
Purposes of personal data processing in enterprises. Processing of personal data

In accordance with Part 2 of Art. 85 of the Labor Code of the Russian Federation, the processing of an employee's personal data is the receipt, storage, combination, transfer or any other use of the employee's personal data.

The processing of the employee's personal data may be carried out solely for the purpose of ensuring compliance with laws and other regulatory legal acts, assisting the employee in employment, training and promotion, ensuring the personal safety of the employee, controlling the quantity and quality of the work performed by him, and ensuring the safety of property (clause 1 of article 86 of the Labor Code of the Russian Federation).

According to paragraph 3 of Art. 3 of the Federal Law "On Personal Data", the processing of personal data is actions (operations) with personal data, including collection, systematization, accumulation, storage, clarification (updating, changing), use, distribution (including transfer), depersonalization, blocking and destruction of personal data. It should be borne in mind that, regardless of the number of functional operations listed in the legislation, legal regulation should cover all stages of personal data processing, from receipt to destruction, without any exceptions.

The said Law lists the following principles of personal data processing:

  • lawfulness of the purposes and methods of processing and good faith;
  • compliance of the purposes of processing with the purposes predetermined and declared during the collection of personal data, as well as the authority of the operator;
  • compliance of the volume and nature of the processed data, methods of processing with the purposes of their processing;
  • the reliability of personal data, their sufficiency for the purposes of processing, the inadmissibility of processing personal data that is not related to the purposes stated during the collection of data;
  • the inadmissibility of combining databases of personal data information systems created for incompatible purposes.

The processing of an employee's personal data begins with its receipt. As a general rule, all personal data should be obtained from the employee himself. In exceptional cases, when the employee's personal data can only be obtained from a third party, the employee must be notified of this in advance and his written consent must be obtained. The employer is obliged to inform the employee about the purposes, intended sources and methods of obtaining personal data, as well as the nature of the personal data to be obtained and the consequences of the employee's refusal to give written consent to receive them (clause 3 of article 86 of the Labor Code of the Russian Federation). However, the employer does not have the right to receive and process the employee's personal data about his political, religious and other beliefs and private life (clause 4 of article 86 of the Labor Code of the Russian Federation). Also, the employer cannot request information about the employee's state of health unless it relates to the question of the employee's ability to perform a labor function (Article 88 of the Labor Code of the Russian Federation).

The Labor Code of the Russian Federation imposes separate requirements on the organization and technology of processing personal data by the employer. The obligation to familiarize employees and their representatives against signature with the documents of the employer establishing the procedure for processing employees' personal data, as well as their rights and obligations in this area, implies the need to develop and adopt an appropriate local regulatory legal act. Such an act, depending on the specifics of the activity and the discretion of the employer, may be referred to as a regulation or instruction and, as a rule, includes the following sections:

  • basic concepts and provisions;
  • processing of personal data of an employee;
  • formation of personal data of the employee;
  • accounting, storage and transfer of personal data of an employee;
  • the rights and obligations of the employee in the field of processing and protection of his personal data.

Such a local regulatory legal act determines the confidentiality regime (limited access) of the employee's personal data with a specific employer. Employees of the employer who receive the personal data of the employee are required to comply with this regime, which must be indicated not only in their job descriptions, but also in the employment contracts concluded with them. The regulation (instruction) on the protection of personal data is the main document reflecting the specifics of the processing and transfer of an employee's personal data within a particular organization or with a particular individual entrepreneur. If there is an automated component within this activity, the employer does not have the right to make decisions regarding the employee based on personal data obtained solely as a result of their automated processing or electronic receipt (clause 6 of article 86 of the Labor Code of the Russian Federation). An employer need not limit himself to adopting a regulation on the protection of personal data of employees in his organization. However, the presence of this local act is mandatory, and its absence is considered by the state labor inspectorate as a serious violation of labor legislation.

For this and other violations of the rules governing the receipt, processing and employee, the employer may bring the perpetrators to material, disciplinary liability, and the relevant state bodies - to civil, administrative and criminal.

This information is any action or operation with the personal data of the subject: collection, recording, systematization, accumulation, storage, clarification, extraction, use, transfer, depersonalization, blocking, deletion, destruction.

Why collect information about the subject and give consent to its analysis?

For client/patient

Information about the state of health of a citizen belongs to a special category of personal data. According to Part 2, Clause 4, Art. 10 of the Federal Law No. 152, the processing of such information is allowed without the consent of the subject, provided that it is carried out for the purposes of:

  • establishing a diagnosis;
  • disease prevention;
  • provision of medical and medical-social services.

This rule is true for situations where the processing is carried out by a professional doctor who is obliged to keep medical secrets in accordance with the legislation of the Russian Federation.

Exceptions are those situations where it is impossible to obtain consent, but processing is necessary to protect the life or health of the patient.

If a person uses any service (concludes an agreement, takes out a loan), that is, he is a client, personal information about him can also be processed in accordance with Federal Law No. 152.

Customer data can be used for:

  1. Provision of consulting, information and mediation services.
  2. Conclusion and execution of the contract with the client.
  3. Managing HR and accounting services.
  4. Other transactions not prohibited by the legislation of the Russian Federation.

For an organization employee

The employer has the right to his employees, it is enshrined in Art. 22 FZ No. 152. Purposes of personal data processing in the organization:

  • Registration of civil law contracts with citizens, provided for by the Legislation of the Russian Federation and the Charter of the enterprise.
  • Personnel records, compliance with laws and, registration of obligations under labor and civil law contracts.
  • Assistance with employment, education or promotion, registration and use of benefits.
  • Ensuring the personal safety of the employee and the safety of property.
  • Compliance with the requirements of tax and pension legislation when calculating contributions for pension insurance.
  • Formation of statistics in accordance with the Labor, Tax Codes and federal laws.
  • Control of the work performed by the employee.

(Article 86 of the "Labor Code of the Russian Federation" dated December 30, 2001 No. 197-FZ). Personal information about an employee that is classified as "special" is not subject to processing by the employer.

The validity period of the Consent to the processing of personal data must be established; it can be a specific date or event, for example, dismissal or withdrawal of consent by an employee.

Examples

Banking

Bank "Financial". The purpose of processing the client's personal data is to carry out banking and other operations, including:

  1. Opening and maintaining bank accounts.
  2. Transfer of funds through bank accounts.
  3. Transfer of funds from individuals - individuals and legal entities without opening a bank account.
  4. Purchase and sale of foreign currency.
  5. Provision of consulting and information services, including through an e-mail address.

Medical organization

Medical organization "Health". Purpose of processing:

  • Organization of medical care.
  • Issuance of concessionary prescriptions.
  • Payment of bills in the CHI and VHI system.
  • Use for statistics and research work.
  • Informing via SMS notification about test results, ongoing promotions and the work schedule of specialists.

Conclusion

With, a client or a patient, not everything is as simple as it seems at first glance. Just like that, without consent and warning, they cannot be transferred to third parties or used for those purposes with which the subject does not agree. If a person is faced with the fact that his personal data has been leaked, he can always apply to Roskomnadzor or to the court.


1. The processing of personal data must be carried out in compliance with the principles and rules provided for by this Federal Law. The processing of personal data is allowed in the following cases:

1) the processing of personal data is carried out with the consent of the subject of personal data to the processing of his personal data;

2) the processing of personal data is necessary to achieve the goals stipulated by an international treaty of the Russian Federation or the law, to exercise and fulfill the functions, powers and obligations assigned to the operator by the legislation of the Russian Federation;

3) the processing of personal data is carried out in connection with the participation of a person in constitutional, civil, administrative, criminal proceedings, proceedings in arbitration courts;

3.1) the processing of personal data is necessary for the execution of a judicial act, an act of another body or official subject to execution in accordance with the legislation of the Russian Federation on enforcement proceedings (hereinafter referred to as the execution of a judicial act);

4) the processing of personal data is necessary for the exercise of the powers of federal executive bodies, bodies of state off-budget funds, executive bodies of state power of the constituent entities of the Russian Federation, local governments and the functions of organizations participating in the provision of state and municipal services, respectively, provided for by the Federal Law of July 27, 2010 N 210-FZ "On the organization of the provision of state and municipal services", including the registration of a personal data subject on a single portal of state and municipal services and (or) regional portals of state and municipal services;


5) the processing of personal data is necessary for the performance of an agreement to which the subject of personal data is a party or beneficiary or guarantor, as well as to conclude an agreement on the initiative of the subject of personal data or an agreement under which the subject of personal data will be the beneficiary or guarantor;


6) the processing of personal data is necessary to protect the life, health or other vital interests of the subject of personal data, if obtaining the consent of the subject of personal data is impossible;

7) the processing of personal data is necessary for the exercise of the rights and legitimate interests of the operator or third parties, including in cases provided for by the Federal Law "On the protection of the rights and legitimate interests of individuals in the implementation of activities to return overdue debts and on amendments to the Federal Law "On microfinance activities and microfinance organizations", or to achieve socially significant goals, provided that the rights and freedoms of the subject of personal data are not violated;


8) the processing of personal data is necessary for the professional activities of a journalist and (or) the legitimate activities of the media or scientific, literary or other creative activities, provided that the rights and legitimate interests of the subject of personal data are not violated;

9) the processing of personal data is carried out for statistical or other research purposes, with the exception of the purposes specified in Article 15 of this Federal Law, subject to the mandatory depersonalization of personal data;

10) processing of personal data is carried out, access of an unlimited number of persons to which is provided by the subject of personal data or at his request (hereinafter - personal data made public by the subject of personal data);

11) processing of personal data subject to publication or mandatory disclosure in accordance with federal law is carried out.

1.1. The processing of personal data of objects of state protection and members of their families is carried out taking into account the features provided for by the Federal Law of May 27, 1996 N 57-FZ "On State Protection".

2. Features of the processing of special categories of personal data, as well as biometric personal data, are established accordingly and this Federal Law.

3. The operator has the right to entrust the processing of personal data to another person with the consent of the subject of personal data, unless otherwise provided by federal law, on the basis of an agreement concluded with this person, including a state or municipal contract, or by adopting a relevant act by a state or municipal body (hereinafter - instructions of the operator). A person who processes personal data on behalf of the operator is obliged to comply with the principles and rules for the processing of personal data provided for by this Federal Law. The instruction of the operator must define a list of actions (operations) with personal data that will be performed by the person processing personal data and the purposes of processing, the obligation of such a person to maintain the confidentiality of personal data and ensure the security of personal data during their processing, as well as the requirements for the protection of processed personal data must be specified in accordance with Article 19 of this Federal Law.

4. The person processing personal data on behalf of the operator is not required to obtain the consent of the subject of personal data to the processing of his personal data.

5. If the operator entrusts the processing of personal data to another person, the operator shall be liable to the subject of personal data for the actions of the said person. The person who processes personal data on behalf of the operator is liable to the operator.

On July 1, 2017, Federal Law No. 13-FZ of February 7, 2017 came into force, which amends Art. 13.11 of the Code of Administrative Offenses and provides for the expansion of the list of grounds for bringing to administrative responsibility for illegal x and a significant increase in fines.

One of the mandatory documents that a personal data operator must prepare in order to comply with the requirements of the Federal Law of July 27, 2006 No. 152-FZ is called the Personal Data Processing Policy, which explains how the company works with the data of employees, customers and other individuals. This file is freely available on almost all sites that have any form of collecting personal data.

How to draw up a Personal Data Processing Policy correctly, which sections must be included? Roskomnadzor provides clarifications on these issues.

Structure of the Personal Data Processing Policy

  • General provisions
  • Purposes of collecting personal data
  • Legal grounds for the processing of personal data
  • Scope and categories of processed personal data, categories of personal data subjects
  • The procedure and conditions for the processing of personal data
  • Updating, correction, deletion and destruction of personal data, responses to requests from subjects for access to personal data

1. General provisions

In this section, you actually answer the question - what is the Personal Data Processing Policy for? It also explains the basic concepts that are used in the document, as well as the rights and obligations of the operator and the subject of personal data.

2. Purposes of collecting personal data

Art. 5 of the Federal Law of July 27, 2006 No. 152-FZ requires the definition of specific, legitimate purposes for collecting data. Therefore, personal data that does not correspond to these purposes may not be processed.

Roskomnadzor indicates that the purposes of processing personal data may arise, among other things:

  • from the analysis of legal acts regulating the activities of the operator;
  • from the purposes of the activities actually carried out by the operator;
  • from activities that are provided for by the constituent documents of the operator;
  • from specific business processes of the operator in specific information systems of personal data (according to the structural divisions of the operator and their procedures in relation to certain categories of personal data subjects).

3. Legal grounds for the processing of personal data

Federal Law No. 152-FZ of July 27, 2006 is not a legal basis for the processing of personal data. This role is performed by the legal acts in accordance with which the operator processes the data.

Thus, in the Data Processing Policy, as legal grounds, you can specify: federal laws and regulatory legal acts adopted on their basis that regulate relations related to the activities of the operator; statutory documents of the operator; contracts concluded between the operator and the subject of personal data; consent to the processing of personal data (in cases not expressly provided for by the legislation of the Russian Federation, but corresponding to the authority of the operator).

4. Scope and categories of processed personal data, categories of personal data subjects

It is important that the amount of personal data processed does not diverge from the stated purposes of processing.

The categories of personal data subjects may include: employees - both current and former, candidates for vacancies, relatives of employees, customers and counterparties (individuals), representatives or employees of clients and counterparties.

Roskomnadzor draws attention to the fact that for each category of subjects and in relation to specific purposes, all processed personal data should be indicated. Separately, all cases of processing special categories of personal data and biometric personal data (if applicable) are described.

5. Procedure and conditions for processing personal data

What is included in this section:

  • list of actions performed with personal data;
  • ways of processing personal data;
  • terms of personal data processing.

If, as part of achieving the goals of processing personal data, the operator interacts with third parties, then he needs to:

  • explain the conditions for the transfer of personal data to third parties (including cross-border data transfer);
  • indicate the name and location of third parties;
  • indicate the purposes of data transfer and their scope;
  • list the processing actions, methods and other conditions of processing, including the requirements for the protection of processed personal data.

The operator has the right to transfer personal data to the bodies of inquiry and investigation, as well as other authorized bodies on the grounds provided for by law.

The Personal Data Processing Policy should include information on compliance with the requirements for the confidentiality of personal data (they are named in Article 7 of the Federal Law of July 27, 2006 No. 152-FZ) and information on taking measures (Part 2 of Article 18.1, Part 1 of Art. 19).

In addition, the operator must specify the condition for terminating the processing of personal data. This may be the achievement of the purposes of processing, the expiration of the consent to processing, the withdrawal of the consent of the subject of personal data to processing, the identification of illegal data processing.

Special attention should be paid to the storage of personal data. First, the storage periods must be stated. Second, databases located on the territory of the Russian Federation are used. Third, account is taken of the fact that storage must be carried out in a form that allows the identification of the subject of personal data for no longer than the purposes of processing require. Fourth, it is necessary to mention other storage conditions, including when processing data without using automation tools.

6. Update, correction, deletion and destruction of personal data, responses to requests from subjects for access to personal data

According to Art. 21 of Law No. 152-FZ, personal data must be updated by the operator if the fact of inaccuracy of personal data is confirmed. The same applies to the confirmation of the fact of illegal processing.

Personal data is subject to destruction when the purposes of their processing are achieved and in the event that the subject of personal data withdraws consent to their processing, unless: otherwise provided by the agreement to which the subject of personal data is a party, beneficiary or guarantor; otherwise is not provided by another agreement between the operator and the subject of personal data. The operator is not entitled to process without the consent of the subject of personal data on the grounds provided for by Federal Law No. 152-FZ of July 27, 2006 or other federal laws.

Based on Art. 20, the operator is obliged to inform the subject of personal data about the processing of personal data carried out by him upon request.

Roskomnadzor recommends that the Personal Data Processing Policy include procedures for responding to requests and appeals from personal data subjects, their representatives, authorized bodies regarding data inaccuracy, illegal processing, withdrawal of consent and access to their data. It will not be superfluous to add the appropriate forms of requests and appeals to the Policy.

Placement of the Personal Data Processing Policy in the office and on the website

Any person whose data is processed by the company has the right to get acquainted with the Personal Data Processing Policy. Therefore, it must be placed in a public place. For example, use an information stand for this.

If the company collects personal data via the Internet, then it is obliged to place the Policy on the website. The site visitor can view it by clicking on the link.


The company cannot do without obtaining personal information from employees, customers and contractors. We need names, addresses, other information. However, the company has the right to process personal data only for specific purposes. Any other use of the data is a violation that will result in administrative action.

The purposes for which information is requested must comply with the law and the needs of the company

In the course of doing business, a company deals with information that needs to be protected. Confidential information includes information about technologies, projects, developments, the specifics of transactions, etc. The law also obliges companies to protect information about people who work for the company, are its clients or represent contractors. The Law “On Personal Data” is in force in pursuance of the constitutional principle of protecting privacy (Article 2 of Law No. 152). The requirements of the law apply to any organizations that receive data from their subjects (Article 1 of Law No. 152).

A company that starts processing personal data has the right to request them only for certain purposes (Part 2, Article 5 of Law No. 152). In addition, the amount of data depends on the goals. You cannot request information that the company does not need (parts 4 and 5 of article 5 of law No. 152). For example, an online store does not have the right to demand passport data from the buyer or ask for a postal address if the client collects the goods in person.

The company itself determines the purposes of processing personal data of customers and employees

Why exactly the information is required is determined by the company (clause 2, article 3 of law No. 152). As a rule, the organization requests personal data of customers, counterparties and employees for the following purposes:

  1. Conclusion of contracts. These can be contracts with consumers of the company's services or goods, with other types of customers, with business partners, labor agreements, etc. For any contract that the company is going to sign, personal data will be required: that of an employee who acts in its interests, of a counterparty's representative or of the counterparty itself, if it is a private person. The data is also needed so that the company can fulfill its obligations.
  2. Systematization of information about personnel, personnel records and office work. Employee data is necessary not only for the conclusion of employment contracts, but also for all other operations within the framework of an employment relationship.
  3. Compliance with the requirements of the law on the deduction of taxes to the budget, insurance premiums, etc. The company withholds personal income tax, contributions from employees and transfers these amounts to the state, the Pension Fund of the Russian Federation and other organizations (Article 22 of Law No. 152, Article 86 of the Labor Code of the Russian Federation).
  4. Formation of statistics. For this, the data must be depersonalized (clause 9, part 1, article 6 of law No. 152).


The company is obliged to notify the subject of personal data about the purposes of processing

The company is obliged to notify the employee or client of the purpose for which it requests his personal data for processing (clause 4, part 4, article 9 of law No. 152). This is done as part of obtaining consent to provide information. The list of goals should:

  • be comprehensive and specific;
  • comply with the provisions of the charter, as well as local acts of the organization;
  • correspond to what goals the company actually pursues.

For example, the bank requests information from the client. The purpose of the processing is to maintain his account, including:

  • account opening,
  • account management,
  • operations for transferring funds from and to the account,
  • client consultation.

Another example of informing is the list of the purposes of processing employees' personal data in the company's policy. The organization confirms that the information is used:

  • when working with resumes of applicants;
  • to fulfill the company's obligations under an employment agreement;
  • to comply with labor, tax and pension laws;
  • to organize training of employees, improve their professional level;
  • when calculating salaries;
  • to control the quality of work of employees;
  • when providing various guarantees and benefits, etc.

Consent to processing must be obtained from the data subject in almost all cases. If the purpose of the collection is to promote the company on the market or political campaigning, the operator must prove that the person has given consent (Part 1, Article 15 of Law No. 152). Otherwise, it is considered that it was not requested.

In addition to the agreement with the employee or client, the purpose of obtaining data must be reflected in a special document - the company's policy on working with such data. It must be a public document. As a rule, it is published on the organization's website in a special section.
