Employment contract for working with personal data. Working with personal data of employees

Small organizations and individual entrepreneurs usually do not pay enough attention to the protection of personal data, believing that checks are carried out only at large employers.

However, for regulatory authorities, the size of the company and the number of employees do not matter. Moreover, if violations are detected, real fines threaten not only the organization or individual entrepreneur, but also the person responsible for processing personal data. And this is often an accountant. Let's try to figure out how serious the fines are and what accountants or HR officers should do to avoid them.

Fines and inspections

At first glance, fines for violating the rules of working with personal data are not that high. According to Article 13.11 of the Code of Administrative Offenses of the Russian Federation, fines amount to 5-10 thousand rubles for an organization and 500-1000 rubles for its official.

However, it must be borne in mind that this fine may be imposed for each violation committed. And legislators have established a lot of rules for those who work with personal data. So a 10 thousand ruble fine can easily turn into 50 or 100 thousand rubles even within the framework of one inspection. And over the course of a year, these amounts may turn out to be even more impressive.

Responsibility of the organization

In addition, if the company has not approved the Regulations on Personal Data, then administrative liability may arise for violation of labor legislation under Article 5.27 of the Code of Administrative Offenses of the Russian Federation. The fine can range from 30 to 50 thousand rubles. An administrative suspension of activities for up to ninety days is also possible. By the way, starting from 2015, the fine for repeated violations provided for in this article will range from 50 to 70 thousand rubles.

Compliance with legislation on personal data is monitored by Roskomnadzor. For failure to comply with Roskomnadzor's order to eliminate violations of the legislation on personal data, an administrative fine of up to 20,000 rubles is possible (Administrative Code of the Russian Federation). If you simply do not respond to this body’s request regarding personal data, the fine can be up to 5,000 rubles (Administrative Code of the Russian Federation).

Employee Responsibility

An employee at fault for violating the rules governing the processing and protection of other employees' personal data may be subject (Labor Code of the Russian Federation):

  • to administrative responsibility;
  • to disciplinary and financial liability;
  • to civil liability;
  • to criminal liability.

Administrative responsibility

Personal data refers to information to which access is restricted. Therefore, for the disclosure of personal data, the responsible employee may be fined in the amount of 4 to 5 thousand rubles (Administrative Code of the Russian Federation “Disclosure of information with limited access”).

Officials can also be held accountable for the lack of an approved Regulation on personal data. In this case, the fine for violation of labor legislation will range from 1 to 5 thousand rubles. For a repeated violation starting from 2015, the fine will be from 10 to 20 thousand rubles or disqualification for a period of one to three years (Administrative Code of the Russian Federation).

Disciplinary responsibility

An employment contract with an employee may be terminated due to the disclosure of a legally protected secret that has become known in connection with the performance of job duties, including the disclosure of personal data of another employee (subparagraph “c”, paragraph 6, part 1, article 81 of the Labor Code of the Russian Federation).

Material liability

In case of illegal dissemination of information about personal data, an employee of an organization may suffer moral harm. The employee may demand compensation from the employer. If the harm was caused through the fault of the person responsible for the non-disclosure of data, the employer may subsequently hold the perpetrator financially liable for the damage caused.

Civil liability

If, as a result of a violation of the rules governing the storage, processing and use of personal data, an employee suffers property damage or moral harm, then it is subject to compensation in cash in accordance with civil legislation (Civil Code of the Russian Federation).

Criminal liability

If the employee responsible for storing, processing and using personal data abused his official powers and disseminated information about the private life of other employees without their consent, then he can be prosecuted on the basis of Article 137 of the Criminal Code of the Russian Federation.

Checks

As mentioned above, the agency authorized to monitor compliance with the personal data regime is the Federal Service for Supervision of Communications, Information Technologies and Mass Communications (abbreviated as Roskomnadzor). However, this organization does not have the right to impose and collect fines. Roskomnadzor transfers all materials on those inspections where violations are found to the prosecutor's office. The prosecutor is authorized to make decisions on initiating proceedings for an administrative offense (Clause 1 of Article 28.4 of the Code of Administrative Offenses of the Russian Federation). The issue of imposing fines is decided by the judge (Clause 1 of Article 23.1 of the Code of Administrative Offenses of the Russian Federation).

Official information

In 2013, as part of state control (supervision) over the compliance of personal data processing with the requirements of legislation in the field of personal data, 2,418 inspections were carried out (back in 2011, there were significantly fewer such inspections - 1,743 inspections). Of these, 1,801 were scheduled and 617 unscheduled inspections.
In 2013, the increase in the number of scheduled inspections was associated, first of all, with an increase in the number of operators who refused to comply with the requirements of the Federal Law of July 27, 2006 No. 152-FZ “On Personal Data” due, in their opinion, to the failure to carry out activities related to the processing of personal data.

Statement on personal data

Now let’s try to find out what needs to be done to successfully pass the Roskomnadzor inspection and avoid fines.

Issues of processing personal data are regulated by Federal Law No. 152-FZ dated July 27, 2006 “On Personal Data” (hereinafter referred to as Law No. 152-FZ). All organizations and individual entrepreneurs that have at least one employee must comply with the requirements of this law. This is because legislators included in personal data, among other things, the information that an enterprise receives from individuals when hiring them. This means that the organization is obliged to protect it in full accordance with the law.

The main document that any employer must have is a statement (Regulation) on personal data. The Labor Code obliges the employer to adopt this local act regulating the storage and use of employees’ personal data. The Regulations usually specify all the requirements for receiving, storing, combining, transferring and any other use of personal data, as well as guarantees for their protection.
In practice, such a document usually consists of sections describing exactly how the organization should collect and process personal data; who has access to this data and in what order; what measures are taken to prevent disclosure of personal data.

So we recommend starting the Regulations with the section “Collection and processing of personal data”. It must state that personal data in the organization can be obtained and processed solely on the basis of the employee’s written consent (see sample “Consent to the processing of personal data”). This means that it would not be superfluous to immediately develop and approve the form of such consent. The employee must be given this form for signature immediately upon hiring. And for existing employees, such work will have to be carried out immediately after the approval of the Regulations.

This may be followed by the section “Access to personal data”. It describes in turn the procedure for access to such data by employees of the organization and by third parties (separately for relatives, government bodies, representatives of other organizations). If necessary, you can introduce access levels here depending on the employee’s position. For example, the director and the management staff have access to all personal data; accounting staff only to the information necessary for calculating wages and taxes; HR staff to the information necessary for drawing up personnel documentation, etc.

The Regulations continue with the section “Procedure for processing and transfer of data”. Here it is necessary to fix the rules for transferring data about employees to certain bodies or persons. In cases where data transfer is regulated by law (tax authorities, statistical authorities, Pension Fund, etc.) it is enough to make references to the procedure for transmitting information established by law. But at the same time, it is necessary to record who has the right to prepare this information for transmission to government agencies, and in what order.

But to relatives, family members, insurance companies, banks, charitable organizations, non-state pension funds, etc., personal data is provided only with the written consent of the employee for each specific instance of data transfer.

It is better to end the Regulations with the “Responsibility” section. There is no need to reinvent the wheel here - it will be enough to make references to (or quote in full) the norms of the Labor Code (dismissal for disclosing personal data under Article 81 of the Labor Code of the Russian Federation), the Code of Administrative Offenses (the Code of Administrative Offenses of the Russian Federation, already familiar to us) and, if necessary, the Criminal Code (Article 137 of the Criminal Code of the Russian Federation).
A regulation on personal data can be developed using as a basis the sample “Regulation on working with personal data” developed by our lawyer.

However, in addition to the regulations, regulatory authorities are also interested in other documents during inspections. Let's name some of them.

Order from the manager to appoint a person in charge

The manager must issue an order appointing someone responsible for working with personal data and ensuring its protection. Such a responsible party can be either a specific person (see the sample “On the appointment of a person responsible for working with personal data and ensuring their protection (responsible person)”), or a department (see the sample “Order on the appointment of a person responsible for working with personal data and ensuring their protection (responsible department)”). In the latter case, the head of such a unit bears personal responsibility.

List of personal data

You will also need to approve a document containing a list of personal data (see sample “Order on approval of the list of personal data”) that are actually used in the organization’s activities. When drawing up such a document, do not forget to include in it all the information that the employee provides in writing about himself when applying for a job, as well as that used in the future when preparing personnel documentation.

This list should include:

  • application for a job;
  • employee profile;
  • personal card;
  • personal file;
  • employment contract;
  • orders;
  • employment history;
  • materials of certification commissions.

This is one section of the list. If the organization has an internal document flow containing information about employees (for example, reports and materials that are prepared for shareholders, founders, the parent organization, etc.), then these reports also need to be included in the list.

In addition, the list must contain documents containing information about employees that the organization submits to various government bodies (tax and labor inspectorates, statistical authorities).

Personal data log

Employers are required to comply with the confidentiality regime of personal data (Law No. 152-FZ). To confirm that this requirement is being met, regulatory authorities may require the submission of a personal data log, which indicates who had access to confidential information and when. Note that the form of such a journal is not established, so you need to develop it yourself.

External and internal protection of personal data

Threats to stored personal data can be roughly divided into external and internal.

If we talk about protection from external threats, then it makes sense to stipulate in local acts a special access regime for premises where information containing personal data is stored. In particular, it is possible to provide access control and control over office visitors.

As for internal protection, it is advisable to regulate the composition of employees whose duties require access to personal data. A specific list of employees and cases of obtaining information should be approved by order or regulation (which stipulates that, for example, company lawyers can receive personal data to draw up powers of attorney).

Possible Solution

It is obvious that resolving issues relating to personal data can take a lot of an accountant's time: it is necessary to study a voluminous law and understand what actions need to be taken and what documents need to be drawn up, find approximate samples of these documents, and adjust and fill them out.

Considering that in total there are dozens of documents and data processing actions, one can imagine how much time and effort an accountant will need to organize work with personal data in accordance with the requirements of the law.

You can save time and focus on your main work using the “” web service. It automatically generates all the necessary orders, acts, notifications and regulations necessary for working with personal data. An accountant can ask an expert directly from the service page any questions that arise during the execution of actions and receive a prompt answer. When all actions are completed, all that remains is to print the documents prepared by the service and sign them. Subsequently, the service will remind you that it is time to carry out a certain event, fixed in a set of documents, as well as monitor changes in legislation and inform you about what needs to be done after the amendments come into force.

1. General provisions

1.1. This Regulation determines the procedure for collecting, recording, systematizing, accumulating, storing, clarifying, transferring and any other action for processing the Employee’s personal data, as well as maintaining his personal file in accordance with the labor legislation of the Russian Federation.
These Regulations have been developed in accordance with the Constitution of the Russian Federation, the Labor Code of the Russian Federation, Federal Law dated July 27, 2006 N 152-FZ “On Personal Data”, the List of confidential information approved by Decree of the President of the Russian Federation dated March 6, 1997 No. 188, and other regulations in force on the territory of the Russian Federation.

1.2. The following terms and definitions will be used in these Regulations:
Employee is an individual who has entered into an employment relationship with the Employer.
Employer: Axel Springer Russia JSC.
Personal data of the Employee - any information relating to a directly or indirectly identified or identifiable Employee (subject of personal data).
Processing of the Employee’s personal data – any action (operation) or set of actions (operations) performed using automation tools or without the use of such means with the Employee’s personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, changing), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data.
Protection of the Employee’s personal data – the Employer’s activities to ensure, through local regulation of the procedure for working with the Employee’s personal data and other organizational and technical measures, the safety of the Employee’s personal data and the inadmissibility of their unauthorized use.
Confidential information is information (in documented or electronic form), access to which is limited in accordance with the legislation of the Russian Federation.

2. Processing of personal data of Employees
2.1. Obtaining personal data of Employees

2.1.1. The procedure for working with the Employee’s personal data is regulated by the current legislation of the Russian Federation, in particular Chapter 14 of the Labor Code of the Russian Federation and Federal Law dated July 27, 2006 N 152-FZ “On Personal Data,” and is carried out in compliance with strictly defined rules and conditions.

2.1.2. The HR Director is responsible for organizing the processing of Employees' personal data.

2.1.3. In order to ensure the rights and freedoms of man and citizen, the Employer and its representatives, when processing the Employee’s personal data, are obliged to comply with the following general requirements:

  • Processing of the Employee’s personal data may be carried out solely for the purpose of ensuring compliance with laws and other regulations, assisting Employees in employment, training and promotion, ensuring the personal safety of the Employee, monitoring the quantity and quality of work performed and ensuring the safety of the property of the Employer, Employee and third parties;
  • When determining the scope and content of the processed personal data of the Employee, the Employer must be guided by the Constitution of the Russian Federation, the Labor Code of the Russian Federation and other federal laws;
  • All personal data of the Employee should be obtained personally from the Employee. If personal data can only be obtained from a third party, then the Employee must be notified about this in advance and written consent (or written refusal) must be obtained from him. The Employer must inform the Employee about the purposes, intended sources and methods of obtaining personal data, intended users of personal data, the rights of the Employee as a subject of personal data established by law, the nature of the personal data to be received and the consequences of the Employee’s refusal to give written consent to receive it;
  • The Employer does not have the right to receive and process the Employee’s personal data about his political, religious and other beliefs and private life. In cases directly related to issues of labor relations, in accordance with Article 24 of the Constitution of the Russian Federation, the Employer has the right to receive and process data about the Employee’s private life only with his written consent;
  • The Employer does not have the right to receive and process the Employee’s personal data about his membership in public associations or his trade union activities, except for cases provided for by the Labor Code of the Russian Federation or other federal laws;
  • When making decisions affecting the interests of the Employee, the Employer has no right to rely on the Employee’s personal data obtained solely as a result of their automated processing or electronic receipt.

2.1.4. When applying for a job, the Employee provides personal data about himself in documented form, namely:

  • passport or other identification document;
  • work book, with the exception of cases when an employment contract is concluded for the first time or the Employee enters work on a part-time basis;
  • insurance certificate of state pension insurance;
  • military registration documents – for those liable for military service and persons subject to conscription for military service;
  • a document on education, qualifications or the presence of special knowledge when applying for a job that requires special knowledge or special training;
  • completed application form;
  • photograph indicating your full name;
  • in some cases, taking into account the specifics of the work, the current legislation of the Russian Federation may provide for the need to present additional documents upon conclusion of an employment contract (for example, a medical report for persons under 18 years of age; for persons engaged in work related to traffic, visas, work permits for foreign citizens).

2.1.5. It is prohibited to require from a person applying for a job documents other than those provided for by the Labor Code of the Russian Federation, other federal laws, decrees of the President of the Russian Federation and decrees of the Government of the Russian Federation.

2.1.6. When concluding an employment contract and during employment, it may be necessary for the Employee to provide documents:

  • about the birth of children;
  • about the age of the children;
  • about a woman’s pregnancy;
  • about disability;
  • about donation;
  • about the composition of the family;
  • about income from a previous place of work;
  • about the need to care for a sick family member;
  • TIN;
  • others.

2.1.7. The Employer has the right to verify the accuracy of the information provided by the Employee. As necessary, the Employer requests from the Employee additional information and documents confirming the accuracy of this information.

2.1.8. When registering an Employee, the HR department fills out a unified form T-2 “Employee Personal Card”, which reflects the following personal and biographical information of the Employee:

  • general information (full name, date of birth, place of birth, citizenship, level of proficiency in foreign languages, education, profession, work experience, marital status, family composition, passport details);
  • information about place of residence and contact numbers;
  • information about military registration;
  • information about hiring;
  • information about certification;
  • information about advanced qualifications;
  • information about professional retraining;
  • information about awards (incentives), honorary titles;
  • information about vacations;
  • information about social guarantees.

2.1.9. Persons receiving the Employee’s personal data are required to observe a regime of secrecy (confidentiality). This provision does not apply to the exchange of personal data of Employees in the manner prescribed by federal laws.

2.2. Storage of personal data of Employees

2.2.1. The HR department creates and stores the following groups of documents (in electronic and/or paper form) containing data about Employees in single or consolidated form:

  • resumes and profiles of Employees;
  • cards of the unified form T-2;
  • employment contracts;
  • additional agreements to the employment contract;
  • agreements of the parties;
  • notifications;
  • statements of Employees;
  • offers to Employees;
  • consent of the Employees;
  • originals and copies of orders on hiring the Employee;
  • originals and copies of orders on termination of employment contracts with Employees;
  • originals and copies of orders to transfer the Employee to another job;
  • originals and copies of orders on rewarding the Employee;
  • originals and copies of orders sending the Employee on a business trip;
  • originals and copies of orders granting leave to the Employee;
  • originals and copies of orders granting annual basic paid leave with subsequent dismissal;
  • originals and copies of reprimand orders;
  • originals and copies of orders announcing reprimands;
  • originals and copies of orders to make changes to accounting documents containing personal data;
  • originals and copies of orders for payment of financial assistance;
  • originals and copies of orders granting parental leave;
  • originals and copies of orders assigning compensation payments for child care;
  • originals and copies of orders for additional payment on certificates of incapacity for work;
  • originals and copies of training orders;
  • originals and copies of orders for compensation of expenses;
  • originals and copies of orders for additional payment;
  • originals and copies of orders for compensation of expenses for voluntary medical insurance;
  • originals and copies of orders for payment of pension insurance in Germany;
  • originals and copies of orders assigning additional work;
  • originals and copies of orders for core activities;
  • originals and copies of certification orders;
  • personal files and work books of Employees;
  • job descriptions of Employees;
  • certification sheets of Employees;
  • cases containing grounds for orders;
  • files containing employee certification materials;
  • cases containing materials of internal investigations;
  • reference and information data bank on personnel (card files, journals);
  • originals and copies of reporting, analytical and reference materials transferred to the Employer’s management and heads of structural divisions;
  • copies of reports sent to state statistical bodies, tax inspectorates, higher management bodies and other government agencies;
  • documents of planning, accounting, analysis and reporting on personnel issues;
  • a set of documents required for registration of voluntary medical insurance for Employees;
  • a set of documents necessary for training Employees;
  • a set of documents required for registration of SNILS of Employees;
  • explanatory notes;
  • acts;
  • protocols;
  • permission to process personal data.

2.2.2. The accounting department creates and/or stores the following groups of documents (in electronic and/or paper form) containing data on Employees in single or consolidated form:

  • Employees' pay slips;
  • statements with the numbers of the Employees' current accounts;
  • documents necessary for calculating wages of Employees, which are transferred to the accounting department by employees of the HR department;
  • certificates of incapacity for work;
  • applications for deductions;
  • writs of execution;
  • copies of orders on the main activities necessary for the implementation of accounting activities.

2.2.3. The legal department creates and/or stores the following groups of documents (in electronic and/or paper form) containing data on Employees in a single or consolidated form:

  • powers of attorney for Employees;
  • contracts related to the activities of the Employer;
  • decisions of the sole participant of the Employer;
  • copies of migration documents of Employees who are foreign citizens.

2.2.4. The information technology department creates and/or stores the following groups of documents (in electronic and/or paper form) containing data on Employees in single or consolidated form:

  • copies of clearance sheets for dismissed Employees;
  • certificates of acceptance/transfer of equipment;
  • a book recording the familiarization of employees of JSC Axel Springer Russia with policies, procedures and regulations in the field of IT.

2.2.5. The above documents containing personal data of Employees are stored on paper in the premises of the HR department, accounting department, legal department, and information technology department, respectively. For this purpose, specially equipped lockable cabinets and safes are used. Information about Employees is arranged in alphabetical order. The keys to the cabinets and safes in which information about the organization’s Employees is stored are kept by the HR Director, Chief Accountant, Legal Director, and Deputy Director for Information Technology, respectively. In their absence, the keys are kept by their deputies. Personal files of dismissed Employees are stored in the archives of the HR department in alphabetical order.

2.2.6. Specific responsibilities for storing personal files of Employees, filling out, storing and issuing work books (duplicates of work books), and other documents reflecting the personal data of Employees are assigned to Employees of the HR department and are enshrined in their job descriptions.

2.2.7. For some documents, the current legislation of the Russian Federation may establish storage requirements other than those provided for in these Regulations. In such cases, one should be guided by the rules established by the relevant regulations.

2.2.8. On the computers of employees of the HR department, chief accountant, senior accountant (payroll) and the head of the business applications development group, an automated 1C information system is installed with access, limited by a password, to the personal data of Employees.

2.2.9. The Employer ensures that persons not authorized by law or by the Employer to obtain the relevant information are restricted from accessing the Employees’ personal data.

2.2.10. The office of the HR department, as well as the office of the legal department, are equipped with an access system using an electronic pass. Additionally, the HR department office is equipped with a video surveillance camera.

2.3. Access to personal data of Employees

2.3.1. Employees holding the following positions have access to personal data of Employees:

  • CEO;
  • financial director;
  • Chief Accountant;
  • HR director;
  • HR manager;
  • Director of Legal Affairs;
  • lawyer;
  • senior accountant (payroll);
  • head of the business applications development group;
  • employees of the information technology department;
  • heads of structural divisions (only in relation to the personal data of Employees on staff of the relevant structural divisions).

2.3.2. When receiving information constituting the Employee’s personal data, these persons have the right to receive only those personal data of the Employee that are necessary to perform specific functions and tasks.

2.3.3. Access to the computers of employees specified in clause 2.3.1 is limited by a password that is known only to these employees.

2.4. Transfer of personal data of Employees

2.4.1. When transferring the Employee’s personal data, the Employer must comply with the following requirements:

  • Do not disclose the Employee’s personal data to a third party without the written consent of the Employee, except in cases where this is necessary in order to prevent a threat to the life and health of the Employee, as well as in cases established by federal law;
  • Do not disclose the Employee’s personal data for commercial purposes without his written consent;
  • Warn persons receiving the Employee’s personal data that this data can only be used for the purposes for which it was communicated, and require these persons to confirm that this rule is observed;
  • Transfer the Employee’s personal data within one Employer in accordance with these Regulations;
  • Allow access to the personal data of Employees only to specially authorized persons, and these persons should have the right to receive only those personal data of the Employee that are necessary to perform specific functions;
  • Do not request information about the Employee’s health status, with the exception of information that relates to the issue of the Employee’s ability to perform a job function;
  • Transfer the Employee’s personal data to the Employees’ representatives in the manner established by the Labor Code and these Regulations, and limit this information only to those Employee’s personal data that are necessary for the said representatives to perform their functions.

2.4.2. Within the company, the HR manager provides the senior accountant with copies of orders, agreements, certificates of incapacity for work, certificates, statements and other necessary copies and original documents for calculating wages for the Employees.

2.4.3. With the written consent of the Employees, personal data can be transferred, both on paper and through automated means, to a bank as part of the implementation of the Employer’s salary project, to an insurance company as part of contracts for insurance of Employees, to other organizations as part of the implementation of concluded contracts. In case of a request about a working or dismissed Employee, information is provided with the written consent of the Employee.

2.5. Protection of personal information

2.5.1. The main task of ensuring the security of Employees’ personal data is to prevent unauthorized access to it by third parties, and to prevent deliberate software, hardware and other influences aimed at stealing, destroying or distorting Employees’ personal data during processing.

2.5.2. Protection of the Employee's personal data from unlawful use or loss must be ensured by the Employer at its expense in the manner prescribed by federal law.

2.5.3. "Internal protection".
To ensure internal protection of Employees’ personal data, a number of measures are taken:

  • all computers must be protected by a password, which is changed monthly by Employees;
  • limitation and regulation of the composition of Employees who have access to the personal data of Employees;
  • strict selective and reasonable distribution of documents and information between Employees;
  • Employees’ knowledge of the requirements of regulatory and methodological documents on the protection of personal data. Employees and their representatives must be familiarized, against receipt, with the organization’s documents establishing the procedure for processing the Employees’ personal data, and also be aware of their rights and obligations in this area;
  • rational placement of Employees’ workplaces, which would exclude uncontrolled use of protected information;
  • availability of electronic passes to the offices of the General Director, HR department and legal department;
  • documents containing personal data of Employees are stored in iron cabinets and safes, which are locked and sealed;
  • if necessary, documents containing personal data of Employees are destroyed using a shredder;
  • password restriction of access to the automated 1C database containing personal data of Employees;
  • password restriction of access to the bank-client system “ELBRUS Internet”, used for sending documents containing personal data of Employees as part of the implementation of the salary project;
  • registration of all actions performed in automated information systems;
  • daily creation of a backup copy of data in automated information systems;
  • Employees who have access to the processing of personal data are prohibited, when leaving the premises (for any duration), from leaving documents, filing cabinets, office records and other materials containing personal data of Employees on the desktop, and from leaving computer monitors and cabinets unlocked;
  • explanatory work with department employees to prevent the loss of valuable information when working with confidential documents.

2.5.4. "External protection".
To ensure external protection of Employees’ personal data, a number of measures are observed:

  • recording visitors and accompanying them on the territory of the Employer’s office;
  • access control at the entrance to the Employer’s office;
  • accounting for the issuance of passes, their timely cancellation if necessary;
  • technical security equipment, video surveillance system;
  • security of the territory, office building and vehicles;
  • accounting of computer storage media of personal data;
  • identification of threats to the security of Employees’ personal data during their processing in information systems and the use of information security measures that have passed the compliance assessment procedure in accordance with the established procedure;
  • assessment of the effectiveness of measures taken to ensure the security of personal data before the commissioning of the personal data information system;
  • external written requests for information about Employees are answered only by persons who have access to personal data of Employees within their job responsibilities.

2.5.5. All persons associated with the receipt, processing and protection of personal data are required to sign an obligation of non-disclosure of the Employees’ personal data.

2.5.6. Where possible, personal data is anonymized.

2.5.7. The employer annually draws up an action plan for the protection of personal data and monitors its implementation.

2.5.8. The Deputy Director for Information Technology is appointed responsible for ensuring the security of personal data in the Employer's information system, as well as for the selection and implementation of methods and means of protecting information in the Employer's information system.

3. Responsibilities of the Employee and the Employer regarding the Employee’s personal data

3.1. In order to ensure the accuracy of personal data, the Employee is obliged to:

3.1.1. When applying for a job, provide the Employer with complete and reliable information about yourself;

3.1.2. If the information constituting the Employee’s personal data changes, immediately provide this information to the Employer.

3.2. The employer is obliged:

3.2.1. Protect the Employee’s personal data;

3.2.2. Ensure proper storage of primary accounting documentation for labor accounting and payment, which, in particular, includes documents for personnel records, documents for recording the use of working time and settlements with Employees for wages, etc. In this case, personal data should not be stored longer than is justified by the purposes for which it was collected or longer than is necessary in the interests of the persons about whom the data is collected;

3.2.3. Do not disclose the Employee’s personal data to a third party without the Employee’s written consent, except in cases provided for by the legislation of the Russian Federation;

3.2.4. Allow access to Employees’ personal data only to specially authorized persons within the framework of performing specific functions;

3.2.5. Take the necessary legal, organizational and technical measures to protect the personal data of Employees during their processing from unauthorized or accidental access to them, destruction, modification, blocking, copying, provision, distribution of personal data, as well as other unlawful actions in relation to personal data;

3.2.6. Other obligations of the Employer established by the legislation of the Russian Federation.

4. Rights of Employees in order to ensure the protection of personal data

4.1. In order to ensure the protection of personal data stored by the Employer, Employees have the right to:

4.1.1. Full information about their personal data and the processing of this data.

4.1.2. Free access to their personal data, including the right to receive copies of any record containing the Employee’s personal data, except for cases provided for by the legislation of the Russian Federation;

4.1.3. Determination of representatives to protect their personal data;

4.1.4. Requirement to exclude or correct incorrect or incomplete personal data, as well as data processed in violation of the requirements of the legislation of the Russian Federation. If the Employer refuses to exclude or correct personal data, the Employee has the right to declare in writing to the Employer his disagreement, with appropriate justification for such disagreement. The Employee has the right to supplement personal data of an evaluative nature with a statement expressing his own point of view;

4.1.5. The requirement that the Employer notify all persons who were previously informed of incorrect or incomplete personal data of the Employee about all exceptions, corrections or additions made to them;

4.1.6. Appeal to the court against any unlawful actions or inaction of the Employer in the processing and protection of his personal data.

5. Liability for violation of the rules governing the processing and protection of personal data of Employees

5.1. Persons guilty of violating the rules governing the receipt, processing and protection of the Employee’s personal data are subject to disciplinary and financial liability in the manner established by the Labor Code of the Russian Federation and other federal laws, and are also subject to civil, administrative and criminal liability in the manner established by current legislation.

5.2. The Employer’s unlawful refusal to exclude or correct the Employee’s personal data, as well as any other violation of the Employee’s rights to the protection of personal data, gives rise to the Employee’s right to demand elimination of the violation of his rights and compensation for moral damage caused by such a violation.

6. Final provisions

6.1. This Regulation comes into force from the moment of its approval by the General Director.

6.2. These Regulations are brought to the attention of all Employees personally against signature.

Protection of personal data of organization employees

Personal data is any information relating to an individual identified or identifiable on the basis of such information (the subject of personal data). In the context of labor relations, personal data is information necessary for the employer in connection with labor relations and relating to a specific employee (Article 85 of the Labor Code of the Russian Federation).
In accordance with Article 3 of Federal Law No. 152-FZ (2007) “On the Protection of Personal Data,” personal data includes:
- Full Name;
- year, month, date and place of birth;
- address;
- family, social, property status;
- education;
- profession;
- income;
- other information.
The employer is obliged to collect, store and process personal data in strict accordance with legal requirements. To regulate all issues related to the protection of personal data of employees, the organization must develop and adopt an appropriate document.
DOCUMENTS ESTABLISHING THE PROCEDURE FOR PROCESSING PERSONAL DATA OF EMPLOYEES
These documents are an innovation of the Labor Code of the Russian Federation. If previously the absence of such local regulations was not punished, then Article 90 of the Labor Code of the Russian Federation establishes that those guilty of violating the rules governing the receipt, processing and protection of employee personal data bear disciplinary, administrative, civil or criminal liability.
Since the Labor Code of the Russian Federation refers to documents establishing the procedure for processing personal data in the plural, there must be at least two such documents:
- Regulations on the protection of personal data of employees (approved and put into effect by order of the head of the organization)
- An obligation not to disclose personal data of employees (signed by those who have access to such data: employees of the HR department, accounting department, security service, etc.).
After checking the availability of documents on the protection of personal data of employees, the state labor inspector will ask how the organization collects data about employees (how legal it is). As a general rule, all information about an employee can only be obtained from the employee himself. If you have to contact other organizations, even just to inquire whether a person worked there, not to mention obtaining some evaluation data about him, it is necessary to obtain the employee’s written consent.
In this regard, personnel officers resort to a trick. When applying for a job, the employee fills out a questionnaire containing the following item: “I do not object to receiving information about me in...”, and then he himself lists the organizations that the employer may contact to obtain information about him. Sometimes the questionnaire states in a separate line: “I do not object to verification of the submitted data.”
Be very careful if you are asked for personal information about an employee who once worked for you. There are already cases where employees are suing for the disclosure of their personal data. Under no circumstances should such information be given over the phone. Be sure to ask for an application for the transfer of employee data from the employee himself or a request from the employer accompanied by the employee’s written consent. If personal information about an employee is required by police officers or other regulatory organizations, ask for a written request, and if they come to you in person - an official identification card and an order indicating the purposes for collecting such information.
The Labor Code of the Russian Federation requires that employees be familiarized, against receipt, with the organization’s documents establishing the procedure for processing employees’ personal data. Who develops these documents and what should they be called?
With the entry into force of the Labor Code of the Russian Federation, personnel services employees were tasked with protecting employees’ personal data from unlawful use or loss (Chapter 14 of the Labor Code of the Russian Federation).
The procedure for storing and using personal data of employees in an organization is established by the employer (Article 87 of the Labor Code of the Russian Federation).
The transfer of personal data of employees within one organization must be carried out in accordance with the local regulatory act of the organization, with which the employee must be familiarized against signature (Article 88 of the Labor Code of the Russian Federation).
A local regulatory act related to the problem of collecting, processing, transferring, storing and protecting employee personal data from unauthorized access is developed by the organization’s personnel service in the form of regulations, instructions, rules or in some other form.
The circle of persons participating in the approval is established at the discretion of the organization.
Like all documents of this group, the regulations (instructions, rules) must be signed by the developer (head of the personnel department) and approved by the employer. The employer can approve the document personally by signing the approval stamp, or issue an order for approval of this document and putting it into effect.
Along with the above-mentioned local regulatory act, a form of obligation on non-disclosure of the employee’s personal data should be developed, since persons receiving personal data are required to observe a regime of secrecy (confidentiality), as expressly stated in Art. 88 Labor Code of the Russian Federation.

INSTRUCTIONS on the rules for processing, storing and transferring employee personal data (option)

I. General provisions.
The regulatory framework for the provisions of this Instruction is Article 24 of the Constitution of the Russian Federation, Chapter 14 of the Labor Code of the Russian Federation, Article 137 of the Criminal Code of the Russian Federation.
II. The personal data of the employee required by the employer in labor relations include:
- information about education;
- information about previous place of work, work experience and position held;
- information about family composition and the presence of dependents;
- information about the state of health and the presence of diseases (when necessary in cases established by law);
- information about attitude to military duty;
III. The procedure for processing employee personal data.
1. When processing an employee’s personal data, that is, receiving, storing, combining, transferring or any other use of the employee’s personal data, HR department employees are required to comply with the following general requirements:
1.1. The employee may process personal data solely for the purpose of ensuring compliance with laws and other regulations, assisting employees in employment, training and promotion, ensuring the personal safety of employees, monitoring the quantity and quality of work performed and ensuring the safety of property;
1.2. All personal data of the employee should be obtained from him or her. If the employee’s personal data can only be obtained from a third party, then the employee must be notified about this in advance and written consent must be obtained from him;
1.3. An HR department employee does not have the right to receive and process the employee’s personal data about his political, religious and other beliefs and private life, membership in public associations or his trade union activities, except in cases directly related to issues of labor relations with the written consent of the employee, as well as in cases provided for by federal law;
1.4. Personal responsibility for compliance by all employees of the HR department with this Instruction, as well as monitoring its compliance, is assigned to the Head of the HR Department (full name)
1.5. All HR department employees must be familiar with this Instruction against signature.
IV. Storing personal data of employees.
Documents containing personal data of an employee are stored in fireproof cabinets (safes), the keys to which are kept by the Head of the HR Department, and in his absence by his replacement. Other personnel department employees may use these documents only with the permission of the above-mentioned persons.
V. Transfer of employee personal data.
1. When transferring the employee’s personal data, the HR department employee must comply with the following requirements:
1.1. Do not disclose the employee’s personal data to a third party without the written consent of the employee, except in cases where this is necessary to prevent a threat to the life and health of the employee, as well as in cases established by federal law, and also do not disclose relevant information for commercial purposes without the written consent of the employee;
1.2. When transferring personal data of employees, warn the persons receiving the personal data of the employee that this data can only be used for the purposes for which it was communicated.
1.3. An employee of the HR department is allowed access only to those personal data of employees that are necessary for him to perform his job duties;
1.4. An HR department employee does not have the right to request information about the employee’s health status, with the exception of information that relates to the issue of the employee’s ability to perform a job function;
VI. Responsibility.
Persons guilty of violating the rules governing the receipt, processing and protection of employee personal data bear disciplinary, administrative, civil or criminal liability in accordance with federal laws.

Regulations on working with personal data

1. General Provisions

1.1. The regulations on working with personal data of employees of LLC "Company" (hereinafter referred to as the Organization or Society) were developed in accordance with the Labor Code of the Russian Federation and other regulatory legal acts of the Russian Federation.

1.2. This Regulation has been developed in accordance with the Constitution of the Russian Federation, the Labor Code of the Russian Federation, Federal Law of July 27, 2006 No. 149-FZ “On Information, Information Technologies and Information Protection”, Federal Law of July 27, 2006 No. 152-FZ “On Personal Data” and other regulatory legal acts of the Russian Federation.

1.3. This Regulation determines the procedure for working (receiving, processing, using, storing, etc.) with personal data of employees and guaranteeing the confidentiality of information about the employee.

1.4. The purpose of this Regulation is to protect the personal data of the organization’s employees from unauthorized access and disclosure.

1.5. These Regulations and all additions and changes to it are approved by the Sole Executive Body of the organization.

1.6. All employees of the organization must be familiar with these Regulations, as well as all additions and changes to it against signature. When hiring, familiarization is carried out before signing the employment contract.

1.7. The implementation of these Regulations is ensured at the expense of the organization in the manner established by the Labor Code of the Russian Federation or other federal laws.

2. Basic concepts used in this provision

2.1. Personal data of an employee is any information relating to a directly or indirectly identified or identifiable employee (subject of personal data), including his last name, first name, patronymic, year, month, date and place of birth, address, family, social, property status, education, profession, income, medical data, data contained in the employee’s work book and his personal file, insurance certificate of state pension insurance, tax registration certificate, data contained in military registration documents, other information.

2.2. Information containing personal data of employees is used by the organization, in particular, to meet the requirements:

– labor legislation and other acts containing labor law standards when hiring, when providing guarantees and compensation, etc.;

– tax legislation, in particular, in connection with the calculation and payment of personal income tax, as well as the unified social tax;

– pension legislation in the formation and provision of personalized data about each recipient of income taken into account when calculating insurance contributions for compulsory pension insurance;

– filling out primary accounting documentation in accordance with Resolution of the State Statistics Committee of Russia dated January 5, 2004 No. 1 “On approval of unified forms of primary accounting documentation for recording labor and its payment.”

2.3. Information containing an employee’s personal data is subject to a confidentiality regime, that is, it is mandatory for the person who has access to the personal data to comply with the requirement not to allow their distribution without the consent of the employee or the presence of another legal basis.

2.4. Confidentiality of personal data is not required:

– in case of depersonalization of personal data;

– in relation to publicly available personal data;

– in cases where this information must be disclosed legally by decision of a court or government agency.

2.5. Processing of an employee’s personal data is any action (operation) or set of actions (operations) performed using automation tools or without the use of such tools with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, changing), retrieval, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data.

2.6. Dissemination of an employee’s personal data is actions aimed at disclosing personal data to an indefinite number of persons.

2.7. The use of an employee’s personal data is actions (operations) with personal data performed by a person who has gained access to personal data for the purpose of making decisions or performing other actions that give rise to legal consequences in relation to the employee or other persons or otherwise affect the rights and freedoms of the employee or other persons.

2.8. Blocking an employee’s personal data is a temporary cessation of processing personal data (except for cases where processing is necessary to clarify personal data).

2.9. Destruction of an employee’s personal data is an action as a result of which it becomes impossible to restore the content of personal data in the personal data information system and (or) as a result of which the material media of personal data are destroyed.

2.10. Depersonalization of an employee’s personal data is an action as a result of which it is impossible to determine the ownership of personal data to a specific employee without the use of additional information.

2.11. Information system of personal data of employees is a set of personal data contained in databases and information technologies and technical means that ensure their processing.

2.12. Public personal data of employees is personal data to which an unlimited number of persons have access provided by the employee himself or with his consent.

2.13. Internal access to an employee’s personal data is granted to: the Sole Executive Body, Managing Directors, employees of the Human Resources Department, employees of the Accounting Department, employees of the Legal Department, employees of the Travel Support Department, employees of the Security Department, employees of the Administrative Department, employees of the Information Technology Department, and the Heads / Directors of the structural divisions to which the employee reports, to perform specific functions. Access to personal data for other specialists is granted on the basis of written permission from the Sole Executive Body.

External access:

– tax authorities;

– law enforcement agencies;

– statistical authorities;

– insurance companies;

– military registration and enlistment offices;

– social insurance authorities;

– pension funds;

– divisions of municipal government bodies;

– judicial authorities.

2.14. The Director of the Human Resources Department is responsible for organizing the processing of personal data.

3. Receipt and processing of personal data of employees

3.1. Authorized officials receive all personal information about an employee directly from the employee. If the employee’s personal data can only be obtained from a third party, then the employee must be notified about this in advance and his written consent must be obtained from him. Authorized officials must inform the employee about the purposes, intended sources and methods of obtaining personal data, as well as the nature of the personal data to be obtained and the consequences of the employee’s refusal to give written consent to receive it.

3.2. When applying for a job, the employee fills out a form in which he indicates the following information about himself:

– last name, first name, patronymic;

– date and place of birth;

– family status;

– education, specialty;

– attitude towards military duty;

– place of residence and home telephone number;

– as well as other information necessary for issuing the employee’s personal card according to the unified form No. T-2, and others that the employee considers necessary to indicate. A photograph of the employee is pasted into the form if the employee provided it to the employer.

3.3. The employee’s questionnaire is stored in the employee’s personal file (hereinafter referred to as the personal file). The personal file also stores information containing the employee’s personal data. The formation and maintenance of personal files is carried out by employees of the Human Resources Department.

3.4. Authorized officials do not have the right to require an employee to provide information about his political and religious beliefs, as well as about his private life. In cases directly related to labor relations issues, authorized officials have the right to receive and process data about the employee’s private life only with his written consent.

3.5. Authorized officials do not have the right to receive and process the employee’s personal data about his membership in public associations or his trade union activities, except in cases provided for by the Labor Code of the Russian Federation or other federal laws.

3.6. The employee provides the authorized official with reliable information about himself. The authorized official verifies the accuracy of the information by comparing the data provided by the employee with the documents available to the employee.

3.7. If personal data changes, the employee notifies in writing the authorized officer of the Human Resources Department about such changes no later than 14 calendar days.

3.8. If necessary, the employer requests additional information from the employee. The employee provides the required information and, if necessary, presents documents confirming the accuracy of this information.

4. Carriers of personal data of employees

4.1. Personal files and personal cards of the employee (unified form No. T-2) are stored in paper form. Personal files and personal cards are stored in locked cabinets and desk drawers, protected from unauthorized access.

4.2. Employees’ work record books, their inserts, log books and strict reporting forms are stored in fireproof cabinets.

4.3. Other paper documents containing personal data of employees are stored in other places protected from unauthorized access.

4.4. Employees' personal data may also be stored electronically in a local computer network and on the PCs of authorized officials. Access to electronic media containing personal data of employees is protected by a 2-level password system: at the local computer network level and at the database level. Passwords are established and communicated individually to authorized officials.

4.5. Authorized officials are permitted to copy and make extracts from documents containing personal data of an employee solely for official purposes.

5. Worker rights

5.1. The employee is provided with full information about his personal data and the processing of this data.

5.2. Based on the employee’s written application, no later than three working days from the date of filing this application, he is given copies of documents containing his personal data, except for cases provided for by federal law.

5.3. The employee has the right to determine his representatives to protect his own personal data.

5.4. The employee has the right to demand the exclusion or correction of incorrect or incomplete personal data, as well as data processed in violation of the requirements of the Labor Code of the Russian Federation or other federal law. The employee has the right to supplement personal data of an evaluative nature with a statement expressing his own point of view.

5.5. The employee has the right to demand authorized officials to notify all recipients who were previously informed of incorrect or incomplete personal data of the employee about all exceptions, corrections or additions made to them. Authorized officials of the organization are required to do this within 5 working days.

5.6. The employee has the right to appeal to the appropriate authorities any unlawful actions or inaction of authorized officials during the processing and protection of his personal data.

6. Use of personal data of employees

6.1. Employee personal data is used by authorized officials solely for the purpose of ensuring compliance with regulations, assisting employees in employment, training and promotion, ensuring the personal safety of employees, monitoring the quantity and quality of work performed and ensuring the safety of property.

6.2. When making decisions affecting the interests of an employee, authorized officials do not have the right to rely on the employee’s personal data obtained solely as a result of their automated processing or electronic receipt. Authorized officials also do not have the right to make decisions affecting the interests of the employee based on data that can be ambiguous. If it is impossible to reliably establish any fact based on the employee’s personal data, the authorized official invites the employee to provide written explanations.

7. Transfer of personal data of employees

7.1. Authorized officials have the right to transfer personal data of employees to third parties providing professional services in the field of development and training, in the field of personnel health insurance, in the field of audit and consulting, debt collection, as well as government bodies in strict accordance with the purposes indicated in the Statement of Consent, under an obligation to maintain confidentiality and ensure reliable protection of personal data by a third party.

7.2. Authorized officials do not have the right to provide personal data of an employee to a third party without the written consent of the employee, except in cases where this is necessary in order to prevent a threat to the life and health of the employee, as well as in cases established by federal law.

7.3. Authorized officials warn recipients of an employee's personal information that the information may only be used for the purposes for which it was communicated and require those individuals to certify that this rule is being followed. Persons receiving the employee’s personal data are required to observe a regime of secrecy (confidentiality). This provision does not apply to the exchange of personal data of employees in the manner established by the Labor Code of the Russian Federation and other federal laws.

7.4. If the person making the request is not authorized by federal law to receive the employee’s personal data or there is no written consent of the employee to provide his personal information, the authorized official must refuse to provide the personal data. The person making the request is given a written notice of refusal to provide personal data. A copy of the notice is filed in the employee’s personal file.

7.5. The employee’s personal data may be transferred to the employee’s representative in the manner prescribed by the Labor Code, to the extent necessary for the said representative to perform their functions.

8. Liability for violation of the rules governing the processing and protection of employee personal data

8.1. Persons guilty of violating the rules governing the receipt, processing and protection of personal data of employees of LLC "Company" bear disciplinary, administrative, civil and criminal liability in accordance with federal laws.

8.2. If the rights and legitimate interests of an employee have been violated in connection with the disclosure of information containing his personal data, or other unlawful use of such information, he has the right to apply in the prescribed manner for judicial protection of his rights, including claims for damages and compensation for moral damage, and protection of honor, dignity and business reputation. A claim for compensation for damages cannot be satisfied if it is presented by a person who did not take measures to maintain the confidentiality of information or violated the requirements for the protection of information established by the legislation of the Russian Federation, if the adoption of these measures and compliance with such requirements were the responsibilities of this person.