• Register of personal data processing operators. Is a company required to register in the Register of Personal Data Operators?

    The activities of any organization inevitably involve the processing of personal data in a personal data information system (ISPD). Every enterprise that uses confidential information about employees, clients, partners and other individuals is required to register as a personal data operator.

    Procedure for storing and protecting personal data

    Organizing the protection of confidential information takes place in several stages:

    • Review of the existing personal data processing arrangements (audit of the local regulatory framework, analysis of personal data flows and of the ISPD as a whole, identification of shortcomings and threats to the security of the information system, proposals for correcting shortcomings and improving the personal data protection system).
    • Development of a regulatory framework for personal data protection. This stage includes classification of ISPD and registration as a personal data operator in Roskomnadzor.
    • Design of a personal data protection system - selection of methods, measures and classes of personal data protection means, development of technical documentation for the creation of the ISPD, and development of specific measures to protect information in each specific ISPD.
    • Implementation of data protection systems – putting into operation personal data protection systems and setting up existing information protection systems.
    • Conformity assessment of the ISPD, within which evaluation tests of the ISPD are carried out and the corresponding Certificate is issued.

    Registration as a personal data operator in the Roskomnadzor Register is part of the overall process of organizing the processing and protection of personal data.

    Stages of registering an ISPDn operator in Roskomnadzor

    Registration of an ISPDn operator includes the following steps:

    • Development and adoption of a regulatory framework for the processing and protection of personal data.
    • Filling out the notification form of the intention to process personal data on the website of the territorial body of Roskomnadzor.
    • Sending a notification to the information system of the Authorized Body for the Protection of the Rights of Personal Data Subjects.
    • Printing the completed form with signatures.
    • Sending a printed form of notification to the appropriate territorial body of Roskomnadzor at the place of registration of the operator.

    We invite you to prepare the documents necessary for registration as a personal data operator using our online service. This page contains acts, instructions, regulations, journals, notices and other documents.

    Often used with this template:

    • Information letter on making changes to information in the register of operators processing personal data
    • Consent to transfer personal data to third parties
    • List of personal data subject to protection in ISPDn
    • Protection of personal data in educational institutions

    Popular documents and procedures:

    Registration of an operator of personal data for internal use

    Point 4 - must every legal entity or individual entrepreneur do this, if it involves the processing of personal data of employees and clients?

    We are a company that has created and is discussing a system in which the personal data of the customer's clients is present. This set of documents is not suitable for us; it is more suitable when an employer processes the data of its own employees, but that is not entirely our case.

    Hello! I have a few questions about setting up templates. 1) Please tell me how to configure the ISPD system templates in order to classify the system as subject to current type 1 threats and requiring the 1st level of security. In this case, will the proposed templates be consistent with each other? 2) Is it possible to pre-fill all system documents (28 documents) with the initially entered data (name of the legal entity, category of personal data), or does it need to be entered each time when filling out a separate system document?

    Please specify the minimum possible level of PD security that can be established based on your templates. (We are interested in minimizing the costs of the system. Personal data of employees and contractors will be processed. We do not process special categories of personal data or biometric data.)

    Hello! We are interested in using the mechanism for maintaining and recording tasks as part of the work responsibilities of our employees by registering an account (personal account) under the employee's name (username) and providing a unique identifier (login) and password for this entry, as recommended in your template “Intellectual Property Regulations”, clause 6.2. At the same time, clause 6.4 of the mentioned Intellectual Property Regulations states that all corporate email addresses and all logins or user names in the Software Tools are listed in a special internal document approved by the General Director of the Company, which is updated and brought to the attention of all employees of the Company as necessary, i.e. the data is disclosed to other persons. Please clarify the following questions: 1) does such data constitute personal data (and if so, of what category): an account (personal account) under the employee's name (username) with the employee's unique identifier (login) and password in the Operator's internal system, and the employee's email address in the Operator's internal system? 2) if such data constitutes personal data, will there be any specific features of its use in your ISPD templates (would this entail the need to purchase cryptographic protection means, etc.)?

    Hello! According to the law, there is no need to notify the regulator when processing personal data that is processed in accordance with labor legislation. What about candidates who are not hired? Their data remains; do we have the right to store it without notifying the regulator? For example, if the candidate did not pass the probationary period (here there is an obvious employment relationship). Or, for example, if he was not even admitted to the test? We simply don't need this data today, but tomorrow we put up a profile, invite the person and hire him. Would this fall under the disposition of Article 86 of the Labor Code in the part “processing of an employee's personal data may be carried out solely for the purposes of ensuring compliance with laws and other regulatory acts, assisting employees in finding employment”, and accordingly be carried out without the knowledge of the regulator?

    Hello. Is the package of data processing documents designed for employees or contractors?

    Do the documents need to be filled out online, or can they be downloaded and filled out in Word?

    Hello! If you process personal data of your employees or clients, then it is imperative to protect it. It is necessary to develop the correct set of local regulations presented in the procedure, as well as to ensure technical measures (if processing is carried out in an automated or partially automated mode) and organizational measures. The only exception concerns the submission of a notification to Roskomnadzor for registration as a personal data operator. All these exceptions are set out in Article 22, paragraph 2 of 152-FZ. The most common exceptions are the processing of personal data of employees within the framework of labor legislation and the processing of personal data of clients as part of the execution of a contract (for example, in order to deliver goods to a client, you need to know his address and passport details).

    Hello! According to paragraph 2 of Art. 3 of Law No. 152-FZ, a personal data operator means, in particular, a legal entity that, independently or jointly with other persons, organizes and (or) carries out the processing of personal data. Processing of personal data means any action (operation) or set of actions (operations) performed with personal data, with or without the use of automation tools, including collection, recording, systematization, accumulation, storage, clarification (updating, changing), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion and destruction of personal data (clause 3 of Article 3 of Law No. 152-FZ). Thus, if, when performing work on maintaining the site, you carry out any one or a combination of the actions listed above, then according to the law you are a personal data operator, with all the ensuing responsibilities. The law makes no exception for operators who did not collect personal data directly from the subjects but received it from another operator. The operator is the one who carries out the processing, i.e. any person carrying out at least one of the actions with PD specified in Art. 3 of Federal Law No. 152. In this case, we recommend that you follow the procedure: http://www.. Thank you for using the service!

    Hello! You need to answer the questions in the questionnaire on the left side of the page, and the package of necessary documents will be generated automatically. If a value entered in one document is identical to that in another document in the general package, it will be filled in automatically in that document. The document templates are suitable for ensuring the 1st level of personal data security. We draw your attention to the fact that, in addition to developing documentation, it is also necessary to develop and implement technical protection measures. The composition and content of such “basic” measures are defined in FSTEC Order No. 21 dated February 18, 2013 “On approval of the Composition and content of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems”. Thank you for using our service!

    see answer below

    Hello! Personal data is any information that allows an individual to be accurately identified (within the meaning of Federal Law dated July 27, 2006 N 152-FZ “On Personal Data”). In this case, individual corporate email addresses and logins or user names are personal data of employees that are necessary for the employer in connection with employment relationships, which in itself does not entail the specifics of applying a special protection regime (subject to compliance with the requirements established by Chapter 14 of the Labor Code of the Russian Federation). We recommend that you familiarize yourself with the procedure located at the link: http://www.. Thank you for using our service!

    Hello. The employer has the right, without notifying Roskomnadzor, to process personal data of candidates for positions and to keep their resumes, forming both a paper and an electronic database of applicants, if it has their written consent. This conclusion is based on the fact that, according to clause 1, part 2, art. 22 of the Federal Law of July 27, 2006 No. 152-FZ “On Personal Data”, data processed in accordance with labor legislation may be processed without notifying the authorized body. Personal data of applicants may be stored in the employer's database if the candidate has given written consent to this and the period of such storage is specified. As for former employees (such as those who did not pass the probationary period), we believe that if the Labor Code of the Russian Federation or other laws do not impose an obligation on the employer to process the data of former employees, then such processing should be carried out only with notification of Roskomnadzor (unless there are other grounds for processing personal data without filing a notification, for example, processing of personal data without the use of automation tools). We recommend that you clarify this issue with the authorized body. Thank you for your request.

    I have read Article 22 of 152-FZ. But since we do not enter into employment relationships with all applicants whose personal data we collect (we admit them to testing or at least invite them to interviews), Roskomnadzor still needs to be notified in this case.

    Hello. The processing of personal data of applicants is also carried out within the framework of labor legislation. According to the position of the Fourth Arbitration Court of Appeal, the ground provided for in paragraph 1 of Part 2 of Art. 22 of Federal Law No. 152-FZ of July 27, 2006 “On Personal Data” also applies to personnel selection activities (Resolution No. 04AP-127/2018 dated February 7, 2018 in case No. A19-17054/2017). This is because labor legislation consists not only of the Labor Code of the Russian Federation but also of other regulatory acts. Thus, Federal Law of April 19, 1991 N 1032-1 “On employment in the Russian Federation” stipulates that employers promote employment policy, in particular through hiring. We believe that the written consent of the applicant to store certain of his data for the period specified in the consent will be sufficient to comply with the law in this area. There is no need to notify Roskomnadzor. However, to avoid disputes, we recommend that you clarify this issue with the authorized body. Thank you for your appeal.

    Thank you! I read the court decision. It's a tricky question. This court decision suggests that Roskomnadzor's position is to notify, but the Irkutsk Region Administration, together with the appellate court, sided with the legal entity. Considering the well-known position of Roskomnadzor, it is unknown whether the AS of our region will take our side. That's why we sent a letter with the question.

    Hello. Thank you for your response. It would be interesting and useful to see the outcome of your message on our discussion page. Best regards, FreshDoc company.

    I'll be sure to post how they respond! Your advice helped me a lot in developing a legal position on this issue)

    I wrote. And what do you think they answered? Nothing! That is, of course they answered, but about nothing. The essence of the letter comes down to the fact that it is up to you whether to submit a notification or not. I wanted to make sure that in case of an inspection I would have their answer, but it didn't work out. And hiding behind a court decision from another region... We don't yet have an Anglo-Saxon legal system but a continental one, and for me the main conclusion from the reasoning part of the court's decision is the position of Roskomnadzor, and whether our regional court will side with us, as it did in Irkutsk, is unknown.

    Hello. Thanks for your response. The presence of a response from Roskomnadzor is not a guaranteed protection against prosecution. For the court, the opinion of the department, whatever it may be, is also not decisive. We recommend forming your own reasoned opinion, and, if possible, obtaining judicial decisions that are appropriate to the case. Best regards, FreshDoc company.

    In any case, whether there is a Notification or not, any operator must comply with the requirements of Articles 18.1 and 19 of Federal Law No. 152 when processing personal data: appoint a responsible person, develop and approve a policy and regulation on personal data, etc. Moreover, Roskomnadzor conducts scheduled inspections of all operators, not only of those included in the Roskomnadzor register on the basis of a Notification.

    Hello. Yes, it is the responsibility of the PD operator to take measures necessary and sufficient to ensure the fulfillment of the obligations provided for by the Federal Law of July 27, 2006 No. 152-FZ “On Personal Data”, regardless of its presence/absence in the register of operators (sending a notification to Roskomnadzor). At the same time, in order to fulfill the requirements provided for in Art. 22 Federal Law of July 27, 2006 No. 152-FZ “On Personal Data”, the operator, before starting the processing of personal data, is obliged to notify Roskomnadzor of his intention to process personal data, otherwise he faces a fine under Art. 19.7 Code of Administrative Offenses of the Russian Federation.

    Hello. The range of personal data subjects is established in section 3 “Personal data processed in the ISPD” of the Regulations on the processing and protection of personal data, which is included in the package of documents and can be found at the link https://www.site/?oid=7086347. It establishes, in particular, that the data of the following subjects is processed: employees of the Operator; shareholders/founders of the Operator; persons associated with employees, shareholders and founders (children for whom alimony is paid, spouses, etc.); clients (consumers of the Operator's services); individual entrepreneurs who are counterparties of the Operator; clients of organizations that are counterparties of the Operator (servicing of corporate clients). It is also stipulated that this list may be revised. Thank you for reaching out.

    You can fill out the documents directly on the website.

    In what cases is it necessary to notify Roskomnadzor about the processing of personal data? The answer is in the article.

    Question: Are we required by law to register in the register of personal data operators of Roskomnadzor? Paragraph 2 of Art. 22 of the Law of July 27, 2006 No. 152-FZ “On Personal Data” states: “2. The operator has the right to process personal data without notifying the authorized body for the protection of the rights of personal data subjects.” So are we not required to register in the register?

    Answer: There is no need to register in the register of personal data operators of Roskomnadzor, since there is no registration procedure. Before processing personal data, the operator is obliged to send a notification to Roskomnadzor (Clause 1, Article 22 of Law No. 152-FZ). Roskomnadzor maintains a register of operators based on notifications.

    At the same time, there are exceptions to this rule of law, listed in detail in paragraph 2 of Art. 22 of Law No. 152-FZ.

    Rationale

    Storage of personal data in Russia. What features are there for employee information?

    A company that processes personal data not only of its employees but also of contractors who are individuals must notify. That is, virtually any company is obliged to notify officials about the processing of personal data.

    As a general rule, the employer is obliged to send a notification to Roskomnadzor about the start of processing personal data (Part 1, Article 22 of Law No. 152-FZ). Many companies still haven't done this. They justify it this way: the employer processes personal data only of its employees. Therefore, the company falls under the exception established in clause 1, part 2, art. 22 of Law No. 152-FZ. According to this standard, the employer has the right to process personal data in accordance with labor legislation without notifying Roskomnadzor.

    But in most cases, the position that notification is not required is erroneous. After all, the employer processes data not only of employees, but also of other entities. For example, representatives of counterparties when receiving powers of attorney or employees of other companies belonging to the same group as the employer. In such cases, it is recommended to send a notification to Roskomnadzor.

    In what form should Roskomnadzor be notified?

    Include in the notification information about the personal data of employees (clause 7 of the Temporary Recommendations for filling out the notification form, approved by Roskomnadzor on December 30, 2014). Exceptions established in Part 2 of Art. 22 of Law No. 152-FZ are not applicable in this case.

    Roskomnadzor will enter the information from the notification into the register of operators within 30 days from the date of receipt of the document. No fee is charged for this (Part 4, Part 5 of Article 22 of Law No. 152-FZ).

    Employers who have not notified Roskomnadzor risk receiving a letter from officials. In response, employers will be required to send a notice or justify the reasons for not sending it. In the latter case, the risk of Roskomnadzor verifying the validity of this type of justification increases. Thus, according to the annual report for 2014, Roskomnadzor sent more than 58 thousand such letters to operators (

    February 21, 2014 at 11:45 pm

    Or maybe not notify about the processing of personal data?

    • Information security

    Part one of Article 22 of the Federal Law of July 27, 2006 N 152-FZ “On Personal Data” (hereinafter in the article - the Law) provides for the obligation of an operator processing personal data to notify the Roskomnadzor authority before processing begins. Right away (in part two of the same article) the Law sets out the grounds on which the operator has the right not to notify about processing. These cases are quite common. But since the Law does not prohibit notifying even where such grounds exist, a number of operators choose to notify anyway. It may be worth not notifying, or even thinking about how to qualify for the “exceptions”. There are at least 3 reasons for this.

    It is difficult to answer the question “Why?” on behalf of all those who decided to send a notification to the Roskomnadzor body when it was possible not to. Of course, marketing motives (image, openness) cannot be ruled out. However, in a number of cases operators notify out of ignorance or on the principle “It's better to be safe than sorry”. I would like to draw attention to the well-known right of operators processing personal data not to notify the Roskomnadzor authorities about processing, and here are several reasons for it.

    1. The person who submitted the notification about the processing of personal data must bear the burden of constantly updating the submitted information. This obligation is provided for in Part 7 of Art. 22 of the Law. If an operator processing personal data does not submit a notification of a change in the information (change of the operator's address, change in the categories of personal data processed, change of the person responsible for processing personal data and his contact details, etc.), he may be brought to administrative liability. It would seem that nothing could be simpler: something changes in the organization, you write and send a letter. As practice shows, in most cases this is forgotten. For example, those who entered the Register of operators processing personal data (the Register includes everyone who submitted a notification about processing) before July 1, 2011 were required to additionally send, by January 1, 2013, the information provided for in clauses 5, 7.1, 10 and 11 of Part 3 of Article 22 of the Law (legal basis for the processing of personal data, full name of the responsible person, etc.). As can be seen from the Roskomnadzor register of personal data operators, more than half of the operators have not done this to date. It is also doubtful that none of these organizations has undergone any internal changes related to the processing of personal data. I also suggest you consider whether, in the long run, you will keep your entry in the Register up to date in a timely manner, when you have the option of not doing this at all.
    2. The Roskomnadzor authorities plan inspections of operators processing personal data using the departmental unified information system (UIS). All operators who submitted notifications are already in it, so the likelihood of being included in the inspection plan increases many times over. Organizations inspected by Roskomnadzor in other areas (communication services, distribution networks, media, broadcasting) are automatically checked for compliance with personal data legislation as well if they have notified Roskomnadzor about processing.
    3. If a personal data operator decided to notify the Roskomnadzor body about processing although he had the right not to, it will not be possible to be excluded from the Register on the grounds that he was not obliged to notify in the first place. This possibility is not provided for either by the Law or by the relevant Administrative Regulations. Or rather, it is provided only on general grounds.
    If you were planning to send a notification, but the above has given you pause, the general recommendations are simple.
    1. Carefully read (and understand) Part 2 of Art. 22 of the Federal Law of the Russian Federation of July 27, 2006 N 152-FZ “On Personal Data”.
    2. Look at what personal data you process and in connection with what.
    3. In some cases, it may be necessary to adjust how you work with personal data carriers. I'll give an example to make clear what I mean.
    One of the grounds for not notifying about the processing of personal data is provided for in clause 2, part 2, Article 22 of the Law and reads as follows:
    “received by the operator in connection with the conclusion of an agreement to which the subject of personal data is a party, if the personal data is not distributed or provided to third parties without the consent of the subject of personal data and is used by the operator solely for the execution of the said agreement and the conclusion of contracts with the subject of personal data”.

    So, you entered into an agreement with an individual for some service. You took the person's mobile phone number in order to inform him when the service is ready. In most cases, a mobile phone number is not needed for the purpose of fulfilling the contract. If the client's mobile phone number is taken, his consent to the processing of personal data is additionally required. In that case, however, you do not fall under the exception in the Law that allows you not to notify about the processing of personal data.
    If the contract with this individual stipulates that a mobile phone number is needed for the purposes of fulfilling the contract, then you can already claim the right to fall under the exception.
    You can frame the need for a mobile phone number for the purpose of fulfilling the contract something like this: “The organization undertakes to notify the client by telephone No. x... x of readiness...”.

    How to organize the processing of personal data of employees. Register of personal data operators of Roskomnadzor. How to obtain an employee’s consent to the processing of his personal data.

    Question: Is the municipal unitary enterprise obligated to register with the register of personal data operators of Roskomnadzor, as well as develop a set of documents on the protection of personal data?

    Answer: Yes, a municipal unitary enterprise is obliged to register in the register of personal data operators and to develop a set of documents on the protection of personal data if it employs staff and processes their personal data, or if it processes the personal data of other individuals (clients, partners).

    Rationale

    How to organize the processing of employee personal data

    The concept of personal data

    What personal data of an employee is the organization entitled to receive?

    Public personal data

    Question from practice: what personal data is considered public

    Public information is generally known information and other information to which access is not restricted. Such information may be used by any person at their discretion, subject to compliance with the restrictions on its distribution established by law. This is stated in Article 7 of the Law of July 27, 2006 No. 149-FZ.

    Public personal data is data that the subject of personal data has made available as such. Public personal data may include information available to an unlimited number of persons (for example, data from open directories, address books, etc.).

    Since anyone has access to such data, it does not require special protection.

    When processing such data, the operator does not need to notify the authorized body for the protection of the rights of personal data subjects (clause 4, part 2, article 22 of the Law of July 27, 2006 No. 152-FZ).

    Consent to personal data processing

    How to obtain an employee’s consent to the processing of his personal data

    In the course of its activities, the employer needs to process personal data of employees. The processing of such data, with the exception of certain cases, occurs only with the written consent of employees. In this case, the consent must include the following information:

    • last name, first name, patronymic and address of the employee, details of the passport (or other identity document), including the date of issue of the document and the issuing authority;
    • name or surname, first name, patronymic and address of the employer (operator) receiving the employee’s consent;
    • purpose of processing personal data;
    • list of personal data for the processing of which consent is given;
    • name or surname, first name, patronymic and address of the person processing personal data on behalf of the employer, if the processing will be entrusted to such a person;
    • list of actions with personal data for which consent is given, and a general description of the methods used by the employer for processing personal data;
    • the period during which the employee’s consent is valid, as well as the method of its withdrawal, unless otherwise established by federal law;
    • employee signature.

    Such requirements are established in part 4

    If an employee is incapacitated, written consent to the processing of his personal data is given by his legal representative: parent, guardian (Part 6 of Article 9 of the Law of July 27, 2006 No. 152-FZ).

    An employee may at any time withdraw consent to the processing of his personal data by sending a withdrawal to the employer in any form. In such a situation, the organization has the right to continue processing personal data without the consent of the employee only within the limits specified in paragraphs 2-11 of part 1 of article 6, part 2 of article 10 and part 2 of article 11 of the Law of July 27, 2006 No. 152-FZ, for example, to administer justice or to protect the life (health) of the employee himself. This is stated in Part 2 of Article 9 of the Law of July 27, 2006 No. 152-FZ.

    It should be noted that if a dispute arises, the obligation to provide evidence that the employee’s consent to the processing of his personal data has been obtained rests with the employer (Part 3 of Article 9 of the Law of July 27, 2006 No. 152-FZ).

    With the consent of the employee, the organization also has the right to entrust the processing of personal data to another person (Part 3 of Article 6 of the Law of July 27, 2006 No. 152-FZ). In this case, the employer will continue to be responsible to the employee for the actions of the specified person, and the person processing personal data on behalf of the employer will be responsible directly to the employer (Part 5 of Article 6 of the Law of July 27, 2006 No. 152-FZ).

    It should be noted that the employer must obtain consent to the processing of personal data not only from employees, that is, persons with whom he has an employment relationship, but also from applicants, as well as from persons with whom civil law contracts have been concluded in the organization. This is stated in paragraph 5 of the clarifications of Roskomnadzor dated December 14, 2012.

    Universal Consent

    Question from practice: Is it possible, when concluding an employment contract, to obtain written consent from the employee to provide his personal data to third parties in all necessary situations before dismissal?

    No, you can't.

    To transfer employee data to third parties, the organization is required to obtain the written consent of this employee. Without the written consent of the employee, his personal data may be transferred to third parties when this is necessary in order to prevent a threat to the life and health of the employee, and in other cases provided for by federal laws. Such rules are established by part 1 of article 88 of the Labor Code of the Russian Federation.

    The Labor Code of the Russian Federation does not contain requirements for the content of written consent for the transfer of data. However, paragraph 1 of Article 9 of the Law of July 27, 2006 No. 152-FZ establishes that consent to the processing of personal data must be specific, informed and conscious. It follows from this that the organization must request written consent from the employee for each case of transfer of his personal data to a third party. Only under such conditions can the requirement of specificity and informed consent be considered fulfilled. The list of information that must be contained in written consent to the transfer of personal data is established in paragraph 4 of Article 9 of the Law of July 27, 2006 No. 152-FZ.

    Processing personal data of performers according to GPA

    Question from practice: Is it necessary to obtain written consent for the processing of personal data of citizens with whom civil law contracts have been concluded?

    Yes, in general it is necessary, in the same manner as with full-time employees.

    Processing of personal data is possible only with the written consent of the subject of personal data, with the exception of certain cases when such processing is possible without their consent (). At the same time, the subjects of personal data can be both employees working under an employment contract and citizens with whom the organization has entered into civil law contracts.

    Thus, an organization in general must obtain consent to the processing of personal data, including citizens with whom civil law contracts have been concluded, in order to exclude any disputes regarding unauthorized transfer of data outside the scope of the terms of the civil law contract.

    The refusal of the performer to give such consent is not an obstacle to concluding a civil contract.

    Data processing without consent

    In what cases is the employee’s consent to transfer personal data not required?

    In some cases, the processing of personal data is possible without the consent of the employee. For example, if the processing of personal data is necessary for the purpose of fulfilling a contract concluded with an employee or to achieve the goals provided for by law for the implementation and fulfillment of the functions, powers and responsibilities assigned by Russian legislation to the operator, it can be carried out without the consent of the employee - the subject of personal data. This is stated in the Law of July 27, 2006 No. 152-FZ.

    Such cases include the transfer of information to:

    • Pension Fund of the Russian Federation ();
    • tax authorities ();
    • military commissariats ();
    • other bodies, when the obligation to transfer to them information related to the employee’s personal data is assigned to the employer by law or is necessary to achieve the goals established by law (for example, courts, prosecutor’s office, etc.).

    In addition, consent is not required in the following cases:

    • the obligation to process is provided for by law, including the publication and posting of personal data of employees on the Internet (for example, Law of November 21, 2011 No. 323-FZ, Law of February 9, 2009 No. 8-FZ and a number of other acts);
    • personal data of close relatives of the employee is processed to the extent provided for by the personal card (according to the unified form No. T-2 or an independently developed form), as well as in cases of receiving alimony, processing social benefits and access to state secrets;
    • processing information about the employee’s health status relates to the issue of his ability to perform his job function;
    • data processing is related to the employee’s performance of job responsibilities, including during a business trip;
    • the processing of personal data is carried out when implementing access control to the territory of the employer’s office buildings and premises, provided that the organization of access control is carried out by the employer independently.

    If the local document provides for alternative ways of settling accounts with employees, or the matter is not regulated at all at present, then employees have the right to decide independently whether to receive their salary through the cash desk or on a bank card. If the employer decides to transfer the salaries of all employees to bank cards, then each employee must be asked for consent to the processing of personal data and its transfer to a third party, the bank. In such a situation, employees have the right not to give consent, and without such consent the employer will not be able to continue processing the data and transferring information about the employees who refused to the bank.

    Question from practice: Is it necessary to obtain employee consent for the processing of personal data again when changing banks to transfer salaries?

    No, it is not necessary, provided that the existing consents did not name the specific bank to which the data was provided. If the previous consent was drawn up for a specific bank, then the employer will have to obtain a new consent under the general rules ().

    In addition, there is no need to obtain consent if the organization’s local documents provide for the payment of wages specifically to bank cards and the employee, upon hiring or in the course of work, was familiarized with these documents (Part 2 of Article 9 of the Law of July 27, 2006 No. 152-FZ).

    Roskomnadzor notification

    How to notify the regulatory agency about the start of processing personal data of employees

    Before processing personal data of employees, the employer must notify the territorial body of Roskomnadzor of the intention to carry out processing. The exceptions are cases of processing personal data:

    • processed in accordance with labor laws;
    • made publicly available by employees;
    • received by the organization in connection with the conclusion of an agreement to which the employee is a party (provided that personal data is not distributed or provided to third parties without the consent of the employee and is used by the employer solely for the execution of the specified agreement and the conclusion of other agreements with the employee);
    • relating to members (participants) of a public association or religious organization;
    • including only the last names, first names and patronymics of employees;
    • necessary for the purpose of an employee’s one-time entry into the employer’s territory and for other similar purposes;
    • included in personal data information systems that, in accordance with federal laws, have the status of state automated information systems, as well as in state personal data information systems created to protect state security and public order;
    • processed without the use of automation tools in accordance with legislative acts establishing requirements for ensuring the security of personal data during their processing and for respecting the rights of personal data subjects;
    • processed in cases provided for by Russian legislation on transport security.

    In case of termination of processing of personal data, the employer is also obliged to notify the authorized body about this. This must be done within ten working days from the date of termination of data processing. The standard form for notification of termination of data processing has not been approved, so the employer can draw it up in any form ().

    Question from practice: what should be understood by the processing of employee personal data

    Personal data protection

    How to organize the protection of personal data of employees in an organization

    To prevent disclosure of personal data, create a reliable system for protecting it. The procedure for receiving, processing, transferring and storing such information is established in a local act of the organization, for example in the Regulations on working with personal data (Article , Labor Code of the Russian Federation, ). The Regulations are approved by the head of the organization. Familiarize the employees of the organization with them against their signature. This is stated in Part 1 of Article 86 of the Labor Code of the Russian Federation.

    Also, the organization must appoint a person responsible for working with personal data (Part 5 of Article 88 of the Labor Code of the Russian Federation). As a rule, such an employee is a personnel service employee, since it is he who most often comes across personal data of employees in the course of his work. Appoint the person responsible for working with personal data by order in any form.

    Specific measures to ensure the security of employees' personal data during their processing are provided for in the Law of July 27, 2006 No. 152-FZ and the Requirements approved. Based on them, the organization can develop its own system for the protection of personal data.

    Thus, when processing personal data in an information system, it is necessary to ensure the protection and security of personal data. At the same time, a threat to the security of personal data is a set of conditions and factors that create the danger of unauthorized (including accidental) access to personal data during their processing in the system, which may result in:

    • destruction;
    • change;
    • blocking;
    • copying;
    • provision;
    • spreading;
    • other illegal actions with personal data.

    It should be noted that the choice of specific information security means for the information system for processing personal data is carried out by the employer in accordance with the regulations of the FSB of Russia and the FSTEC of Russia. Determining the type of threats to the security of personal data relevant to the system for processing and protecting personal data is made taking into account the assessment of possible harm and in accordance with the regulations of the mentioned bodies (clause , Requirements approved by Decree of the Government of the Russian Federation of November 1, 2012 No. 1119).

    When processing personal data in systems, four levels of security can be established depending on the category of data and the number of employees about whom the system contains information. Depending on the level of security, the employer should take various measures to protect personal data processing systems provided for in paragraphs 13-16 of the Requirements approved by Decree of the Government of the Russian Federation of November 1, 2012 No. 1119. For example, establishing a regime for ensuring the security of premises in which personal data is located, appointing persons responsible for ensuring the security of personal data in the information system, etc. Specific requirements for the specified measures to ensure the security of personal data during their processing are established by the composition and content of organizational and technical measures approved by order of the FSTEC of Russia dated February 18, 2013 No. 21.

    To control the security of personal data during their processing, the employer or a person authorized by him carries out control checks at least once every three years; the specific timing is determined by the employer independently. If necessary, organizations or individual entrepreneurs that hold a license to carry out technical protection of confidential information may be engaged to conduct the inspection on a contractual basis (clause 17 of the Requirements approved by Decree of the Government of the Russian Federation of November 1, 2012 No. 1119).

    Statement on personal data

    Question from practice: is the Regulation on working with personal data of employees a mandatory document

    Yes, it is.

    The procedure for storing, processing and using personal data of employees is established by the employer, taking into account the requirements of the Labor Code of the Russian Federation and other federal laws (). This means that the employer must independently determine the procedure for such processing and enshrine it in a local regulatory act, in particular, the Regulations on working with personal data of employees. All employees of the organization, when hired, must be familiarized with the Regulations for signature (Part 3 of Article 68 of the Labor Code of the Russian Federation).

    Based on the above, it follows that the Regulations on working with personal data are a mandatory document of the organization, and its absence entails administrative liability (). The courts also point to this (see, for example, the resolution of the Federal Antimonopoly Service of the Moscow District dated October 26, 2006 No. KA-A40/10220-06).

    An example of the design of the Regulations on working with personal data of employees

    The head of the organization approved the Regulations on working with personal data of employees.

    There is no personnel service in the organization. The organization's accountant V.N. Zaitseva was appointed responsible for maintaining personnel records.

    Question from practice: how to protect personal information located in a computer database

    To prevent unauthorized access to personal information located in a computer database, establish in the Regulations a procedure for protecting such information. The higher the risk of unauthorized access to personal data, the more measures must be taken to protect such information. For example, an organization can introduce a system of individual passwords that are changed at set intervals, limit employee access to computers on which personal data is stored, and keep disks and floppy disks with such information in locked cabinets.

    The processing of personal data in the information system must be carried out in accordance with the provisions of paragraphs 8–16 of the Requirements approved by Decree of the Government of the Russian Federation of November 1, 2012 No. 1119.

    An organization can ensure the protection of personal data both independently and with the assistance of third party organizations who have a license to carry out activities to protect confidential information. Such clarifications are given in paragraph 17 of the Requirements approved by Decree of the Government of the Russian Federation of November 1, 2012 No. 1119.

    Question from practice: Is it possible for non-HR employees to be given the right to access the personal data of other employees?

    Yes, provided that the employees need access to such information to perform certain job functions.

    Only specially authorized persons who need such access to perform specific functions can have access to personal data of employees. This is stated in the Labor Code of the Russian Federation.

    As a rule, due to the nature of their work, the following employees have access to personal data:

    • personnel service employees;
    • accounting staff;
    • general manager and, if necessary, his deputies;
    • heads of departments and immediate supervisors.

    In this case, each of these categories of employees is assigned its own access level. For example, accounting employees can be given access to employees’ address data and marital status, and heads of departments to personal information only about their own subordinates.

    The access levels of certain persons, as well as the specific procedure for transferring personal data of employees within the organization must be prescribed in its local documents, for example, in the Regulations on the protection of personal data of employees (paragraph 5 of Article 88 of the Labor Code of the Russian Federation). Authorized persons must be familiar with the provisions of the document and warned of their rights and obligations, as well as responsibility for using information for other purposes ().
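The tiered access just described can be expressed directly in code. The following is an added example, not code from the original article: an attribute-level access check in which HR and the general manager see every attribute, accounting sees address and marital status (plus what it needs for payroll), and department heads see a narrow set of attributes and only for their own subordinates. Role names, attribute names and the sample records are constructed assumptions, and denied attributes are written to an audit list so that attempts to read data outside one's role are visible.

```python
"""Added example, not code from the original article: a minimal attribute-level
access check modelling the tiered access the text describes.  Role names,
attribute names and the sample records below are constructed assumptions."""

from dataclasses import dataclass

# Attributes each role may read; "*" stands for every attribute.
# Unknown roles are absent from the table and therefore get nothing.
ROLE_ATTRIBUTES = {
    "hr": {"*"},
    "general_manager": {"*"},
    "accounting": {"full_name", "address", "marital_status", "bank_account"},
    "department_head": {"full_name", "position", "work_phone"},
}


@dataclass(frozen=True)
class Employee:
    emp_id: int
    department: str
    record: dict  # attribute -> value


@dataclass(frozen=True)
class Requester:
    emp_id: int
    role: str
    department: str = ""


def can_read(requester: Requester, employee: Employee, attribute: str) -> bool:
    """True if the requester's role permits reading this attribute of this
    employee.  Deny by default for roles not in the table."""
    allowed = ROLE_ATTRIBUTES.get(requester.role, set())
    if "*" not in allowed and attribute not in allowed:
        return False
    # Department heads are scoped to their own subordinates only.
    if requester.role == "department_head" and employee.department != requester.department:
        return False
    return True


def read_record(requester: Requester, employee: Employee, audit: list) -> dict:
    """Return only the attributes the requester may see and append an audit
    entry listing both granted and denied attribute names."""
    visible, denied = {}, []
    for attribute, value in employee.record.items():
        if can_read(requester, employee, attribute):
            visible[attribute] = value
        else:
            denied.append(attribute)
    audit.append({"by": requester.emp_id, "role": requester.role,
                  "subject": employee.emp_id,
                  "granted": sorted(visible), "denied": sorted(denied)})
    return visible


# Constructed sample data (not real people).
IVANOVA = Employee(101, "sales", {
    "full_name": "Ivanova A.A.", "position": "sales manager", "work_phone": "100",
    "address": "Sample St. 1", "marital_status": "married",
    "bank_account": "ACC-0001", "health_status": "fit for duty",
})
PETROV = Employee(202, "marketing", {
    "full_name": "Petrov B.B.", "position": "copywriter", "work_phone": "200",
    "address": "Sample St. 2", "marital_status": "single",
    "bank_account": "ACC-0002", "health_status": "fit for duty",
})

if __name__ == "__main__":
    log = []
    accountant = Requester(7, "accounting")
    sales_head = Requester(8, "department_head", "sales")
    print(read_record(accountant, IVANOVA, log))  # address and marital status, no health data
    print(read_record(sales_head, IVANOVA, log))  # own subordinate: name, position, phone
    print(read_record(sales_head, PETROV, log))   # other department: nothing
    for entry in log:
        print(entry)
```

The audit list is the part a security team would actually consume: a department head repeatedly producing entries with a non-empty `denied` list for employees outside his department is exactly the pattern the local Regulations warn authorized persons about.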

    Advice: the conditions for posting personal data of employees on the corporate website are stated in the Regulations on working with personal data. At the same time, make an appendix to it, in which you indicate a list of employees who agree (or disagree) to the posting of personal data. Thus, the requirement will be met, and the organization will be able to post the personal data of employees who agree with such placement on the corporate website.

    In order to ensure the rights of its employees, the organization and its representatives, when processing personal data, are obliged to comply with the requirements regulated by the Labor Code of the Russian Federation. Persons guilty of violating the rules governing the protection of personal data are subject to administrative and criminal liability (). Or they may be fired with the wording “for disclosing the personal data of another employee on the basis of subparagraph “c” of paragraph 6 of part 1 of Article 81 of the Labor Code of the Russian Federation.”

    Question from practice: Does the head of a structural unit have the right to demand that the accounting department provide monthly information on the accrued salaries of employees subordinate to him?

    Information about amounts accrued to employees refers to personal data (clause 1, article 3 of Law No. 152-FZ of July 27, 2006). The immediate supervisor can request them if the appropriate permission is established in a local regulatory act and the employee’s consent to the processing of his personal data has been obtained.

    At the same time, the staffing table contains information about the salaries and bonuses of employees. The staffing table is a local document of the organization and does not constitute personal data. The head of a structural unit may, if necessary, refer to this document if this is provided for in the manager’s job description or in a local act of the organization. This allows him to obtain the necessary information without contacting the accounting department.

    Refusal to process data

    Question from practice: what to do if a person refuses to consent to the processing of his personal data

    The organization has the right to continue to process a person’s personal data without his consent if there are certain grounds. At the same time, the volume of such processing is quite large and allows the organization to carry out current activities without disruption.

    In particular, the employer does not need to obtain consent to the processing of personal data from applicants for the conclusion of an employment or civil law contract, for submitting personalized reports to the Pension Fund of the Russian Federation, tax reporting to the Federal Tax Service of Russia and information about persons liable for military service to military commissariats, or for storing documents containing personal data, including employment and civil contracts, personal cards, personal files, etc. That is, consent is not needed when the employer fulfills the obligations imposed on him by law.

    Such rules are established in paragraphs 2-11 of part 1 of article 6, part 2 of article 10 and part 2 of article 11 of the Law of July 27, 2006 No. 152-FZ.

    To carry out all other actions, the organization must obtain the person’s consent to process his personal data (Part 4 of Article 9 of the Law of July 27, 2006 No. 152-FZ).

    Attention: Current legislation does not oblige a person to give consent to the processing of personal data, therefore refusal on his part cannot be considered a violation and grounds for refusal to conclude a contract. A staff employee also cannot be fired or subject to other disciplinary action for refusing to provide consent to the processing of personal data.

    Question from practice: what to do if an employee refuses to provide personal data of family members to fill out personnel documents

    Depersonalization of personal data refers to actions as a result of which it becomes impossible, without the use of additional information, to determine which specific person the personal data belongs to ().

    If it is necessary to depersonalize personal data, the heads of organizations approve:

    • rules for working with anonymized data;
    • list of positions of employees responsible for carrying out measures to anonymize processed personal data.

    Such rules are provided for in subparagraph “b” of paragraph 1 of the list approved by Decree of the Government of the Russian Federation of March 21, 2012 No. 211.

    Specific requirements and methods for depersonalizing personal data processed in information systems are established in the Requirements and methods approved by Roskomnadzor Order No. 996 dated September 5, 2013.

    The main requirement for the depersonalization of personal data is to ensure not only protection from unauthorized use, but also the possibility of their processing. To do this, anonymized data must have properties that preserve the basic characteristics of anonymized personal data. Such properties, in particular, include:

    • completeness, that is, preservation of all information about specific people or groups of people that was available before depersonalization;
    • structuredness, that is, preservation of the structural connections between the anonymized data of a specific person or group of people that existed before depersonalization;
    • applicability, that is, the ability to solve problems of processing personal data without first depersonalizing the entire volume of records about people;
    • anonymity, that is, the impossibility of unambiguously identifying data subjects obtained as a result of depersonalization, without the use of additional information.

    The main requirements for methods of anonymizing personal data are:

    • ensuring the required properties of anonymized data;
    • compliance with the requirements for the characteristics of the methods;
    • implementation of methods in various programs;
    • solving the assigned tasks of processing personal data.

    The most promising and practically convenient depersonalization methods include:

    • the method of introducing identifiers, that is, replacing part of the personal data with identifiers and creating a table of correspondence of identifiers to the original data;
    • method of changing the composition or semantics, that is, changing the composition or semantics of personal data by replacing the results of statistical processing, summarizing or deleting part of the information;
    • decomposition method, that is, dividing an array of personal data into several parts with subsequent separate storage;
    • shuffling method, that is, rearranging individual records, as well as groups of records in an array of personal data.

    For the sake of security when working with personal data of employees, commercial organizations also have the right, but are not obliged, to engage in depersonalization (Clause 3 of Article 3 of Law No. 152-FZ of July 27, 2006). If an organization decides to anonymize personal data, then the specific method of anonymization must be enshrined in a local act, for example, in the Regulations on working with personal data of employees (Article , Labor Code of the Russian Federation,).
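To make the four listed methods concrete, here is an added example that is not code from the original article or from Roskomnadzor Order No. 996: a small implementation of each method applied to constructed employee records, together with the reverse operation for the identifier method, which shows why the correspondence table must be stored separately from the anonymized data. Field names, the band widths used for generalization and the reference year are assumptions made for the illustration.

```python
"""Added example, not code from the original article or from Roskomnadzor Order
No. 996: the four depersonalization methods listed in the text, applied to
constructed employee records.  Field names, band widths and the reference year
are assumptions made for the illustration."""

import random

REFERENCE_YEAR = 2024                      # assumed "current" year for age banding
DIRECT_IDENTIFIERS = ("full_name", "passport")

# Constructed sample records (not real people).
EMPLOYEES = [
    {"full_name": "Ivanova A.A.", "passport": "4500 000001", "birth_year": 1985,
     "department": "sales", "salary": 85000},
    {"full_name": "Petrov B.B.", "passport": "4500 000002", "birth_year": 1992,
     "department": "marketing", "salary": 120000},
    {"full_name": "Sidorov V.V.", "passport": "4500 000003", "birth_year": 1978,
     "department": "sales", "salary": 230000},
]


def introduce_identifiers(records):
    """Method 1: replace direct identifiers with opaque IDs.  The correspondence
    table is returned separately: it is the only way back to a person, so it is
    stored apart from the data and under stricter access control."""
    anonymized, table = [], {}
    for n, rec in enumerate(records, start=1):
        pid = f"P{n:04d}"
        table[pid] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        anonymized.append({"pid": pid,
                           **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}})
    return anonymized, table


def change_semantics(records):
    """Method 2: generalize quasi-identifiers (exact birth year and salary become
    bands) so the records stay usable for statistics but no longer single out
    one person."""
    out = []
    for rec in records:
        age = REFERENCE_YEAR - rec["birth_year"]
        age_lo = (age // 10) * 10
        salary_lo = (rec["salary"] // 50000) * 50000
        generalized = {k: v for k, v in rec.items() if k not in ("birth_year", "salary")}
        generalized["age_band"] = f"{age_lo}-{age_lo + 9}"
        generalized["salary_band"] = f"{salary_lo}-{salary_lo + 49999}"
        out.append(generalized)
    return out


def decompose(records, payload_fields=("department", "salary")):
    """Method 3: split each pid-bearing record into two parts linked only by pid;
    the parts are meant to be stored in separate locations."""
    part_a = [{k: v for k, v in r.items() if k == "pid" or k not in payload_fields} for r in records]
    part_b = [{k: v for k, v in r.items() if k == "pid" or k in payload_fields} for r in records]
    return part_a, part_b


def shuffle(records, seed):
    """Method 4: permute record order so position in the array carries no
    information (for example the order in which people were hired)."""
    return random.Random(seed).sample(records, k=len(records))


def reidentify(anonymized, table):
    """Reverse method 1 using the correspondence table.  Without the table the
    records satisfy the 'anonymity' property; with it, 'applicability' holds
    because the original records are fully recoverable."""
    return [{**table[r["pid"]], **{k: v for k, v in r.items() if k != "pid"}}
            for r in anonymized]


if __name__ == "__main__":
    anon, table = introduce_identifiers(EMPLOYEES)
    print("anonymized:", anon)
    print("correspondence table (store separately):", table)
    print("generalized:", change_semantics(anon))
    print("decomposed:", decompose(anon))
    print("shuffled:", shuffle(anon, seed=1))
    print("restored equals original:", reidentify(anon, table) == EMPLOYEES)
```

The point the text makes about anonymity and applicability together is visible in `reidentify`: the anonymized array alone gives a processor what it needs for headcount or salary-band statistics, while only the holder of the correspondence table can turn a `pid` back into a person, so access to that table is what the local act must restrict.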

    Checks of compliance with requirements for the processing of personal data

    How compliance checks for the processing of personal data are carried out

    Roskomnadzor conducts inspections of the employer regarding the processing of personal data. Order No. 312 of the Ministry of Telecom and Mass Communications of Russia dated November 14, 2011 approved the Administrative Regulations for the execution by this service of the functions of exercising state control (supervision).

    The subject of control over the employer’s activities related to the processing of personal data are:

    • documents whose nature implies or allows the inclusion of personal data;
    • personal data information systems;
    • processing activities.

    Roskomnadzor carries out both scheduled and unscheduled inspections in the form of documentary or on-site inspections (Law No. 294-FZ of December 26, 2008). The rights and obligations of Roskomnadzor officials during inspections are determined, respectively, by paragraphs and Administrative Regulations approved by Order of the Ministry of Telecom and Mass Communications of Russia dated November 14, 2011 No. 312.

    The time frame for checking an employer’s activities in processing personal data during both scheduled and unscheduled checks cannot exceed 20 working days. At the same time, for small businesses, the total duration of on-site scheduled inspections per year cannot exceed:

    • 50 hours - for a small enterprise;
    • 15 hours - for a micro-enterprise.

    In exceptional cases the period for conducting an on-site scheduled inspection may be extended, but by no more than 20 working days, and for small and micro enterprises by no more than 15 hours. This is possible if during the inspection the need arises for:

    • complex and lengthy research and testing;
    • special examinations and investigations.

    Only those employees who have undertaken to comply with the rules for working with personal data and have violated them () can be subject to disciplinary liability. Financial liability may arise if, in connection with a violation of the rules for working with personal data, the organization suffers direct actual damage ().

    For violating the procedure for collecting, storing, using or distributing personal data, the organization and its officials will be fined. During one inspection, Roskomnadzor may detect several different violations, in which case it will impose several fines at once.

    The amount of fines depends on the type of offense committed. Thus, officials can be fined in the amount of 3,000 to 20,000 rubles, individual entrepreneurs - in the amount of 5,000 to 20,000 rubles, organizations - in the amount of 15,000 to 75,000 rubles. For more information about the fines for violations in working with personal data, see the table.

    Such measures of liability are provided for in articles of the Code of the Russian Federation on Administrative Offenses.

    The head of the organization (or another person responsible for working with personal data) may be held criminally liable for the illegal:

    • collecting or distributing information about the private life of an employee that constitutes his personal or family secret, without his consent;
    • dissemination of this information in a public speech, publicly displayed work or media.

    The following penalties are provided for these violations:

    • a fine of up to 200,000 rubles (or in the amount of the convicted person’s income for a period of up to 18 months);
    • compulsory work for up to 360 hours;
    • correctional labor for up to one year;
    • forced labor for a term of up to two years with or without deprivation of the right to hold certain positions or engage in certain activities for a term of up to three years;
    • arrest for up to four months;
    • imprisonment for a term of up to two years with deprivation of the right to hold certain positions or engage in certain activities for a term of up to three years.

    In this case, the same acts committed by a person using his official position are punishable:

    • a fine in the amount of 100,000 to 300,000 rubles (or in the amount of the convicted person’s income for a period of one to two years);
    • deprivation of the right to hold certain positions or engage in certain activities for a period of two to five years;
    • forced labor for a term of up to four years with or without deprivation of the right to hold certain positions or engage in certain activities for a term of up to five years;
    • arrest for a term of four to six months;
    • imprisonment for a term of up to four years with deprivation of the right to hold certain positions or engage in certain activities for a term of up to five years.

    Question from practice: Is it possible to provide for non-disclosure of confidential information in employee employment contracts?

    Yes, you can.

    But only for those employees who directly work with personal data: HR officers, HR managers, secretaries (). In this case, when hiring, familiarize the employee with the Regulations on working with personal data.

    Question from practice: Is it possible to provide information about an employee’s work in an organization by telephone to representatives of other companies, such as banks?

    Yes, you can, but only with the written consent of the employee himself.

    Personal data means any information directly or indirectly relating to a specific individual (subject of personal data) (Part 1 of Article 3 of the Law of July 27, 2006 No. 152-FZ). The list of personal data is not exhaustive, that is, any information relating to a specific person is his personal data. Thus, the place of work and the fact of employment itself, requested from an organization, for example, by a credit institution to confirm employment or by a potential employer about a former employee, are personal data. Therefore, it is possible to transfer employee data to other organizations only in compliance with the general requirements on the processing of personal data, that is, only with the consent of the employee himself (clause 3, part 1, article 86 of the Labor Code of the Russian Federation, ).

    Thus, it is possible to provide information about the fact that employees are working by telephone to unidentified persons, including those who pose as bank specialists, but only with the written consent of the employee himself, regardless of whether he continues to work in the organization or has already quit.

    Question from practice: Is the employer obliged, at the request of the bailiff service, to report the fact of work in the organization of the debtor employee?

    The fact of working in an organization refers to the employee’s personal data. The bailiff conducting enforcement proceedings has the right to request from the organization information about employees in respect of whom court decisions on the payment of alimony or other types of awarded payments were made, including information related to personal data. This request the employer has no right to ignore it. Such rules are established by Law of October 2, 2007 No. 229-FZ.

    At the same time, the employer has the right to report the fact of work in the organization of a debtor employee without his consent to transfer personal data to third parties, since in this case the processing of personal data is necessary for the administration of justice, the execution of a judicial act subject to execution in accordance with the legislation of Russia on enforcement proceedings (clause 3, part 1, article 6, clause 6, part 2, article 10, part 2, article 11 of the Law of July 27, 2006 No. 152-FZ).

    Thus, the employer is obliged to respond to the request of the bailiff service about the fact of the work of the debtor employee. Obtain employee consent to

    Legal requirements for the personal data operator

    The operator is obliged to ensure the confidentiality of personal data. Article 7 of the Federal Law of the Russian Federation of July 27, 2006 N 152-FZ “On Personal Data” (hereinafter referred to as FZ-152) states that the operator is not obliged to protect personal data if it is anonymized or publicly available. The personal data operator does not have the right to process data without the consent of the personal data subject, that is, the person to whom this data belongs. However, Art. 6, Part 2 of FZ-152 provides for a number of cases in which the consent of the subject is not required.
    In particular, the consent of the subject is not required if his personal data is processed on the basis of a Federal Law that defines the purpose and content of such processing (Article 6, paragraph 2, part 2). For example, according to Federal Law No. FZ-3266-1 “On Education”, graduates of secondary educational institutions do not have to give consent to the processing of their personal data for admission to the Unified State Exam. Bodies and organizations involved in conducting the Unified State Exam carry out “...transfer, processing and provision of results received in connection with the conduct of the Unified State Exam<…>personal data of students, participants of the unified state exam<…>in accordance with the requirements of the legislation of the Russian Federation in the field of personal data without obtaining the consent of these persons to process their personal data” (Article 15, clause 5.1). The April issue of the magazine “Personal Data” contains a detailed article devoted specifically to this problem.
    Another case in which the processing of personal data does not require the consent of the subject is the execution of a contract to which the personal data subject is a party. Any agreement between a company and an individual for the provision of services is a suitable example. A great deal of useful information on this topic can be found in the specialized press. The operator must also take the necessary organizational and technical measures to prevent unauthorized access to personal data.

    Required documents

    Each personal data operator is required to have a package of documents confirming the protection of personal data of employees and clients.

    The list of required documents may vary depending on the specifics of personal data processing, organizational structure and other features of each individual enterprise.

    In accordance with this package of documents, the enterprise must implement technical means of protecting personal data.

    Preparation of documents necessary to protect personal data

    There are several ways to prepare documents in accordance with the requirements of 152-FZ “On Personal Data”:

    Protective equipment

    Almost every organization has a personal data information system (abbreviated ISPDn), which may contain, for example, an employee’s last name, first name, passport data, TIN, etc. An operator works with this information system. Depending on what data is contained in the ISPD of a particular organization, the ISPD may belong to one of four classes, each of which calls for different means of protecting personal data.

    Links

    • www.rsoc.ru Register of operators processing personal data
    • www.pd.rsoc.ru Personal data portal of the Authorized body for the protection of the rights of personal data subjects
    • www.privacy-journal.ru Information and analytical journal "Personal Data"

    Wikimedia Foundation. 2010.
