay Overdue Debts and on Amendments to the Federal Law ‘On Microfinance Activities and Microfinance Organizations’”, or to achieve socially significant goals, provided that the rights and freedoms of the subject of personal data are not violated;

8) the processing of personal data is necessary for the professional activities of a journalist and (or) the legal activities of the mass media, or for scientific, literary or other creative activity, provided that the rights and legitimate interests of the subject of personal data are not violated;

9) the processing of personal data is carried out for statistical or other research purposes, with the exception of the purposes specified in Article 15 of this Federal Law, subject to the mandatory anonymization of personal data;

10) the personal data being processed has been made accessible to an unlimited number of persons by the subject of personal data or at his request (hereinafter referred to as personal data made publicly available by the subject of personal data);

11) processing of personal data subject to publication or mandatory disclosure in accordance with federal law is carried out.

1.1. Processing of personal data of objects of state protection and members of their families is carried out taking into account the features provided for by Federal Law of May 27, 1996 N 57-FZ “On State Protection”.

2. Features of the processing of special categories of personal data, as well as biometric personal data, are established in accordance with this Federal Law.

3. The operator has the right to entrust the processing of personal data to another person with the consent of the subject of personal data, unless otherwise provided by federal law, on the basis of an agreement concluded with this person, including a state or municipal contract, or by adoption of a relevant act by a state or municipal body (hereinafter - operator's instructions). The person processing personal data on behalf of the operator is obliged to comply with the principles and rules for processing personal data provided for by this Federal Law. The operator’s instructions must define a list of actions (operations) with personal data that will be performed by the person processing personal data and the purposes of processing, the obligation of such a person must be established to maintain the confidentiality of personal data and ensure the security of personal data during their processing, as well as the requirements for the protection of processed personal data must be specified in accordance with Article 19 of this Federal Law.

4. A person processing personal data on behalf of an operator is not required to obtain the consent of the subject of personal data to process his personal data.

5. If the operator entrusts the processing of personal data to another person, the operator is responsible to the subject of personal data for the actions of the specified person. The person processing personal data on behalf of the operator is responsible to the operator.

Carried out on the basis of compliance with laws and other regulations.

What is the processing of personal data? This process includes the following steps:

Legal regulation of working with personal data covers all processes and stages of working with them.

Target

Why is the processing of personal data necessary? The processing of an employee’s personal data is carried out at the enterprise or organization in order to facilitate it.

The main purposes of processing personal data:

  • assistance in getting a job;
  • placement in an educational institution, or training and advanced training;
  • for the purpose of labor protection;
  • for promotion and control over career opportunities;
  • to monitor the quantity and quality of work performed.

The legislation provides for the accumulation and transmission of an employee’s personal data solely for the purpose of his development and the appropriate use of his abilities and experience. , include multifunctional goals.

The purposes of processing personal data of employees include the use and processing of personal data through their synthesis and interrelation, which determine the relevance of the employee’s capabilities in the conditions of organizing the production process.

The set and stated goals for the processing of personal data cannot be changed without notifying the employee.

Carried out by whom?

Personal data means information that contains basic information about a person of interest to a certain circle of representatives of government and other services.

In particular, in production (in an organization), personal data is of interest to the employer, who manages the organization of work in production based on information about its employees.

The employer has the right to request any personal data available in the employee’s records. In addition to the employer, a limited circle of persons who carry out operational work has access to personal data. As a rule, these are the secretariat and personnel department employees.

An operator who carries out information activities with personal data is given instruction before starting the designated work. He gets acquainted with the operating rules and the principles prohibiting the disclosure of information contained in personal data.

The listed types of work may pursue exclusively the purposes that were the reason for collecting the information. Misuse of personal data or its disclosure is considered a gross violation for which liability is imposed.

Violations

As discussed earlier, violations in the processing of personal data are considered:


The operator’s work with personal data is subject to strict control by authorized services, and the operator is held liable for shortcomings, unintentional or deliberate violations.

All unauthorized actions during the processing of personal data may result in punishment: disciplinary, administrative, and in some cases criminal.

Since the end of summer, the Personal Data Law has been in effect in a new edition. The rules for obtaining and protecting information have changed. For the employer, this means only one thing: additional paperwork. In this article we will talk about how to draw up regulations on working with personal data of employees and appoint someone responsible for organizing work with personal data.

What is personal data

Federal Law No. 152-FZ of July 27, 2006 “On Personal Data” (hereinafter referred to as Law No. 152-FZ) defines personal data as any information directly or indirectly related to an individual (the subject of personal data). This is stated in paragraph 1 of Art. 3 of Law No. 152-FZ.

According to Part 1 of Art. 85 of the Labor Code, personal data of an employee means information relating to a specific employee that the employer needs in connection with labor relations. This refers to data such as:

  • full name;
  • date and place of birth;
  • address;
  • family status;
  • position (profession);
  • salary, other income;
  • ownership of real estate, cash deposits, etc.;
  • education, qualifications, professional training, information about advanced training;
  • habits and hobbies, including harmful ones (alcohol, drugs, etc.);
  • biography facts and previous work activity (place of work, amount of earnings, criminal record, military service, work in elected positions, public service, etc.);
  • physiological characteristics, health;
  • business and other personal qualities;
  • other information.

A list of personnel documents that contain personal data of employees is given in Table 1 on p. 76.

Table 1. Documents containing personal data of employees

| N | Document | Information |
|---|----------|-------------|
| 1 | Questionnaire, autobiography, personal personnel records sheet (to be completed upon hiring) | Personal and biographical information of the employee |
| 2 | Copy of the employee's identification document | Full name, date of birth, registration address, marital status, family composition |
| 3 | Personal card (form N T-2, approved by the Resolution of Goskomstat of Russia dated 01/05/2004 N 1) | Full name of the employee, place of birth, family composition, education, and identification document details |
| 4 | Employment history | Information about work experience, previous places of work |
| 5 | Copies of certificates of marriage and birth of children | Family composition, changes in marital status |
| 6 | Military registration documents | Information about the employee’s military service obligations, required by the employer to carry out military registration of employees |
| 7 | Certificate of income from previous places of work | Full name, information about the amount of income and withheld personal income tax |
| 8 | Education documents | Confirm the qualifications of the employee and justify the holding of a certain position |
| 9 | Mandatory pension insurance documents | Full name, personal data |
| 10 | Employment contract | Information about the employee's position, salary, place of work, workplace, as well as other personal data of the employee |
| 11 | Orders for personnel | Information about hiring, transfer, dismissal and other events related to the employee's work activities |

Personal data processing operator

According to Law N 152-FZ, the person (legal entity or individual) who organizes and (or) carries out the processing of personal data, and determines its composition, the purposes of processing, and the actions performed with personal data, is called the operator (Clause 2 of Article 3 of Law No. 152-FZ). In our case, this is the employer.

Processing of personal data is any action performed with it. Operations for processing personal data:

  • collection;
  • recording;
  • systematization;
  • accumulation;
  • storage;
  • clarification (update, change);
  • extraction;
  • usage;
  • transmission (distribution, provision, access);
  • depersonalization;
  • blocking;
  • deletion;
  • destruction of personal data.

Regulations on working with personal data

The procedure for processing personal data by the operator may be established in the Regulations on working with personal data of employees (hereinafter referred to as the Regulations). There is no unified form for this document. Let's consider how to draw it up taking into account the requirements of Law N 152-FZ. The Regulations consist of several sections, which are presented in Table 2. The table also briefly indicates the information that the sections should contain. Detailed information is presented in a fragment of the Regulations on personal data of employees, which is given on p. 80.

Table 2. Structure of the Regulations on personal data of employees

| N | Section | Contents |
|---|---------|----------|
| 1 | General provisions | Purpose of adoption of the Regulations. Issues governed by the Regulations. References to regulations: indicate the documents on the basis of which the Regulations are drawn up. In organizations where state civil servants work, reference is given to: Federal Law of July 27, 2004 N 79-FZ "On the State Civil Service of the Russian Federation"; Decree of the President of the Russian Federation dated May 30, 2005 N 609 “On approval of the Regulations on personal data of a state civil servant of the Russian Federation and the maintenance of his personal file"; regulatory acts of a constituent entity of the Russian Federation |
| 2 | Basic concepts. Composition of employee personal data | Basic concepts. Definitions of the concepts "personal data", "processing of personal data", "use of personal data" are given, the storage period for documents is indicated, etc. It must be stated separately what counts as personal data in the specific company, taking into account its features (data used in work, for example, information about working at sensitive facilities, about obtaining access to state secrets, about health fitness for professions associated with heavy and harmful conditions, etc.). List of documents of the organization that contain personal data |
| 3 | Receipt of employees' personal data | Procedure for obtaining personal data. Indicates that the data is received and processed based on the written consent of the employee. Indicates cases where consent is not required |
| 4 | Use of personal data | Purposes for using personal information of employees |
| 5 | Processing of personal data | Conditions observed when processing employee personal data |
| 6 | Transfer of personal data (access to personal data) | The procedure for transferring personal data within the organization (internal access), and to third parties and government agencies (external access) |
| 7 | Responsibility for violation of the norms regulating the processing and protection of personal data | Identifies those who are responsible for violating the rules for storing and using personal data |

Fragment of the Regulations on personal data of employees

Introduction of the Regulations into force

The regulation on personal data is approved by the head of the company and put into effect by order of the organization (a sample is given on p. 90). A record of approval of the Regulations must be made in the register of local regulations.

If there is a trade union

If the company has a trade union, the Regulations must be agreed upon with it. To do this, the draft Regulations are sent to the elected body of the trade union (Article 372 of the Labor Code of the Russian Federation). It must express its opinion (in writing) no later than five working days from the date of receipt of the draft. If the union does not agree with the draft or has proposals for its improvement, the administration has two options. The first is to agree. The second is to conduct additional consultations with the trade union within three days after receiving a reasoned opinion in order to achieve a mutually acceptable solution. If this does not help, a protocol of disagreement should be drawn up. After this, the administration has the right to adopt the Regulations without taking into account the demands of the trade union. However, the union will be able to appeal the Regulations or begin the procedure for a collective labor dispute in the manner prescribed by Chapter 61 of the Labor Code.

Familiarization of employees with the Regulations

Employees must be familiarized with the Regulations against signature (clause 8 of Article 86 of the Labor Code of the Russian Federation). This fact can be recorded:

  • in the text of each employee's employment contract (a list of local regulations with which the employee is familiarized before signing the contract);
  • in a sheet for familiarization with the Regulations (sample on p. 91);
  • in a logbook for familiarizing employees with local regulations (sample on p. 91).

Sample sheet for familiarization with local regulations

| N p/p | Name of local regulatory act | Date | Signature |
|-------|------------------------------|------|-----------|
| 1 | Internal labor regulations of LLC "Black Forest" | 03.10.2011 | Evstakhov |
| 2 | Regulations on remuneration, bonuses and social security of employees of LLC "Black Forest" | 03.10.2011 | Evstakhov |
| 3 | Information security instructions, approved by Order dated June 15, 2008 N 1 | 03.10.2011 | Evstakhov |
| 4 | Statement on personal data | 03.10.2011 | Evstakhov |
| 5 | Provision on liability of workers for damage caused to Black Forest LLC | 03.10.2011 | Evstakhov |

Fragment of the introduction log for the Regulations on personal data

Note. Personal data storage period

Local regulations (regulations, instructions) on personal data must be stored permanently. As for employee statements of consent to data processing (they will be discussed in future issues), and other employee documents, they are stored for 75 years. This is stated in the List approved by Order of the Ministry of Culture of Russia dated August 25, 2010 N 558.

Administrative responsibility

Administrative liability measures for an enterprise and its officials for violating the procedure for receiving, processing, storing and protecting personal data of employees are given in Table 3. Mostly fines are provided; disqualification is not applied in this case.

Table 3. Responsibility for violating the procedure for obtaining, processing, storing and protecting personal data of employees

Work with personal information must be carried out in strict accordance with the law. In particular, one of the fundamental principles of processing personal information is strict compliance with the purposes of use stated in the permission from the owner and with the scope specified therein.

The concept of personal data and principles of their processing

One of the provisions establishes a requirement according to which all personal information about citizens of the Russian Federation must be located on servers located in the country. It is not allowed to supplement your information based on that taken from sites located outside Russian borders.

In a situation where a person considers any messages about him to be untrue, he can contact the operator (in accordance with Article 14 of Law 152-FZ) with a request to delete or adjust them accordingly.

In case of refusal, such a person has the right to go to court.

Consent to the processing of personal data

Such a document must contain the following sections:

  1. The document indicates who expresses consent and their passport details.
  2. The name of the operator to whom permission is given is stated.
  3. The purposes of processing for which consent is given are stated.
  4. The data for whose processing permission is given is specifically listed.
  5. All operations to be performed with the data are listed.
  6. The period of validity of the permit is stated.
  7. A signature, its decoding and the date are placed.

A permit drawn up according to the sample gives permission only for what is specifically stated in it.

The use of the information in question is necessary for:

  1. Maintaining documents in the HR department.
  2. Concluding contracts and performing other legal actions.
  3. In connection with compliance with tax legislation requirements.
  4. Other purposes of a similar kind.

It should be noted that:

  • in each such case, obtaining information is determined by regulations;
  • it is carried out in a certain composition, volume, for a specific period and only to fulfill the stated goals.

Examples of targeted use of personal information

In various spheres of the economy and public life, the personal data of citizens is vital.

In a medical institution, it is important to know details about a person's health throughout his life. In this case, the owner of the personal information is the patient. The operator who uses it is a clinic or other medical institution. It is required to obtain permission from Roskomnadzor for processing. If a clinic transfers data, for example, to a specialized hospital, it must obtain the written consent of the citizen.

For a bank, it is vitally important when granting a loan to reasonably assess whether the candidate will be able to repay the borrowed money or does not have suitable financial resources. This will require details about income, employment, family composition and some others. The owner of the information is the client. The bank is the operator that carries out the processing. The client has the right to revoke permission to use information about him. The goals of working with the information are to ensure compliance with the requirements of the banking legislation of the Russian Federation.

It is impossible to do without providing this or similar information. But it is important that its use does not violate the requirements of current regulations.

Rules and principles for working with information


It can be understood that a random person cannot obtain source texts directly from anonymized information. However, this organization itself will be able to restore it later.

Violations related to misuse of personal data

Starting from July 1, 2017, changes were made to the Code of Administrative Offenses, which define liability for violation of Law No. 152-FZ. If the established rules are violated, the law provides appropriate punishments.

If information is collected in cases where there is no legal basis for this, or processing is carried out for illegal purposes, a fine is imposed. For individuals, the amount will be from 1 to 3 thousand rubles, officials will pay from 5 to 10 thousand rubles, and enterprises from 30 to 50 thousand rubles.

If information was disclosed, a fine is assessed for each individual case. It can range from 500 to 1000 rubles for the employee through whose fault the violation occurred. If an organization is responsible for what happened, the amount increases: it can range from 5 to 10 thousand rubles.

The current normative act states that compliance with the provisions of Law 152-FZ should be monitored by Roskomnadzor. Before processing begins, the operator must send a notification there under Article 22 of the Personal Data Protection Law. Roskomnadzor, in particular, carries out appropriate checks and, if violations are detected, issues orders regarding deficiencies that need to be eliminated. If an order is not executed, a fine is imposed on the perpetrator, which can amount to 20 thousand rubles.
