Regulations on personal data of employees sample. We comply with the law on personal data: what to consider. Receipt of familiarization with the regulation on the protection of personal data of employees

APPROVED by ____________________________________ (name of the position of the head of the enterprise)

____________________________________ (full name, signature)

"____" ___________________ _____

REGULATION

on the processing and protection of personal data of employees

1. GENERAL PROVISIONS

1.1. This Regulation establishes the procedure for receiving, recording, processing, accumulating and storing documents containing information related to the personal data of employees of the enterprise. Employees are persons who have concluded an employment contract with the enterprise.

1.2. The purpose of this Regulation is to protect the personal data of employees of the enterprise from unauthorized access and disclosure. Personal data is always confidential, strictly protected information.

1.3. The basis for the development of this Regulation is the Constitution of the Russian Federation, the Labor Code of the Russian Federation, and other applicable regulations of the Russian Federation.

1.4. This Regulation and changes to it are approved by the head of the enterprise and are introduced by order for the enterprise. All employees of the enterprise must be familiarized with this Regulation and amendments to it against signature.

2. CONCEPT AND COMPOSITION OF PERSONAL DATA

2.1. Personal data of employees means information that the employer needs in connection with labor relations and concerning a specific employee, as well as information about the facts, events and circumstances of the employee's life, which allows him to be identified.

2.2. The composition of the employee's personal data:

Autobiography;

Education;

Information about labor and general experience;

Information about the previous place of work;

Information about the composition of the family;

Passport data;

Information about military registration;

Information about the employee's wages;

Information about social benefits;

Specialty;

Position held;

The amount of wages;

The presence of a criminal record;

Residence address;

Home phone;

Originals and copies of orders for personnel;

Personal files and work books of employees;

Grounds for orders on personnel;

Copies of reports sent to statistics authorities;

Copies of educational documents;

Results of medical examinations for fitness to perform job duties;

Photos and other information related to the personal data of the employee;

2.3. These documents are confidential. The confidentiality of personal data is removed in cases of depersonalization or after a storage period of ____ years, unless otherwise specified by law.

3. OBLIGATIONS OF THE EMPLOYER

3.1. In order to ensure human and civil rights and freedoms, the employer and his representatives, when processing personal data of an employee, are obliged to comply with the following general requirements:

3.1.1. The processing of an employee's personal data may be carried out solely for the purpose of ensuring compliance with laws and other regulatory legal acts, assisting employees in employment, training and promotion, ensuring the personal safety of employees, monitoring the quantity and quality of work performed and ensuring the safety of property.

3.1.2. When determining the volume and content of the processed personal data of an employee, the employer must be guided by the Constitution of the Russian Federation, the Labor Code of the Russian Federation and other federal laws.

3.1.3. All personal data of the employee should be obtained from him. If the employee's personal data can only be obtained from a third party, then the employee must be notified of this in advance and written consent must be obtained from him. The employer must inform the employee about the purposes, the alleged sources and methods of obtaining personal data, as well as the nature of the personal data to be received and the consequences of the employee's refusal to give written consent to receive them.

3.1.4. The employer has no right to receive and process the personal data of the employee about his political, religious and other beliefs and private life. In cases directly related to labor relations issues, in accordance with Art. 24 of the Constitution of the Russian Federation, the employer has the right to receive and process data on the private life of the employee only with his written consent.

3.1.5. The employer does not have the right to receive and process the personal data of the employee about his membership in public associations or his trade union activities, with the exception of cases provided for by federal law.

3.1.6. When making decisions affecting the interests of the employee, the employer has no right to rely on the employee's personal data obtained solely as a result of their automated processing or electronic receipt.

3.1.7. Protection of the employee's personal data from their unlawful use or loss must be ensured by the employer at his expense in the manner prescribed by federal law.

3.1.8. Employees and their representatives must be familiarized, against signature, with the documents of the enterprise that establish the procedure for processing personal data of employees, as well as their rights and obligations in this area.

3.1.9. Employees should not give up their rights to maintain and protect secrets.

4. OBLIGATIONS OF THE EMPLOYEE

The employee is obliged:

4.1. Transfer to the employer or his representative a set of reliable documented personal data, the list of which is established by the Labor Code of the Russian Federation.

4.2. Promptly, within a reasonable period of time not exceeding 5 days, inform the employer about any change in his personal data.

5. RIGHTS OF THE EMPLOYEE

The employee has the right:

5.1. To complete information about his personal data and the processing of this data.

5.2. To free-of-charge, unrestricted access to his personal data, including the right to receive copies of any record containing the employee's personal data, except as otherwise provided by the legislation of the Russian Federation.

5.3. To access medical data with the help of a healthcare professional of his choice.

5.4. Request the exclusion or correction of incorrect or incomplete personal data, as well as data processed in violation of the requirements specified by labor legislation. If the employer refuses to exclude or correct the personal data of the employee, he has the right to declare in writing to the employer his disagreement with the appropriate justification for such disagreement. The employee has the right to supplement personal data of an evaluative nature with a statement expressing his own point of view.

5.5. Require the employer to notify all persons who have previously been provided with incorrect or incomplete personal data of the employee about all exceptions, corrections or additions made to them.

5.6. To appeal to the court any illegal actions or inaction of the employer in the processing and protection of his personal data.

5.7. Identify their representatives to protect their personal data.

6. COLLECTION, PROCESSING AND STORAGE OF PERSONAL DATA

6.1. The processing of personal data of an employee is the receipt, storage, combination, transfer or any other use of personal data of an employee.

6.2. All personal data of the employee should be obtained from him. If the employee's personal data can only be obtained from a third party, then the employee must be notified of this in advance and written consent must be obtained from him.

6.3. The employer must inform the employee about the purposes, intended sources and methods of obtaining personal data, as well as the nature of the personal data to be received and the consequences of the employee's refusal to give written consent to receive them.

6.4. The employee provides the employer with reliable information about himself. The employer checks the accuracy of the information by comparing the data provided by the employee with the employee's documents. The provision by an employee of forged documents or false information when applying for a job is the basis for terminating an employment contract.

6.5. When applying for a job, an employee fills out a questionnaire and an autobiography.

6.5.1. The questionnaire is a list of questions about the employee's personal data.

6.5.2. The questionnaire is filled in by the employee independently. When filling out the questionnaire, the employee must fill out all of its columns and give full answers to all questions, without corrections, strikethroughs, dashes or blots, in strict accordance with the entries contained in his personal documents.

6.5.3. Autobiography - a document containing a chronological description of the main stages in the life and activities of the employee being hired.

6.5.4. The autobiography is compiled in any form, without blots and corrections.

6.5.5. The employee's questionnaire and autobiography must be kept in the employee's personal file. The personal file also stores other personal accounting documents related to the personal data of the employee.

6.5.6. The employee's personal file is drawn up after the issuance of an order for employment.

6.5.7. All documents of the personal file are filed in a cover of the form established at the enterprise. The surname, first name, patronymic of the employee, and the number of the personal file are indicated on it.

6.5.8. Each personal file is accompanied by two color photographs of the employee, size ______.

6.5.9. All documents submitted to the personal file are arranged in chronological order. Sheets of documents attached to a personal file are numbered.

6.5.10. The personal file is maintained throughout the employee's employment. Changes to a personal file must be confirmed by appropriate documents.

7. TRANSFER OF PERSONAL DATA

7.1. When transferring personal data of an employee, the employer must comply with the following requirements:

Do not disclose the personal data of the employee to a third party without the written consent of the employee, except for cases when it is necessary in order to prevent threats to the life and health of the employee, as well as in cases established by federal law;

Do not provide personal data of an employee for commercial purposes without his written consent;

Warn the persons receiving the employee's personal data that these data can be used only for the purposes for which they were communicated, and require these persons to confirm that this rule has been observed. Persons receiving personal data of an employee are required to maintain confidentiality. This provision does not apply to the exchange of personal data of employees in the manner prescribed by federal laws;

Allow access to the personal data of employees only to specially authorized persons, while these persons should have the right to receive only those personal data of the employee that are necessary to perform specific functions;

Do not request information about the health status of the employee, except for information that relates to the employee's ability to perform the labor function;

Transfer personal data of an employee to employee representatives in the manner prescribed by the Labor Code of the Russian Federation, and limit this information only to those personal data of an employee that are necessary for these representatives to perform their functions.

8. ACCESS TO PERSONAL DATA OF THE EMPLOYEE

8.1. Internal access (access within the enterprise).

The following have the right to access the personal data of an employee:

Head of the enterprise;

Head of HR department;

Heads of structural units in the direction of activity (access to personal data only of employees of their unit) in agreement with the head of the enterprise;

When an employee is transferred from one structural unit to another, the head of the new unit can have access to the personal data of the employee in agreement with the head of the enterprise;

Accounting employees - to those data that are necessary to perform specific functions;

The employee himself, the data carrier.

8.2. External access.

Personal data outside the organization can be submitted to state and non-state functional structures:

Tax inspectorates;

Law enforcement agencies;

Statistical bodies;

Insurance agencies;

Military registration and enlistment offices;

Social insurance bodies;

Pension funds;

Subdivisions of municipal government bodies.

8.3. Other organizations.

Information about the employee (including the dismissed one) can be provided to another organization only with a written request on the organization's letterhead with a copy of the employee's statement attached.

8.4. Relatives and family members.

Personal data of an employee can be provided to relatives or members of his family only with the written permission of the employee himself.

9. PROTECTION OF PERSONAL DATA OF EMPLOYEES

9.1. In order to ensure the safety and confidentiality of the personal data of the employees of the organization, all operations for the registration, formation, maintenance and storage of this information should be performed only by employees of the personnel department who carry out this work in accordance with their official duties documented in their job descriptions.

9.2. Answers to written requests from other organizations and institutions, within the limits of their competence and the powers granted, are given in writing on the company's letterhead and only to an extent that avoids disclosing an excessive amount of personal information about employees of the enterprise.

9.3. Transfer of information containing personal data of employees of the organization by phone, fax or e-mail without the written consent of the employee is prohibited.

9.4. Personal files and documents containing personal data of employees are stored in lockers (safes), which provide protection against unauthorized access.

9.5. Personal computers that contain personal data must be protected by access passwords.

10. RESPONSIBILITY FOR DISCLOSURE OF INFORMATION RELATED TO THE PERSONAL DATA OF THE EMPLOYEE

10.1. Persons guilty of violating the rules governing the receipt, processing and protection of personal data of an employee are subject to disciplinary, administrative, civil or criminal liability in accordance with federal laws.

Head of HR Department: ______________

In the course of their activities, enterprises and individual entrepreneurs, acting as employers or working with counterparties who are individuals, have to deal with personal data which, in accordance with the law, is subject to protection. All work with this information should be regulated; for this purpose, the company creates a regulation on the personal data of employees.

Personal data is the information about an employee with which the company has to deal every day, from the moment an employment contract is concluded with the employee until the employee is dismissed.

The responsible persons in the company not only collect and store them, but also periodically process and disclose them to third parties. Often this is required by the activity being carried out, for example, paying salaries to card accounts in a bank.

On the other hand, the existing provisions of legislative acts oblige the company to store and prevent disclosure of such information.

In order to comply fully with the provisions of the law while continuing to carry out its activities, the enterprise must develop a Regulation on personal data that implements the current norms with the organization's work taken into account.

It is necessary to develop this Regulation for any business entity that hires employees, and as a result, deals with their personal data.

This local regulatory act is developed and approved in the same way as all other internal standards of the enterprise. The head of the HR department or another official whose responsibilities include working with this information can be made responsible for its development.

The draft document is coordinated with various specialists of the organization, the trade union, and after that it is put into effect by the order of the director. After the Regulation on Personal Data has been put into effect, it is necessary to familiarize all employees with it against signature.

It is possible to record the familiarization of employees with this local document in a special registration log or by filling out individual ones.

Attention! The legislation establishes what the Regulation must include. It must be requested from a person working at the enterprise every time information is disclosed to third parties, for example, when drawing up a power of attorney, certificates, etc.

In this case, the employee can revoke this consent at any time by submitting an appropriate application to his employer.

What data of employees is personal

Legislation determines what is included in a person's personal data. This can be both information directly related to the employee, and indirectly affecting him.

This includes:

  • Full personal data of the employee (full name).
  • Information about the place and date of his birth.
  • Actual and registered address.
  • Social, family, property status.
  • The employee's education, profession.
  • Information about the income received by the employee, etc.

In addition to the law on personal data, the composition of personal information is defined by the Labor Code of the Russian Federation. It includes among the protected information anything that characterizes a person as an employee. These are qualifications, specialization, education, state of human health (in some situations, for example, when working in harmful conditions), the presence of children.

The GIT inspector will check whether the employer has approved the Regulation on the work with personal data. For how to draw up the document so that its content complies with the law, and for a ready-made sample, see the article.

Regulation on personal data of employees: 2020 sample

In the process of employment, and often even earlier, even at the stage of preliminary questionnaires and interviews, the employee provides the employer with certain personal information. Such information is classified as confidential and cannot be disclosed to third parties. Moreover, not all types of information can be requested - for example, the question of religious affiliation or political views of the applicant will be inappropriate in any interview.

The employer is allowed to be interested only in those aspects of the employee's personal life that are directly related to his work and that can affect the quality of its performance.

The definition of personal data is contained in Law No. 152-FZ of July 27, 2006. This is the key normative document that fixes, at the federal level, the basic norms and principles of handling personal information. According to Article 3 of Law No. 152-FZ, any data relating directly or indirectly to a specific subject (natural person) is considered personal. A subject can provide information about himself to an operator - a state or municipal authority, or an employer (legal entity or individual).

Regulation on work with personal data of employees

The operator has no right to process the information received or disclose it to third parties without the consent of the subject. Protection of personal information is provided for by the legislation of the Russian Federation: the aforementioned Federal Law No. 152-FZ, separate articles of the Labor, Criminal and Civil Codes of the Russian Federation, as well as Art. 5.39 and 13.11-13.14 of the Code of Administrative Offenses of the Russian Federation. These norms apply to organizations of all forms of ownership.

Every company that collects personal information about its employees must draw up and approve a regulation on the protection of personal data of employees. This is the name of a local regulatory act that establishes the procedure for working with personal data within a particular enterprise in accordance with the requirements of Art. 87 of the Labor Code of the Russian Federation. In the field of public civil service, the "Regulation on the personal data of a state civil servant and the conduct of his personal file" is being developed, as required by the decree of the President of the Russian Federation No. 609 of 30.05.2005.

Main types of personal information

Conventionally, the entire volume of personal data about a particular subject can be divided into five types:

  • general;
  • public;
  • depersonalized;
  • special;
  • biometric.

General information is the passport data of a person (last name, first name, patronymic, date of birth, marital status), address, telephone number, information about education received, etc. The current legislation does not contain an exhaustive list of general data, but rather lists in great detail the types of special data for which special rules for collection, processing and storage are established. These include information about:

  • health status;
  • intimate life;
  • the presence of a criminal record;
  • religion;
  • philosophical and political convictions;
  • race and nationality.

It is possible to request special data for processing only in strictly defined cases - for medical purposes (with the indispensable observance of medical confidentiality) or insurance services, for the administration of justice, in the framework of countering terrorism, to protect the life or health of the subject. Criminal record information is processed only if there is a federal law establishing the need for such processing. In addition, it is not forbidden to process special information if the subject himself gave it or made it publicly available.

Cheat sheet: when personal data can be processed without the consent of the employee

Attention! Information posted by the owner in public sources - newspapers, magazines, address and telephone directories, social networks - is considered publicly available.

Biometric information is information about the physiological or biological characteristics of a particular person: height, physique, fingerprints, the pattern of the iris, the results of genetic and other studies that make it possible to establish his identity. Sometimes you can't do without it. A typical use case for “biometrics” is described in the article “Can an employer take fingerprints of employees to organize access control?”: the results of fingerprinting allow immediate identification of the employee, which is very important when conducting activities with limited access.

Biometric data should be processed and stored in accordance with the Decree of the Government of the Russian Federation No. 512 dated 6.07.2008. Once the purpose of processing has been achieved or lost, biometric, special and general personal data must be depersonalized. Anonymized information (for example, processed results of statistical reports and surveys) cannot be attributed to a specific person.

Attention! Data that cannot be depersonalized for objective reasons should be destroyed.

When drafting a regulation on the personal data of employees, do not forget to prescribe the rules for processing different types of information, including biometric information, if the organization collects and uses it in its work.

What functions does the regulation on the protection of personal data perform?

One way or another, the employer gains access to certain information about the employee's private life. Filling out, providing various benefits and compensations, drawing up a tax deduction - this is just a small list of standard procedures for which you have to request information from an employee about health status, family composition, etc. And since processing is carried out, then a provision on the protection of personal data is also necessary (a sample document is discussed below).

Attention! You need to receive personal information about an employee directly from him, and not from third parties.

Even within the same organization, personal information can only be transferred in accordance with the local regulation, with which all personnel must first be familiarized against signature. The need for such familiarization is enshrined in paragraph 8 of Art. 86 of the Labor Code of the Russian Federation.

Regulation on personal data of employees: sample structure

The very concept of information processing covers the different types of operations listed in clause 3 of Article 3 of Federal Law No. 152-FZ. First, the collection, recording and systematization of information is carried out. Then comes its accumulation, storage and use. Data can be refined, updated or changed, retrieved and transmitted. If there is no need to use personalized information, it is depersonalized or destroyed. Therefore, the regulation on working with personal data of employees is divided into sections dedicated to different stages of information processing:

  • general provisions;
  • receipt and systematization;
  • storage;
  • use;
  • transfer;
  • confidentiality guarantees.

Of course, the proposed structure can be adjusted as necessary - existing sections can be combined and new ones added, and additional lists and appendices included. But even the simplest model regulation on employees' personal data is a convenient starting template, on the basis of which you can develop a full-fledged document adapted to the working conditions of a particular enterprise.

Regulation on personal data: procedure for processing and storing information

When developing a regulation on personal data, the sample can be used as a basis. Particular attention should be paid to the sections on the procedure for collecting, organizing and storing information. The more detailed each point is, the better and safer for the employer. If a mandatory survey of applicants is carried out, describe the procedure as accurately as possible and list the specific types of information requested:

The storage of any media of personal information - paper, electronic and any other - involves restricting access to them. For this purpose, separate rooms, safes, lockers, special folders and password-protected electronic databases are used. Only a limited number of officials can request confidential information without special permission.

All these nuances need to be included in the regulation on the protection of personal data of employees. A sample of the relevant section would look something like this:

Every employee has the legal right to know exactly how and to what extent his personal data is processed and used, as well as to correct or exclude incorrect, incomplete or processed information about himself.

Regulations on working with personal data of employees: sample design of the section on the transfer of information

The employer is allowed to transfer personal information to third parties, but only under certain circumstances - for example, in order to prevent a threat to the life and health of the employee or in cases provided for by federal laws. In this case, the data does not become publicly available, but is confidentially transferred to the authorized person.

In all other cases, the norm is enshrined in Article 7 of Law No. 152-FZ and requires that every time such a need arises, request from the subject. At the same time, the data is transmitted in a limited amount necessary to perform a specific function and nothing more.

Be sure to add a section on the rules for transferring confidential information to the regulation on personal data of employees. An example of the section design looks like this:

The employer must keep a record of the issuance of any personal information related to the employees of the enterprise. For this purpose, a special journal (book) or electronic document is kept. Ideally, records should be duplicated, keeping both electronic and paper copies.

How to approve the provision on personal data of employees: sample order

There are two ways to approve the regulation on the protection of personal data of employees: or simply provide a special field on the form of the main document for certification details. Employers who do not want to multiply the amount of paperwork usually prefer the second method and add required fields in the "head" of the document.

When approving the document, the head of the organization puts a personal signature and seal on it. If the first, more laborious method of approval is chosen, an appropriate administrative document is drawn up. It is issued in the general manner and, in fact, is no different from the standard ones.

If the employer previously applied a different version of the regulation, upon entry into force new edition the order on the approval of the Regulation on the work with personal data or any other local act is used as a sample.

Order on approval of the Regulation on work with personal data

Attention! If your organization has a legal department or in-house legal counsel, it is recommended that you agree on the employee data protection clause before submitting the document for final approval to the business manager.

Personal data processing notice

In addition to a number of basic measures to protect personal data of personnel, the law provides for another obligation of the operator - notifying Roskomnadzor of the upcoming processing of personal data. This norm has been present in Russian legislation since 2007. The notification form currently in use was approved in 2008.

We note right away that the notification requirement does not apply to all employers. According to Article 22 of Law No. 152-FZ, a notification for Roskomnadzor is not required from organizations that:

  • process the information received in accordance with labor legislation;
  • receive information in connection with the conclusion of a contract and use it exclusively within the framework of the execution of agreements;
  • receive data recognized as publicly available or including only the surnames, names and patronymics of subjects;
  • request information once in order to allow the subject to enter the operator's territory;
  • are religious or public and process information confidentially for legitimate purposes.

In order not to notify Roskomnadzor about data processing every time, an employer who uses information about employees exclusively within the framework of labor legislation can fix the corresponding condition in internal documents. Write down in the regulations and other local acts the main directions of the company's activities and the purposes for which it collects and processes personal information about personnel.

Responsibility for violation of the rules for the processing of personal information

For violation of legislation on the protection of personal information, the guilty person can be brought not only to disciplinary, but also to administrative responsibility, and in some cases even to criminal liability. The measure of responsibility is chosen taking into account the type, severity and circumstances of the offense.

It should be remembered that both illegal access to electronic information protected by law and violation of privacy are considered serious violations. This also includes inappropriate storage of personal data, as well as inadvertent, committed without malicious intent, disclosure of confidential information, access to which was obtained in the performance of work duties. The injured party may, through the court, demand compensation for material and moral damage caused by the unlawful actions of the official.

The amount of fines paid by employers for non-compliance with the rules for processing personal data of personnel are constantly increasing and currently amount to tens of thousands of rubles. Therefore, if the organization does not apply or does not have a provision on the protection of personal data of employees, a sample document drawn up taking into account all the requirements of the law will clearly not be superfluous.

In order to process personal data of employees without a fine from the State Labor Inspectorate (GIT), the employer must draw up and approve the Regulation on the processing of employee personal data. This Regulation is a mandatory document that should be in the organization. Draw up the Regulation in any form and include all the features of the procedure for processing personal data in your company. Approve the finished document by order of the employer.

APPROVED by ____________________________________ (name of the position of the head of the enterprise)

____________________________________ (full name, signature)

"__" ___________ ___

REGULATION

on the processing and protection of personal data of employees

1. GENERAL PROVISIONS

1.1. This Regulation establishes the procedure for receiving, recording, processing, accumulating and storing documents containing information related to the personal data of employees of the enterprise. Employees are persons who have entered into an employment contract with the enterprise.

1.2. The purpose of this Regulation is to protect the personal data of employees of the enterprise from unauthorized access and disclosure. Personal data is always confidential, strictly protected information.

1.3. The basis for the development of this Regulation is the Constitution of the Russian Federation, the Labor Code of the Russian Federation, and other current regulatory legal acts of the Russian Federation.

1.4. This Regulation and changes to it are approved by the head of the enterprise and are introduced by order for the enterprise. All employees of the enterprise must be familiarized with this Regulation and amendments to it against signature.

2. CONCEPT AND COMPOSITION OF PERSONAL DATA

2.1. Personal data of employees means information that the employer needs in connection with labor relations and concerning a specific employee, as well as information about the facts, events and circumstances of the employee's life, which allows him to be identified.

2.2. The composition of the employee's personal data:

Autobiography;

Education;

Information about labor and general experience;

Information about the previous place of work;

Information about the composition of the family;

Passport data;

Information about military registration;

Information about the employee's salary;

Information about social benefits;

Specialty;

Position held;

The amount of wages;

The presence of a criminal record;

Residence address;

Home phone;

Originals and copies of orders for personnel;

Personal files and work books of employees;

Grounds for orders on personnel;

Copies of reports sent to statistics authorities;

Copies of educational documents;

The results of a medical examination for fitness to work;

Photos and other information related to the personal data of the employee;

A person's belonging to a specific nation, ethnic group, race;

Habits and hobbies, including harmful ones (alcohol, drugs, etc.);

Marital status, having children, family ties;

Religious and political convictions (belonging to a religious confession, membership in a political party, participation in public associations, including in a trade union, etc.);

Financial position (income, debts, ownership of real estate, cash deposits, etc.);

Business and other personal qualities that are of an evaluative nature;

Other information that can identify a person.

From the specified list, the employer has the right to receive and use only the information that characterizes the citizen as a party to the employment contract.

2.3. These documents are confidential. The confidentiality of personal data is lifted in cases of depersonalization or after the expiry of a storage period of ____ years, unless otherwise specified by law.

3. OBLIGATIONS OF THE EMPLOYER

3.1. In order to ensure human and civil rights and freedoms, the employer and his representatives, when processing personal data of an employee, are obliged to comply with the following general requirements:

3.1.1. The processing of an employee's personal data may be carried out solely for the purpose of ensuring compliance with laws and other regulatory legal acts, assisting employees in employment, training and promotion, ensuring the personal safety of employees, monitoring the quantity and quality of work performed and ensuring the safety of property.

3.1.2. When determining the volume and content of the processed personal data of an employee, the employer must be guided by the Constitution of the Russian Federation, the Labor Code of the Russian Federation and other federal laws.

3.1.3. All personal data of the employee should be obtained from him. If the employee's personal data can only be obtained from a third party, then the employee must be notified of this in advance and written consent must be obtained from him. The employer must inform the employee about the purposes, the intended sources and methods of obtaining personal data, as well as the nature of the personal data to be received and the consequences of the employee's refusal to give written consent to receive them.

3.1.4. The employer has no right to receive and process personal data of the employee about his political, religious and other beliefs and private life. In cases directly related to issues of labor relations, in accordance with Art. 24 of the Constitution of the Russian Federation, the employer has the right to receive and process data on the private life of the employee only with his written consent.

3.1.5. The employer does not have the right to receive and process the personal data of the employee about his membership in public associations or his trade union activities, with the exception of cases provided for by federal law.

3.1.6. When making decisions affecting the interests of the employee, the employer has no right to rely on the employee's personal data obtained solely as a result of their automated processing or electronic receipt.

3.1.7. Protection of the employee's personal data from their unlawful use or loss must be ensured by the employer at his expense in the manner prescribed by federal law.

3.1.8. Employees and their representatives must be familiarized, against signature, with the documents of the enterprise that establish the procedure for processing personal data of employees, as well as their rights and obligations in this area.

3.1.9. Employees should not give up their rights to maintain and protect secrets.

4. OBLIGATIONS OF THE EMPLOYEE

The employee is obliged:

4.1. Transfer to the employer or his representative a set of reliable documented personal data, the list of which is established by the Labor Code of the Russian Federation.

4.2. Inform the employer of any change in his personal data in a timely manner, within a reasonable period not exceeding 5 days.

5. RIGHTS OF THE EMPLOYEE

The employee has the right:

5.1. To complete information about his personal data and the processing of this data.

5.2. To unrestricted access, free of charge, to his personal data, including the right to receive copies of any record containing the employee's personal data, except as otherwise provided by the legislation of the Russian Federation.

5.3. To access medical data with the help of a healthcare professional of his choice.

5.4. To demand the exclusion or correction of incorrect or incomplete personal data, as well as data processed in violation of the requirements determined by labor legislation. If the employer refuses to exclude or correct the personal data of the employee, the employee has the right to declare in writing to the employer his disagreement, with the appropriate justification for such disagreement. The employee has the right to supplement personal data of an evaluative nature with a statement expressing his own point of view.

5.5. To require the employer to notify all persons who have previously been provided with incorrect or incomplete personal data of the employee about all exclusions, corrections or additions made to them.

5.6. To appeal to the court any illegal actions or inaction of the employer in the processing and protection of his personal data.

5.7. To designate his representatives to protect his personal data.

6. COLLECTION, PROCESSING AND STORAGE OF PERSONAL DATA

6.1. The processing of personal data of an employee is the receipt, storage, combination, transfer or any other use of personal data of an employee.

6.2. All personal data of the employee should be obtained from him. If the employee's personal data can only be obtained from a third party, then the employee must be notified of this in advance and written consent must be obtained from him.

6.3. The employer must inform the employee about the purposes, intended sources and methods of obtaining personal data, as well as the nature of the personal data to be received and the consequences of the employee's refusal to give written consent to receive them.

6.4. The employee provides the employer with reliable information about himself. The employer checks the accuracy of the information by comparing the data provided by the employee with the employee's documents. Submission by an employee of forged documents or false information when applying for a job is the basis for termination of the employment contract.

6.5. When applying for a job, an employee fills out a questionnaire and an autobiography.

6.5.1. The questionnaire is a list of questions about the employee's personal data.

6.5.2. The questionnaire is filled in by the employee independently. When filling out the questionnaire, the employee must fill out all of its columns and give full answers to all questions, in strict accordance with the entries contained in his personal documents, without corrections, strikeouts, dashes or blots.

6.5.3. The autobiography is a document containing a chronological description of the main stages in the life and activities of the employee being hired.

6.5.4. The autobiography is compiled in any form, without blots and corrections.

6.5.5. The employee's questionnaire and autobiography must be kept in the employee's personal file. The personal file also stores other personal accounting documents related to the personal data of the employee.

6.5.6. The employee's personal file is drawn up after the issuance of an order for employment.

6.5.7. All documents of the personal file are filed in a cover of the format established at the enterprise. The surname, first name, patronymic of the employee, and the number of the personal file are indicated on it.

6.5.8. Each personal file is accompanied by two color photographs of the employee, size ______.

6.5.9. All documents submitted to the personal file are arranged in chronological order. Sheets of documents attached to a personal file are numbered.

6.5.10. The personal file is maintained throughout the employee's work activity. Changes to a personal file must be confirmed by appropriate documents.

7. TRANSFER OF PERSONAL DATA

7.1. When transferring personal data of an employee, the employer must comply with the following requirements:

Not to disclose the personal data of the employee to a third party without the written consent of the employee, except for cases when it is necessary in order to prevent threats to the life and health of the employee, as well as in cases established by federal law;

Do not provide personal data of an employee for commercial purposes without his written consent;

Warn the persons receiving the employee's personal data that these data can be used only for the purposes for which they were communicated, and require these persons to confirm that this rule has been observed. Persons receiving personal data of an employee are required to maintain confidentiality. This provision does not apply to the exchange of personal data of employees in the manner prescribed by federal laws;

Allow access to the personal data of employees only to specially authorized persons, while these persons should have the right to receive only those personal data of the employee that are necessary to perform specific functions;

Do not request information about the health status of the employee, except for information that relates to the employee's ability to perform the labor function;

Transfer personal data of an employee to employee representatives in the manner prescribed by the Labor Code of the Russian Federation, and limit this information only to those personal data of an employee that are necessary for these representatives to perform their functions.

8. ACCESS TO PERSONAL DATA OF THE EMPLOYEE

8.1. Internal access (access within the enterprise).

The following have the right to access personal data of an employee:

Head of the enterprise;

Head of HR department;

Heads of structural units, by line of activity (access to personal data only of employees of their unit), in agreement with the head of the enterprise;

When transferring from one structural unit to another, the head of the new unit may have access to the personal data of the employee in agreement with the head of the enterprise;

Accounting employees - to those data that are necessary to perform specific functions;

The employee himself, the data carrier.

8.2. External access.

Personal data outside the organization can be submitted to state and non-state functional structures:

Tax inspectorates;

Law enforcement agencies;

Statistical bodies;

Insurance agencies;

Military registration and enlistment offices;

Social insurance bodies;

Pension funds;

Subdivisions of municipal authorities.

8.3. Other organizations.

Information about the employee (including the dismissed one) can be provided to another organization only with a written request on the organization's letterhead with a copy of the employee's statement attached.

8.4. Relatives and family members.

Personal data of an employee can be provided to relatives or members of his family only with the written permission of the employee himself.

9. PROTECTION OF PERSONAL DATA OF EMPLOYEES

9.1. In order to ensure the safety and confidentiality of the personal data of the employees of the organization, all operations for the registration, formation, maintenance and storage of this information should be performed only by employees of the personnel department who carry out this work in accordance with their official duties recorded in their job descriptions.

9.2. Answers to written requests from other organizations and institutions, within their competence and the powers granted to them, are given in writing on the company's letterhead and only to the extent that does not disclose an excessive amount of personal information about the company's employees.

9.3. The transfer of information containing personal data of employees of the organization by phone, fax or e-mail without the written consent of the employee is prohibited.

9.4. Personal files and documents containing personal data of employees are stored in lockers (safes), which provide protection against unauthorized access.

9.5. Personal computers that contain personal data must be protected by access passwords.

10. RESPONSIBILITY FOR DISCLOSURE OF INFORMATION RELATED TO THE PERSONAL DATA OF THE EMPLOYEE

10.1. Persons guilty of violating the rules governing the receipt, processing and protection of personal data of an employee are subject to disciplinary, administrative, civil or criminal liability in accordance with federal laws.

All companies have personal data of employees. From 1 July 2017, new penalties will apply. They are larger than the old ones. We will show you how to work without violations.

From July 1, 2017, liability for violations in the work with personal data increases. The changes will affect all employers without exception, who have personal information of employees and other individuals at their disposal.

What counts as personal data in 2017

Personal data means any information about an individual (clause 1 of article 3 of the Federal Law of July 27, 2006 No. 152-FZ). Such information includes surname, name, patronymic, gender, age, education, place of residence of an individual, etc.

This means that the employer must process, store and destroy all documents with personal data of individuals in accordance with the requirements of the law.

These documents include:

  • employment history;
  • passport or other identity document;
  • insurance certificate of compulsory pension insurance;
  • military registration documents - for persons liable for military service and persons subject to conscription for military service;
  • documents on education and (or) on qualifications or availability of special knowledge - when applying for a job requiring special knowledge or special training;
  • documents (certificates) containing information about the health status of the employee;
  • documents (certificates) containing information about the age or marital status of the employee.

In 2017, fines for violations of the rules for working with personal data will increase

How to protect personal data

Consider what needs to be done on the farm in connection with the protection of personal data of employees and other individuals. Just five steps.

Step 1. Fix the procedure for receiving, processing, transferring and storing personal data in a local act of the organization. For example, in the regulation on the processing of personal data of employees (Articles 8, 87 of the Labor Code of the Russian Federation, clause 2 of part 1 of Article 18.1 of the Federal Law of July 27, 2006 No. 152-FZ).

Step 2. Appoint an employee responsible for working with personal data (part 5 of article 88 of the Labor Code of the Russian Federation). This could be a human resources employee who works with employees' personal files. He will receive the consent of employees to process personal data, keep employee cards, etc.

Step 3. Prepare a template for consent to the processing of personal data. Without it, you cannot request personal information from individuals. Such consent must include the following information (part 4 of article 9 of the Law of July 27, 2006 No. 152-FZ):

  • Full name, address of the employee, passport details (other document proving his identity), including information about the date and place of issue of the document;
  • name or full name and address of the employer who obtains the employee's consent;
  • the purpose of processing personal data;
  • a list of personal data for the processing of which consent is given;
  • name or full name and address of the person processing personal data on behalf of the employer, if the processing will be entrusted to such a person;
  • a list of actions with personal data, for the performance of which consent is given, a general description of the methods of processing personal data used by the employer;
  • the period during which the employee's consent is valid, as well as the method of its withdrawal, unless otherwise provided by federal law;
  • employee signature.

Sample consent to the processing of personal data

Surname, name, patronymic (the latter - if any) of the subject of personal data

Residence address _________________________________________________________

______________________________________________________________________________

Identity document of the subject of personal data, the date of its issue and the issuing authority ________________________________________________________________

______________________________________________________________________________

CONSENT TO THE PROCESSING OF PERSONAL DATA

I hereby express my consent to the processing of my personal data provided for by part 3 of article 3 of the Federal Law of July 27, 2006 No. 152-FZ, for the purpose of the provision by the Federal Service for Intellectual Property (Rospatent), in accordance with the Federal Law of July 27, 2010 No. 210-FZ "On the organization of the provision of state and municipal services", of the public service of state registration of an invention and the issuance of a patent for an invention, its duplicate.

______________________________________________________________________________

(the title of the invention is indicated)

Application number ______________________________________________________________________

(the registration number of the application is indicated, if available)

Applicant _____________________________________________________________________

______________________________________________________________________________

(the surname, first name, patronymic (the latter - if any) and place of residence are indicated)

I know that the personal data I have provided, which are not necessary for the provision of the specified public service, will be processed as provided for by Federal Law No. 152-FZ of July 27, 2006, while the publication of my personal data will be made by Rospatent in accordance with the current legislation.

I am aware that this consent is valid indefinitely. In case of withdrawal of consent to the processing of personal data, the Federal Service for Intellectual Property has the right to continue processing personal data without my consent in accordance with part 2 of article 9, paragraph 4 of part 1 of article 6 of the Federal Law of July 27, 2006 No. 152-FZ.

Signature _______________________________________________

surname, name, patronymic (the latter - if any)

Date _____________

Step 4. Provide, at the request of an individual, information that relates to the processing of his personal data (part 7 of article 14 of the Law of July 27, 2006 No. 152-FZ). Among such information, for example:

  • confirmation of the fact of personal data processing;
  • the purposes of personal data processing;
  • methods of processing personal data;
  • name and address of the employer, information about persons (except for the operator's employees) who have access to personal data or to whom personal data may be disclosed under the law, etc.

How to work with personal data on the site

Publish or otherwise provide unrestricted access to the document that defines the policy for the processing of personal data. If a farm collects personal data on the Internet, this step must also be taken (clause 2 of article 18.1 of the Law of July 27, 2006, No. 152-FZ).

For example, on some sites, the user indicates his full name and e-mail when registering or applying for a vacancy. Then you need to place links to documents on the site:

  • "Personal data processing policy";
  • "Regulation on the processing of personal data", etc.

How long to store personal data

Personal data must be destroyed 30 days from the date of receipt of consent to the processing of his personal data. Another term can be set in a contract or agreement with an individual.

If the farm is unable to destroy personal data on time, the information must be blocked. After that, personal information must be destroyed within six months at the latest (part 6 of article 21 of Law No. 152-FZ).

The commission destroys personal data on the basis of the order of the head. The result must be formalized in the form of an act on the termination of the processing of personal data. Another option is to make a record of the destruction in a special journal.

Who faces new fines for personal data violations

From July 1, 2017, the list of grounds for bringing an employer to administrative responsibility in the field of personal data protection will expand. In addition, the size of fines will increase (Federal Law No. 13-FZ of February 7, 2017).

Previously, there was only one fine: from 500 to 1000 rubles for the director and from 5000 to 10,000 rubles for a legal entity (Article 13.11 of the Administrative Code of the Russian Federation). There will now be six types of responsibility. For various violations by employers in the field of personal data, inspectors will be able to apply several fines. Read more about the types of violations and fines in the table.

Fines for violation of the rules for working with personal data

Violation: Illegally processed personal data or processed it not for the stated purpose. For example, the company transferred the name, phone numbers, addresses to a legal entity for advertising mailings.
Warning or fine:
  • for individuals - from 1000 to 3000 rubles;
  • for the head or chief accountant - from 5,000 to 10,000 rubles;
  • for legal entities - from 30,000 to 50,000 rubles.

Violation: Processed personal data without the consent of the individual
Fine:
  • for individuals - from 3000 to 5000 rubles;
  • for the head or chief accountant - from 10,000 to 20,000 rubles;
  • for legal entities - from 15,000 to 75,000 rubles.

Violation: We did not post publicly available documents on the personal data processing policy
Fine:
  • for individuals - from 700 to 1500 rubles;
  • for a director or chief accountant - from 3000 to 6000 rubles;
  • for individual entrepreneurs - from 5,000 to 10,000 rubles;
  • for legal entities - from 15,000 to 30,000 rubles.

Violation: Did not provide the individual with information regarding the processing of his personal data
Fine:
  • for individuals - from 1000 to 2000 rubles;
  • for a director, personnel officer or accountant - from 4000 to 6000 rubles;
  • for individual entrepreneurs - 10,000 to 15,000 rubles;
  • for legal entities - from 20,000 to 40,000 rubles.

Violation: Did not destroy or block personal data
Fine:
  • for citizens - from 1000 to 2000 rubles;
  • for a director or chief accountant - from 4,000 to 10,000 rubles;
  • for legal entities - 25,000 to 45,000 rubles.

Violation: We collected the personal data of employees only on paper and did not conduct any automated processing, there are no special processing programs
Fine:
  • for individuals - from 700 to 2000 rubles;
  • for the head or chief accountant - from 4,000 to 10,000 rubles;
  • for individual entrepreneurs - from 10,000 to 20,000 rubles;
  • for legal entities - from 25,000 to 50,000 rubles.