Regulations on the protection of personal data of employees. Personal data: main documents and new legislation

Personal data is any information that relates to a specific individual (clause 1, article 3 of the Federal Law of July 27, 2006 No. 152-FZ). Like any other information, personal data is processed: it is collected, systematized, accumulated, stored, transferred, destroyed, etc. So that the processing of personal data cannot violate the rights and freedoms of a citizen, including the right to privacy and to personal and family secrets, personal data must be properly protected. This topic is relevant for every employer, because every employer constantly processes certain personal data of its employees: for example, an employee's passport details or address of residence, information about the employee's education or length of service, information about salary or marital status, etc. The importance of this area is confirmed by the fact that the Labor Code of the Russian Federation devotes a separate chapter to it, Chapter 14 "Protection of personal data of an employee". In this consultation we discuss the protection of personal data in organizations and give a sample Regulation on the protection of personal data of employees for 2017.

Policy for the processing and protection of personal data of employees

General requirements for the processing of personal data of an employee, as well as issues of protection of personal data at the enterprise are contained in Art. 86 of the Labor Code of the Russian Federation.

Thus, the Labor Code of the Russian Federation establishes, in particular, the following aspects of the processing and protection of personal data:

  • the processing of personal data of an employee is carried out only in order to comply with the legislation of the Russian Federation, assist employees in finding employment, obtaining education and promotion, ensuring the personal safety of employees, controlling the quantity and quality of work performed and ensuring the safety of property;
  • all personal data of the employee must be obtained from him. If any personal data of an employee can only be obtained from a third party, the employee must be notified in advance about this, and written consent must be obtained from him;
  • the employer must, at his own expense, ensure the protection of the employee's personal data from their unlawful use or loss;
  • the employer must, against signature, familiarize the employees and their representatives with the procedure for processing the personal data of employees, as well as with their rights and obligations in this area.

At the same time, the requirements for the protection of personal data of employees cannot be considered in isolation from the issues of transferring personal data. Thus, the employer, when transferring the personal data of the employee, must comply with certain requirements.

These, in particular, include (Article 88 of the Labor Code of the Russian Federation):

  • as a general rule, not disclose the personal data of the employee to a third party without the written consent of the employee;
  • warn persons who receive personal data of an employee that these data can only be used for the purposes for which they were reported;
  • transfer the employee's personal data within the same organization in accordance with the local regulatory act, with which the employee must be familiarized against signature;
  • allow access to personal data of employees only to specially authorized persons;
  • not to request information about the employee's health status (except in cases related to checking the employee's ability to perform a labor function).

At the same time, the consent of the employee to the transfer of personal data is not always required. Thus, consent is not required when the transfer of personal data is necessary to prevent a threat to the life and health of an employee (paragraph 2 of article 88 of the Labor Code of the Russian Federation) or is required on the basis of other federal laws (this includes, for example, reporting to the FIU, the FSS, the tax authorities, etc.).

Responsibility for violation of personal data protection requirements

Responsibility for violations of the requirements for the processing and protection of personal data of an employee is varied. It applies to both employees and employers.

For example, an employee may be dismissed for disclosing the personal data of another employee that became known to him in the performance of his job duties. After all, this will be considered a gross violation by the employee of his labor duties (clause “c”, clause 6, article 81 of the Labor Code of the Russian Federation).

And, for example, the processing of personal data in cases not provided for by the legislation of the Russian Federation may result in a fine of officials from 5,000 to 10,000 rubles, and for an employer organization - from 30,000 rubles to 50,000 rubles (part 1 of article 13.11 of the Code of Administrative Offenses of the Russian Federation).

Please note that fines have increased significantly since 07/01/2017. If earlier the maximum fine for an organization for violating the procedure for collecting, storing, using or distributing personal data was 10,000 rubles, then from 07/01/2017 it has increased to 75,000 rubles.

Regulation on the protection of personal data 2017: sample

Considering that employees have the right to full information about their personal data and the processing of this data, the employer is obliged to familiarize them with the relevant documents (paragraph 2 of article 89 of the Labor Code of the Russian Federation). For these purposes, a Regulation on the protection of personal data can be developed, with which the employer is obliged to acquaint all newly hired employees.

Here are the Regulations on the processing and protection of personal data, posted in the legal reference system ConsultantPlus.

Law No. 152-FZ defines personal data as any information directly or indirectly related to the subject or allowing him to be identified (clause 1, article 3). At the same time, the law does not explain which specific information about an individual falls under this concept. In the context of labor relations, it typically includes:

  • Date of Birth;
  • passport data;
  • address of registration and residence;
  • SNILS number;
  • information about education and work experience.

This is just the minimum list of information about yourself that a person provides when applying for a job. In the process of cooperation, the following are added to it: the terms of the employment contract and additional agreements, information on military registration, social benefits, data on disciplinary action and incentives, reports for statistical bodies and others. The array of information received is the personal file of the employee.

Why do we need a regulation on working with personal data

By hiring a person, the enterprise assumes the functions of a personal data operator. In other words, the employer collects, stores, systematizes, accumulates and updates information relating to employees. Work with personal data is carried out both with the use of automation tools and without them. The processing of confidential information is carried out not only during the period of cooperation, but also after its completion, at the archiving stage. Art. 22.1 obliges organizations to keep the personal files of employees for 75 years. At all stages of processing, the employer is obliged to prevent the transfer of personal information to third parties in the absence of legal grounds. The set of corresponding measures should be documented as a regulation on working with personal data of employees.

Structure of the regulation on personal data

When drafting the regulation on the protection of personal data 2020, it is recommended to adhere to the following structure:

Chapter | Title | Content
1 | Key points | Objectives of the document, governing laws, approval procedure
2 | Basic concepts | Definitions of concepts used in the document
3 | Composition of personal data of employees | List of personal information
4 | Data processing | Terms of information processing
5 | Set of documents | List of documents containing personal information
6 | Access to personal data | Procedure for external and internal access to information
7 | Protection of personal information | Set of measures to ensure the security of confidential information
8 | Rights and obligations of an employee | Rights of the employee regarding the processing of data, obligation to promptly notify of changes to it
9 | Responsibility for disclosure of information | Explanation of responsibility for violating the security of information in accordance with the law

How to implement the regulation on the processing and protection of personal data 2020

At the stage of document development, its content should be agreed with the heads of the departments involved in data processing and with the legal service. The finished local regulatory act is approved by order. An order is also issued in case of changes to the text of the document. If, for any reason, there is no regulation on the protection of personal data at the enterprise, it must be drawn up immediately and communicated to all employees. Employees being hired must read the regulation before signing the employment contract. The form of confirmation of familiarization with the text is at the discretion of the employer; the most convenient way is to keep a log of familiarization with local regulations. If necessary, the employee can request the text of the document as many times as needed. To simplify this, it is recommended to post the regulation on the processing of personal data of employees on the corporate electronic resources.

The regulation on the personal data of employees - a sample of 2019 can be found in this article. What is the text of the provision, taking into account all the requirements of the law? Let's take an example.

Personal data of employees - any information required by the administration in connection with labor relations and relating to a particular employee (clause 1, article 3 of the Law of July 27, 2006 No. 152-FZ).

The accounting department and the personnel service store documents containing personal data of employees - payroll statements, personal cards, personal files and others. All personal data of an employee can only be obtained from him.

Regulation on personal data: structure

To prevent the disclosure of personal data, create a reliable system for protecting it. Set the procedure for receiving, processing, transferring and storing such information in a local act of the organization, for example, in the regulation on working with personal data of employees. The regulation is approved by the director. Familiarize employees with the document against signature (Article 8, clause 8 of part 1 of Article 86, Article 87 of the Labor Code; clause 2 of part 1 of Article 18.1 of the Law of July 27, 2006 No. 152-FZ).

In order to ensure compliance with the requirements for the processing of personal data of employees and the protection of this information, the employer may develop and approve the Regulations on working with personal data of employees. It can also be called, for example, the Regulation on the processing of personal data of employees, the Regulation on the protection of personal data, or even the Regulation on the personal data of employees.

The regulation on personal data is one of the local acts that must exist in an organization. The employer must determine the procedure for the storage, processing and use of personal data in a local regulatory act (the Regulation on Personal Data). The absence of the Regulation may be qualified by the state labor inspectorate as a violation of labor legislation. This conclusion is also confirmed by judicial practice (see the Decree of the Federal Antimonopoly Service of the Moscow District dated October 26, 2006 N KA-A40/10220-06 in case No. A40-20745/06-148-194).

The employer determines the structure and content of the Regulation on the protection of personal data of employees (a sample is given below) for himself.

When developing the Regulation on Personal Data, the employer must take into account, in particular, the following principles:

  • the processing of personal data of employees is carried out only for the purpose of complying with the legislation of the Russian Federation, assisting employees in finding employment, obtaining education and promotion, ensuring the personal safety of employees, controlling the quantity and quality of work performed and ensuring the safety of property;
  • all personal data of employees must be obtained from them. If any personal data of an employee can only be obtained from a third party, the employee must be notified in advance about this, and written consent must be obtained from him;
  • the employer must, at his own expense, protect the personal data of employees from their unlawful use or loss;
  • the employer must, against signature, familiarize employees with the procedure for processing their personal data, as well as with their rights and obligations in this area.

Stella Limited Liability Company
(LLC Stella)

APPROVED
Director of LLC "Stella"
A.S. Pushkin

REGULATION
on working with personal data of employees

1. General Provisions

1.1. The regulation on working with personal data of Stella LLC employees was developed in accordance with the Labor Code of the Russian Federation, the Law of July 27, 2006 No. 152-FZ and the regulatory legal acts in force on the territory of the Russian Federation.

1.2. This Regulation defines the procedure for working (collecting, processing, using, storing, etc.) with the personal data of employees and guarantees the confidentiality of information about the employee provided by the employee to the employer.

2. Receipt and processing of personal data of employees

2.1. The employer receives the personal data of the employee directly from the employee.
The employer has the right to receive personal data of the employee from third parties only with the written consent of the employee or in other cases expressly provided for in the legislation.

2.2. When applying for a job, the employee fills out a questionnaire in which he indicates the following information about himself:
– sex;
– date of birth;
– marital status;
– military service status;
– place of residence and home telephone number;
– education, specialty;
– previous place(s) of work;
– other information with which the employee considers it necessary to acquaint the employer.

2.3. The employer has no right to require the employee to provide information about political and religious beliefs and about his private life.

2.4. The employee provides the employer with reliable information about himself. The employer checks the accuracy of the information by comparing the data provided by the employee with the documents available to the employee.

2.5. When changing personal data, the employee shall notify the employer in writing of such changes within a reasonable time, not exceeding 14 days.

2.6. If necessary, the employer will request additional information from the employee. The employee submits the required information and, if necessary, presents documents confirming the accuracy of this information.

3. Storage of personal data of employees

3.1. The employee's profile is kept in his personal file. The personal file also stores all information that relates to the personal data of the employee. The management of personal files is entrusted to the accounting department responsible for the acquisition of personal files - the accountant of the organization.

3.2. Personal files and personal cards are stored in paper form in folders, stitched and numbered by pages. Personal files and personal cards are located in the accounting department in a specially designated cabinet that provides protection from unauthorized access. At the end of the working day, all personal files and personal cards are handed over to the accounting department.

3.3. Personal data of employees may also be stored in electronic form on the local computer network. Access to electronic databases containing personal data of employees is protected by a two-stage password system: at the local network level and at the database level. Passwords are set by the deputy head of the organization and communicated individually to the employees who have access to personal data of employees.

3.4. Passwords are changed by the deputy head of the organization at least once every two months.

3.5. In order to improve the security of the processing, transfer and storage of personal data of employees in information systems, the data is depersonalized. Depersonalization uses the method of introducing identifiers: part of the personal data is replaced with identifiers, and tables of correspondence between the identifiers and the original data are created.
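The depersonalization method described in clause 3.5 (replacing direct identifiers with tokens and keeping a correspondence table apart from the working data) is illustrated below. This is an added example, not code from the original page or from any named organization; the employee records, field names and the `PseudonymizationStore` class are constructed for the illustration. The point it shows is that the depersonalized records can be handed to payroll or statistics processing without the passport or SNILS fields, while re-identification requires access to the separately held correspondence table.

```python
import secrets

# Constructed sample records (fictional employees), not data from the page.
EMPLOYEES = [
    {"name": "Ivanov I.I.", "passport": "4500 123456", "snils": "112-233-445 95",
     "position": "accountant", "salary": 60000},
    {"name": "Petrova A.A.", "passport": "4501 654321", "snils": "998-877-665 12",
     "position": "engineer", "salary": 75000},
]

# Fields that directly identify a person; these are replaced by identifiers.
DIRECT_IDENTIFIERS = ("name", "passport", "snils")


class PseudonymizationStore:
    """Holds depersonalized records and, separately, the correspondence table.

    The correspondence table (identifier -> original direct identifiers) is the
    sensitive part: in a real deployment it would live in a separate store with
    its own access control, as clause 3.6 restricts access to personal data.
    """

    def __init__(self, token_factory=None):
        # Random, non-derivable identifiers: an attacker holding only the
        # depersonalized records cannot reverse them without the table.
        self._token_factory = token_factory or (lambda: secrets.token_hex(8))
        self.records = []          # depersonalized data, safe for wider processing
        self._correspondence = {}  # identifier -> direct identifiers (restricted)

    def depersonalize(self, record):
        """Replace direct identifiers with a fresh token; return the token."""
        ident = self._token_factory()
        while ident in self._correspondence:  # guard against token collision
            ident = self._token_factory()
        self._correspondence[ident] = {k: record[k] for k in DIRECT_IDENTIFIERS}
        depersonalized = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        depersonalized["id"] = ident
        self.records.append(depersonalized)
        return ident

    def reidentify(self, ident, authorized):
        """Rejoin a record with its direct identifiers; only for authorized staff."""
        if not authorized:
            raise PermissionError("re-identification requires access to the correspondence table")
        record = next(r for r in self.records if r["id"] == ident)
        payload = {k: v for k, v in record.items() if k != "id"}
        return {**self._correspondence[ident], **payload}


def leaked_identifiers(records):
    """Return the direct-identifier fields still present in depersonalized data (should be empty)."""
    return sorted({k for r in records for k in r if k in DIRECT_IDENTIFIERS})


def build_store(records=EMPLOYEES, token_factory=None):
    """Depersonalize every record and return the store."""
    store = PseudonymizationStore(token_factory)
    for record in records:
        store.depersonalize(record)
    return store


if __name__ == "__main__":
    store = build_store()
    print("depersonalized:", store.records)
    print("leaked identifier fields:", leaked_identifiers(store.records))
    print("re-identified:", store.reidentify(store.records[0]["id"], authorized=True))
```

The depersonalized records keep only the fields that the processing actually needs (position, salary), which also matches the principle in clause 3.6 that accounting specialists see only the data necessary for their functions.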

3.6. The head of the organization, his deputy, the chief accountant, as well as the immediate supervisor of the employee have access to the personal data of the employee. Specialists of the accounting department - to the data that is necessary to perform specific functions. Access of specialists of other departments to personal data is carried out on the basis of the written permission of the head of the organization or his deputy.

3.7. Copying and making extracts from the personal data of an employee is allowed solely for official purposes with the written permission of the head of the organization, his deputy and chief accountant.

4. Use of personal data of employees

4.1. The employee's personal data is used for purposes related to the employee's performance of labor functions.

4.2. The employer uses personal data, in particular, to resolve issues of employee promotion, the order in which annual leave is granted, and the determination of the salary. On the basis of the employee's personal data, the issue of his access to information constituting an official or commercial secret is decided.

4.3. When making decisions affecting the interests of the employee, the employer does not have the right to rely on the employee's personal data obtained solely as a result of automated processing or electronic receipt. The employer also has no right to make decisions affecting the interests of the employee on the basis of data that can be interpreted ambiguously. If any fact cannot be reliably established on the basis of the employee's personal data, the employer invites the employee to provide written explanations.

5. Transfer of personal data of employees

5.1. Information relating to the personal data of an employee may be provided to state bodies in the manner prescribed by federal law.

The regulation on the protection of personal data of employees is the basic document of the organization that forms the legal basis for all work with this kind of data. This article describes the content of the regulation and how to work with it.

Regulation on the processing of personal data - legal requirements

Part 1 of Article 18.1 of the Law "On Personal Data" dated July 27, 2006 No. 152-FZ states that organizations and other entities (individual entrepreneurs, state or municipal authorities) that work with personal data of citizens are required to take necessary and sufficient measures to ensure compliance with the requirements of both Federal Law No. 152 itself and the by-laws adopted for its implementation. At the same time, the organization has the right to choose the list of measures needed to fulfill these duties independently.

The same part 1 of article 18.1 of Federal Law No. 152 contains an approximate (but not exhaustive) list of measures that an organization can use when working with personal data. Paragraph 2 of Part 1 of Article 18.1 of Federal Law No. 152 indicates that one of the possible measures is the publication of internal documents that will determine the organization's policy in the field of working with personal data, as well as other regulations that determine the specific procedure for the organization's employees to work with such information.

It should be noted that the organization's policy is predominantly a declarative document that indicates only the general features of the measures that will be taken by the organization to comply with the law. The legal basis for the processing of personal data in an organization is the regulation on the personal data of employees.

An analysis of Article 18.1 of Federal Law No. 152 shows that the adoption of such a regulation is not a mandatory requirement. At the same time, during an audit of compliance with security measures when working with personal data, the organization, in accordance with part 4 of Article 18.1 of Federal Law No. 152, must present such a document to the inspectors or otherwise confirm compliance with the norms of Federal Law No. 152. Thus, the existence of such a regulation can be regarded as indisputable evidence of compliance with the requirements for working with personal data, so it is still desirable for an organization to develop it. In addition, in pursuance of the requirements of Part 2 of Article 18.1 of Federal Law No. 152, this regulation must be available for public review or posted on the organization's website.

The content of the regulation (sample 2017)

The list of issues that must be resolved in the regulation is contained in Article 18.1 of the Federal Law No. 152. As a rule, they are included in the following order:

  1. General provisions. Here are indicated:
    • goals and objectives of the provision;
    • references to other regulatory acts of the organization (orders, instructions, regulations);
    • the situations in which this provision applies;
    • persons responsible for the implementation;
    • definitions of terms used in the document, etc.
  2. List and procedure for applying technical, legal and other measures aimed at protecting personal data. This section reflects:
    • issues of access to personal data carriers;
    • the procedure for working with them;
    • requirements for the computer equipment used to work with the information, etc.
  3. The procedure for informing (instructing) employees of the organization who will be allowed to work with personal data.
  4. The frequency and list of activities carried out within the framework of internal or external control over compliance with the regulation.
  5. The scope of responsibility of employees for violation of the requirements of the regulation.
  6. Assessment of possible harm and a list of measures that can minimize it or completely eliminate the likelihood of its being caused.

When developing the organization's regulation, the following rules should also be taken into account:

  • the provisions put into effect by the Decree of the Government of the Russian Federation “On approval ...” dated September 15, 2008 No. 687 (if the organization processes data manually using paper or electronic media);
  • requirements for working with automation tools established by the Decree of the Government of the Russian Federation “On Approval ...” dated 01.11.2012 No. 1119 (when using computer equipment, data transmission via the Internet).

You can find a sample regulation on the protection of personal data 2017 on our website.

Features of working with the regulation

When working directly with the regulation on the protection of personal data of employees, it should be remembered that the list of persons responsible for such work (or those with access to the data) is approved by a separate order. In addition, if the organization uses unified paper forms of accounting (books, registers, file cabinets, etc.), then, in accordance with paragraph 7 of Regulation No. 687, separate instructions for working with them must additionally be issued. It is also worth remembering that, in addition to processing employee data, an organization often needs to collect and store data of customers and other citizens, so the regulation can be extended to cover work with their personal data as well.

Summing up, we note that developing the regulation is a kind of insurance during inspections of the organization by Roskomnadzor and other regulatory authorities. In addition, the regulation streamlines the work of employees with personal information, which increases the degree of protection as well as the efficiency and accuracy of processing.