The purpose of processing personal data under labor law. Determining the purposes of processing personal data and how to work with them


Processing of personal data means any action or operation performed with the subject’s personal data: collection, recording, systematization, accumulation, storage, clarification, extraction, use, transfer, depersonalization, blocking, deletion, destruction.

Why is information about the subject collected, and why is consent to its processing required?

For the client/patient

Information about a citizen’s health status belongs to a special category of personal data. According to Part 2, Clause 4, Art. 10 of Federal Law No. 152, processing of such information is permitted without the consent of the subject, provided that it is carried out for the purposes of:

  • establishing a diagnosis;
  • disease prevention;
  • provision of medical and medical-social services.

This rule is valid for situations where the processing is carried out by a professional doctor who is obliged to maintain medical confidentiality in accordance with the legislation of the Russian Federation.

An exception is also made for situations where consent cannot be obtained, but processing is necessary to protect the life or health of the patient.

If a person uses a service (enters into an agreement, applies for a loan and so on), that is, he is a client, personal information about him can also be processed in accordance with Federal Law No. 152.

Client data can be used for:

  1. Providing consulting, information and intermediary services.
  2. Conclusion and execution of an agreement with a client.
  3. Conducting HR and accounting services.
  4. Other transactions not prohibited by the legislation of the Russian Federation.

For an employee of the organization

The employer has the right to process the personal data of its employees; this is enshrined in Art. 22 of Federal Law No. 152. The purposes of processing personal data in an organization are:

  • Registration of civil contracts with citizens provided for by the Legislation of the Russian Federation and the Charter of the enterprise.
  • Personnel records, compliance with laws and registration of obligations under employment and civil law contracts.
  • Assistance in finding employment, obtaining education or promotion, registration and use of benefits.
  • Ensuring the personal safety of the employee and the safety of property.
  • Compliance with the requirements of tax and pension legislation when calculating contributions to pension insurance.
  • Formation of statistics in accordance with the Labor, Tax Codes and federal laws.
  • Monitoring the work performed by the employee.

These purposes follow from Article 86 of the Labor Code of the Russian Federation dated December 30, 2001 No. 197-FZ. Personal information about an employee classified as “special” is not subject to processing by the employer.

The validity period of the Consent to the processing of personal data must be established; this may be a specific date or event, for example, dismissal or withdrawal of consent by an employee.

Examples

Banking sector

Bank "Financial". The purpose of processing the client’s personal data is to carry out banking and other operations, including:

  1. Opening and maintaining bank accounts.
  2. Transfer of funds to bank accounts.
  3. Transfer of funds from individuals to individuals and legal entities without opening a bank account.
  4. Purchase and sale of foreign currency.
  5. Providing consulting and information services, including through an email address.

Medical organization

Medical organization "Health". Purpose of processing:

  • Organization of medical care.
  • Issuing preferential prescriptions.
  • Payment of bills in the compulsory medical insurance and voluntary medical insurance system.
  • Use for statistics and research work.
  • Informing via SMS notifications about test results, ongoing promotions and specialists’ work schedules.

Conclusion

Handling the personal data of a client or patient is not as simple as it seems at first glance. Such data cannot simply be transferred to third parties without consent and notice, nor used for purposes with which the subject does not agree. If a person discovers that his personal data has been leaked, he can always turn to Roskomnadzor or the court.


On July 1, 2017, Federal Law No. 13-FZ dated 02/07/2017 came into force, which amends Art. 13.11 of the Code of Administrative Offenses and provides for an expansion of the list of grounds for bringing to administrative responsibility for illegal activities and a significant increase in fines.

One of the mandatory documents that the personal data operator must prepare in order to comply with the requirements of the Federal Law of July 27, 2006 No. 152-FZ is called the Policy regarding the processing of personal data; it explains how the company works with the data of employees, clients and other individuals. This file is freely available on almost all sites that have any form of collecting personal data.

How to correctly draw up a Personal Data Processing Policy, which sections must be included? Roskomnadzor provides clarifications on these issues.

Structure of the Personal Data Processing Policy

  • General provisions
  • Purposes of collecting personal data
  • Legal grounds for processing personal data
  • Volume and categories of personal data processed, categories of personal data subjects
  • Procedure and conditions for processing personal data
  • Updating, correction, deletion and destruction of personal data, responses to requests from subjects for access to personal data

1. General provisions

In this section, you actually answer the question - what is the Personal Data Processing Policy intended for? It also explains the basic concepts used in the document, as well as the rights and obligations of the operator and the subject of personal data.

2. Purposes of collecting personal data

Art. 5 of Federal Law No. 152-FZ of July 27, 2006 requires the determination of specific, legitimate purposes for data collection. Therefore, it is not possible to process personal data that does not correspond to these purposes.

Roskomnadzor indicates that the purposes of processing personal data may be derived:

  • from the analysis of legal acts regulating the activities of the operator;
  • from the purposes of the activities actually carried out by the operator;
  • from the activities provided for by the operator’s constituent documents;
  • from specific business processes of the operator in specific information systems of personal data (by structural divisions of the operator and their procedures in relation to certain categories of personal data subjects).

3. Legal grounds for processing personal data

Federal Law No. 152-FZ dated July 27, 2006 is not the legal basis for the processing of personal data. This role is fulfilled by the legal acts in accordance with which the operator processes the data.

Thus, the following legal grounds can be specified in the Data Processing Policy:

  • federal laws and the regulations adopted on their basis that govern relations connected with the operator’s activities;
  • the operator’s statutory documents;
  • agreements concluded between the operator and the subject of personal data;
  • consent to the processing of personal data (in cases not expressly provided for by the legislation of the Russian Federation, but corresponding to the operator’s authority).

4. Volume and categories of personal data processed, categories of personal data subjects

It is important that the volume of personal data processed does not diverge from the stated purposes of processing.

Categories of personal data subjects may include: employees - both current and former, candidates for vacancies, relatives of employees, clients and counterparties (individuals), representatives or employees of clients and counterparties.

Roskomnadzor draws attention to the fact that for each category of subjects and in relation to specific purposes, all personal data processed should be indicated. All cases of processing of special categories of personal data and biometric personal data (if applicable) are described separately.

5. Procedure and conditions for processing personal data

What is stated in this section:

  • list of actions performed with personal data;
  • methods of processing personal data;
  • terms of processing of personal data.

If, in order to achieve the goals of processing personal data, the operator interacts with third parties, then he needs to:

  • explain the conditions for the transfer of personal data to third parties (including cross-border data transfer);
  • indicate the name and location of third parties;
  • indicate the purpose of data transfer and its volume;
  • list processing actions, methods and other conditions of processing, including requirements for the protection of processed personal data.

The operator has the right to transfer personal data to the bodies of inquiry and investigation, as well as other authorized bodies on the grounds provided for by law.

The Personal Data Processing Policy should include information on compliance with the confidentiality requirements of personal data (they are named in Article 7 of the Federal Law of July 27, 2006 No. 152-FZ) and information on taking measures (Part 2 of Article 18.1, Part 1 of Art. 19).

In addition, the operator must indicate the condition for terminating the processing of personal data. This may be the achievement of processing goals, expiration of consent to processing, withdrawal of consent of the subject of personal data to processing, identification of unlawful data processing.

Special attention should be paid to the storage of personal data. Firstly, the storage periods must be stated. Secondly, the databases used must be located on the territory of the Russian Federation. Thirdly, storage in a form that allows the subject of personal data to be identified must last no longer than the purposes of processing require. Fourthly, other storage conditions must be mentioned, including those for processing data without the use of automation tools.

6. Updating, correction, deletion and destruction of personal data, responses to requests from subjects for access to personal data

According to Art. 21 of Federal Law No. 152-FZ, personal data must be updated by the operator if the inaccuracy of the personal data is confirmed. The same applies when the unlawfulness of processing is confirmed.

Personal data is subject to destruction when the purposes of its processing are achieved and in the event that the subject of personal data withdraws consent to its processing, unless otherwise provided by an agreement to which the subject of personal data is a party, beneficiary or guarantor, or by another agreement between the operator and the subject of personal data, or unless the operator is not entitled to process the data without the consent of the subject on the grounds provided for by Federal Law No. 152-FZ of July 27, 2006 or other federal laws.

Based on Art. 20, the operator is obliged, upon request, to provide the subject of personal data with information about the processing of his personal data carried out by the operator.

Roskomnadzor recommends including in the Personal Data Processing Policy regulations for responding to requests and appeals from personal data subjects, their representatives, and authorized bodies regarding the inaccuracy of data, the illegality of their processing, withdrawal of consent and access to their data. It would be a good idea to add appropriate forms of requests and appeals to the Policy.

Posting the Personal Data Processing Policy in the office and on the website

Any person whose data is processed by the company has the right to familiarize himself with the Personal Data Processing Policy. Therefore, it must be posted in a publicly accessible place, for example on an information stand.

If a company collects personal data via the Internet, it is obliged to post the Policy on the website. A site visitor can view it by clicking on the link.


The company cannot do without obtaining personal information from employees, clients and contractors: it needs names, addresses and other information. However, the company has the right to process personal data only for specific purposes. Any other use of the data is a violation that will result in administrative liability.

The purposes for which information is requested must be consistent with the law and the needs of the company.

In the course of doing business, a company deals with information that needs to be protected. Confidential information includes information about technologies, projects, developments, the specifics of transactions, etc. The law also requires the protection of information about people who work for the company, are its clients or represent counterparties. The Federal Law “On Personal Data” gives effect to the constitutional principle of protecting private life (Article 2 of Law No. 152). The requirements of the law apply to any organization that receives data from its subjects (Article 1 of Law No. 152).

A company that begins to process personal data has the right to request it only for certain purposes (Part 2, Article 5 of Law No. 152). In addition, the volume of data depends on the goals. You cannot request information that the company does not need (Parts 4 and 5 of Article 5 of Law No. 152). For example, an online store does not have the right to require passport data from the buyer or ask to indicate a postal address if the client picks up the goods by self-pickup.

The company itself determines the purposes for processing personal data of clients and employees

What exactly the information is needed for is determined by the company (Clause 2, Article 3 of Law No. 152). As a rule, an organization requests the personal data of clients, contractors and employees for the purposes of:

  1. Conclusion of contracts. These could be contracts with consumers of the company’s services or goods, with other types of clients, with business partners, employment agreements, etc. For any contract that the company is going to sign, personal data will be required: that of the employee who acts in its interests, of the counterparty’s representative, or of the counterparty itself if it is a private individual. The data is also needed so that the company can fulfil its obligations.
  2. Systematization of information about personnel, maintaining personnel records and office work. Employee data is necessary not only for concluding employment contracts, but also for all other transactions within the framework of the employment relationship.
  3. Compliance with the requirements of the law on the deduction of taxes to the budget, insurance contributions, etc. The company withholds personal income tax contributions from employees and transfers these amounts to the state, the Pension Fund and other organizations (Article 22 of Law No. 152, Article 86 of the Labor Code of the Russian Federation).
  4. Formation of statistics. For this purpose, the data must be anonymized (Clause 9, Part 1, Article 6 of Law No. 152).


The company is obliged to warn the subject of personal data about the purposes of processing

The company is obliged to notify the employee or client of the purpose for which it requests his personal data for processing (Clause 4, Part 4, Article 9 of Law No. 152). This is done as part of obtaining consent to provide information. The list of goals should:

  • be comprehensive and specific;
  • comply with the provisions of the charter, as well as local acts of the organization;
  • correspond to what goals the company actually pursues.

For example, a bank requests information from a client. The purpose of processing is to service his account, including:

  • opening an account,
  • account keeping,
  • operations for transferring funds from and to an account,
  • client consultation.

Another example is the list of purposes for processing employees’ personal data in a company policy. The organization stipulates that the information is used:

  • when working with applicants’ resumes;
  • to fulfill the company’s obligations under the employment agreement;
  • to comply with labor, tax and pension laws;
  • to organize employee training and improve their professional level;
  • when calculating and accruing wages;
  • to control the quality of employee work;
  • when providing various guarantees and benefits, etc.

Consent to processing must be obtained from the data subject in almost all cases. If the purpose of the collection is to promote the company on the market or political propaganda, the operator is obliged to prove that the person has given consent (Part 1, Article 15 of Law No. 152). Otherwise, consent is deemed not to have been requested.

In addition to the agreement with the employee or client, the purposes for obtaining data must be reflected in a special document - the company policy on working with such data. This must be a public document. As a rule, it is published on the organization’s website in a special section.


The regulation on the processing and protection of personal data establishes the procedure for collecting, accumulating, storing, using, deleting, etc. information about employees of the enterprise. The document must describe the procedure for transferring PD to third parties, the features of automated and non-automated PD processing, the procedure for accessing PD, the procedure for organizing internal control, and liability for violations during PD processing.

How to draw up a regulation on the processing and protection of personal data

The document is developed in accordance with the legislation of the Russian Federation on personal data and the regulatory and methodological documents of executive bodies of state power on PD security when PD are processed in PD information systems.

The Personal Data Protection Regulation usually consists of 11 sections:

  1. General provisions.
  2. Goals and objectives of PD processing.
  3. Personal data processed in ISPD (full name, date of birth, contact phone number, registration address, actual residence address).
  4. Access to PD.
  5. Basic requirements for personal data protection.
  6. Consent to PD processing.
  7. Rights of the subject in relation to personal data processed by the operator.
  8. Rights and obligations of the ISPD operator.
  9. Procedure for processing and protecting personal data.
  10. Peculiarities of processing personal data of the operator’s employees.
  11. Liability for violation of this provision.

The provisions on the processing and protection of personal data apply to all processes of collection, systematization, accumulation, storage, clarification, use, distribution (including transfer), depersonalization, blocking, destruction of personal data, carried out using automation tools and without their use.

Subjects of personal data

PD subjects include:

  • Operator's employees.
  • Candidates for employment.
  • Clients (consumers of operator services).
  • Individual entrepreneurs who are the operator’s counterparties.
  • Clients of organizations, counterparties of the operator (servicing corporate clients).
  • Other individuals whose personal data is processed by the operator.

The regulation on the processing and protection of personal data comes into force from the moment of its approval and is valid indefinitely until it is replaced by a new regulation. All employees of the organization must be familiar with this document against signature.

(Full name of the operator)
"APPROVED"
Individual entrepreneur
(job title) (personal signature) (full name)

Regulations on the processing and protection of personal data

General provisions

1.1. This Regulation has been developed in accordance with the legislation of the Russian Federation on personal data (hereinafter referred to as PD) and the regulatory and methodological documents of executive bodies of state power on PD security when PD are processed in personal data information systems (hereinafter referred to as ISPD).

1.2. For the purposes of this Regulation, the following terms are used:

personal data (PD) - any information relating to a directly or indirectly identified or identifiable individual (the PD subject);

operator - a state body, municipal body, legal entity or individual who, independently or jointly with other persons, organizes and (or) carries out the processing of personal data, and also determines the purposes of processing personal data, the composition of the personal data to be processed, and the actions (operations) performed with personal data;

PD processing - any action (operation) or set of actions (operations) performed with PD using automation tools or without the use of such tools, including collection, recording, systematization, accumulation, storage, clarification (updating, changing), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data;

automated processing of personal data - processing of personal data using computer technology;

distribution of personal data - actions aimed at disclosing personal data to an indefinite number of persons;

provision of PD - actions aimed at disclosing PD to a certain person or a certain circle of persons;

PD blocking - temporary cessation of PD processing (except for cases where processing is necessary to clarify PD);

destruction of PD - actions as a result of which it becomes impossible to restore the content of PD in the ISPD and/or as a result of which the material media of PD are destroyed;

depersonalization of PD - actions as a result of which it becomes impossible, without the use of additional information, to determine whether the PD belong to a specific PD subject;

personal data information system (ISPD) - a set of personal data contained in databases, together with the information technologies and technical means that ensure their processing;

cross-border transfer of personal data - transfer of personal data to the territory of a foreign state, to an authority of a foreign state, a foreign individual or a foreign legal entity.

1.3. This Regulation determines the procedure and conditions for the processing of PD in (hereinafter referred to as the Operator), including the procedure for transferring PD to third parties, the features of automated and non-automated PD processing, the procedure for accessing PD, the PD protection system, the procedure for organizing internal control, liability for violations during PD processing, and other matters.

1.4. This Regulation applies to all processes of collection, systematization, accumulation, storage, clarification, use, distribution (including transfer), depersonalization, blocking and destruction of personal data, carried out using automation tools and without their use.

1.5. This Regulation comes into force from the moment it is approved by the Operator and is valid indefinitely until it is replaced by a new Regulation.

1.6. All changes to this Regulation are made by order.

1.7. All employees of the Operator must be familiarized with this Regulation against signature.

Goals and objectives of PD processing

2.1. Processing of personal data shall be limited to achieving specific, pre-defined and legitimate purposes. Processing of personal data that is incompatible with the purposes of collecting personal data is not permitted.

2.2. It is not allowed to combine databases containing personal data that are processed for purposes incompatible with each other.

2.3. Only personal data that meet the purposes of their processing are subject to processing.

2.4.

2.5. Processing of personal data of the Operator's employees may be carried out solely for the purpose of ensuring compliance with laws and other regulations, assisting employees in employment, training and promotion, ensuring the personal safety of employees, monitoring the quantity and quality of work performed, and ensuring the safety of the Operator's property.

2.6. The main purposes of PD processing are:

Additional purposes for processing personal data are: .

2.7. The ISPD provides solutions to the following tasks: .

Personal data processed in the ISPD

3.1. The ISPD processes the personal data of the following PD subjects:

3.1.1. Operator's employees;

3.1.2. clients (consumers of the Operator’s services);

3.1.3. individual entrepreneurs - counterparties of the Operator;

3.1.4. clients of organizations that are counterparties of the Operator (servicing of corporate clients);

3.2. This list may be revised as necessary.

3.3. Personal data of PD subjects includes:

3.4. Complete lists of processed personal data are formed in the list of personal data subject to protection in the Operator's information system.

Access to personal data

4.1. Employees of the Operator who, due to their official duties, constantly work with personal data receive access to the required categories of personal data for the period of performance of their respective official duties, on the basis of the list of persons authorized to work with personal data, which is approved by the Head of the Operator. The list is compiled on the basis of the Information Security Concept and the Information Security Policy.

4.2. The list of persons who have access to personal data in the information system must be kept up to date.

4.3. The Operator has established a permission-based procedure for access to personal data. The Operator's employees are granted access to personal data only to the extent necessary for them to perform their official duties, on the basis of a decision of the Manager.

4.4. Temporary or one-time permission to work with personal data due to official needs can be obtained by an employee of the Operator with the approval of the Manager.

4.5. Access to PD by third parties who are not employees of the Operator without the consent of the PD subject is prohibited, with the exception of access by employees of executive authorities carried out as part of measures to control and supervise compliance with legislation and the exercise of the functions and powers of the relevant government bodies. The provision of information at the request or demand of a government authority is carried out with the knowledge of the Head of the Operator.

4.6. If an employee of a third-party organization needs access to the Operator’s PD, the agreement with the third-party organization must stipulate the terms of PD confidentiality and the obligation of the third-party organization and its employees to comply with the requirements of current legislation in the field of PD protection. In addition, where persons who are not employees of the Operator are given access to PD, the consent of the PD subjects to the provision of their PD to third parties must be obtained. This consent is not required if PD is provided for the purpose of executing a civil contract concluded by the Operator with the PD subject.

4.7. Access of the Operator's employee to personal data is terminated from the date of termination of the employment relationship, or from the date of a change in the employee's job responsibilities and/or exclusion of the employee from the list of persons entitled to access personal data. In case of dismissal, all media containing PD which, in accordance with job responsibilities, were at the employee's disposal during work must be transferred to the appropriate official.

Basic requirements for personal data protection

5.1. When processing personal data in the information system, the following must be ensured:

a) carrying out measures aimed at preventing unauthorized access to personal data and/or their transfer to persons who do not have the right to access such information;

b) timely detection of facts of unauthorized access to personal data;

c) preventing impacts on the technical means of automated processing of personal data as a result of which their functioning may be disrupted;

d) the possibility of immediate restoration of personal data modified or destroyed due to unauthorized access;

e) constant control over the level of PD security.

5.2. The Operator is obliged to take the necessary legal, organizational, technical and other measures to ensure the security of personal data.

5.3. To develop security requirements and implement a PD security system, the Operator has developed a “Model of PD security threats when processed in an ISPD” based on the regulatory and methodological document of the FSTEC of Russia “Basic model of threats to the security of personal data during their processing in personal data information systems”.

5.4. In accordance with the governing document of government agencies, Decree of the Government of the Russian Federation dated November 1, 2012 No. 1119 “On approval of requirements for the protection of personal data during their processing in personal data information systems”, the Operator has carried out the classification of its ISPD.

5.5. The Commission has drawn up a Certificate of Classification of the ISPD processed using automation tools:

ISPD classification act | ISPD classification date | Required level of security

5.6. On the basis of the ISPD verification report and in accordance with the regulatory and methodological document of the FSTEC of Russia “Main measures for the organization and technical support of the security of personal data processed in personal data information systems”, the Operator has developed and implemented a set of measures to protect and ensure the security of personal data (the “Action Plan for ensuring the security of personal data”).

5.7. The Operator uses technical means and software to process and protect personal data. A log of personal data protection means is also kept.

5.8. The Operator maintains a log of the accounting and storage of removable storage media.

5.9. The above technical means of the ISPD are located in the office and premises of the Operator.

5.10. All persons authorized to work with PD, as well as those involved in the operation and technical support of the ISPD, must be familiarized with the requirements of this Regulation against signature, and must also sign the “Agreement on ensuring the confidentiality of personal data by the Operator’s employees” given in the Appendix to this Regulation.

5.11. The Operator has organized a training process for the use of the personal data protection means operated by the Operator. Training in this area is recommended for persons with permanent access to PD and for persons operating the hardware and software of the ISPD and its protection means. Persons responsible for operating the information security tools of the ISPD must undergo mandatory training.

5.12. Employees are obliged to immediately notify the relevant official of the Operator about the loss or shortage of storage media containing personal data, as well as about the reasons and conditions of a possible leak of personal data. If unauthorized persons attempt to obtain from an employee PD processed by the Operator, the employee must immediately notify the appropriate official of the Operator.

Consent to PD processing

6.1.

The PD subject decides to provide his PD and consents to its processing freely, of his own free will and in his own interest. Consent to the processing of personal data must be specific, informed and conscious. Consent to the processing of personal data can be given by the subject of personal data or his representative in any form that allows confirmation of the fact of its receipt, unless otherwise provided by the legislation of the Russian Federation. If consent to PD processing is received from a representative of the PD subject, the powers of this representative to give consent on behalf of the PD subject are verified by the Operator.

6.2.

Written consent to the processing of personal data is obtained by an employee of the Operator at the time the personal data is received from the PD subject, by having the subject sign a written consent in the form established by the Operator for the ISPD.

Rights of the subject in relation to personal data processed by the operator

7.1.

The PD subject has the right:

To receive information from the Operator regarding the processing of his personal data. The information must be provided to the PD subject by the Operator in an accessible form, and it should not contain PD relating to other PD subjects, unless there are legal grounds for disclosing such PD. The list of information and the procedure for obtaining information are provided for by the current legislation of the Russian Federation;

Require the Operator to clarify his personal data, block it or destroy it if the personal data is incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing, and also take measures provided for by the legislation of the Russian Federation to protect his rights;

To have his prior written consent obtained before his personal data is processed for the purpose of promoting goods, works or services on the market by making direct contact with potential consumers using means of communication, or for the purposes of political propaganda;

To have his written consent obtained before the Operator makes, on the basis of exclusively automated processing of PD, decisions that give rise to legal consequences for the PD subject or otherwise affect his rights and legitimate interests;

File objections to the Operator’s decisions based solely on automated processing of his personal data and the possible legal consequences of such a decision;

Appeal the actions or inaction of the Operator to the authorized body for the protection of the rights of personal data subjects or in court.

Rights and obligations of the ISPD operator

8.1.

The ISPD operator has the right:

8.1.1.

Entrust the processing of PD to another person with the consent of the PD subject, unless otherwise provided by federal law, on the basis of an agreement concluded with this person, including a state or municipal contract, or by adoption of a corresponding act by a state or municipal body.

8.1.2.

If the PD subject withdraws consent to PD processing, continue PD processing without the consent of the PD subject if there are grounds specified in the legislation of the Russian Federation.

8.1.3.

Refuse to fulfill a repeated request from the PD subject for information if the request does not meet the conditions provided for by the legislation of the Russian Federation. Such a refusal must be motivated. The burden of proving that the refusal to fulfill a repeated request is justified lies with the Operator.

8.1.4.

Independently determine the composition and list of measures necessary and sufficient to ensure the fulfillment of the obligations of the ISPD Operator provided for by the legislation of the Russian Federation.

8.2.

The ISPD operator is obliged to:

8.2.1.

Before starting PD processing, notify the authorized body for the protection of the rights of PD subjects of its intention to process PD, except in cases provided for by the legislation of the Russian Federation.

8.2.2.

When gaining access to PD, do not disclose PD to third parties or distribute PD without the consent of the PD subject, unless otherwise provided by federal law.

8.2.3.

Provide evidence of obtaining the consent of the PD subject to the processing of his PD or proof of the existence of legal grounds for processing PD without the consent of the PD subject.

8.2.4.

Before the cross-border transfer of personal data begins, make sure that the foreign state into whose territory the personal data is transferred provides adequate protection of the rights of personal data subjects.

8.2.5.

At the request of the PD subject, stop processing his PD in order to promote goods, works, services on the market by making direct contacts with potential consumers using communications, as well as for the purposes of political propaganda.

8.2.6.

Explain to the PD subject the procedure for making a decision based solely on automated processing of his PD and the possible legal consequences of such a decision, provide the opportunity to object to such a decision, and also explain the procedure for the PD subject to protect his rights and legitimate interests.

The operator is obliged to consider the objection within thirty days from the date of its receipt and notify the PD subject about the results of consideration of such an objection.

8.2.7.

When collecting PD, provide the PD subject, at his request, with the information provided for by the legislation of the Russian Federation.

If the provision of PD to the Operator for the PD subject is mandatory in accordance with federal law, the Operator is obliged to explain to the PD subject the legal consequences of refusal to provide his PD.

8.2.8.

If the PD is not received from the PD subject, the Operator, except for cases provided for by the legislation of the Russian Federation, before processing such PD, provides the PD subject with the following information:

1) name or surname, first name, patronymic and address of the operator or his representative;

2) the purpose of PD processing and its legal basis;

3) intended users of personal data;

4) the rights of the subject of personal data established by this Federal Law;

5) source of obtaining PD.

8.2.9.

Take measures necessary and sufficient to ensure the fulfillment of the obligations of the ISPD Operator provided for by the legislation of the Russian Federation.

8.2.11.

When collecting PD using information and telecommunication networks, publish in the relevant information and telecommunication network a document defining its policy regarding the processing of PD and information about the implemented requirements for the protection of PD, and also provide the ability to access that document using the means of the relevant information and telecommunication network.

8.2.12.

Submit documents and local acts provided for by the legislation of the Russian Federation, and/or otherwise confirm the adoption of measures necessary and sufficient to ensure the fulfillment of the obligations of the ISPD Operator, at the request of the authorized body for the protection of the rights of PD subjects.

8.2.13.

When processing PD, take the necessary legal, organizational and technical measures or ensure their adoption to protect PD from unauthorized or accidental access to it, destruction, modification, blocking, copying, provision, distribution of PD, as well as from other unlawful actions in relation to PD.

8.2.14.

Provide, free of charge and in the manner prescribed by the legislation of the Russian Federation, the PD subject or his representative with information about the existence of personal data relating to that PD subject, and also give them the opportunity to familiarize themselves with that personal data when the PD subject or his representative applies, or within thirty days from the date of receipt of the request of the PD subject or his representative.

8.2.15.

If the Operator refuses to provide the PD subject or his representative, upon their application or request, with information about the existence of PD relating to that PD subject or with the PD itself, the Operator is obliged to give a reasoned written response containing a reference to the provision of the legislation of the Russian Federation on which the refusal is based, within a period not exceeding thirty days from the date of the application of the PD subject or his representative or from the date of receipt of their request.

8.2.16.

Within a period not exceeding seven working days from the date the subject of the PD or his representative provides information confirming that the PD is incomplete, inaccurate or irrelevant, the Operator is obliged to make the necessary changes to them. Within a period not exceeding seven working days from the date the PD subject or his representative submits information confirming that such PD is illegally obtained or is not necessary for the stated purpose of processing, the operator is obliged to destroy such PD. The operator is obliged to notify the PD subject or his representative about the changes made and measures taken and take reasonable measures to notify third parties to whom the PD of this subject were transferred.

8.2.17.

Report to the authorized body for the protection of the rights of personal data subjects, at the request of this body, the necessary information within thirty days from the date of receipt of such a request.

8.2.18.

If unlawful processing of PD carried out by the Operator or by a person acting on behalf of the Operator is detected, the Operator, within a period not exceeding three working days from the date of detection, is obliged to stop the unlawful processing of PD or ensure that the person acting on its behalf stops it. If it is impossible to ensure the legality of PD processing, the Operator, within a period not exceeding ten working days from the date of detection of the unlawful PD processing, is obliged to destroy such PD or ensure its destruction. The Operator is obliged to notify the PD subject or his representative about the elimination of the violations or the destruction of the PD, and, if the application of the PD subject or his representative or the request was sent by the authorized body for the protection of the rights of PD subjects, also that body.

8.2.19.

If the purpose of processing personal data is achieved, the Operator is obliged to stop processing personal data or ensure its termination (if processing of personal data is carried out by another person acting on behalf of the Operator) and destroy the personal data or ensure its destruction (if processing of personal data is carried out by another person acting on behalf of the Operator) within a period not exceeding thirty days from the date of achieving the purpose of PD processing, unless otherwise provided by the agreement to which the PD subject is a party, beneficiary or guarantor, or by another agreement between the Operator and the PD subject, or if the Operator does not have the right to process PD without the consent of the PD subject on the grounds provided for by the legislation of the Russian Federation.

8.2.20.

If the PD subject withdraws consent to the processing of his PD, stop the processing or ensure its termination (if the PD processing is carried out by another person acting on behalf of the Operator) and, if the PD no longer needs to be retained for the purposes of PD processing, destroy the PD or ensure its destruction (if PD processing is carried out by another person acting on behalf of the Operator) within a period not exceeding thirty days from the date of receipt of the withdrawal, unless otherwise provided by the agreement to which the PD subject is a party, beneficiary or guarantor, or by another agreement between the Operator and the PD subject, or if the Operator does not have the right to process PD without the consent of the PD subject on the grounds provided for by the legislation of the Russian Federation.

8.2.21.

Appoint a person responsible for organizing the processing of personal data.

Procedure for processing and protecting personal data

9.1.

Ensuring the confidentiality of personal data processed by the Operator is a mandatory requirement for all persons to whom the personal data has become known.

9.2.

Operator employees who process documents containing PD are required, in the cases established by law, to obtain the consent of PD subjects to the processing.

9.3.

In case of violation of the established procedure for processing PD, the Operator’s employees are liable in accordance with Section 9 of these Regulations.

9.4.

PD of subjects on paper, processed by the Operator, is stored in departments (with employees) who have permission to process the relevant PD. The right to admit employees to a non-automated ISPD is determined by order of the Manager. Personal data carriers should not be left unattended. When leaving the workplace, employees processing personal data must put the media in a safe, locked cabinet or otherwise limit unauthorized access to the media. If PD is lost or damaged, it is restored whenever possible.

9.5.

Storage locations for documents containing PD:

9.5.1.

PD of the Operator's clients (contracts, acts, agreements, questionnaires, copies of passports, other similar documents containing PD of the Operator's clients, and storage media (flash cards, CDs, etc.)) are stored in the main and reserve offices of the Operator, placed on shelves and locked with a key. The responsible person exercising control is determined by order of the Manager.

9.5.2.

Personal data of the Operator's employees - documents, storage media (flash cards, CDs, etc.) are stored in the company safe and locked with a key. The responsible person exercising control is the Head of the Operator.

9.6.

Issuance of documents for review is carried out to persons admitted to the relevant information for the purpose of performing official duties, for a period of no more than one working day.

9.7.

Other storage media may be stored in the Operator’s main and backup offices, placed on shelves and locked with a key, or in the organization’s safe. The responsible person exercising control over other information carriers is determined by order of the Manager.

9.8.

When working with the Operator's automated software system that implements the functions of viewing and editing PD, it is prohibited to show screen forms containing such data to persons who do not have the appropriate clearance.

9.9.

When an employee of the Operator who, in accordance with his job duties, receives PD from a client or from an employee of another entity receives such PD, the authenticity of the PD must be checked. PD received by the Operator is entered into the information system by employees who have access to the relevant PD. Employees entering information are responsible for the accuracy and completeness of the information entered.

9.10.

Features of processing personal data contained on paper, without the use of automation tools (a personal computer is not used when drawing up documents), are established in accordance with the Decree of the Government of the Russian Federation of September 15, 2008 N 687 "On approval of the Regulations on the features of processing personal data carried out without the use of automation tools".

9.11.

When manually processing different categories of personal data, a separate material medium must be used for each category of personal data.

9.12.

In case of non-automated processing of personal data on paper:

9.12.1.

It is not allowed to record on one paper medium PD, the purposes of processing of which are obviously incompatible;

9.12.2.

PD must be separated from other information, in particular by recording them on separate paper media, in special sections or in the fields of forms (blank forms);

9.13.

When using standard forms of documents, the nature of the information in which suggests or allows the inclusion of PD in them (hereinafter referred to as standard forms), the following conditions must be met:

9.13.1.

The standard form or related documents (instructions for filling it out, cards, registers and journals) must contain information about the purpose of non-automated processing of PD, the name (or surname, first name and patronymic) and address of the Operator, the surname, first name, patronymic and address of the PD subject, the source of receipt of the PD, the time limits for processing the personal data, a list of actions with the personal data that will be performed during their processing, and a general description of the methods of processing personal data used by the Operator;

9.13.2.

The standard form should include a field in which the PD subject can mark his consent to non-automated PD processing, if it is necessary to obtain written consent to PD processing;

9.13.3.

The standard form must be drawn up in such a way that each of the PD subjects contained in the document has the opportunity to familiarize themselves with their PD contained in the document without violating the rights and legitimate interests of other PD subjects;

9.13.4.

The standard form should exclude the combination of fields intended for entering personal data, the purposes of processing of which are obviously incompatible.

9.14.

Storage of PD must be carried out in a form that allows identifying the subject of PD, no longer than required by the purposes of processing PD, unless the storage period for PD is established by federal law, an agreement to which the subject of PD is a party, beneficiary or guarantor.

9.15.

Cases of destruction, blocking and clarification of personal data:

9.16.

Destruction or depersonalization of part of the personal data, if the tangible medium permits it, may be carried out in a way that precludes further processing of that personal data while maintaining the possibility of processing the other data recorded on the tangible medium (deletion, erasure).

9.17.

Clarification of personal data when processing them without the use of automation tools is carried out by updating or changing the data on the tangible medium, and, if the technical features of the material medium do not allow this, by recording on the same material medium information about the changes made to them, or by producing a new material medium with the updated PD.

9.18.

Destruction of media containing personal data is carried out in the following order:

9.18.1.

PD on paper is destroyed using shredders (document shredders) installed in the Operator’s office.

9.18.2.

PD located in the PC memory is destroyed by deleting it from the PC memory.

9.18.3.

PD located on a flash card, CD, or other storage medium is destroyed by deleting the file from the medium, if necessary, by disrupting the functionality of the flash card or CD.

9.19.

A report on the destruction of the storage medium is drawn up (for the forms of reports, see the appendices).
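The destruction procedure in 9.18 and the destruction report in 9.19 can be carried out together in one step for PD held as a file on a flash card or similar medium. The following Python script is an added illustration and is not part of the Operator's Regulation or its appendices: it overwrites the file before deleting it (going beyond the plain deletion clause 9.18.3 requires), verifies that the file is gone, and produces the record from which the destruction act of 9.19 would be drawn up. The field names, the constructed sample file and the responsible person's name are assumptions of this example, not the Operator's report form.

```python
"""Destroy a file holding PD on a removable medium and record a destruction act.

Added example, not the Operator's own procedure: the Regulation requires
deleting the file; this script additionally overwrites it before deletion
and records the facts a destruction report (clause 9.19) needs.
"""
import hashlib
import json
import os
import secrets
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 64 * 1024


def _fingerprint(path: Path) -> str:
    """SHA-256 of the file content, recorded so the act identifies what was
    destroyed without retaining a copy of the PD itself."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def destroy_file(path, responsible: str, passes: int = 1) -> dict:
    """Overwrite the file in place `passes` times with random bytes, sync it
    to the medium, unlink it, and return the data for the destruction act."""
    path = Path(path)
    if not path.is_file():
        raise FileNotFoundError(path)
    size = path.stat().st_size
    digest = _fingerprint(path)
    # "r+b" opens without truncation, so the same blocks are rewritten rather
    # than a new allocation being made and the old content left behind.
    with path.open("r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                f.write(secrets.token_bytes(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # force the overwrite out to the medium
    path.unlink()
    return {
        "destroyed_at": datetime.now(timezone.utc).isoformat(),
        "medium": str(path),
        "size_bytes": size,
        "sha256_before": digest,
        "method": f"overwrite x{passes}, then unlink",
        "responsible": responsible,          # constructed field name
        "verified_absent": not path.exists(),
    }


def write_act(record: dict, act_path) -> Path:
    """Append one JSON line per destroyed medium to the act register."""
    act_path = Path(act_path)
    with act_path.open("a", encoding="utf-8") as f:
        f.write(json.dumps(record, ensure_ascii=False) + "\n")
    return act_path


def demo() -> dict:
    # Constructed sample: a temporary directory stands in for the removable
    # medium and holds one file of (made-up) client PD.
    d = Path(tempfile.mkdtemp())
    sample = d / "client_questionnaire.txt"
    sample.write_bytes(b"Surname: Sample  Passport: 00 00 000000 (constructed)\n" * 100)
    record = destroy_file(sample, responsible="I. I. Ivanov (constructed)")
    write_act(record, d / "destruction_acts.jsonl")
    return record


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2, ensure_ascii=False))
```

The overwrite step is a best-effort measure: on flash cards and SSDs the controller's wear levelling may keep the old blocks even after they are rewritten in place, which is why clause 9.18.3 also allows physically disabling the flash card or CD when necessary. The act record keeps only a hash of the former content, so the register itself does not become a new copy of the PD.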

9.20.

At the end of the working day, and whenever no employees are present in them, the Operator's office premises must be locked, the windows must be closed, and the alarm (if any) must be switched on.

9.21.

Network equipment and servers should be located in places inaccessible to unauthorized persons (in special rooms, cabinets, boxes).

9.22.

Cleaning of premises and maintenance of ISPD technical equipment must be carried out under the control of persons responsible for these premises and technical means in compliance with measures that exclude unauthorized access to PD, information carriers, software and hardware for processing, transmitting and protecting ISPD information.

9.23.

The responsibilities of ISPD administrators include managing ISPD user accounts, maintaining the regular operation of ISPD, ensuring data backup, and installing and configuring ISPD hardware and software not related to ensuring the security of PD in ISPD. The responsibilities of ISPD administrators also include ensuring that the procedure for processing and securing PD in ISPD complies with the confidentiality, integrity and availability requirements imposed on the specific ISPD, and with the general requirements for the security of personal data established by federal legislation.

9.24.

The responsibilities of ISPD administrators also include installation, configuration and administration of hardware and software protection of ISPD information, accounting and storage of machine media of PD, periodic audit of security logs and analysis of the security of ISPD, as well as participation in official investigations of violations of the established procedure for processing and ensuring the security of PD.

9.25.

In order to ensure the separation of powers, implement mutual control and prevent the concentration of powers critical to the security of personal data in one person, it is not recommended to combine the roles of ISPD user and ISPD administrator in one employee.

9.26.

Qualification requirements and a detailed list of rights and responsibilities of ISPD administrators are set out in the relevant job descriptions, which employees appointed to these roles must be familiar with upon signature.

9.27.

The organization of internal control of the PD processing process at the Operator is carried out in order to study and assess the actual state of PD security, timely response to violations of the established procedure for their processing, as well as in order to improve this procedure and ensure its compliance.

9.28.

Measures to implement internal control over the processing and security of personal data are aimed at solving the following tasks:

9.28.1.

Ensuring compliance by the Operator’s employees with the requirements of these Regulations and regulations governing the scope of personal data.

9.28.2.

Assessing the competence of personnel involved in processing personal data.

9.28.3.

Ensuring the operability and effectiveness of ISPD technical means and PD protection means, their compliance with the requirements of authorized executive authorities on PD security issues.

9.28.4.

Detection of violations of the established procedure for processing personal data and timely prevention of the negative consequences of such violations.

9.28.5.

Taking corrective measures aimed at eliminating identified violations, both in the procedure for processing PD and in the operation of technical means of ISPD.

9.28.7.

Exercising internal control over the implementation of recommendations and instructions to eliminate violations.

9.29.

The results of control activities are documented in acts and are the basis for developing recommendations for improving the procedure for processing and ensuring the security of personal data, for modernizing the technical means of information systems and means of protecting personal data, for training and improving the competence of personnel involved in processing personal data.

Features of managing personal data of operator employees

10.1.

This section establishes additional rights and obligations of the Operator and employees when processing personal data of the Operator’s employees.

10.2.

Employee personal data is information required by the Operator in connection with labor relations and relating to a specific employee.

10.3.

Processing of an employee’s personal data can be carried out solely for the purpose of ensuring compliance with laws and other regulations, assisting employees in employment, training and promotion, ensuring the personal safety of employees, monitoring the quantity and quality of work performed and ensuring the safety of property.

10.4.

The operator does not have the right to receive and process an employee’s personal data about his membership in public associations or his trade union activities, except in cases provided for by federal laws;

10.5.

When making decisions affecting the interests of an employee, the Operator does not have the right to rely on the employee’s personal data obtained solely as a result of their automated processing or electronic receipt;

10.6.

Employees must not waive their rights to maintain and protect secrets;

10.7.

The operator undertakes not to disclose the employee’s personal information for commercial purposes without his written consent;

10.8.

The Operator undertakes to warn the Operator’s employees and third parties receiving the employee’s personal data (with his consent) that this data can only be used for the purposes for which it was communicated, and require these persons to confirm that this rule is complied with. Persons receiving an employee's personal data are required to observe a regime of secrecy (confidentiality). The confidentiality regime is ensured by signing an agreement with the person (Appendix to these Regulations). This provision does not apply to the exchange of personal data of employees in the manner established by the legislation of the Russian Federation;

10.9.

Access to personal data of employees is carried out on the basis of orders and regulations approved by the Operator.

10.10.

The operator undertakes not to request information about the employee’s health status, with the exception of information that relates to the issue of the employee’s ability to perform a job function;

10.11.

The operator undertakes to transfer the employee's PD to employee representatives in the manner established by the legislation of the Russian Federation, and to limit this information only to those employee PD that are necessary for the said representatives to perform their functions.

10.12.

An employee has the right to determine his representatives to protect his personal data.

Liability for violation of this provision

11.1.

The Operator's management is responsible for failure to ensure the confidentiality of personal data and non-compliance with the rights and freedoms of personal data subjects in relation to their personal data, including the rights to privacy, personal and family secrets.

11.4.

In cases of violation of the established procedure for processing and ensuring the security of PD, unauthorized access to PD, disclosure of PD and causing material or other damage to the Operator, its employees, clients and counterparties, the perpetrators bear civil, criminal, administrative, disciplinary and other liability provided for by the legislation of the Russian Federation.

Carried out on the basis of compliance with laws and other regulations.

What is the processing of personal data? This process includes the following steps:

Legal regulation of working with personal data covers all processes and stages of working with them.

Purpose

Why is the processing of personal data necessary? An enterprise or organization processes an employee's personal data in order to assist the employee.

The main purposes of processing personal data:

  • in getting a job;
  • in placement in an educational institution or for training, for advanced training;
  • for the purpose of labor protection;
  • for promotion and control over career opportunities;
  • to monitor the quantity and quality of work performed.

The legislation provides for the accumulation and transmission of an employee’s personal data solely for the purpose of his development and the appropriate use of his abilities and experience. , include multifunctional goals.

The purposes of processing personal data of employees include the use and processing of personal data through their synthesis and interrelation, which determine the relevance of the employee’s capabilities in the conditions of organizing the production process.

The set and stated goals for the processing of personal data cannot be changed without notifying the employee.

Carried out by whom?

Personal data means information that contains basic information about a person of interest to a certain circle of representatives of government and other services.

In particular, in production (in an organization), personal data is of interest to the employer, who manages the organization of work in production based on information about its employees.

The employer has the right to request any personal data about the employee available in the records. Besides the employer, a limited circle of persons who carry out operational work has access to personal data. As a rule, these are the secretariat and the personnel department employees.

The operator carrying out information activities with personal data undergoes a briefing before starting the designated work. He is familiarized with the operating rules and with the principles prohibiting the disclosure of the information contained in personal data.

The implementation of the listed types of work can pursue exclusively the purposes that were the reason for collecting information. Misuse of personal data or their disclosure is considered a gross violation for which liability is imposed.

Violations

As discussed earlier, violations in the processing of personal data are considered:


The operator’s work with personal data is subject to strict control by authorized services, and the operator is held liable for shortcomings, unintentional or deliberate violations.

All unauthorized actions during the processing of personal data may result in punishment: disciplinary, administrative, and in some cases criminal.
