Protection of personal data Who can be an operator of personal data? Why is it dangerous to sign an agreement on the use and processing of personal data in Russia? Definition of processing and use of personal data

Processing of personal data without the consent of the subject is possible only in cases established by law. The use of such information in violation of the established procedure or without appropriate grounds entails bringing the perpetrators to civil, labor, administrative and criminal liability.

In what cases is it permissible to transfer to third parties and otherwise process personal information about the subject?

The Law “On Personal Data” dated July 27, 2006 No. 152-FZ established 2 options in which the processing of personal information of a citizen (subject) is legal:

  1. Upon receipt of his consent to this.
  2. Without obtaining consent in the following cases:
    • use of information by other people for personal and family needs, if this does not violate the rights of a citizen;
    • entering personal information into the database of the Archival Fund of Russia;
    • making a decision to classify information as a state secret (in this case, the consent of the subject is not required to classify information about him);
    • the need to use information in order for Russia to implement the terms of international treaties and laws;
    • participation of a person in the legal process and in connection with such participation;
    • use for execution of a judicial act or the provisions of a document adopted by enforcement bodies;
    • receipt by a person of municipal or government services;
    • recognition by a person of information about himself as publicly available;
    • conclusion and execution of an agreement in which the subject is a party or beneficiary;
    • impossibility of obtaining consent in the event of a threat to the life, health, or important interests of a person;
    • exercising rights, ensuring the interests of the operator (person processing information) or third parties, achieving socially significant goals;
    • carrying out professional activities by journalists and the media, creative activities, when this does not violate human rights;
    • use of anonymized information about a person for research and statistical purposes, with the exception of political agitation, promotion of goods, services and work on the market;
    • the need for mandatory disclosure and publication of data based on the law (for example, civil servants are required to disclose information about their income).

The procedure for processing (storing, distributing, etc.) information without obtaining the approval of the subject

The general procedure for operators to process personal data about citizens without their special permission is as follows:

  1. The operator receives information if there are legal grounds. It is not required to notify the person about the start of processing of his information, but in some cases the notification is sent to Roskomnadzor.
  2. The operator carries out the necessary actions (collects, records, transmits, clarifies, etc.). As stated in Art. 5 of Law No. 152-FZ, user actions are limited to the purpose of processing.
  3. After achieving the goals or after the need for use ceases, the data is destroyed or anonymized.

An additional stage may be an individual challenging the legality of using information about him. The body for resolving disputes is (at the citizen’s choice) the court or Roskomnadzor. In the course of resolving the conflict, the operator presents evidence of the existence of circumstances that allow him to use the data without the citizen’s approval or contrary to his prohibition.

Operator Responsibility

If the operator violates the procedure and conditions for processing personal information, he may be subject to various types of liability:

Type of responsibility: Civil

  • Example of a violation: causing moral harm.
    Punishment: payment of compensation.
    Legal basis: Art. 24 of Law No. 152-FZ, art. 1099 GK.

Type of responsibility: Disciplinary

  • Example of a violation: disclosure of personal information about another worker.
    Punishment: dismissal.
  • Example of a violation: violation of the law when processing information.
    Punishment: bringing to disciplinary and financial liability.

Type of responsibility: Administrative

  • Example of a violation: processing of information contrary to the purpose of data collection.
    Punishment: fine of 1000-3000 rubles for citizens, 5,000-10,000 rubles for officials, 30,000-50,000 rubles for organizations.
    Legal basis: Part 1 art. 13.11 Code of Administrative Offenses.

Type of responsibility: Criminal

  • Example of a violation: violation of privacy.
    Punishment (alternative sanction): fine up to 200,000 rubles, compulsory work up to 360 hours, correctional work up to 1 year, forced work up to 2 years, imprisonment for up to 2 years, etc.
    Legal basis: Part 1 art. 137 CC.
  • Example of a violation: refusal or deception on the part of an official when providing a citizen with information about him.
    Punishment: fine (200,000 rubles or income for up to one and a half years) or deprivation of the right to engage in certain activities for 2-5 years.
  • Example of a violation: access to computer information without the right to do so.
    Punishment: fine (200,000 rubles or income for up to one and a half years), correctional labor for up to a year or forced labor, restriction or imprisonment for up to 2 years.
    Legal basis: Part 1 art. 272 CC.

Thus, processing information without the permission of the subject is possible if the operator is granted such a right by law. The information must be used to the extent necessary to achieve the operator’s goals, after which the data is destroyed or anonymized. A person who believes that his personal data has been used illegally has the right to appeal to the court or Roskomnadzor.



In the age of new technologies and the Internet, any information spreads at tremendous speed. Social networks greatly “help” the process, making a citizen’s personal data publicly available. Most often, personal information is provided when applying for a job. For this purpose, there is a law on the processing of personal data in an organization. This law will be discussed in the article.

What does processing mean?

Any person can get acquainted with information about another citizen, both during work and non-work communication, while browsing Internet pages, as well as reading a newspaper. This (special or non-special) collection of information has nothing to do with the processing of personal data: the person got acquainted with it, read it and, most likely, forgot it.

If personal data is specifically collected in order to be used and stored, then such an action already means the processing of personal data. This process occurs most often in educational institutions and hospitals: the necessary information is registered, recorded in databases, and also classified so that it can later be used for legal purposes.

If a writer or journalist collects information, he has the right to process personal data for creative purposes.

Personal information is processed in two ways: automated and non-automated.

Non-automated processing is considered to be that which is carried out with the personal participation of a citizen.

If personal data is processed without automation, it must be separated from other information. This can be done by marking it, for example, in the margins of forms. It is strictly not allowed to place personal data on a single medium if it is known in advance that the purposes of its processing are incompatible.

If personal information of citizens belongs to different categories, then it is necessary to use an individual medium for each type.

The next two points lead to the answer to the question of which systems can be considered automated and which are not. Let's look at them in detail:

  • Personal data contained in the personal data system can be considered processed using a non-automated process if its use and destruction are carried out in the personal presence of the citizen.
  • It cannot be confirmed that the data has been processed automatically based solely on the fact that it exists in the personal data information system.

Automated processing of personal information is the processing of personal information using computing tools.

Such processing may include certain processes that are carried out using automated means: application of mathematical operations with these indicators, as well as their adjustment and disposal.

Processing of personal data is any action that is carried out with the information provided. The following actions are considered processing of personal data:

  • collection;
  • fixation;
  • usage;
  • destruction.

Rules and procedures

Personal data of the worker, which are necessary for the manager, consist of several points:

  • Information about education.
  • Information about experience, as well as place of work, where the citizen previously worked and what position he held.
  • Brief information about family members and their jobs.
  • Information about existing diseases and health in general.

During the processing of employee data of an organization (receipt, transfer, and other use), personnel department employees must adhere to certain rules:


Why is consent needed?

Consent to the processing of personal information is a legislative innovation that protects a citizen’s personal data from unwanted use.

This consent is required when applying for a job, opening a bank account, and other important circumstances. There is no specific form of consent. It can be issued in any form on the form used by the enterprise.

The period during which the consent will be valid is indicated directly in the document itself.

Person responsible for personal data in the organization

The employee who will be responsible for receiving, processing and storing personal information is appointed by the director of the organization.

He may also appoint certain persons who will have access to personal data. It is best to issue this document separately. Typically, the following persons are responsible for all work from start to finish with personal data (collection, processing and storage):

  1. Head of HR Department.
  2. Personnel inspector.
  3. Head of HR.
  4. Deputy Head of HR.
  5. HR specialist.
  6. Or the introduction of another position is allowed.

Taking into account the legislation (Law No. 152), the employee who collects and processes personal information is considered an operator. In this case, the operator is considered to be the manager.

Transfer and storage

Important papers containing personal information about employees are stored in fireproof cabinets, i.e. safes. The keys to the safe must be kept by the director of the HR department at all times. If the director is absent on any day, then his deputy should have the keys.

If it is necessary to transfer personal data of a worker, the HR department employee must adhere to certain rules:

  • You cannot provide personal information about a worker to a third party without his consent in writing.
  • Exceptions may occur when the information is needed to prevent harm to the employee’s health and in cases stipulated by law. In addition, you cannot disclose an employee’s personal data for commercial purposes without his permission.

  • If you have to transfer personal information of employees, you need to inform those for whom this information is intended that this information can only be used for the purposes for which the request was given.
  • An HR employee has the right to access only the information necessary to perform his or her job duties.
  • An employee of the personnel department does not have the authority to find out information about the health status of an employee.
  • An exception may be such circumstances that are relevant to the issue of the worker’s performance of his job duties.

If any employees are found to have violated the procedure for collecting, processing and issuing personal data of an employee of the organization, then these persons will bear disciplinary and criminal liability in accordance with Federal law.

Article 5 of the Federal Law states that personal data that is collected for processing using automation principles or using other means must be produced in such a form that it is possible to identify the subject of this data.

In this case, the definition of the subject should not be longer than necessary for processing. And, if processing has been carried out, then the destruction of personal data is not subject to a specific time limit.

The manager must be aware of certain deadlines that are required for the safety of certain information. The employee’s personal data must be stored for 75 years.

In particular, it expanded the list of grounds for bringing to administrative responsibility for the illegal processing of personal data (PD) and increased fines.

Personal data: fines

Grounds and amounts of fines, by category of violator (individual; officials; legal entity; individual entrepreneur (IP)):

Processing of personal data in cases not provided for by the legislation of the Russian Federation; processing of personal data incompatible with the purposes of collecting personal data
  • Individual: warning or fine - from 1000 to 3000 rubles.
  • Officials: warning or fine - from 5000 to 10,000 rubles.
  • Legal entity: warning or fine - from 30,000 to 50,000 rubles.

Processing of personal data without the written consent of its subject
  • Individual: from 3000 to 5000 rubles.
  • Officials: from 10,000 to 20,000 rubles.
  • Legal entity: from 15,000 to 75,000 rubles.

Failure to fulfill the obligation to publish or provide access to a document defining the policy for the processing of personal data, or information on the protection of personal data
  • Individual: from 700 to 1500 rubles.
  • Officials: from 3000 to 6000 rubles.
  • Legal entity: from 15,000 to 30,000 rubles.
  • IP: from 5,000 to 10,000 rubles.

Failure to provide the subject of personal data with information on their processing
  • Individual: warning or fine - from 1000 to 2000 rubles.
  • Officials: warning or fine - from 4,000 to 6,000 rubles.
  • Legal entity: warning or fine - from 20,000 to 40,000 rubles.
  • IP: warning or fine - from 10,000 to 15,000 rubles.

Failure by the operator to comply with the request of the PD subject or his representative to clarify, block, or destroy (if the PD is incomplete, outdated, inaccurate, illegally obtained, or is not necessary for the stated purpose of processing)
  • Individual: warning or imposition of a fine in the amount of 1000 to 2000 rubles.
  • Officials: warning or fine - from 4000 to 10,000 rubles.
  • Legal entity: warning or fine - from 25,000 to 45,000 rubles.
  • IP: warning or fine - from 10,000 to 20,000 rubles.

Failure by the operator to ensure the safety of personal data when processing personal data without automation means, which led to unauthorized or accidental access to personal data and caused their destruction, modification, blocking, copying
  • Individual: from 700 to 2000 rubles.
  • Officials: from 4000 to 10,000 rubles.
  • Legal entity: from 25,000 to 50,000 rubles.
  • IP: from 10,000 to 20,000 rubles.

Failure of the operator (state or municipal body) to fulfill the obligation to anonymize personal data; non-compliance with requirements for depersonalization of personal data
  • Warning or imposition of an administrative fine - from 3,000 to 6,000 rubles.

Please note: it is precisely this ground, processing personal data without obtaining the consent of its subject, that carries the largest fines for all categories of violators - up to 75,000 rubles.

In this regard, many questions arise, the most frequently asked:

  • Am I a data controller?
  • Does the Personal Data Law apply to me?
  • How to notify Roskomnadzor about the processing of personal data?
  • What should a website owner do to avoid fines?

Let's deal with all the questions in order.

All organizations collect, store and use information about their employees. Personal information is now of high value, and when it falls into the hands of fraudsters, it becomes a means for committing crimes. In this article we will tell you how and for what purpose companies process personal data and whether they must obtain employee consent to do so.

What is personal data processing

The concept of “processing of personal data” includes any actions performed by the operator with individual information. Among them:

  1. collection;
  2. clarification;
  3. systematization;
  4. usage;
  5. deletion;
  6. storage.

All organizations and enterprises are operators of personal data because they process it. Art. 22 of Law No. 152-FZ provides the legal basis for the processing of personal data. Based on the text of the article, the employer has the right to take actions with the personal information of employees without notifying Roskomnadzor authorities of this intention.

Several methods are used to perform actions with personal information. Automated processing of personal data is processing on a computer. The non-automated method involves the use of paper media. Nowadays, in most cases, mixed processing is used, which combines elements of automated and manual processing.

Purposes of processing personal data at the enterprise

The following purposes of processing personal data in the organization are distinguished:

  1. Conclusion, execution and termination of civil contracts with citizens, legal entities, individual entrepreneurs and other persons in situations provided for by law and the Charter of the enterprise.
  2. Organization of personnel records of the organization, ensuring compliance with laws, concluding and fulfilling obligations under labor and civil contracts.
  3. Conducting personnel records, assisting employees in employment, training and promotion, and using benefits.
  4. Compliance with the requirements of tax legislation on the calculation and payment of personal income tax and the unified social tax, pension legislation in the formation and transfer to the Pension Fund of personalized data about each recipient of income, which is taken into account when calculating contributions for compulsory pension insurance.
  5. Filling out primary statistical documentation in accordance with the Labor, Tax Code and federal laws.

What is consent to the processing of personal data

Along with the provision of the necessary documents when concluding an employment contract, the employee’s consent to the processing of the employee’s personal data is signed. According to Art. 3 Federal Law No. 152, such data includes all information about a person - from first and last name to entries in the work book.

Personal data is divided into 3 categories:

  • Public - basic personal data, including full name, gender, date and place of birth.
  • Biometric - information about appearance and some physiological characteristics, if they are determined visually.
  • Special - nationality, religion, health status, criminal record, partially - information about work (reasons for dismissal, etc.).

Personal data is confidential (except for publicly available data), therefore, to process it, it is necessary to obtain the person’s consent.

The validity period of consent to the processing of personal data is mandatory. The moment of its end is either a specific date or a certain event, including the employee’s withdrawal of his consent. This requirement is specified in paragraph 4 of Art. 9 Federal Law No. 152.

In what cases is consent required for the processing of personal data?

Consent is required for the processing of special and biometric data. Publicly available information may be used freely, unless it is contrary to the law, as well as generally accepted standards of morality and ethics.

Situations when consent to the processing of personal data is not required

The exception is when a criminal case is being investigated and operational search activities are being carried out. Biometric data may be needed to establish identity if a person does not have documents. In such situations, consent to the processing of personal information is not required.

Sample form of consent and description of the document

An application for consent to the processing of personal information is submitted to the head of the organization in writing. The header of the document indicates:

  1. the position of the manager and the name of the organization he heads;
  2. Full name of the manager;
  3. employee position;
  4. Full name of the employee;
  5. date;
  6. place of compilation.

An example document text is as follows:
“With this statement, I confirm my consent to the collection, processing, use and storage of my personal data to the extent necessary to ensure my labor and social rights, payment of established taxes, fees and other mandatory payments, deduction of mandatory contributions to state funds and for other purposes arising from labor and related legal relations between me and the employer within the framework of current legislation. The employer has the right to provide my personal data to third parties only in cases established by law.”
The employee puts his signature under the text of the application.

Is it possible to refuse the processing of personal data from the standpoint of law?

According to the law, refusal of consent to the processing of personal data does not carry legal consequences. In Part 1 of Art. 9 Federal Law No. 152 states that consent itself is expressed freely and voluntarily.

Part 5 art. 6 of the same law allows for the absence of consent to the processing of personal information if this is required for the execution of a contract, including an employment contract. Therefore, employers, while fulfilling their duties, may process their personal data in the interests of employees without obtaining consent. This only applies to employees who are already on the payroll. It is impossible to hire a person if he refuses to process personal data. In this case, the employment contract has not yet been concluded. Since this document does not exist, then the employer does not have an obligation to fulfill it.

Sometimes refusing to process personal information can have negative consequences. If the enterprise has a pass regime, then under such circumstances the employee will not be able to issue or replace a pass - such an action would go beyond the scope of official purposes. Therefore, lack of consent will entail the impossibility of performing labor functions.

In the age of information and the Internet, data is transmitted and distributed at unprecedented speed. Social networks add fuel to the fire by making users’ personal data almost publicly available. But does the owner himself always agree that information about him is collected, studied, stored and transmitted?

Personal data: what does it include?

Information about a person is so important and significant that the legislator finally decided to legally regulate this area and defined personal data as information about a person that identifies him.

These include:

  • first name, patronymic, last name;
  • place of residence;
  • date and place of birth.

A separate legal regime is established for information that poses a risk to the rights and freedoms of the subject of personal data and includes information about:

  • racial or ethnic origin;
  • nationality;
  • religious and ideological views;
  • membership in political parties and trade unions;
  • criminal prosecution;
  • health, sex life, biometric and genetic data.

Personal includes passport and other registration information, data on family or property status (with the exception of civil servants) and many others, since their list is not limited by the legislator.

The law also establishes a form of consent for the processing of personal data. Such permission is made in writing in order to be sure of the unconditional consent of the owner of the information.

What does the processing of personal data involve?

Each citizen can get acquainted with information about another person, both by the nature of his work and in the process of informal communication, reading newspapers or browsing the Internet. Such familiarization does not mean the processing of personal data: I read, heard, learned - and perhaps forgot. Or just took note.

If information about a person is collected for subsequent systematization, use, transfer or storage, this is already the processing of personal data. This procedure is carried out, for example, by clinics or schools: the data obtained is registered, entered into databases and catalogues, and classified for subsequent use for their statutory purposes.

A journalist, writer or individual may process personal information solely for creative purposes without complying with legal regulations.

Restrictions on the processing of personal information

Collection and processing of personal data is permitted solely for the fulfillment of statutory tasks and achievement of the established goal. For example, a clinic may use personal information collected from patients only to provide medical care to those individuals.

Entire arrays of personal information are processed by insurance companies, travel agencies, transport companies, utilities and other similar legal entities. These organizations may use such information only to perform their tasks for the consumer and do not have the right to collect more information than is necessary for a specific situation.

It is impossible to collect data that poses a risk to the rights and freedoms of a person unless such information is provided by the person himself, for example, a member of a political party provided information about himself directly to the party organization.

Who has the right to process information about a person?

Any actions with personal data can only be carried out by those to whom the data owner has given consent.

There are also exceptions to the rules, for example, investigative authorities can process information about the accused without his consent. This right of the investigator is caused by the need to protect public interests and fulfill his official duties.

Tax and pension authorities also carry out various operations with personal information not only to fulfill their duties, but also to ensure the rights of citizens.

Mobile operators have a considerable amount of personal information about subscribers. Of course, they can only use such information to provide high-quality mobile communications to the user.

Personal data at work

Most often, personal information is provided during employment. The law establishes a list of mandatory information about the employee, without which hiring is impossible:

  • first name, patronymic, last name;
  • date of birth;
  • place of residence;
  • series, number, date of issue of passport;
  • tax and insurance registration numbers;
  • marital status;
  • health status and some other information.

With the receipt of this data, the law associates certain legal consequences with regard to wages, vacations, benefits and many other issues.

Of course, every citizen can refuse to disclose information about himself, but in this case the employer has the right to refuse to hire him - this is the legal relationship. Most often, problems do not arise during registration, since the employee voluntarily provides the necessary information.

However, it should be remembered that the employer does not have the right to operate with the employee’s data on nationality or party affiliation, religious views and some others.

What is consent to the processing of personal data?

The permission of the owner of personal data for their processing is usually issued in writing, including during employment.

Companies who have learned from bitter experience or are simply cautious ask consumers to sign appropriate statements when applying for discount cards and participating in promotions; clinics, schools, universities and other institutions have also developed standard consent for the processing of personal data.

Before signing, you should carefully study the sample and make sure that the requested information is really necessary for a specific person. A written consent form for the processing of personal data allows you to confirm the good will of the owner.

Reservations regarding personal data are included in almost all contracts: business, labor, consumer, because when it comes to complying with the law, it is better to overdo it a little than to underdo it.

Written form

Below is the written form of the employee’s consent to the processing of personal data.

Director of the Selkhozmash plant

Ivanov I.I.

tractor driver of the mechanization shop

Aristov Oleg Arkadevich.

Place of compilation.

With this application I give written permission to collect, process, use and store my personal data, to the extent necessary to ensure my labor and social rights, pay established taxes, fees and other mandatory payments, make mandatory contributions to state funds, as well as for other purposes arising from labor and related legal relations between me and the employer and within the limits provided for by current legislation.

The employer has the right to transfer my personal data to third parties only in cases expressly established by law.

The employee usually signs consent to the collection and processing of personal data when applying for a job and providing all the necessary documents. It makes sense to request such a statement from him before signing the employment order.

Consent to the processing of personal data: sample

One of the non-standard options in the field of processing personal data is the issuance by parents of consent to an educational institution for operations with the personal data of their minor child. Of course, the school is forced to use information about children and their parents to provide educational services. Parents as legal representatives of minor children have the right to issue such permission.

Legal advice: both parents should be asked about consent to the processing of a child’s personal data, regardless of whether they are in an official, civil marriage or divorced. The exception is deprivation of parental rights by court decision.

Below is a sample consent form drawn up by both parents.

To the director of secondary school No. 30

Moscow

Ivanova I. I.

parents of a 4th grade student

Petrova Petr Petrovich, born in 2005,

resident: Kharkov highway, 356, apt. 2,

Petrova's mother Irina Leonidovna,

residing: Kharkov highway, 356, apt. 2,

Father Petrov Igor Ivanovich,

residing: Kharkov highway, 356, apt. 2,

Consent to the processing of the child’s personal data

With this statement, we give permission to the school administration to collect, process, use and store our child’s personal data solely to the extent necessary to ensure the educational process and related legal relations related to the social rights of our child.

We permit the transfer of our child’s personal data to third parties only in cases provided for by current legislation, of which the administration must notify us in the prescribed manner.

Petrova I. L., date.

Petrov I.I., date.

If desired, parents can draw up separate consent sheets for the processing of personal data, each on their own behalf.

Is it possible to process information about a person without the consent of the owner?

As a general rule, the processing of personal information without the voluntary consent of the owner is illegal. The exception is when information is processed without the consent of the owner to protect his vital interests.

In some cases, it is possible to process personal information without the written consent of its owner:

  • when issuing permission to the database owner;
  • when concluding a transaction in the interests of a citizen and for some other reasons.

What sanctions are provided for violating the procedure for handling personal information?

  • Disciplinary. Applies to employees who, in violation of their official duties, have not ensured the protection of personal data.
  • Administrative. Liability in the form of fines is quite serious and is imposed on the guilty person (for citizens - in the amount of 300 to 500 rubles; for officials - from 500 to 1000 rubles; for legal entities - from 5000 to 10,000 rubles - depending on the offense committed and the legal status of the offender).
  • Material. It may occur by court decision if a violation of a person’s rights to the safety of personal data causes him material or moral damage.

Information about a person is protected by law due to its special importance, which means that it is necessary to comply with all the requirements of the law on the protection of personal data.
