
How to determine the purposes of processing personal data. Determining the purposes of processing personal data and how to work with them

In accordance with Part 2 of Art. 85 of the Labor Code of the Russian Federation, the processing of an employee's personal data is the receipt, storage, combination, transfer or any other use of the employee's personal data.

The processing of an employee's personal data can be carried out solely for the purpose of ensuring compliance with laws and other regulations, assisting the employee in employment, training and promotion, ensuring the employee's personal safety, as well as monitoring the quantity and quality of the work he performs and ensuring the safety of property (clause 1 of Article 86 of the Labor Code of the Russian Federation).

According to paragraph 3 of Art. 3 of the Federal Law "On Personal Data", the processing of personal data is actions (operations) with personal data, including collection, systematization, accumulation, storage, clarification (updating, changing), use, distribution (including transfer), depersonalization, blocking, and destruction of personal data. It should be borne in mind that regardless of the number of functional operations listed in the legislation, legal regulation must cover all stages of the processing of personal data, from receipt to destruction, without any exceptions or exemptions.

The principles for processing personal data include the following:

  • legality of the purposes and methods of processing and fairness;
  • compliance of the purposes of processing with the goals predetermined and stated when collecting personal data, as well as with the powers of the operator;
  • compliance of the volume and nature of the data processed, methods of processing with the purposes of their processing;
  • the reliability of personal data, their sufficiency for the purposes of processing, the inadmissibility of processing personal data that is not related to the purposes stated when collecting data;
  • the inadmissibility of combining databases of personal data information systems created for incompatible purposes.

The processing of an employee’s personal data begins with its receipt. As a general rule, all personal data should be obtained from the employee himself. In exceptional cases, when the employee’s personal data can only be obtained from a third party, the employee must be notified of this in advance and written consent must be obtained from him. The employer is obliged to inform the employee about the purposes, intended sources and methods of obtaining personal data, as well as the nature of the personal data to be received and the consequences of the employee’s refusal to give written consent to receive it (Clause 3 of Article 86 of the Labor Code of the Russian Federation). However, the employer does not have the right to receive and process the employee’s personal data about his political, religious and other beliefs and private life (Clause 4 of Article 86 of the Labor Code of the Russian Federation). Also, the employer cannot request information about the employee’s health status if this does not relate to the issue of the employee’s ability to perform a labor function (Article 88 of the Labor Code of the Russian Federation).

The Labor Code of the Russian Federation imposes certain requirements on the organization and technology of processing personal data by the employer. The obligation to familiarize employees and their representatives, against signature, with the employer’s documents establishing the procedure for processing employees’ personal data, as well as their rights and responsibilities in this area, presupposes the need to develop and adopt an appropriate local regulatory legal act. Such an act, depending on the specifics of the activity and the discretion of the employer, can be called a regulation or instruction and, as a rule, includes the following sections:

  • basic concepts and provisions;
  • processing of employee personal data;
  • generation of employee personal data;
  • recording, storage and transfer of employee personal data;
  • rights and obligations of the employee in the field of processing and protection of his personal data.

Such a local regulatory legal act determines the confidentiality regime (limited access) of an employee’s personal data at a particular employer. The employer's employees who receive the employee's personal data are required to comply with this regime, which must be indicated not only in their job descriptions, but also in the employment contracts concluded with them. The regulation (instruction) on the protection of personal data is the main document reflecting the specifics of the processing and transfer of an employee’s personal data within a specific organization, for a specific individual entrepreneur. If there is an automated component within this activity, the employer does not have the right to make decisions regarding the employee based on personal data obtained solely as a result of their automated processing or electronic receipt (clause 6 of Article 86 of the Labor Code of the Russian Federation). An employer may not be limited to adopting a provision on the protection of personal data of employees in its organization. However, the presence of this local act is mandatory, and its absence is considered by the state labor inspectorate as a serious violation of labor legislation.

For this and other violations of the rules governing the receipt, processing and protection of the employee's personal data, the employer can bring the perpetrators to material and disciplinary liability, and the relevant government bodies can bring them to civil, administrative and criminal liability.

1. The processing of personal data must be carried out in compliance with the principles and rules provided for by this Federal Law. Processing of personal data is permitted in the following cases:

1) the processing of personal data is carried out with the consent of the subject of personal data to the processing of his personal data;

2) the processing of personal data is necessary to achieve the goals provided for by an international treaty of the Russian Federation or law, to implement and fulfill the functions, powers and responsibilities assigned by the legislation of the Russian Federation to the operator;

3) the processing of personal data is carried out in connection with the participation of a person in constitutional, civil, administrative, criminal proceedings, proceedings in arbitration courts;

3.1) processing of personal data is necessary for the execution of a judicial act, an act of another body or official, subject to execution in accordance with the legislation of the Russian Federation on enforcement proceedings (hereinafter referred to as the execution of a judicial act);

4) the processing of personal data is necessary for the execution of the powers of federal executive authorities, bodies of state extra-budgetary funds, executive authorities of the constituent entities of the Russian Federation, local government bodies and the functions of organizations involved in the provision of state and municipal services, respectively, provided for by the Federal Law of July 27, 2010 N 210-FZ "On the organization of the provision of state and municipal services", including registration of the subject of personal data on a single portal of state and municipal services and (or) regional portals of state and municipal services;


5) processing of personal data is necessary for the execution of an agreement to which the subject of personal data is a party or beneficiary or guarantor, as well as for concluding an agreement on the initiative of the subject of personal data or an agreement under which the subject of personal data will be a beneficiary or guarantor;


6) the processing of personal data is necessary to protect the life, health or other vital interests of the subject of personal data, if obtaining the consent of the subject of personal data is impossible;

7) the processing of personal data is necessary to exercise the rights and legitimate interests of the operator or third parties, including in cases provided for by the Federal Law "On the protection of the rights and legitimate interests of individuals when carrying out activities to repay overdue debts and on amendments to the Federal Law 'On microfinance activities and microfinance organizations'", or to achieve socially significant goals, provided that the rights and freedoms of the subject of personal data are not violated;


8) the processing of personal data is necessary for the professional activities of a journalist and (or) the legal activities of a mass media outlet or scientific, literary or other creative activities, provided that the rights and legitimate interests of the subject of personal data are not violated;

9) the processing of personal data is carried out for statistical or other research purposes, with the exception of the purposes specified in Article 15 of this Federal Law, subject to the mandatory anonymization of personal data;

10) the processing is carried out of personal data to which access is provided to an unlimited number of persons by the subject of personal data or at his request (hereinafter referred to as personal data made publicly available by the subject of personal data);

11) processing of personal data subject to publication or mandatory disclosure in accordance with federal law is carried out.

1.1. Processing of personal data of objects of state protection and members of their families is carried out taking into account the features provided for by Federal Law of May 27, 1996 N 57-FZ “On State Protection”.

2. Features of the processing of special categories of personal data, as well as biometric personal data, are established in accordance with this Federal Law.

3. The operator has the right to entrust the processing of personal data to another person with the consent of the subject of personal data, unless otherwise provided by federal law, on the basis of an agreement concluded with this person, including a state or municipal contract, or by adoption of a relevant act by a state or municipal body (hereinafter - operator's instructions). The person processing personal data on behalf of the operator is obliged to comply with the principles and rules for processing personal data provided for by this Federal Law. The operator’s instructions must define a list of actions (operations) with personal data that will be performed by the person processing personal data and the purposes of processing, the obligation of such a person must be established to maintain the confidentiality of personal data and ensure the security of personal data during their processing, as well as the requirements for the protection of processed personal data must be specified in accordance with Article 19 of this Federal Law.

4. A person processing personal data on behalf of an operator is not required to obtain the consent of the subject of personal data to process his personal data.

5. If the operator entrusts the processing of personal data to another person, the operator is responsible to the subject of personal data for the actions of the specified person. The person processing personal data on behalf of the operator is responsible to the operator.

Since the end of summer, the Law on Personal Data has been in force in a new version. The rules for obtaining and protecting information have changed. For the employer, this means only one thing - additional paperwork. In this article we will talk about how to draw up regulations on working with personal data of employees and appoint someone responsible for organizing work with personal data.

What is personal data

Federal Law No. 152-FZ of July 27, 2006 "On Personal Data" (hereinafter referred to as Law No. 152-FZ) defines personal data as any information directly or indirectly related to an individual (the subject of personal data). This is stated in paragraph 1 of Art. 3 of Law No. 152-FZ.

According to Part 1 of Art. 85 of the Labor Code, personal data of an employee means information relating to a specific employee, which is necessary for the employer in connection with labor relations. We are talking about data such as:

  • full name;
  • date and place of birth;
  • address;
  • family status;
  • position (profession);
  • salary, other income;
  • ownership of real estate, cash deposits, etc.;
  • education, qualifications, professional training, information on advanced training;
  • habits and hobbies, including harmful ones (alcohol, drugs, etc.);
  • biographical facts and previous work activity (place of work, amount of earnings, criminal record, military service, work in elected positions, public service, etc.);
  • physiological characteristics, health;
  • business and other personal qualities;
  • other information.

The list of personnel documents containing personal data of employees is given in Table 1 on p. 76.

Table 1. Documents containing personal data of employees

| N | Document | Information |
|---|----------|-------------|
| 1 | Questionnaire, autobiography, personal personnel records sheet (to be completed upon admission to work) | Personal and biographical information of the employee |
| 2 | Copy of the employee's identification document | Full name, date of birth, registration address, marital status, family composition |
| 3 | Personal card (form N T-2, approved by the Resolution of Goskomstat of Russia dated 01/05/2004 N 1) | Full name of the employee, place of birth, family composition, education, and identification document details |
| 4 | Employment history | Information about work experience, previous places of work |
| 5 | Copies of certificates of marriage, birth of children | Family composition, changes in marital status |
| 6 | Military registration documents | Information about the employee's relation to military duty, required by the employer to carry out military registration of employees |
| 7 | Certificate of income from previous places of work | Full name, information about the amount of income and withheld personal income tax |
| 8 | Education documents | Confirm the qualifications of the employee, justify the holding of a certain position |
| 9 | Mandatory pension insurance documents | Full name, personal data |
| 10 | Employment contract | Information about the employee's position, salary, place of work, workplace, as well as other personal data of the employee |
| 11 | Personnel orders | Information about admission, transfer, dismissal and other events related to the employee's work activities |

Personal data processing operator

According to Law N 152-FZ, the person (legal or individual) who organizes and (or) carries out the processing of personal data and determines its composition, the purposes of processing, and the actions performed with personal data is called the operator (Clause 2 of Article 3 of Law No. 152-FZ). In our case, this is the employer.

Processing of personal data is any action performed with them. Operations for processing personal data:

  • collection;
  • recording;
  • systematization;
  • accumulation;
  • storage;
  • clarification (update, change);
  • extraction;
  • usage;
  • transmission (distribution, provision, access);
  • depersonalization;
  • blocking;
  • deletion;
  • destruction of personal data.

Regulations on working with personal data

The procedure for processing personal data by the operator may be established in the Regulations on working with personal data of employees (hereinafter referred to as the Regulations). There is no unified form of the document. Let's consider how to draw up this document taking into account the requirements of Law N 152-FZ. The Regulations consist of several sections. They are presented in Table 2, which also briefly indicates the information that the sections should contain. Detailed information is presented in a fragment of the Regulations on personal data of employees, which is given on p. 80.

Table 2. Structure of the Regulations on personal data of employees

| N | Section | Contents |
|---|---------|----------|
| 1 | General provisions | Purpose of adoption of the Regulations. Issues governed by the Regulations. References to regulations: indicate on the basis of which documents the Regulations are compiled. In organizations where state civil servants work, reference is given to: Federal Law of July 27, 2004 N 79-FZ "On the state civil service of the Russian Federation"; Decree of the President of the Russian Federation dated May 30, 2005 N 609 "On approval of the Regulations on the personal data of a state civil servant of the Russian Federation and the management of his personal file"; regulatory acts of a constituent entity of the Russian Federation |
| 2 | Basic concepts. Composition of employee personal data | Basic concepts. Definitions of the concepts "personal data", "processing of personal data", "use of personal data" are given; the storage period for documents, etc. is indicated. It must be stated separately what counts as personal data in a specific company, taking into account its features (data used in work, for example, information about working at sensitive facilities, on obtaining access to state secrets, about health compliance for professions associated with heavy and harmful conditions, etc.). List of documents of the organization that contain personal data |
| 3 | Receipt of employee personal data | Procedure for obtaining personal data. Indicates that the data is received and processed based on the written consent of the employee. Indicates cases where consent is not required |
| 4 | Use of personal data | Purposes for using personal information of employees |
| 5 | Processing of personal data | Conditions observed when processing employee personal data |
| 6 | Transfer of personal data (access to personal data) | The procedure for transferring personal data within the organization (internal access) and to third parties and government agencies (external access) |
| 7 | Responsibility for violation of the norms regulating the processing and protection of personal data | Identifies those who are responsible for violating the rules for storing and using personal data |

Fragment of the Regulations on personal data of employees

Introduction of the Regulations into force

The regulation on personal data is approved by the head of the company and put into effect by order of the organization (a sample is given on p. 90). A record of approval of the Regulations must be made in the register of local regulations.

If there is a trade union

If the company has a trade union, the Regulations must be agreed upon with it. To do this, the draft Regulations are sent to the elected body of the trade union (Article 372 of the Labor Code of the Russian Federation). It must express its opinion (in writing) no later than five working days from the date of receipt of the draft. If the union does not agree with the draft or has proposals for its improvement, the administration has two options. The first is to agree. The second is to conduct additional consultations with the trade union within three days after receiving a reasoned opinion in order to achieve a mutually acceptable solution. If this does not help, a protocol of disagreement should be drawn up. After this, the administration has the right to adopt the Regulations without taking into account the demands of the trade union. However, the trade union will be able to appeal the Regulations or begin the procedure for a collective labor dispute in the manner prescribed by Chapter 61 of the Labor Code.

Familiarization of employees with the Regulations

Employees must be familiarized with the Regulations against signature (clause 8 of Article 86 of the Labor Code of the Russian Federation). This fact can be recorded:

  • in the text of the employment contract for each employee (a listing of the local regulations with which the employee is familiarized before signing the contract);
  • in a sheet for familiarization with the Regulations (sample on p. 91);
  • in a logbook for familiarizing employees with local regulations (sample on p. 91).

Sample sheet for familiarization with local regulations

| N p/p | Name of local regulatory act | Date | Signature |
|-------|------------------------------|------|-----------|
| 1 | Internal labor regulations of LLC "Black Forest" | 03.10.2011 | Evstakhov |
| 2 | Regulations on remuneration, bonuses and social security of employees of LLC "Black Forest" | 03.10.2011 | Evstakhov |
| 3 | Information security instructions, approved by Order dated June 15, 2008 N 1 | 03.10.2011 | Evstakhov |
| 4 | Statement on personal data | 03.10.2011 | Evstakhov |
| 5 | Provision on liability of workers for damage caused to LLC "Black Forest" | 03.10.2011 | Evstakhov |

Fragment of the log of familiarization with the Regulations on personal data

Note. Personal data storage period

Local regulations (regulations, instructions) on personal data must be stored permanently. As for employee statements of consent to data processing (they will be discussed in future issues), and other employee documents, they are stored for 75 years. This is stated in the List approved by Order of the Ministry of Culture of Russia dated August 25, 2010 N 558.

Administrative responsibility

Administrative liability measures (mostly fines; disqualification is not applied in this case) for an enterprise and its officials for violating the procedure for receiving, processing, storing and protecting personal data of employees are given in Table 3.

Table 3. Responsibility for violating the procedure for obtaining, processing, storing and protecting personal data of employees

Carried out on the basis of compliance with laws and other regulations.

What is the processing of personal data? This process includes the following steps:

Legal regulation of working with personal data covers all processes and stages of working with them.

Target

Why is the processing of personal data necessary? The processing of an employee’s personal data is carried out at the enterprise or organization in order to facilitate it.

The main purposes of processing personal data:

  • in getting a job;
  • in placement in an educational institution or for training, for advanced training;
  • for the purpose of labor protection;
  • for promotion and control over career opportunities;
  • to monitor the quantity and quality of work performed.

The legislation provides for the accumulation and transmission of an employee’s personal data solely for the purpose of his development and the appropriate use of his abilities and experience. , include multifunctional goals.

The purposes of processing personal data of employees include the use and processing of personal data through their synthesis and interrelation, which determine the relevance of the employee’s capabilities in the conditions of organizing the production process.

The set and stated goals for the processing of personal data cannot be changed without notifying the employee.

Carried out by whom?

Personal data means information that contains basic information about a person of interest to a certain circle of representatives of government and other services.

In particular, in production (in an organization), personal data is of interest to the employer, who manages the organization of work in production based on information about its employees.

The employer has the right to request any personal data available in the employee's records. In addition to the employer, a limited circle of persons who carry out operational work has access to personal data. As a rule, these are the secretariat and personnel department employees.

The operator carrying out information activities with personal data undergoes instruction before starting the designated work. He gets acquainted with the operating rules and principles prohibiting the disclosure of information contained in personal data.

The implementation of the listed types of work can pursue exclusively the purposes that were the reason for collecting information. Misuse of personal data or their disclosure is considered a gross violation for which liability is imposed.

Violations

As discussed earlier, violations in the processing of personal data are considered:


The operator’s work with personal data is subject to strict control by authorized services, and the operator is held liable for shortcomings, unintentional or deliberate violations.

All unauthorized actions during the processing of personal data may result in punishment: disciplinary, administrative, and in some cases criminal.