Personal data includes information that allows you to identify a specific person. Federal Law No. 152-FZ of July 27, 2006 defines a list of information, including full name, gender, age, photo and video of a person, education, place of residence, marital status and other similar information, according to which a specific person can be identified.
In the article we will answer questions about the need to issue and the content of a data protection order, as well as the employer’s responsibility in its absence.
Why do you need an order on personal data?
The administration of the institution must implement a system for protecting information regarding information about employees. One of the elements of this system is the publication of an administrative document that defines the algorithm for working with data.
The Data Protection Order defines the obligation of responsible persons to ensure the confidentiality of personal data about employees and the scope of access of each official.
There is no established sample order for the protection of personal data of employees, but the content of the document accompanying the organization of the information protection process is legally defined:
- appointment of a person responsible for organizing the data processing process;
- determination of the list of persons permitted for collection, storage and processing;
- approval of regulations on the processing and protection of confidential data.
How to correctly fill out an order regarding personal data
Although the sample order on personal data of employees 2019 does not have a set form, it must be completed according to general requirements to administrative documents.
The header of the document contains the name of the organization, the name and number of the document, the place and date of preparation.
The preamble must contain the rationale for its publication (the circumstances that gave rise to its creation) or the basis (a direct reference to a specific document or legislative act)
The main part of the order on personal data must contain:
- the actual order on approval of the regulations on personal information, as well as the list of persons admitted to their processing and the degree of their access;
- an indication of the person responsible for ensuring the data processing process, his position and full name;
- instructions to the responsible person to familiarize employees with the administrative document;
- identify an employee who will monitor execution (maybe the manager himself).
The manager must sign the document. All employees of the institution who use such information in their work activities must be familiarized with it by signature.
Sample order to change an employee’s personal data
How to fill out
The order may consist of the following sections:
- General provisions. The section indicates the purpose of the provision and the range of issues that it regulates.
- Basic concepts. Composition of information about employees. It is necessary to indicate which specific documents in the organization contain the specified data.
- Data processing. This section specifies the conditions that must be met during processing.
- Data transfer. It is necessary to establish a procedure for transferring information within the organization, to third parties and government agencies.
- Access to data. Includes information about the procedure for internal and external access to employee data.
- Responsibility for violation of rules governing the processing and protection of information. Indicate who in the organization is responsible for violating the rules for its storage and use.
The provisions on personal data must be brought to the attention of all employees. Actual familiarization with the situation can be recorded in the text employment contract, in the position in the familiarization sheet or in the log of familiarization with local regulations institutions.
Sometimes information about an employee changes (for example, due to marriage, the last name changes). In this case, the employee sends an application to the employer, on the basis of which the latter issues an order to amend a number of documents.
Responsibility for absence
Employee information must be protected from unauthorized access. Roskomnadzor checks the organization's compliance with the requirements of 152-FZ.
The law does not directly establish types of violations and liability for them. 152-FZ refers the employer to other industry legislation. Thus, the Criminal Code of the Russian Federation contains rules providing for liability for the unlawful use of information about employees.
The main responsibility for violating the norms of 152-FZ is administrative, which can be incurred for violating the procedure for collecting, storing and using information, for its failure to provide it at the request of authorized structures.
For violation of 152-FZ, an official may be subject to disciplinary liability for improper performance of job duties when processing information, including dismissal under paragraphs. "c" clause 6 of Art. 81 Labor Code of the Russian Federation.
2004 No. 1
DEPARTMENT | |||
INFORMATION AND ANALYTICAL | OKUD form | ||
ORGAN SUPPORT STATE AUTHORITY YAROSLAV REGION | |||
name of company | |||
Document Number | Date of preparation |
||
ORDER | 20.01.2009 |
On the processing and protection of personal data of employees
In order to ensure the protection of personal data of department employees and in accordance with the Federal Law of 27. “On the State Civil Service Russian Federation", Decree of the President of the Russian Federation "On approval of the regulations on personal data of a state civil servant of the Russian Federation and the management of his personal file"
I ORDER:
1. Approve the Regulations on the processing and protection of personal data of employees of the department of information and analytical support of bodies state power Yaroslavl region (attached).
2. I reserve control over the execution of the order.
Department Director | ||||
(personal signature) | (full name) |
The following have been familiarized with the order:
APPROVED
by order of the director
department
from _________ No.
Position
on the processing and protection of personal data of employees of the department of information and analytical support of public authorities of the Yaroslavl region
1. Applied concepts and definitions
Meaning |
|
Documents containing personal data of the employee | Copies of the employee’s personal documents (passport, diploma, military ID, driver's license, foreign passport, birth certificate, etc.), application form, applications, work book, employee’s personal card in the T-2GS form, a copy of the employment contract and amendments to it, orders for personnel etc. |
Employee personal data | Any information related to an employee identified or determined on the basis of such information, including his last name, first name, patronymic, year, month, date and place of birth, address, family, social and property status, education, profession, income and other information necessary for the employer in connection with labor relations and relating to a specific employee |
Personal data information system | An information system, which is an ordered collection of personal data contained in a database, as well as information technologies and technical means, allowing the processing of such personal data using automation tools or without the use of such tools |
Confidentiality of personal data | Mandatory for the official who has access to personal data to comply with the requirement not to allow dissemination without the consent of the subject of personal data or the presence of another legal basis |
Processing of employee personal data | Actions (operations) with the employee’s personal data, including collection, systematization, accumulation, storage, clarification (updating, changing), use, distribution (including transfer), depersonalization, blocking and destruction of the employee’s personal data |
Position | This Regulation on the processing and protection of personal data of employees |
2. General provisions
2.1. The Regulations determine the procedure for processing and protecting personal data of employees of the department of information and analytical support of public authorities of the Yaroslavl region (hereinafter referred to as the department).
2.2. The provision is mandatory for execution by all officials of the department.
2.3. The objectives of the Regulation are:
Establishing a procedure for processing personal data using automation tools or without the use of such tools;
Determining the rights and obligations of department employees in the field of personal data processing;
Organizing and ensuring the protection of the rights of department employees when processing their personal data.
2.4. Employee personal data includes:
Passport details;
Registration address, residence address, home and mobile phone numbers;
Information about education, advanced training, retraining, certification;
Information about military registration;
Information about work experience and places of previous work;
TIN data;
Information about awards and titles;
Information about bank accounts and cards;
Information about social benefits, pensions and insurance;
2.5. The following have access to the personal data of department employees:
Director of the department (access to personal data of employees that he needs to fulfill his duties job responsibilities);
An employee responsible for staffing (access to personal data of employees that they need to perform their job duties);
Heads of departments (access to personal data of subordinate employees, which they need to perform their official duties);
Head of department - chief accountant (access to the information they need to perform their official duties);
- employee (access to his personal data);
Government bodies, control and supervisory bodies (within the scope of their powers in accordance with federal laws).
2.6. If necessary and taking into account current legislation, changes and additions may be made to the Regulations in the manner established by the department.
3. Procedure for processing personal data of employees.
3.1. Officials who have access to the personal data of department employees must comply with the following requirements when processing personal data:
All personal data of a department employee should be obtained from him personally. If according to good reasons This is impossible, then a third party is involved, with the written consent of the employee himself. The employer informs the employee about the purposes, intended sources and methods of obtaining personal data, as well as the nature of the personal data to be obtained and the consequences of the employee’s refusal to give written consent to receive it;
The employer does not have the right to receive and process the employee’s personal data about his political, religious and other beliefs and private life;
The employer does not have the right to receive and process the employee’s personal data about his membership in public associations or his trade union activities, except in cases provided for by federal laws;
When making decisions affecting the interests of an employee, the Employer has no right to rely on the employee’s personal data obtained solely as a result of their automated processing or electronic receipt.
3.2. The procedure for storing and using personal data of employees is established by the Employer in compliance with the requirements Labor Code Russian Federation and Federal Law - Federal Law “On Personal Data”:
Documents containing the employee’s personal data are stored in a safe or a specially equipped fireproof cabinet, locked with a key, access to which is available to the employee responsible for personnel support;
Personnel records and documents containing information about employees and their work activities are stored in the personal files of employees, which are formed and maintained in current state an employee responsible for staffing throughout the entire period of the employee’s employment;
After the dismissal of an employee, his personal file is subject to storage by the Employer in accordance with the established procedure for 75 years or until the department is liquidated. When a department is liquidated, the personal files of employees are transferred for storage to the state archive in the prescribed manner;
Personal data of employees may be stored electronically in the personal data information system (electronic database) on the Employer’s local computer network. Access to electronic databases containing personal data of employees is provided by a password system in the manner established by local regulations of the department;
Responsibility for storage (safety) of documents related to labor activity employees, is borne personally by the director of the department;
An employee responsible for personnel support can make copies of documents, make extracts, draw up analytical and other certificates, remove (replace) documents stored in the personal files of employees, solely within the scope of his official duties; the issuance of copies of documents containing personal data of employees is carried out in accordance with Article 62 of the Labor Code of the Russian Federation by authorized persons who have access to personal data of employees:
The employee responsible for personnel support issues to the employee, upon his written application (in the form in accordance with Appendix 1 to the Regulations), free copies of documents related to work (copies of the hiring order, orders of transfers to another job, dismissal order, etc.) , as well as extracts from the work book and certificates containing the employee’s data on his work activity;
Department head Chief Accountant issues to the employee free of charge salary certificates, copies of information on accrued and actually paid insurance contributions for compulsory pension insurance, etc.;
Copies of documents related to the work are certified properly: the copy is affixed with the certification inscription “True”, the name of the position of the person who certified the copy, a personal signature, a transcript of the signature (initials, surname), the date of certification, and a seal impression.
3.3. The employee responsible for personnel support has the right to certify copies of work records of department employees and make extracts from them.
3.4. The response to a request from government authorities, control and supervisory authorities for the provision of personal data of an employee is drawn up in a letter, by the employee responsible for human resources, signed by the director of the department (if necessary, with copies of the requested documents attached). The contents of this letter (including any attachments thereto) are confidential.
4. Rights and obligations of the employer
4.1. The employer is obliged:
Do not disclose the employee’s personal data to a third party without the employee’s written consent, except in cases where this is necessary in order to prevent a threat to the life and health of the employee, as well as in other cases established by federal laws;
Do not disclose the employee’s personal data for commercial purposes without his written consent;
Warn persons receiving the employee’s personal data that this data can only be used for the purposes for which it was communicated. Persons receiving the employee’s personal data are required to maintain confidentiality;
Transfer the employee’s personal data in accordance with the Regulations, with which the employee must be familiarized with a personal signature;
Allow access to personal data of employees only to specially authorized persons, while these persons have the right to receive only those personal data of the employee that are necessary to perform specific job duties;
Do not request information about the employee’s health status, with the exception of information that relates to the issue of the employee’s ability to perform job duties;
Transfer the employee’s personal data to employee representatives in the manner prescribed by the Regulations, and limit this information only to those employee personal data that are necessary for the said representatives to perform their job duties.
4.2. The Employer has the right to request from the employee reliable personal data necessary for the Employer in connection with labor relations, when hiring and in cases of change (addition) of personal data.
5. Rights and obligations of the employee
5.1. The employee is obliged:
Provide the Employer with reliable personal data;
If you change (add) personal data, immediately notify the Employer of their change (addition).
5.2. The employee has the right to:
Full information about your personal data and the processing of this data;
Free free access to your personal data, including the right to receive a copy of any record containing the employee’s personal data, except in cases provided for by federal laws;
Determining your representatives to protect your personal data;
Access related medical data using medical specialist by his choice;
Request for the exclusion or correction of incorrect or incomplete personal data, as well as data processed in violation of the requirements of the Regulations. If the Employer refuses to exclude or correct personal data, the employee has the right to declare in writing his disagreement with the appropriate justification for such disagreement. The employee has the right to supplement personal data of an evaluative nature with a statement expressing his own point of view;
The requirement that the Employer notify all persons who were previously informed of incorrect or incomplete personal data of the employee about all exceptions, corrections or additions made to them;
Appeal to the court against any unlawful actions or inaction of the Employer in the processing and protection of the employee’s personal data.
6. Publicly accessible sources of personal data of employees.
6.1. For the purpose of information support, the Employer may create publicly available sources of personal data (including directories, address books). Public sources of personal data, with the written consent of the employee, may include his last name, first name, patronymic, date of birth, address, telephone number, information about profession and other personal data provided by the employee.
6.2. Information about an employee may be excluded at any time from publicly available sources of personal data at the request of the employee himself or by decision of a court or other authorized government bodies.
7. Responsibility
Persons guilty of violating the rules governing the processing and protection of employee personal data bear criminal, administrative, civil, financial and disciplinary liability, up to and including dismissal on appropriate grounds, in the manner established by the legislation of the Russian Federation.
Application
to the Processing Regulations
and protection of personal
employee data
________________________________________________
(name of position, full name of the person to whom the application is sent)
________________________________________________________________
(name of position, full name of employee - author of the application)
STATEMENT
Please give me
Certified copy(s) of document(s) related to my work:
________________________________________________________________________
(name of the document or its brief content)
(in numbers) (in words)
Certificate from place of work:
______________________________________________________________
(list the information that must be included in the certificate)
in _____ (___________) copy(s).
(in numbers) (in words)
________________ ___________________
(personal signature) (signature transcript)
" "_____________20
Copy(s) of document(s)/certificate(s) received:
" "_______20 _______________
Employee personal data- this is information relating to a specific person that is necessary for the employer in connection with labor relations. The legislation provides for a number of obligations regarding the receipt, storage, transfer and protection of personal data of employees. The employer should be guided not only by the provisions of the Labor Code of the Russian Federation and federal laws, but also by the local act, which should be in every organization. Such a local act is the Regulation on Personal Data.
In Art. 3 of the Federal Law of July 27, 2006 N 152-FZ “On Personal Data” it is indicated that personal data is any information related to directly or indirectly determined or determined to an individual. Personal data includes: last name, first name, patronymic, age; education, place of residence, marital status, nationality, religious and political beliefs, sexual orientation, etc.
Regarding the scope labor relations, the employee’s personal data is considered only that information that is necessary for the employer in connection with the employment relationship. This is information about education, specialty, qualifications, health status (for occupation certain types activities), presence of children, income (for filling positions civil service). An employer does not have the right to request information from an employee, for example, about his religion or nationality, so as not to violate the right to privacy.
By virtue of Art. 85 Labor Code of the Russian Federation the employer processes personal data of employees, which includes actions to receive, store, transfer or otherwise use it. In addition, the employer must ensure their protection from misuse and loss in the manner established by the Labor Code of the Russian Federation (clause 7 of article 86 of the Labor Code of the Russian Federation) and other federal laws, at its own expense.
The storage and processing of personal data is usually carried out simultaneously with the use of electronic system storage and on paper. What data in a particular organization is subject to storage and processing as personal, who has access to such data, how it is protected from unauthorized access - all this is stipulated in the Regulation on Personal Data (hereinafter referred to as the Regulation), which must be developed in each organization.
Employees of the organization must be familiarized with the Regulations against signature, and newly hired persons should, in accordance with Art. 68 of the Labor Code of the Russian Federation, familiarize yourself with the Regulations before signing an employment contract. Employees involved in the processing of personal data must agree to non-disclosure of personal data.
It is important to know! Documents that set out provisions on the processing and protection of personal data can be checked by regulatory authorities, in particular by Roskomnadzor employees. Therefore, it is recommended that the employer take a responsible approach to their development.
Procedure for approval of the Personal Data Regulations
The regulation on personal data in the organization must be developed and approved as a local act. If the organization has a trade union, then the Regulations are approved taking into account its opinion in the manner prescribed by Art. 372 of the Labor Code of the Russian Federation (if this requirement is established collective agreement or agreement): the employer sends the draft Regulations to the elected body of the primary trade union organization, which no later than five working days from the date of its receipt, sends the employer a motivated opinion on the project in writing.
If it does not contain agreement with the draft Regulations or contains proposals for its improvement, the employer may agree with this or is obliged within three days after receiving such opinion, conduct additional consultations with the elected body in order to achieve a mutually acceptable solution.
If agreement is not reached, then a protocol of disagreements is drawn up, after which the employer has the right to accept the Regulations. But at the same time, it can be appealed by the elected body of the primary trade union organization to the state labor inspectorate or to the court. The trade union also has the right to initiate a collective labor dispute procedure. If the organization does not have a trade union, but there is another representative body of workers, the Regulations must be agreed upon with this body.
If there is neither one nor the other, the employer approves the Regulations independently, following the approval procedure established by the local regulatory act of the organization. The adopted local act is agreed upon with the head of the personnel department, chief accountant, lawyer or other employees. The regulation is put into effect by order of the head of the organization.
Structure of the Personal Data Regulations
The regulation should consist of the following sections:
- General provisions: indicates the purpose for which this Regulation is being adopted and what issues it regulates.
- Basic Concepts. Composition of personal data of employees: in this section discloses which documents in the organization contain personal data.
- Storage of personal data: this section specifies the procedure and place of storage of documents (cases) containing personal data.
- Processing of personal data: This section should indicate what conditions must be met when processing the employee’s personal data.
- Transfer of personal data: the procedure for transferring personal data of employees within the organization, as well as to third parties and government bodies is prescribed.
- Access to personal data: the section should contain information on the procedure for accessing personal data of employees. Access is divided into internal (provision of personal data to individual employees of the organization) and external (transfer of personal data to representatives of other organizations and government bodies).
- Responsibility for violation of rules governing the processing and protection of personal data: in this section you need to specify who in the organization is responsible for violating the rules for storing and using personal data.
Additional sections can be added to the Regulations if necessary.
When hiring citizens, the employer collects personal information from them personal information. At the same time, according to Article 87 of the Labor Code of the Russian Federation, he must ensure proper order in the storage and application of the information received. In this regard, it is necessary to develop a Regulation on the protection of personal data of employees and approve it by order. A sample order is presented below.
Employees, in turn, before transferring personal data, must give their written consent to their collection, processing, use, and storage. In this regard, when applying for employment, it is written. The employer should retain this statement and familiarize the employee with the provisions governing the protection of information received. Moreover, the acquaintance is carried out against signature; after reading all the points of the local act, the employee signs his acquaintance.
The employer’s task is to draw up a competent local internal act that will correctly reflect the procedure for storing and processing personal data, thereby ensuring its safety and protection. This act is usually drawn up in the form of a Regulation. After development, it must be put into effect by an approval order.
Having a Personal Data Regulation is the responsibility of every employer. His absence will be a violation of labor laws.
When drawing up the Regulations and developing the order approving it, the employer must be guided by the following regulatory points:
- Ch. 14 Labor Code of the Russian Federation;
- Federal Law No. 152-FZ of July 27, 2006 “On Personal Data”.
Additionally, we offer to download sample orders for approval of the following regulatory documentation at the enterprise:
How to issue an order for approval of the Regulation on the protection of employee data
The form for drawing up is not standard; it is prepared by the employer independently after agreeing on all points of the Regulations.
- the basis for preparation is the implementation of clauses of legislative documents regulating the protection of personal data of employees;
- order to approve the developed Regulations (it is in mandatory attached to the order form as an appendix for staff review);
- appointment of a responsible person who must conduct an introductory procedure with all employees - transfer the Regulations on the protection of their data for reading to every worker in the company;
- timing of introductory activities with personnel;
- date of entry into force of the Regulations - it is possible to indicate a specific date, it can be explained that the document comes into force from the date of signing the order for its approval;
- information about the person who is entrusted with control over the execution of the orders set out in the approving order.
The completed sample order must be registered in the consolidated journal and determined for it personal number, the preparation date is set.
16 Sep 2012 16:11
Employee personal data- this is information concerning a specific person that is necessary for the employer in connection with employment relations. The legislation provides for a number of obligations regarding the receipt, storage, transfer and protection of personal data of employees. In this case, the employer should be guided not only by the provisions of the Labor Code of the Russian Federation and federal laws, but also by a local act, which should be in every organization. In this article we will tell you how to develop a Statement on Personal Data, what to include in it and what else to pay attention to.
In accordance with Art. 3 of the Federal Law of July 27, 2006 N 152-FZ “On Personal Data” personal data is any information related to directly or indirectly determined or determined. In addition to data such as last name, first name, patronymic, age, education, place of residence, marital status, nationality, personal data may include religious and political beliefs, sexual orientation, etc. As regards the sphere of labor relations, the employee’s personal data is considered only that information that is necessary for the employer in connection with the labor relationship. This is, first of all, information about education, specialty, qualifications, health status (for engaging in certain types of activities), presence of children, income (for filling civil service positions). That is, the employer does not have the right to request information from the employee, for example, about his religion or nationality. And when some organizations ask such questions during interviews with applicants, the right to privacy is violated.
By virtue of Art. 85 of the Labor Code of the Russian Federation, the employer processes personal data of employees, which includes actions to receive, store, transfer or otherwise use it. In addition, the employer must ensure their protection from misuse and loss in the manner established by the Labor Code of the Russian Federation and other federal laws (clause 7 of Article 86 of the Labor Code of the Russian Federation), at its own expense.
Storage and processing of personal data, as a rule, is carried out simultaneously using an electronic storage system and on paper.
What data in a particular organization is subject to storage and processing as personal, who has access to such data, how it is protected from unauthorized access - all this is stated in the regulation on personal data (hereinafter referred to as the Regulation), which should be developed in each organization .
For your information. For government agencies provisions are developed by regulatory legal acts. Thus, the Regulations on the personal data of a state civil servant of the Russian Federation and the management of his personal file were approved by Decree of the President of the Russian Federation of May 30, 2005 N 609.
Procedure for approval of the Regulations
If the organization has a trade union, the Regulations are approved taking into account its opinion in the manner prescribed by Art. 372 of the Labor Code of the Russian Federation (if this requirement is established or by agreement): the employer sends the draft regulation to the elected body of the primary trade union organization, which, no later than five working days from the date of its receipt, sends the employer a reasoned opinion on the draft in writing. If it does not contain agreement with the draft regulation or contains proposals for its improvement, the employer may agree with this or is obliged, within three days after receiving such an opinion, to conduct additional consultations with the elected body in order to achieve a mutually acceptable solution. If agreement is not reached, a protocol of disagreement is drawn up, after which the employer has the right to accept the Regulations, but it can be appealed by the elected body of the primary trade union organization to the state labor inspectorate or to the court. The trade union also has the right to initiate a collective labor dispute procedure.
If the organization does not have a trade union, but there is another representative body of workers, the Regulations must be agreed upon with this body. If there is neither one nor the other, the employer approves the situation independently, following the approval procedure established by the local regulatory act of the organization. As a rule, the adopted local act is agreed upon with the head of the personnel department, chief accountant, lawyer or other employees. The provision is put into effect by order of the employer.
Here is an example of such an order.
Limited Liability Company
"SATURN"
Order N 203
on approval of the Regulations on personal data
employees of SATURN LLC
Pursuant to Ch. 14 of the Labor Code of the Russian Federation, Federal Law of July 27, 2006 N 152-FZ “On Personal Data”, other current regulations, as well as for the purpose of bringing local regulations of SATURN LLC into compliance with the current legislation of the Russian Federation
I ORDER:
1. Enter into force from June 26, 2012 the Regulations on personal data of employees of SATURN LLC (hereinafter referred to as the Regulations).
2. HR manager L.A. Kukina by June 29, 2012, bring the Regulations to the attention of all employees of the organization against signature.
3. Until June 27, 2012, request from employees processing personal data listed in the Regulations an obligation to non-disclose personal data of employees of SATURN LLC (in the form of Appendix No. 1 to the Regulations).
4. Determine the office of the organization’s HR department as the storage location for the Regulations.
5. Execution control of this order I leave it to the deputy general director- HR Director N.V. Maksimova
General Director Korolev /V.V. Korolev/
The following have been familiarized with the order:
HR Manager Kukina / L.A. Kukina/
HR Director Maksimova /N.V. Maksimova/
Employees of the organization must be familiarized with the Regulations against signature, and newly hired persons should, in accordance with Art. 68 of the Labor Code of the Russian Federation, familiarize yourself with the Regulations before signing an employment contract. As for workers involved in the processing of personal data, familiarizing them with the Regulations is not enough - they must give an undertaking of non-disclosure of personal data.
When developing the Regulations, we recommend including the following information:
- information related to personal data, the procedure for obtaining them;
- list of persons entitled to access personal data, their rights and obligations, regime of access to such data;
- ways to protect personal data;
- the rights of the employee and employer in the field of personal data processing;
- the procedure for familiarizing an employee with his personal data, obtaining copies of documents containing them;
- liability for violation of standards for the processing of personal data.
Sample Statement on Personal Data
Limited Liability Company "SATURN" (LLC "SATURN")
I APPROVED
CEO
LLC "SATURN"
POSITION
about personal data of employees of SATURN LLC
1. General provisions.
1.1. The Regulations on personal data of employees of SATURN LLC (hereinafter referred to as the Regulations) were developed in accordance with the Labor Code of the Russian Federation, Federal Law of June 27, 2006 N 152-FZ “On Personal Data” and other regulatory legal acts.
1.2. The Regulations determine the procedure for obtaining, systematizing, using, storing and transmitting information constituting the personal data of employees of SATURN LLC (hereinafter referred to as the Company).
1.3. Personal data of an employee is any information related to a specific employee (subject of personal data) and necessary for the Company in connection with labor relations. Information about the personal data of employees is classified as confidential (constituting a legally protected secret of the Company).
1.4. When determining the volume and content of personal data processed, the employer must be guided by the Constitution of the Russian Federation, the Labor Code of the Russian Federation and other federal laws.
2. Obtaining personal data.
2.1. The source of information about all personal data of an employee is the employee himself. If personal data can only be obtained from a third party, the employee must be notified in writing in advance and written consent must be obtained from him. The employer is obliged to inform the employee about the purposes, intended sources and methods of obtaining personal data, as well as the consequences of the employee’s refusal to give written consent to receive it.
2.2. When applying for a job, the applicant fills out a questionnaire in which he indicates the following information about himself:
- FULL NAME.;
- floor;
- date of birth;
- Family status;
- presence of children, their dates of birth;
- military duty;
- place of residence and contact telephone number;
- education, specialty;
- work experience in the specialty;
- previous place(s) of work;
- the fact of completing advanced training courses;
- presence of certificates, thanks.
2.3. The employer does not have the right to require the applicant to provide information about political and religious beliefs, or private life.
2.4. When concluding an employment contract, the person applying for work presents documents in accordance with Art. 65 Labor Code of the Russian Federation.
2.5. The employer has the right to verify the accuracy of the information provided by the employee. As necessary, the employer requests from the employee additional information and documents confirming the accuracy of this information.
2.6. When registering an employee, HR department employees fill out the unified form N T-2 “Employee Personal Card” and create a personal file, which is stored in the HR department. The Deputy General Director - HR Director is responsible for maintaining personal affairs.
2.7. The employee's personal file consists of the following documents:
- employment contract;
- personal card form N T-2;
- a copy of the work book;
- characteristics, letters of recommendation;
- passport (copy);
- document on education (copy);
- military ID (copy);
- certificate of registration with the tax authority (TIN) (copy);
- pension certificate (copy);
- marriage certificate (copy);
- children’s birth certificate (copy);
- a copy of the document confirming the right to benefits (honorary donor certificate, medical report on recognition of a person as disabled, etc.);
- results medical examination(in cases established by law);
- documents related to labor activity (employee statements, certification sheets, documents related to transfer, additional agreements to the employment contract, copies of orders, etc.).
2.8. Documents received in a personal file are stored in chronological order.
3. Storage of personal data.
3.1. Personal files are stored in paper form in folders with an inventory of documents, numbered by page. Personal files are kept in the HR department in a specially designated cabinet that provides protection from unauthorized access, and are arranged in alphabetical order.
3.2. Personal affairs are registered in the personal affairs register, which is maintained electronically and on paper.
3.3. After the employee’s dismissal, the relevant documents are entered into the personal file (employee’s statement, order to terminate the employment contract, etc.), a final inventory is drawn up and the personal file is transferred to the organization’s archive for storage.
3.4. In addition to personal files, the Company’s HR department creates and stores the following documents containing personal data of employees:
- work books;
- originals and copies of orders (instructions) regarding personnel;
- orders for personnel;
- materials for certification and advanced training of employees;
- materials of internal investigations (acts, reports, protocols, etc.);
- copies of reports sent to state statistical bodies, tax inspectorates, higher management bodies and other institutions;
- other.
3.5. Personal data of employees is also stored electronically on a local computer network. Access to electronic databases containing personal data of employees is provided by a two-step password system. Passwords are set by the Company’s system administrator, and then they are communicated individually to employees who have access to employees’ personal data. Passwords are changed at least once every two months.
3.6. The HR department office is equipped with a security system and a video surveillance camera.
3.7. The Deputy General Director - Director of Human Resources exercises general control over employees' compliance with measures to protect personal data, ensures that employees are familiarized with local regulations, including this Regulation, upon signature, as well as requiring employees to undertake non-disclosure of personal data.
4. Access to personal data.
4.1. The following have access to personal data of employees:
- founders of the Company;
- CEO;
- Deputy General Director;
- financial director;
- HR Director;
- Chief Accountant;
- lawyer;
- head of the security department;
- managers structural divisions(only for the data of employees of your department);
- HR and accounting department specialists - to the data they need to perform specific functions.
4.2. Access of specialists from other departments to personal data is carried out on the basis of written permission from the General Director or Deputy General Director.
4.3. Copying and making extracts of employees’ personal data is permitted solely for official purposes and with the written permission of the HR Director.
5. Processing of personal data of employees.
5.1. The employer does not have the right to receive and process the employee’s personal data about his race, nationality, political views, religious and philosophical beliefs, health status, intimate life(Part 1, Article 10 of Federal Law No. 152-FZ). In cases directly related to labor relations issues, in accordance with Art. 24 of the Constitution of the Russian Federation, the employer has the right to receive and process data about the private life of an employee only with his written consent.
5.2. Processing of personal data of employees by the employer is possible without their consent in cases where:
- personal data is publicly available;
- personal data relates to the employee’s health status, their processing is necessary to protect his life, health or other vital interests of other persons and obtaining the employee’s consent is impossible;
- the processing of personal data is necessary to establish or exercise the rights of their subject or third parties or in connection with the administration of justice;
- processing of personal data is carried out in accordance with the legislation of the Russian Federation on defense, on security, on countering terrorism, on transport security, on combating corruption, on operational investigative activities, on enforcement proceedings, and with the criminal executive legislation of the Russian Federation;
- processing of personal data is carried out in accordance with the legislation on mandatory types insurance, with insurance legislation;
- at the request of authorized state bodies - in cases provided for federal law.
5.3. The processing of personal data may be carried out solely for the purpose of ensuring compliance with laws or other legal acts, assisting employees in employment, training and professional advancement, ensuring the personal safety of employees, monitoring the quantity and quality of work performed and ensuring the safety of property.
5.4. When making decisions affecting the interests of an employee, the employer does not have the right to rely on personal data obtained about him solely as a result of automated processing or electronic receipt.
5.5. Protection of an employee’s personal data from unlawful use and loss is ensured by the employer at his expense in the manner prescribed by federal law.
5.6. Employees must be familiarized, against receipt, with the Company's documents establishing the procedure for processing personal data, as well as their rights and obligations in this area.
5.7. In all cases, the employee’s waiver of his rights to maintain and protect secrets is invalid.
5.8. Persons who have access to personal data sign an Obligation of Non-Disclosure of Personal Data in the form of Appendix No. 1 to these Regulations.
6. Rights and obligations of an employee in the field of protection of his personal data.
6.1. The employee undertakes to provide personal data that corresponds to reality.
6.2. The employee has the right to:
- full information about your personal data and the processing of this data;
- Free access to your personal data, including the right to receive copies of any record containing such data, except for cases provided for by the legislation of the Russian Federation;
- identifying your representatives to protect your personal data;
- access to medical data relating to them with the help of a medical specialist of their choice;
- requirement to exclude or correct incorrect or incomplete personal data, as well as data processed in violation of legal requirements. If the employer refuses to exclude or correct the employee’s personal data, he has the right to declare in writing to the employer his disagreement with the appropriate justification for such disagreement. The employee has the right to supplement personal data of an evaluative nature with a statement expressing his own point of view;
- the requirement that the employer notify all persons who were previously informed of incorrect or incomplete personal data of the employee about all exceptions, corrections or additions made to them;
- appealing to the court any unlawful actions or inaction of the employer in the processing and protection of his personal data.
7. Transfer of personal data.
7.1. The employer does not have the right to disclose the employee’s personal data to a third party without the employee’s written consent, except in cases where this is necessary in order to prevent a threat to the life and health of the employee, as well as in cases established by federal law (Appendix No. 2 to the Regulations).
7.2. Information related to the employee’s personal data may be provided to government authorities in the manner prescribed by law.
7.3. If the person making the request is not authorized to receive personal data or there is no written consent of the employee, the employer is obliged to refuse to provide personal data. The person making the request is issued written notice refusal to provide such data.
7.4. The employer must warn persons who have received the employee's personal data that this data can only be used for the purposes for which it was communicated, and require such persons to confirm that this rule has been complied with. Persons who have received the employee’s personal data are required to observe a regime of secrecy (confidentiality). This Regulation does not apply to the exchange of personal data of employees in the manner prescribed by federal laws.
7.5. The transfer of personal data of employees within the Company is carried out in accordance with these Regulations.
7.6. When the employer transfers the employee’s personal data to his legal, authorized representatives in accordance with the procedure established by the Labor Code of the Russian Federation, this information is limited only to those personal data that are necessary for the specified representatives to perform their functions.
8. Responsibility for violation of rules governing the processing of personal data.
8.1. Disclosure of personal data of a Company employee, that is, transfer to third parties who do not have access to them; public disclosure; loss of documents and other media containing the employee’s personal data; other violations of the obligations for their protection, processing and storage established by these Regulations, as well as other local regulations of the Company, by the person responsible for receiving, processing and protecting the employee’s personal data - entail the imposition on him disciplinary action(reprimand, dismissal under clause “c”, clause 6, part 1, article 81 of the Labor Code of the Russian Federation).
8.2. In the event of damage to the Company, an employee who has access to the personal data of employees and has committed the specified disciplinary offense bears full financial liability in accordance with clause 7, part 1, art. 243 Labor Code of the Russian Federation.
8.3. An employee of the Company who has access to the personal data of employees and illegally used or disclosed this information without the consent of the employees out of mercenary or other personal interest and thereby caused major damage, bears criminal liability on the basis of Art. 188 of the Criminal Code of the Russian Federation.
8.4. The head of the Company for violating the procedure for handling personal data bears administrative responsibility in accordance with Art. Art. 5.27 and 5.39 of the Code of Administrative Offenses of the Russian Federation, and also compensates the employee for damage caused by the unlawful use of information containing personal data about this employee.
Appendix No. 1 to the Personal Data Regulations
employees of SATURN LLC
Obligation of non-disclosure of personal data of employees
LLC "SATURN"
I, _____________________________________________________________________, have read the Regulations on personal data of employees of SATURN LLC. I undertake not to disclose personal data of employees that became known to me in connection with the performance of official duties.
Employees have been warned about responsibility for disclosing personal information.
Appendix No. 2 to the Personal Data Regulations
employees of SATURN LLC
to CEO
LLC "SATURN"
V.V. Queen
from ________________________,
registered at the address
_____________________________
passport _____________________
Agreement
to transfer personal data to a third party
I, _____________________________________________________________________ in accordance with paragraph. 1 tsp. 1 tbsp. 88 of the Labor Code of the Russian Federation, I give my consent to the Limited Liability Company "SATURN" (LLC "SATURN"), located at ________________, to provide the following personal data to the Pension Fund:
- Full name, date of birth;
- number of the state pension insurance certificate;
- salary amount;
- the amount of accrued and paid insurance premiums.
This consent is valid for one year from the date of its receipt.
_______________ "__" ______________ ____ G.
Conclusion
We note that documents that set out provisions on the processing and protection of personal data may become the object of inspection by regulatory authorities, in particular Roskomnadzor employees. Therefore, the employer should take a responsible approach to their development.
In conclusion, we will give some advice to employers on drawing up local documents regulating work with employees’ personal data:
1. When developing documents, it is necessary to indicate the specific provisions of the law on the basis of which the employer processes personal data.
2. When requesting an employee’s consent to the processing of his personal data, in addition to the law, the purposes for which they are requested should be indicated.
3. In addition to the Regulations, in some cases it is necessary to issue orders from the employer. For example:
- on identifying persons entitled to access personal data;
- on the appointment of persons responsible for the protection of personal data;
- about measures taken to ensure the security of personal data.
4. The Regulations establish a clear and detailed list of information that is personal, as well as specific methods for processing personal data established by Art. 3 of Law N 152-FZ and applied in the organization (collection, systematization, storage, etc.).
5. Indicate the periods for performing actions with personal data. For example, the employee’s consent should indicate that he agrees to the transfer of his data for one month (or one year, etc.).
6. When developing the Regulations, you can use the Decrees of the Government of the Russian Federation dated September 15, 2008 N 687 “On approval of the Regulations on the peculiarities of processing personal data carried out without the use of automation tools” and dated November 17, 2007 N 781 “On approval of the Regulations on ensuring the security of personal data when processing in information systems personal data."
Loading...