The purpose of processing personal data is why it is needed. Organization of work with personal data. Why collect information about the subject and consent to its analysis

31.01.2024

Work with personal information must be carried out in strict accordance with the law. In particular, one of the fundamental principles of processing personal information is strict adherence to the purposes of use stated in the permission from the owner and the scope specified therein.

The concept of personal data and principles of their processing

One of the provisions establishes a requirement according to which all personal information about citizens of the Russian Federation must be located on servers located in the country. It is not allowed to supplement your information based on that taken from sites located outside Russian borders.

In a situation where a person considers any messages about him to be untrue, he can contact the operator (in accordance with Article 14 of Law 152-FZ) with a request to delete or adjust them accordingly.

In case of refusal, such a person has the right to go to court.

Consent to the processing of personal data

Such a document must contain the following sections:

  1. The document indicates who expresses consent and their passport details.
  2. The name of the operator to whom permission is given is stated.
  3. The purposes of processing for which consent is given are stated.
  4. The list of data for the processing of which permission is given is specifically listed.
  5. All operations with them in question are listed.
  6. Period of validity of the permit.
  7. A signature, its decoding (the signer's printed name) and the date are added.

A permit drawn up according to the sample gives permission only for what is specifically stated in it.

The use of the information in question is necessary for:

  1. Maintaining documents in the HR department.
  2. Concluding contracts and performing other legal actions.
  3. In connection with compliance with tax legislation requirements.
  4. Other purposes of a similar kind.

It should be noted that:

  • in each such case, obtaining information is determined by regulations;
  • it is carried out in a certain composition, volume, for a specific period and only to fulfill the stated goals.

Examples of targeted use of personal information

In various spheres of the economy and public life, the personal data of citizens is vital.

In a medical institution, it is important to know details about a person's health throughout his life. In this case, the owner of personal information is the patient. The operator who uses it is a clinic or other medical institution. It is required to obtain permission from Roskomnadzor for processing. If a clinic transfers data, for example, to a specialized hospital, it must obtain the written consent of the citizen.

For a bank, it is vital when granting a loan to make a reasonable estimate of whether the applicant will be able to repay the money borrowed or lacks suitable financial resources. This will require details about income, employment, family composition and some others. The owner of the information is the client. The bank is the operator that carries out the processing. The client has the right to revoke permission to use information about him. The goals of working with information are to ensure compliance with the requirements of banking legislation of the Russian Federation.

It is impossible to do without providing this or similar information. But it is important that its use does not violate the requirements of current regulations.

Rules and principles for working with information


It can be understood that a random person cannot obtain source texts directly from anonymized information. However, this organization itself will be able to restore it later.

Violations related to misuse of personal data

Starting from July 1, 2017, changes were made to the Code of Administrative Offenses, which define liability for violation of Law No. 152-FZ. If the established rules are violated, the law provides appropriate punishments.

If information is collected in cases where there is no legal basis, or processing is carried out for illegal purposes, a fine is imposed. For individuals, the amount will be from 1 to 3 thousand rubles, officials will pay from 5 to 10 thousand rubles, enterprises from 30 to 50 thousand rubles.

If information was disclosed, the fine is assessed for each individual case. It can range from 500 to 1000 rubles for the employee through whose fault the violation occurred. If an organization is responsible for what happened, the amount increases: it can then range from 5 to 10 thousand rubles.

The regulatory act in question states that compliance with the provisions of Law 152-FZ is to be monitored by Roskomnadzor. Before processing begins, the operator must send a notification there under Article 22 of the Personal Data Protection Law. Roskomnadzor, in particular, carries out appropriate checks and, if violations are detected, issues orders regarding deficiencies that need to be eliminated. If the order is not executed, a fine is imposed on the perpetrator, which can amount to 20 thousand rubles.

In accordance with Part 2 of Art. 85 of the Labor Code of the Russian Federation, the processing of employee personal data is the receipt, storage, combination, transfer or any other use of the employee’s personal data.

The processing of an employee’s personal data can be carried out solely for the purpose of ensuring compliance with laws and other regulations, assisting the employee in employment, training and promotion, ensuring the capital’s security, as well as monitoring the quantity and quality of the work he performs and ensuring the safety of property (clause 1 Article 86 of the Labor Code of the Russian Federation).

According to paragraph 3 of Art. 3 of the Federal Law “On Personal Data”, the processing of personal data is actions (operations) with personal data, including collection, systematization, accumulation, storage, clarification (updating, changing), use, distribution (including transfer), depersonalization, blocking, destruction of personal data. It should be borne in mind that regardless of the number of functional operations listed in the legislation, legal regulation must cover all stages of the processing of personal data - from receipt to destruction, without any exceptions or exemptions.

The principles for processing personal data include the following:

  • legality of the purposes and methods of processing and fairness;
  • compliance of the purposes of processing with the goals predetermined and stated when collecting personal data, as well as with the powers of the operator;
  • compliance of the volume and nature of the data processed, methods of processing with the purposes of their processing;
  • the reliability of personal data, their sufficiency for the purposes of processing, the inadmissibility of processing personal data that is not related to the purposes stated when collecting data;
  • the inadmissibility of combining databases of personal data information systems created for incompatible purposes.

The processing of an employee’s personal data begins with its receipt. As a general rule, all personal data should be obtained from the employee himself. In exceptional cases, when the employee’s personal data can only be obtained from a third party, the employee must be notified of this in advance and written consent must be obtained from him. The employer is obliged to inform the employee about the purposes, intended sources and methods of obtaining personal data, as well as the nature of the personal data to be received and the consequences of the employee’s refusal to give written consent to receive it (Clause 3 of Article 86 of the Labor Code of the Russian Federation). However, the employer does not have the right to receive and process the employee’s personal data about his political, religious and other beliefs and private life (Clause 4 of Article 86 of the Labor Code of the Russian Federation). Also, the employer cannot request information about the employee’s health status if this does not relate to the issue of the employee’s ability to perform a labor function (Article 88 of the Labor Code of the Russian Federation).

The Labor Code of the Russian Federation imposes certain requirements on the organization and technology of processing personal data by the employer. The obligation to familiarize employees and their representatives, against signature, with the employer’s documents establishing the procedure for processing employees’ personal data, as well as their rights and responsibilities in this area, presupposes the need to develop and adopt an appropriate local regulatory legal act. Such an act, depending on the specifics of the activity and the discretion of the employer, can be called a regulation or instruction and, as a rule, includes the following sections:

  • basic concepts and provisions;
  • processing of employee personal data;
  • generation of employee personal data;
  • recording, storage and transfer of employee personal data;
  • rights and obligations of the employee in the field of processing and protection of his personal data.

Such a local regulatory legal act determines the confidentiality regime (limited access) of an employee’s personal data at a particular employer. The employer's employees who receive the employee's personal data are required to comply with this regime, which must be indicated not only in their job descriptions, but also in the employment contracts concluded with them. The regulation (instruction) on the protection of personal data is the main document reflecting the specifics of the processing and transfer of an employee’s personal data within a specific organization, for a specific individual entrepreneur. If there is an automated component within this activity, the employer does not have the right to make decisions regarding the employee based on personal data obtained solely as a result of their automated processing or electronic receipt (clause 6 of Article 86 of the Labor Code of the Russian Federation). An employer may not be limited to adopting a provision on the protection of personal data of employees in its organization. However, the presence of this local act is mandatory, and its absence is considered by the state labor inspectorate as a serious violation of labor legislation.

For this and other violations of the rules governing receipt, processing and the employee, the employer can bring the perpetrators to material and disciplinary liability, and the relevant government bodies to civil, administrative and criminal liability.

1. The processing of personal data must be carried out in compliance with the principles and rules provided for by this Federal Law. Processing of personal data is permitted in the following cases:

1) the processing of personal data is carried out with the consent of the subject of personal data to the processing of his personal data;

2) the processing of personal data is necessary to achieve the goals provided for by an international treaty of the Russian Federation or law, to implement and fulfill the functions, powers and responsibilities assigned by the legislation of the Russian Federation to the operator;

3) the processing of personal data is carried out in connection with the participation of a person in constitutional, civil, administrative, criminal proceedings, proceedings in arbitration courts;

3.1) processing of personal data is necessary for the execution of a judicial act, an act of another body or official, subject to execution in accordance with the legislation of the Russian Federation on enforcement proceedings (hereinafter referred to as the execution of a judicial act);

4) the processing of personal data is necessary for the execution of the powers of federal executive authorities, bodies of state extra-budgetary funds, executive authorities of state authorities of the constituent entities of the Russian Federation, local government bodies and the functions of organizations involved in the provision of state and municipal services, respectively, provided for by the Federal Law of July 27, 2010 N 210-FZ "On the organization of the provision of state and municipal services", including registration of the subject of personal data on a single portal of state and municipal services and (or) regional portals of state and municipal services;

5) processing of personal data is necessary for the execution of an agreement to which the subject of personal data is a party or beneficiary or guarantor, as well as for concluding an agreement on the initiative of the subject of personal data or an agreement under which the subject of personal data will be a beneficiary or guarantor;

6) the processing of personal data is necessary to protect the life, health or other vital interests of the subject of personal data, if obtaining the consent of the subject of personal data is impossible;

7) the processing of personal data is necessary to exercise the rights and legitimate interests of the operator or third parties, including in cases provided for by the Federal Law "On the protection of the rights and legitimate interests of individuals when carrying out activities to repay overdue debts and on amendments to the Federal Law 'On microfinance activities and microfinance organizations'", or to achieve socially significant goals, provided that the rights and freedoms of the subject of personal data are not violated;

8) the processing of personal data is necessary for the professional activities of a journalist and (or) the legal activities of a mass media outlet or scientific, literary or other creative activities, provided that the rights and legitimate interests of the subject of personal data are not violated;

9) the processing of personal data is carried out for statistical or other research purposes, with the exception of the purposes specified in Article 15 of this Federal Law, subject to the mandatory anonymization of personal data;

10) processing is carried out of personal data to which access is provided to an unlimited number of persons by the subject of personal data or at his request (hereinafter referred to as personal data made publicly available by the subject of personal data);

11) processing of personal data subject to publication or mandatory disclosure in accordance with federal law is carried out.

1.1. Processing of personal data of objects of state protection and members of their families is carried out taking into account the features provided for by Federal Law of May 27, 1996 N 57-FZ “On State Protection”.

2. Features of the processing of special categories of personal data, as well as biometric personal data, are established in accordance with this Federal Law.

3. The operator has the right to entrust the processing of personal data to another person with the consent of the subject of personal data, unless otherwise provided by federal law, on the basis of an agreement concluded with this person, including a state or municipal contract, or by adoption of a relevant act by a state or municipal body (hereinafter - operator's instructions). The person processing personal data on behalf of the operator is obliged to comply with the principles and rules for processing personal data provided for by this Federal Law. The operator’s instructions must define a list of actions (operations) with personal data that will be performed by the person processing personal data and the purposes of processing, the obligation of such a person must be established to maintain the confidentiality of personal data and ensure the security of personal data during their processing, as well as the requirements for the protection of processed personal data must be specified in accordance with Article 19 of this Federal Law.

4. A person processing personal data on behalf of an operator is not required to obtain the consent of the subject of personal data to process his personal data.

5. If the operator entrusts the processing of personal data to another person, the operator is responsible to the subject of personal data for the actions of the specified person. The person processing personal data on behalf of the operator is responsible to the operator.

Carried out on the basis of compliance with laws and other regulations.

What is the processing of personal data? This process includes the following steps:

Legal regulation of working with personal data covers all processes and stages of working with them.

Target

Why is the processing of personal data necessary? The processing of an employee’s personal data is carried out at the enterprise or organization in order to facilitate it.

The main purposes of processing personal data:

  • in getting a job;
  • in placement in an educational institution or for training, for advanced training;
  • for the purpose of labor protection;
  • for promotion and control over career opportunities;
  • to monitor the quantity and quality of work performed.

The legislation provides for the accumulation and transmission of an employee’s personal data solely for the purpose of his development and the appropriate use of his abilities and experience. , include multifunctional goals.

The purposes of processing personal data of employees include the use and processing of personal data through their synthesis and interrelation, which determine the relevance of the employee’s capabilities in the conditions of organizing the production process.

The set and stated goals for the processing of personal data cannot be changed without notifying the employee.

Carried out by whom?

Personal data means information that contains basic information about a person of interest to a certain circle of representatives of government and other services.

In particular, in production (in an organization), personal data is of interest to the employer, who manages the organization of work in production based on information about its employees.

The employer has the right to request any personal data available in the employee’s records. In addition to him, a limited circle of persons who carry out operational work has access to personal data. As a rule, these are the secretariat and personnel department employees.

The operator carrying out information activities with personal data undergoes instructions before starting the designated work. He gets acquainted with the operating rules and principles prohibiting the disclosure of information contained in personal data.

The implementation of the listed types of work can pursue exclusively the purposes that were the reason for collecting information. Misuse of personal data or their disclosure is considered a gross violation for which liability is imposed.

Violations

As discussed earlier, violations in the processing of personal data are considered:


The operator’s work with personal data is subject to strict control by authorized services, and the operator is held liable for shortcomings, unintentional or deliberate violations.

All unauthorized actions during the processing of personal data may result in punishment: disciplinary, administrative, and in some cases criminal.



© imht.ru, 2024