Regulations on the work with personal data. Regulations on the protection of personal data of employees. Regulations on working with personal data of employees

04.11.2020

I APPROVE ____________________________________ (name of the position of the head of the enterprise)

____________________________________ (full name, signature)

"____"___________________ _____ G.

REGULATION

on the processing and protection of personal data of employees

1. GENERAL PROVISIONS

1.1. This Regulation establishes the procedure for obtaining, recording, processing, accumulating and storing documents containing information related to the personal data of employees of the enterprise. Employees are persons who have entered into an employment contract with the enterprise.

1.2. The purpose of this Regulation is to protect the personal data of employees of the enterprise from unauthorized access and disclosure. Personal data is always confidential, strictly protected information.

1.3. The basis for the development of this Regulation is the Constitution of the Russian Federation, the Labor Code of the Russian Federation, and other current regulatory legal acts of the Russian Federation.

1.4. This Regulation and amendments to it are approved by the head of the enterprise and put into effect by an order of the enterprise. All employees of the enterprise must be familiarized with this Regulation and amendments to it against signature.

2. CONCEPT AND COMPOSITION OF PERSONAL DATA

2.1. The personal data of employees is understood as information that the employer needs in connection with labor relations and that relates to a specific employee, as well as information about the facts, events and circumstances of the employee's life that makes it possible to identify him.

2.2. The composition of the employee's personal data:

Autobiography;

Education;

Information about labor and general experience;

Information about the previous place of work;

Information about the composition of the family;

Passport data;

Information about military registration;

Information about the employee's wages;

Information about social benefits;

Speciality;

Position held;

The amount of wages;

Having a criminal record;

Residence address;

Home phone;

Originals and copies of orders on personnel;

Personal files and work books of employees;

Grounds for orders on personnel;

Copies of reports sent to the statistical authorities;

Copies of education documents;

The results of a medical examination for fitness for work;

Photos and other information related to the personal data of the employee.

2.3. These documents are confidential. The confidentiality regime of personal data is lifted when the data is depersonalized or upon expiry of the ____-year storage period, unless otherwise provided by law.

3. OBLIGATIONS OF THE EMPLOYER

3.1. In order to ensure the rights and freedoms of man and citizen, the employer and his representatives, when processing the personal data of the employee, must comply with the following general requirements:

3.1.1. The processing of personal data of an employee may be carried out solely for the purpose of ensuring compliance with laws and other regulatory legal acts, assisting employees in employment, training and promotion, ensuring the personal safety of employees, controlling the quantity and quality of work performed and ensuring the safety of property.

3.1.2. When determining the scope and content of the processed personal data of an employee, the employer must be guided by the Constitution of the Russian Federation, the Labor Code of the Russian Federation and other federal laws.

3.1.3. All personal data of the employee should be obtained from him. If the employee's personal data can only be obtained from a third party, then the employee must be notified of this in advance and written consent must be obtained from him. The employer must inform the employee about the purposes, intended sources and methods of obtaining personal data, as well as the nature of the personal data to be obtained and the consequences of the employee's refusal to give written consent to receive them.

3.1.4. The employer does not have the right to receive and process the personal data of the employee about his political, religious and other beliefs and private life. In cases directly related to issues of labor relations, in accordance with Art. 24 of the Constitution of the Russian Federation, an employer has the right to receive and process data on the private life of an employee only with his written consent.

3.1.5. The employer does not have the right to receive and process the employee's personal data on his membership in public associations or his trade union activities, except as otherwise provided by federal law.

3.1.6. When making decisions affecting the interests of the employee, the employer does not have the right to rely on the employee's personal data obtained solely as a result of their automated processing or electronic receipt.

3.1.7. The protection of the employee's personal data from their unlawful use or loss must be ensured by the employer at his expense in the manner prescribed by federal law.

3.1.8. Employees and their representatives must be familiarized against signature with the documents of the enterprise that establish the procedure for processing personal data of employees, as well as their rights and obligations in this area.

3.1.9. Employees must not waive their rights to maintain and protect secrecy.

4. EMPLOYEE RESPONSIBILITIES

The employee is obliged:

4.1. Transfer to the employer or his representative a set of reliable documented personal data, the list of which is established by the Labor Code of the Russian Federation.

4.2. In a timely manner, within a reasonable time, not exceeding 5 days, inform the employer about changes in their personal data.

5. RIGHTS OF THE EMPLOYEE

The employee has the right:

5.1. For full information about their personal data and the processing of this data.

5.2. To have free access to their personal data, including the right to receive copies of any record containing the employee's personal data, except as otherwise provided by the legislation of the Russian Federation.

5.3. To access medical data with the help of a healthcare professional of his choice.

5.4. Demand the exclusion or correction of incorrect or incomplete personal data, as well as data processed in violation of the requirements defined by labor legislation. If the employer refuses to exclude or correct the personal data of the employee, he has the right to declare in writing to the employer his disagreement with the appropriate justification for such disagreement. The employee has the right to supplement personal data of an evaluative nature with a statement expressing his own point of view.

5.5. Require the employer to notify all persons who were previously provided with incorrect or incomplete personal data of the employee about all exceptions, corrections or additions made to them.

5.6. Appeal in court any illegal actions or inaction of the employer in the processing and protection of his personal data.

5.7. Designate his representatives to protect his personal data.

6. COLLECTION, PROCESSING AND STORAGE OF PERSONAL DATA

6.1. The processing of personal data of an employee is the receipt, storage, combination, transfer or any other use of personal data of an employee.

6.2. All personal data of the employee should be obtained from him. If the employee's personal data can only be obtained from a third party, then the employee must be notified of this in advance and written consent must be obtained from him.

6.3. The employer must inform the employee about the purposes, intended sources and methods of obtaining personal data, as well as the nature of the personal data to be obtained and the consequences of the employee's refusal to give written consent to receive them.

6.4. The employee provides the employer with reliable information about himself. The employer checks the accuracy of the information by comparing the data provided by the employee with the documents available to the employee. The provision by an employee of false documents or false information when applying for a job is the basis for terminating the employment contract.

6.5. When applying for a job, an employee fills out a questionnaire and an autobiography.

6.5.1. The questionnaire is a list of questions about the employee's personal data.

6.5.2. The questionnaire is filled out by the employee himself. When filling out the questionnaire, the employee must fill in all its columns and give full answers to all questions in strict accordance with the entries contained in his personal documents, without corrections, strikethroughs, dashes or blots.

6.5.3. Autobiography - a document containing a description in chronological order of the main stages of the life and activities of the hired employee.

6.5.4. The autobiography is compiled in any form, without blots and corrections.

6.5.5. The questionnaire and autobiography of the employee must be kept in the personal file of the employee. The personal file also stores other personal records related to the personal data of the employee.

6.5.6. The personal file of the employee is drawn up after the issuance of an order for employment.

6.5.7. All documents of the personal file are filed in a cover of the form established at the enterprise. The cover indicates the surname, first name and patronymic of the employee and the number of the personal file.

6.5.8. Each file is accompanied by two ______ size color photographs of the worker.

6.5.9. All documents received in the personal file are arranged in chronological order. Sheets of documents filed in a personal file are numbered.

6.5.10. A personal file is maintained throughout the entire working life of an employee. Changes made to the personal file must be confirmed by relevant documents.

7. TRANSFER OF PERSONAL DATA

7.1. When transferring personal data of an employee, the employer must comply with the following requirements:

Do not disclose the personal data of the employee to a third party without the written consent of the employee, except when it is necessary to prevent a threat to the life and health of the employee, as well as in cases established by federal law;

Do not disclose personal data of an employee for commercial purposes without his written consent;

Warn persons receiving employee personal data that the data may only be used for the purposes for which it is disclosed, and require these persons to confirm that this rule has been observed. Persons receiving personal data of an employee are required to maintain confidentiality. This provision does not apply to the exchange of personal data of employees in the manner prescribed by federal laws;

Allow access to the personal data of employees only to specially authorized persons, while these persons should have the right to receive only those personal data of the employee that are necessary to perform specific functions;

Do not request information about the health status of the employee, with the exception of information that relates to the issue of the employee's ability to perform a labor function;

Transfer personal data of an employee to employee representatives in the manner prescribed by the Labor Code of the Russian Federation, and limit this information only to those personal data of an employee that are necessary for the specified representatives to perform their functions.

8. ACCESS TO EMPLOYEE'S PERSONAL DATA

8.1. Internal access (access within the enterprise).

The following persons have the right to access personal data of an employee:

Head of the enterprise;

Head of the Human Resources Department;

Heads of structural divisions, by area of activity (access to the personal data only of employees of their own division), in agreement with the head of the enterprise;

When transferring from one structural unit to another, the head of the new unit may have access to the employee's personal data in agreement with the head of the enterprise;

Accounting staff - to the data that is necessary to perform specific functions;

The employee himself, as the subject of the data.

8.2. External access.

Personal data outside the organization may be submitted to state and non-state functional structures:

Tax inspections;

Law enforcement agencies;

Statistical bodies;

Insurance agencies;

Military registration and enlistment offices;

Social insurance bodies;

Pension funds;

Subdivisions of municipal governments.

8.3. Other organizations.

Information about an employee (including a dismissed employee) can be provided to another organization only upon a written request on the organization's letterhead with a copy of the employee's application attached.

8.4. Relatives and family members.

Personal data of an employee may be provided to relatives or members of his family only with the written permission of the employee himself.

9. PROTECTION OF PERSONAL DATA OF EMPLOYEES

9.1. In order to ensure the safety and confidentiality of personal data of employees of the organization, all operations for the design, formation, maintenance and storage of this information should be performed only by employees of the personnel department who carry out this work in accordance with their official duties set out in their job descriptions.

9.2. Answers to written requests from other organizations and institutions, within their competence and the powers granted to them, are given in writing on the letterhead of the enterprise and only to an extent that does not disclose an excessive amount of personal information about employees of the enterprise.

9.3. Transfer of information containing personal data of employees of the organization by telephone, fax or e-mail without the written consent of the employee is prohibited.

9.4. Personal files and documents containing personal data of employees are stored in lockers (safes) that provide protection against unauthorized access.

9.5. Personal computers that contain personal data must be protected by access passwords.

10. RESPONSIBILITY FOR DISCLOSURE OF INFORMATION RELATED TO THE PERSONAL DATA OF THE EMPLOYEE

10.1. Persons guilty of violating the rules governing the receipt, processing and protection of personal data of an employee shall bear disciplinary, administrative, civil or criminal liability in accordance with federal laws.

Head of Human Resources: ______________

Personal data is “any information relating to an identified or identifiable natural person”. Almost all information handled by the employer falls under this concept: the date of birth of the employee, marital status, education, home address, etc. This data is stored in personal cards and is actively used in employment contracts and contracts, orders, payslips, payrolls, statements and many other documents.

An employer can receive personal data only first-hand, that is, from the person himself. If it is not possible to collect the information in person, it can be obtained through third parties, but only with the consent of the employee himself. In that case, the employer should explain for what purpose the information is collected, how it will be used and what will happen if the employee refuses to consent to the collection and processing of information about himself.

Legislation limits the list of situations when an employer can collect data. Among the main ones are:

  • preservation of life and health of subordinates;
  • assistance in employment and education;
  • promoting career growth;
  • control over the performance by the employee of his labor functions;
  • protection of material values;
  • enforcement of laws.

Responsibility for violations in the work with personal data

From July 1, 2017, liability for errors in this area will seriously increase. The list of violations for which the employer can be held liable has been significantly expanded, and the amounts of the fines have been increased. These changes are contained in the Federal Law “On Amendments to the Code of the Russian Federation on Administrative Offences”. Instead of the one type of administrative liability that was provided for by Art. 13.11, there are now seven types in the Code of Administrative Offenses of the Russian Federation, and each has its own fines:

  1. Use of personal data for purposes not provided for by law. Administrative punishment - a warning or a fine: for individuals - from 1,000 to 3,000 rubles, for officials - from 5,000 to 10,000 rubles, for legal entities - from 30,000 to 50,000 rubles.
  2. Processing personal data without the consent of the employee. This also includes cases where the consent signed by the employee does not contain the list of information provided for in Part 4 of Art. 9 of the law. Administrative punishment - fines: for individuals - from 3,000 to 5,000 rubles, for officials - from 10,000 to 20,000 rubles, for legal entities - from 15,000 to 75,000 rubles.
  3. Violation of the regime of access to the policy of the organization for the processing of personal data. The employer is obliged to publish in public sources a document that outlines its policy in the field of protecting the personal information of workers. This is provided for in paragraph 2 of Art. 18.1 of Law No. 152-FZ of July 27, 2006, and from July 1 it will be a separate offense that entails liability in the form of a warning or fines: for individuals - from 700 to 1,500 rubles, for officials - from 3,000 to 6,000 rubles, for individual entrepreneurs - from 5,000 to 10,000 rubles, and for legal entities - from 15,000 to 30,000 rubles.
  4. Hiding information from the employee about the purposes, terms and methods of collecting, storing and processing information, about third parties who will work with personal information on behalf of the employer, etc. In such cases, the employer receives a warning or pays a fine: individuals - from 1,000 to 2,000 rubles, officials - from 4,000 to 6,000 rubles, individual entrepreneurs - from 10,000 to 15,000 rubles, legal entities - from 20,000 to 40,000 rubles.
  5. The refusal of the employer to block or destroy personal data in accordance with Art. 21. Administrative responsibility - a warning or a fine: for individuals - from 1,000 to 2,000 rubles, for officials - from 4,000 to 10,000 rubles, for individual entrepreneurs - from 10,000 to 20,000 rubles, for legal entities - from 25,000 to 45,000 rubles.
  6. Lack of automation tools for storing personal data, storing information only in paper form. If such an employer allowed the destruction, leakage, unauthorized copying and/or distribution of the employee's personal data, a fine is imposed on him: for individuals - from 700 to 2,000 rubles, for officials - from 4,000 to 10,000 rubles, for individual entrepreneurs - from 10,000 to 20,000 rubles, for legal entities - from 25,000 to 50,000 rubles.
  7. Non-observance or violation of the procedure for depersonalization of data by employees of state and municipal authorities (Order of Roskomnadzor "On approval of requirements and methods for the depersonalization of personal data"). In this case the official faces administrative responsibility in the form of a warning or a fine of 3,000 to 6,000 rubles.

Legislation allows fines for different violations to be added together, so mistakes or a careless attitude to information about employees can be very costly for the employer. In addition, from July 1, 2017, administrative cases regarding the handling of personal data may be initiated without the participation of a prosecutor: Roskomnadzor officials will be able to initiate them (clause 58, part 2, article of the Code of Administrative Offenses of the Russian Federation).

A properly drawn up Regulation on personal data, which should consolidate the norms of the law and specify them for the organization, will help in complying with the requirements of the law.

How to draw up a Regulation on personal data

The law does not stipulate the name, structure or mandatory content of the document; the employer has the right to determine what the Regulation will look like. When developing the document, the head of the organization and HR specialists must rely on the above Federal Law, as well as on Art. Labor Code of the Russian Federation.

The Regulation on personal data should reflect:

  1. General provisions: goals and objectives of the organization in the field of personal data protection, the range of issues that are regulated by the Regulations.
  2. Composition of personal data: information that the employer uses in the framework of labor relations with the employee, a list of documents that contain such data.
  3. The procedure for collecting and processing information, including methods and places of storage, measures to protect against unauthorized distribution. Among other things, the requirement to obtain information only from the person himself or, with his written consent, from third parties is prescribed here. The consent form can be issued as an annex to the Regulations.
  4. The procedure for the transfer of personal data both within the organization and to third parties and government agencies. This should reflect the legislative norm to transfer personal information about the employee to third parties only with his written consent. An exception is if it is necessary to protect the life and health of the employee.
  5. List of employees with access to personal data. Most often, these are HR specialists, accountants, heads of structural divisions, etc.
  6. Responsibility for the disclosure of personal data of employees. In the section, it is worth indicating the positions of those who are responsible for violating the rules for storing, processing and transferring personal data, as well as the types of liability provided for by law (we will talk about changes in this area in more detail below).

The regulation on the protection of the employee's personal data and the consent template are approved by the head of the organization. A stamp with a signature, date of approval and protocol number is placed on the title page of the document. To put the Regulation into effect, the head issues a separate order.

All employees must be familiarized with the Regulation on personal data against signature. To do this, organizations often start a separate journal with a list of employees working in the company.

Consent to the processing of personal data

This is a document in which the person being hired allows the future employer to receive the necessary information and use it within the framework of the current legislation.

The employer has no right to collect and use the personal information of employees without their written consent. An exception is data from medical institutions regarding contraindications to a certain type of activity.

Consent must include the following information (part 4 of article 9):

  • Full name, address of the employee, details of the passport (or other identification document);
  • Full name, address of the representative of the employee, details of his passport (or other identity document), details of the power of attorney;
  • name or full name and address of the employer receiving the consent of the personal data subject;
  • a list of personal data for the processing of which consent is given;
  • purpose of personal data processing;
  • a list of actions with personal data to which consent is given, a general description of the methods of processing this information;
  • the period during which the consent of the employee is valid, as well as the method of its withdrawal, unless otherwise provided by federal law.

The document is signed by the employee after reading the Regulations. The same consent must be issued if a person allows third parties to provide information about themselves.

An employer does not have the right to force a potential employee to provide any information about himself. If the applicant refuses to sign the Consent, the organization may reconsider the admission of such a person to the staff. Any of the working employees of the organization can also withdraw their consent (part 2 of article 9).

After the employer has received the employee's consent to the processing of personal information, he can entrust this to a third party, but the responsibility for the safety of the information still lies with the employer.

Truly large-scale changes have affected the sphere of personal data protection, and the employer should be doubly careful both when drawing up the Regulation and when working with personal information about employees. Remember, the more detailed and specific the Regulation on Personal Data is, the more clearly the work in this area of personnel records will be organized in the organization.

In the course of its activities, an enterprise or individual entrepreneur that acts as an employer, or works with contractors who are individuals, has to deal with their personal data, which is subject to protection in accordance with the law. All work with this information should be regulated; for this purpose, the enterprise creates a regulation on the personal data of employees.

Personal data is the information about employees that the company has to deal with every day, from the moment an employment contract is concluded with them until their dismissal.

Responsible persons at the enterprise not only collect and store them, but also periodically process and disclose them to third parties. Often this is required by the ongoing activity, for example, the payment of salaries to card accounts in a bank.

On the other hand, the existing provisions of legislative acts oblige the enterprise to store and prevent disclosure of such information.

In order to comply fully with the provisions of the law while continuing to carry out its activities, the enterprise must develop a Regulation on personal data in which the current norms are implemented with the work of the organization taken into account.

It is necessary to develop this Regulation for any business entity that hires employees, and as a result, deals with their personal data.

This local regulation is developed and approved in the same way as all other internal regulations of the enterprise. The head of the organization, the personnel department or another official whose duties include working with this information may be responsible for its development.

The draft document is agreed with various specialists of the organization, the trade union, and after that it is put into effect by the order of the director. After the Regulation on Personal Data is put into effect, it is necessary to familiarize all employees with it against signature.

You can record the familiarization of employees with this local document in a special registration log or by filling out separate ones.

Attention! The legislation establishes that the Regulations should include. It must be requested from a person working at the enterprise every time information is disclosed to third parties, for example, when drawing up a power of attorney, certificates, etc.

At the same time, the employee can revoke this consent at any time by submitting an appropriate application addressed to his employer.

What employee data is personal

Legislation determines what is included in the personal data of a person. This can be both information directly related to the employee, and indirectly affecting him.

This includes:

  • Full name of the employee.
  • Information about the place and date of his birth.
  • Actual and registered address.
  • Social, family, property status.
  • The employee's education, profession.
  • Information about the income received by the employee, etc.

In addition to the law on personal data, the composition of personal information is also determined by the Labor Code of the Russian Federation. It adds to the protected information any information that makes it possible to identify a person as an employee: qualifications, specialization, education, the state of the person's health (in some situations, for example, when working in harmful conditions), and the presence of children.

The regulation on the personal data of employees is an internal local act of the organization, the presence of which is the focus of inspections conducted by Roskomnadzor. Therefore, many companies are puzzled by the question of how to develop a regulation on the protection of personal data (2020), if they did not have such a document before. In the article we will tell you what you need to pay special attention to when developing it in order to prevent violations of the law.

If I break the law

Employers have begun to receive letters from Roskomnadzor en masse, warning that during an inspection companies could receive serious fines for violating the norms of Law No. 152-FZ of July 27, 2006 (hereinafter referred to as the Law). According to it, the employer is obliged to guarantee the protection of such information from illegal access and use by third parties. The regulation on working with personal data of employees helps to solve these problems.

On February 23, 2020, Government Decree No. 146 of February 13, 2019 came into force, which approved the Rules for organizing and exercising state control and supervision over the processing of personal data. According to the document, scheduled inspections will be carried out every 2-3 years, and the list of companies subject to control can be seen in advance on the Roskomnadzor website. As in the case of other types of control, the inspectors will have to warn about the planned visit. If it is a scheduled inspection, then they must notify about it 3 working days in advance, and if it is an unscheduled one, 24 hours in advance.

Violation of the Law entails disciplinary, material, administrative and criminal liability. Supervisory authorities may impose administrative liability under Art. 13.11 and 13.14 of the Code of Administrative Offenses. The fines are:

  • for officials: from 500 to 1000 rubles;
  • for an organization: from 5,000 to 10,000 rubles;
  • for officials, in connection with the performance of official or professional duties: from 4000 to 5000 rubles.

The most common violations, according to inspectors, are the processing of personal data without the consent of their owner or with violations, failure to comply with the requirement to destroy personal information, and violation of the storage conditions for such information.

What is personal data

This is any information that an employer needs when establishing an employment relationship that concerns an employee. For example, last name, first name, patronymic, date and place of birth, place of residence, etc.

Examples of documents that include personal data include:

  • employee card containing the person's full name, information about the composition of the family, and education;
  • work book with experience from previous jobs;
  • diplomas, certificates of education;
  • labor contract.

It is forbidden to receive and process data that is not directly related to work activity, for example, information about religion, nationality or political affiliation. This information is obtained exclusively from the employees themselves. These conditions should be included in the regulation on the processing and protection of personal data. Employers are obliged to notify the employee and obtain from him written consent to the processing, storage, use and distribution of his data.

Store Data Properly

Personal data of employees is contained in their personal cards and personal files. The legislation obliges each specific enterprise to develop rules for the use and storage of data about its employees.

The regulation on the protection of personal data can be either a separate document or a section included in the current Internal Labor Regulations.

To maintain the confidentiality of information about people working in the organization, a list of officials who have access to it is compiled. An order appoints a person responsible for the collection, storage and processing of confidential data. Employees, managers and the CEO of the business sign a non-disclosure agreement.

Information about the personal data of employees in the enterprise can be stored both in paper and in electronic form. Nowadays, such information is most often stored in a mixed way.

Sample regulation on personal data of employees (2020) and its development

At the first stage of development, it is necessary to determine what data is used in the company, how it is received, stored, processed.

To draw up organizational documents, general rules are used: the name of the organization, the date and number of the document are indicated in the title, and the stamp of approval is placed in the upper right corner.

The regulation includes the following information:

  • goals and objectives of the enterprise when working with confidential data;
  • lists of such data;
  • description of data operations that are often used in the enterprise;
  • ways to access data;
  • lists and duties of the company's personnel when using information;
  • the rights of company employees to access information;
  • responsibility of employees of the enterprise for disclosure of information.

The regulation is approved by order of the head of the company. A sample provision on the processing of personal data of employees should be available to all employees for review. They should put their signature on a sheet or journal of acquaintance, which, as a rule, is started by the employer's personnel department. The journal is a list of company employees, where everyone signs after reading this local act.

A 2019 sample of the regulation on the personal data of employees can be found in this article. What does the text of the regulation look like, taking into account all the requirements of the law? Let's take an example.

Personal data of employees - any information necessary for the administration in connection with labor relations and relating to a particular employee (clause 1, article 3 of the Law of July 27, 2006 No. 152-FZ).

The accounting department and the personnel service store documents containing personal data of employees - payroll statements, personal cards, personal files and others. All personal data of an employee can only be obtained from him.

Regulation on personal data: structure

To prevent the disclosure of personal data, create a reliable system for their protection. Set the procedure for receiving, processing, transferring and storing such information in a local act of the organization, for example, in the regulation on working with personal data of employees. The regulation is approved by the director. Familiarize employees with the document against signature (Article 8, Clause 8, Part 1, Article 86, 87 of the Labor Code, Clause 2, Part 1, Article 18.1 of the Law of July 27, 2006 No. 152-FZ).

In order to ensure compliance with the requirements for the processing of personal data of employees and the protection of this information, the employer may develop and approve the Regulations on working with personal data of employees. It can also be referred to, for example, as the Regulation on the processing of personal data of employees, the Regulation on the protection of personal data, or even the Regulation on the personal data of employees.

The regulation on personal data is one of the local acts that must be in place in the organization. The employer must determine the procedure for the storage, processing and use of personal data by a local regulation (Regulations on Personal Data). The absence of the Regulation can be qualified by the state labor inspectorate as a violation of labor law. This conclusion is also confirmed by judicial practice (see Decree of the Federal Antimonopoly Service of the Moscow District dated October 26, 2006 N KA-A40 / 10220-06 in case No. A40-20745 / 06-148-194).

The employer determines the structure and content of the Regulations on the protection of personal data of employees (a sample is given below) independently.

When developing the Regulation on Personal Data, the employer must take into account, in particular, the following principles:

  • the processing of personal data of employees is carried out only in order to comply with the legislation of the Russian Federation, assist employees in finding employment, obtaining education and promotion, ensuring the personal safety of employees, controlling the quantity and quality of work performed and ensuring the safety of property;
  • all personal data of an employee must be obtained from the employee himself. If any personal data of an employee can only be obtained from a third party, the employee must be notified in advance about this, and written consent must be obtained from him;
  • the employer must, at his own expense, protect the personal data of employees from their unlawful use or loss;
  • the employer must, against signature, familiarize employees with the procedure for processing their personal data, as well as with their rights and obligations in this area.

Limited Liability Company "Stella"

(LLC Stella)

I APPROVE

Director

LLC "Stella"

A.S. Pushkin

REGULATION

on working with personal data of employees

1. General Provisions

1.1. The regulation on working with personal data of Stella LLC employees was developed in accordance with the Labor Code of the Russian Federation, the Law of July 27, 2006 No. 152-FZ and the regulatory legal acts in force on the territory of the Russian Federation.

1.2. This Regulation defines the procedure for working (collecting, processing, using, storing, etc.) with the personal data of employees and guarantees the confidentiality of information about the employee provided by the employee to the employer.

2. Receipt and processing of personal data of employees

2.1. The employer receives the personal data of the employee directly from the employee.
The employer has the right to receive personal data of the employee from third parties only with the written consent of the employee or in other cases expressly provided for in the legislation.

2.2. When applying for a job, the employee fills out a questionnaire in which he indicates the following information about himself:
- sex;
- date of birth;
- marital status;
- attitude to military service;
- place of residence and home telephone number;
- education, specialty;
- previous place(s) of work;
- other information with which the employee considers it necessary to acquaint the employer.

2.3. The employer has no right to require the employee to provide information about political and religious beliefs and about his private life.

2.4. The employee provides the employer with reliable information about himself. The employer checks the accuracy of the information by comparing the data provided by the employee with the documents available to the employee.

2.5. When changing personal data, the employee shall notify the employer in writing of such changes within a reasonable time, not exceeding 14 days.

2.6. If necessary, the employer will request additional information from the employee. The employee submits the required information and, if necessary, presents documents confirming the accuracy of this information.

2.7. The employee's questionnaire is kept in his personal file. The personal file also stores all information related to the personal data of the employee. The management of personal files is entrusted to the accounting department; the person responsible for the management of personal files is the accountant of the organization.

3. Storage of personal data of employees

3.1. The employee's questionnaire is kept in his personal file. The personal file also stores all information that relates to the personal data of the employee. The management of personal files is entrusted to the accounting department; the person responsible for the acquisition of personal files is the accountant of the organization.


3.2. Personal files and personal cards are stored in paper form in folders, stitched and numbered by pages. Personal files and personal cards are located in the accounting department in a specially designated cabinet that provides protection from unauthorized access. At the end of the working day, all personal files and personal cards are handed over to the accounting department.

3.3. Employees' personal data may also be stored electronically on a local computer network. Access to electronic databases containing personal data of employees is provided by a two-stage password system: at the local computer network level and at the database level. Passwords are set by the deputy head of the organization and communicated individually to employees who have access to personal data of employees.

3.4. Passwords are changed by the deputy head of the organization at least once every two months.

3.5. In order to improve the security of processing, transfer and storage of personal data of employees in information systems, the data is depersonalized. To depersonalize personal data, the method of introducing identifiers is used, that is, part of the personal data is replaced with identifiers, and tables of correspondence between the identifiers and the original data are created.

3.6. The head of the organization, his deputy, the chief accountant and the immediate supervisor of the employee have access to the personal data of employees. Specialists of the accounting department have access to the data that is necessary to perform specific functions. Access of specialists of other departments to personal data is granted on the basis of the written permission of the head of the organization or his deputy.

3.7. Copying and making extracts from the personal data of the employee is allowed only for official purposes with the written permission of the head of the organization, his deputy and chief accountant.

4. Use of personal data of employees

4.1. The employee's personal data is used for purposes related to the performance of the employee's job functions.

4.2. The employer uses personal data, in particular, to resolve issues of employee promotion, the order in which annual leave is granted, and the determination of the salary. On the basis of the employee's personal data, the issue of his access to information constituting an official or commercial secret is decided.

4.3. When making decisions affecting the interests of the employee, the employer does not have the right to rely on the employee's personal data obtained solely as a result of their automated processing or electronic receipt. The employer also has no right to make decisions affecting the interests of the employee based on data that can be interpreted in two ways. If it is impossible to reliably establish any fact on the basis of the employee's personal data, the employer asks the employee to provide written explanations.

5. Transfer of personal data of employees

5.1. Information relating to the personal data of an employee may be provided to state bodies in the manner prescribed by federal law.
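
Clause 3.5 of the sample regulation describes depersonalization by introducing identifiers together with a table of correspondence. The following is an added illustration of that method, not part of the sample regulation; the field names, the `ID-` prefix and the sample records are assumptions constructed for the example.

```python
import secrets

# Assumption: which fields count as direct identifiers is decided by the employer.
DIRECT_IDENTIFIERS = ("full_name", "passport", "home_phone")


class CorrespondenceTable:
    """Identifier <-> original value table, to be stored apart from working data."""

    def __init__(self):
        self._to_id = {}     # (field, value) -> identifier
        self._to_value = {}  # identifier -> original value

    def identifier_for(self, field, value):
        key = (field, value)
        if key not in self._to_id:
            # Random identifier: it cannot be recomputed from the value itself.
            ident = "ID-" + secrets.token_hex(8)
            self._to_id[key] = ident
            self._to_value[ident] = value
        return self._to_id[key]

    def original(self, ident):
        return self._to_value[ident]


def depersonalize(record, table):
    """Return a copy of the record with direct identifiers replaced."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if out.get(field) is not None:
            out[field] = table.identifier_for(field, out[field])
    return out


def restore(record, table):
    """Reverse depersonalize(); only possible for a holder of the table."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if out.get(field) is not None:
            out[field] = table.original(out[field])
    return out


# Constructed sample records (not real data).
SAMPLE = [
    {"full_name": "Ivanov I. I.", "passport": "0000 000000", "home_phone": None,
     "position": "accountant", "salary": 50000},
    {"full_name": "Ivanov I. I.", "passport": "0000 000000", "home_phone": "000-00-00",
     "position": "chief accountant", "salary": 70000},
]
```

The same original value always maps to the same identifier, so depersonalized records can still be matched to each other, while the correspondence table needs the access restrictions that clauses 3.3 and 3.6 set for the original data.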
