Employee personal data, what it is and how to use it 

The main documents that you need to rely on when processing personal data are the Constitution of the Russian Federation (Article 24) and the Federal Law of July 27, 2006 No. 152-FZ (hereinafter referred to as the Law on Personal Data).

Art. 24 of the Constitution of the Russian Federation states that “the collection, storage, use and dissemination of information about the private life of a person without his consent is not permitted.” The Personal Data Law not only defines the key concepts that every employer will have to deal with in practice, but also introduces the principles and conditions for the processing of personal data, the rights of the subject of personal data and other important points.

The issues of protecting employee personal data are addressed in Chapter 14 of the Labor Code of the Russian Federation.

What does the employee’s personal data include?

Personal data is any information relating to a directly or indirectly identified individual (subject of personal data). Typically, this data allows you to identify a specific person.

As part of the employment relationship, the employer can request only those personal data that are necessary to perform the job function. These include full name, information about previous work, documents that are necessary to get a job (passport, work book, etc.), information about education. The employer has no right to request information such as religion, since it is not required to perform a job function.

The complexity of processing personal data lies in the fact that at different stages of interaction and when solving various work tasks, the employer may have questions. For example, is the information contained in a candidate's resume considered personal data? Should he give consent in this case, even if he is not hired? Is it necessary to somehow coordinate with the employee the transfer of data to issue a pass? Is it possible to post a photo of an employee on the honor board without his consent? Is it allowed to post “black lists” of employees on the company website? What to do with the data of fired employees?

It is important to know the answers to all these questions. Moreover, the Ministry of Labor, Rostrud, and Roskomnadzor periodically publish explanations on them.

Regulations on personal data of employees: document structure

The document in question contains local standards defining:

  • goals and objectives of the company when working with personal data;
  • lists of actual and potential personal data involved in the company’s business processes;
  • a description of the data operations practiced by the company;
  • methods of data access used in the company;
  • responsibilities of company employees who use certain data when performing a job function;
  • the rights of company employees to acquire authorized access to data;
  • legal mechanisms for liability of company employees for violations during data transactions.

Based on the noted list of norms, the provision on the processing of personal data of employees can be represented by the following key sections:

  • establishing the general provisions of the document;
  • fixing the criteria for selecting personal data from the array of information involved in document flow and other areas of internal corporate communications;
  • defining a list of key operations with personal data;
  • regulating the implementation of relevant operations;
  • defining the procedure for access of company employees and other persons to data;
  • establishing the responsibilities of employees involved in data operations;
  • establishing the rights of company employees in terms of gaining access to such data and carrying out the necessary operations with it;
  • defining the mechanisms of responsibility of company employees for violations of local norms and provisions of the legislation of the Russian Federation regulating operations with personal data.

The regulation on intra-corporate transactions with personal data must be certified by the head of the company. All employees are required to familiarize themselves with a copy of this document against receipt (subclause 6, clause 1, article 18.1 of law No. 152-FZ).

What to do with the candidate’s personal data

Even at the stage of reviewing resumes, the company begins to collect personal data of candidates. It can save resumes in special programs, print them, save contacts for further communication, etc.

A resume usually contains a whole list of personal data - from phone number to information about education and previous places of work.

Roskomnadzor warns that the processing of personal data of applicants requires obtaining appropriate consent from them. Consent should be issued for the period of making a decision on acceptance or refusal of employment.

But there are exceptions when such consent is not required:

  • if a recruitment agency with which the candidate has entered into an agreement acts on behalf of the applicant;
  • if the applicant has posted the resume on the Internet himself.

The consent must indicate the purpose of obtaining personal data—considering a candidate for a vacant position. You can use a sample consent to the processing of personal data.

If an employer receives an applicant’s resume by email, he needs to take additional steps to confirm that the applicant himself sent the resume. For example, this could be inviting the applicant to an interview or responding to his email.

What to do if personal data is collected using a questionnaire

Often, an employer collects personal data of candidates using a standard questionnaire. Firstly, such a questionnaire must contain information about the period for its consideration and the decision to accept or refuse employment.

And secondly, it must comply with the requirements of clause 7 of the Regulations on the specifics of processing personal data carried out without the use of automation tools. It means that:

  • the questionnaire must contain information about the purpose of processing personal data, the name (title) and address of the operator, full name and address of the subject of personal data, the source of obtaining personal data, the timing of processing personal data, a list of actions with personal data that will be performed during their processing, a general description of the data processing methods used by the employer;
  • the questionnaire must contain a field in which the subject of personal data can mark his consent to processing;
  • the questionnaire must be compiled in such a way that each of the subjects of personal data contained in the document has the opportunity to familiarize themselves with their data without violating the rights and legitimate interests of others;
  • the questionnaire should not provide for combining fields intended for entering personal data, the purposes of processing of which are obviously incompatible.

Typically, the questionnaire is posted electronically on the company’s website, and consent to the processing of personal data is confirmed by checking the appropriate box.

What to do with the data of a candidate who was not hired

In this case, the data provided by the applicant must be destroyed within 30 days.

There are exceptions to this situation - cases provided for by the legislation on the state civil service. Then the applicant’s personal data will have to be stored for 3 years.

Sending inquiries to previous places of employment

At the interview stage, the employer may need to clarify some information about the employee or obtain additional information from previous employers.

To do this, he must obtain the consent of the applicant.

Documents for working with personal data

To protect itself during an inspection of personal data security, the company must have the following documents, which can be presented at the request of the inspectors:

  • provisions on personal data;
  • order on the appointment of those responsible for working with personal data;
  • order on the appointment of those responsible for ensuring the security of personal data;
  • statements from employees regarding consent to the processing of personal data.

Statement on personal data

In pursuance of the legislation of the Russian Federation, in order to ensure the protection of the rights and freedoms of employees, each organization is obliged to develop and adopt a regulation on personal data of employees (hereinafter referred to as the Regulation). This document determines exactly what information is subject to processing and storage at this enterprise.

The regulation relates to management documentation and is approved by order of the organization. Its content must be developed in accordance with the Constitution of the Russian Federation, the Civil and Labor Codes of the Russian Federation, Federal Law dated July 27, 2006 No. 149-FZ “On information, information technologies and information protection”, and Federal Law dated July 27, 2006 No. 152-FZ “On Personal Data”.

The Regulations should contain the following sections:

  1. General information.
  2. Basic concepts and composition of personal data of employees.
  3. Collection, processing and protection of data.
  4. Data transfer and storage.
  5. Access to personal data of employees.
  6. Responsibility for violation of the rules governing the processing and protection of personal data.

All employees included in the list of persons authorized to work with personal data must be familiarized with the Regulations against their signature.

List of processed employee data

Next, you will need to approve a document containing a list of personal data that is actually used in the organization’s activities. When drawing up such a document, do not forget to include in it all the information that the employee provides in writing about himself when applying for a job, as well as that used in the future when preparing personnel documentation.

This list should include:

  • application for a job;
  • employee profile;
  • personal card;
  • personal file;
  • employment contract;
  • orders;
  • employment history;
  • materials of certification commissions.

If the organization has an internal document flow containing information about employees (for example, reports and materials that are prepared for shareholders, founders, the parent organization, etc.), then these reports also need to be included in the list. In addition, the list must contain documents containing information about employees that the organization submits to various government bodies (tax and labor inspectorates, statistical authorities).

Note

Fines are assessed for one violation, and where there is no system for protecting personal data, the inspection commission is most often faced with massive violations, as a result of which the total amount of the fine becomes quite impressive.

The next stage of work is the preparation and approval of a list of persons authorized to work with personal data. This document is approved by order of the manager and delivered for signature to all employees indicated in it. By the way, the manager’s order to appoint someone responsible for working with personal data and ensuring its protection is the first thing inspectors will want to see. The responsible party can be either a specific person or a department. In the latter case, the head of such a unit bears personal responsibility.

The agency authorized to monitor compliance with the personal data regime is the Federal Service for Supervision of Communications, Information Technologies and Mass Communications (abbreviated as Roskomnadzor). The department transfers all materials on those inspections where violations are found to the prosecutor's office.

When to familiarize a new employee with the Personal Data Regulations

Familiarize your future employee with the Regulations on Personal Data before signing an employment contract (Article 68 of the Labor Code of the Russian Federation). You can confirm that the employee has read the Regulations by signing:

  • in the text of the employment contract;
  • in the familiarization sheet for the Regulations on Personal Data;
  • in the journal of familiarization with local acts.

The regulation on personal data is a local regulatory act that must be present in the organization (Article 87 of the Labor Code of the Russian Federation). Otherwise, the company may be brought to administrative liability (Article 5.27 of the Code of Administrative Offenses of the Russian Federation).

Collection and processing of personal data when applying for a job

Labor legislation determines the list of documents that an employer requests from an employee when applying for a job. At this stage, according to Art. 65 of the Labor Code of the Russian Federation, the following are requested:

  • passport or other identity document;
  • employment history;
  • a document confirming registration in the individual (personalized) accounting system, including in the form of an electronic document;
  • if necessary: military registration documents, a document on education and (or) qualifications or the presence of special knowledge, a certificate of the presence (absence) of a criminal record.

The employee’s consent is not required to enter personal data from these documents into the employment contract. When he signs an employment contract, he thereby already gives his consent.

Procedure for storing personal data of employees

The official is obliged to comply with a special provision that regulates the processing, storage and protection of personal information and personal files of employees. The rules and operating procedures must be followed by the employers. These persons must ensure the following functions:

  • compilation and storage of primary documentation, which is published in a unified form;
  • safety of papers in which personnel records are kept;
  • storage of documentation that takes into account the specifics of working time distribution;
  • safety of the package of documents in which the calculation of wages for working personnel is carried out.

The procedure and period for storing personal information of civil servants is determined by labor legislation, as well as special departmental regulations.

Registration of a salary card and personal data of the employee

Many organizations issue a salary card to employees when hiring them. In this regard, the question may arise: is consent required to transfer an employee’s personal data to the bank? Yes, it is.

It is important that:

  • the list of personal data in the consent corresponds strictly to what is transferred to the bank;
  • the purpose of obtaining the personal data is indicated, namely to issue a salary card.

Roskomnadzor determines cases when the transfer of an employee’s personal data to a bank for opening salary cards must occur without consent:

  • the agreement for issuing a bank card was concluded directly with the employee and its text directly provides for provisions for the transfer of employee data;
  • the employer has a power of attorney to represent the employee’s interests when concluding an agreement with the bank for issuing a card and servicing it;
  • the corresponding form and system of remuneration is prescribed in the collective agreement (Article 41 of the Labor Code of the Russian Federation).

It is worth considering that an employee may refuse to sign a consent to transfer data to the bank with which the company works. He may already have accounts and cards opened in another bank, and therefore it is more convenient for him to continue to be serviced by his bank.

Last year, liability for “wage slavery” was established. This means that an employee cannot be denied the right to change the credit institution to which the salary will be transferred.

What does processing of personal data mean?

According to Art. 3 of the law on personal data, processing of personal data is a set of actions related to personal data. Operations can be performed with or without automation. Any activity using personal data (PD) covers all processes and stages of working with it, namely: collection, systematization, recording, storage, accumulation, specification (change, update), extraction, application, delegation (distribution, provision, access), blocking, depersonalization, data elimination.

Employers, according to the law on personal data, are required to comply with the requirements for storing personal data. To exclude all cases that could lead to legal proceedings, written consent should be obtained from each applicant for the position to process their data.

The law provides for some cases in which a written form of consent is mandatory (Part 4, Article 9 of the PD Law). This applies to the following situations:

1) When transferring the applicant’s personal data from a third party (clause 3 of Article 86 of the Labor Code of the Russian Federation). In such a situation, the employee must be warned about this in advance and obtain written consent from him for the processing and storage of information (Clause 3 of Article 86 of the Labor Code of the Russian Federation).

In the form where the applicant gives his consent, you must indicate (clause 3 of Article 86 of the Labor Code of the Russian Federation):

  • the purpose of obtaining personal data of the applicant from third parties;
  • expected resources for acquiring information (persons from whom data is requested);
  • methods of obtaining data, their main features;
  • the likely consequences of the employer’s refusal to obtain the applicant’s personal data from a third party.

If an employee refuses to study a notification about the possible receipt of his personal data from another person, it would be reasonable to draw up an appropriate act.

If the applicant decides to withdraw consent to the processing of his personal data, he has every right to do so (Part 2 of Article 9 of the Law on Personal Data).

Working with his personal data in such a situation is possible only if there are compelling reasons. They are indicated in paragraph 2 - part 11 of Art. 1, part 2 art. 10, part 2 art. 11 of the Law on Personal Data (Part 2 of Article 9 of the Law on Personal Data).

There is also information that employers are prohibited from requesting from third parties, even if the applicant gives consent: information that is not related to the tasks listed in paragraph 1 of Article 86 of the Labor Code of the Russian Federation.

2) When transferring the applicant’s personal data to third parties, except in situations where this is necessary to prevent a threat to the life and health of the employee (paragraph 2 of Article 88 of the Labor Code of the Russian Federation).

3) To process certain categories of employee personal data directly related to labor issues (clause 4 of article 86 of the Labor Code of the Russian Federation, clause 1 of part 2 of article 10 of the law on personal data). These include information about race, nationality, religion, political views, philosophical beliefs, health indicators, intimate relationships.

If an employee is declared incompetent, written permission to process his data is given by his legal representative (guardian, parent) (Part 6, Article 9 of the Law on Personal Data). And in the event of the death of an employee, such consent is drawn up by his heirs, unless, of course, it was signed by the employee himself during his lifetime (Part 7, Article 9 of the Law on Personal Data).

The employee's permission to process his or her personal data is not required in all circumstances. So, if the data is received (clause 2, part 1, article 6, clause 2.3, part 2, article 10 of the law on personal data, paragraph 1 of Roskomnadzor’s explanations):

  • from documents (materials) provided by the employee when drawing up an employment contract;
  • based on the results of a mandatory preliminary medical examination of the state of health (Article 69 of the Labor Code of the Russian Federation, paragraph 3 of the explanations of Roskomnadzor dated December 14, 2012 “Issues relating to the processing of personal data of employees, applicants for vacant positions, as well as persons in the personnel reserve”, hereinafter - clarifications of Roskomnadzor dated December 14, 2012);
  • in the amount established by special form No. T-2, including personal data of close relatives, and in other cases provided for by the legislation of the Russian Federation (collection of alimony, gaining access to state secrets, processing social payments) (clause 2 of Roskomnadzor’s clarifications dated December 14, 2012);
  • from a recruiting agency working on behalf of the applicant (paragraph 12, paragraph 5 of Roskomnadzor’s clarifications dated December 14, 2012);
  • on behalf of the person himself, who posted his profile on the Internet during a job search, making it available to everyone (clause 10, part 1, article 6 of Federal Law No. 152-FZ dated July 27, 2006, paragraph 12, clause 5 of Roskomnadzor’s clarifications dated December 14, 2012);

then the employer, with the permission of the applicant, can transfer his personal data to another person for processing (part 3 of article 6 of the law on personal data, paragraph 2, paragraph 5 of the explanations of Roskomnadzor dated December 14, 2012). Despite this, the employer still remains responsible to the applicant for the actions of a third party (Part 5 of Article 6 of the PD Law).

Placing “black lists” of employees on the website

Sometimes an employer boldly publishes publicly lists of former employees who were fired, for example, for loss of trust or repeated failure to perform duties.

It should be noted that this is regarded by law as a violation of the requirements for the processing of personal data. The Ministry of Labor warns about this, in particular, in Letter No. 14-2/B-803 dated 10/08/2018.

In this case, by publishing the reasons for dismissal, the employer discloses the employee’s personal information to third parties. This cannot be done without the employee’s consent.

What should be the consent to the processing of personal data?

Roskomnadzor in its recommendations formulates the following requirements:

  1. The content of consent must be specific and informed. That is, based on the information, one can make an unambiguous conclusion about the purposes, methods of processing, indicating the actions performed with personal data, and the volume of data processed.
  2. It is allowed to issue consent in the form of a separate document or as part of the text of the employment contract.
  3. Consent must meet the requirements for its content, in accordance with Part 4 of Art. 9 of the Law on Personal Data.

General provisions

1.1. This Regulation regulates relations related to the processing of personal data, including actions taken by the Employer to obtain, store, combine, transfer the Employee’s personal data or otherwise use them, in order to protect the Employee’s personal data from unauthorized access, as well as their unlawful use and loss.

1.2. The Regulations were developed in accordance with the Constitution of the Russian Federation, the Labor Code of the Russian Federation, the Federal Law “On Information, Information Technologies and Information Protection” N 149-FZ dated July 27, 2006, the Federal Law “On Personal Data” N 152-FZ dated July 27, 2006 and other regulations defining cases and features of the processing of personal data.

Design of the honor board

The opposite situation is rewarding an employee in the form of an honor roll. But there are some subtleties here too.

Usually a photograph of a person is placed on the honor board and his full name is indicated. And all this is personal data that the employer does not have the right to display publicly in his office, even if the purpose of his actions is to encourage successful employees and thereby motivate the rest of the team.

To use an employee’s photo, you will also have to obtain consent.

Personal information for the pass

Most organizations now have access control. Accordingly, new employees are required to obtain a pass.

In this case, there is no need to obtain consent to the processing of personal data if:

  • the company independently carries out access control;
  • if the processing complies with the procedure provided for by the collective agreement, local acts adopted in accordance with Art. 372 Labor Code of the Russian Federation.

In the event that the access control is under the control of a third party, then consent is required.

How to collect, organize and store personal data

Step 1. Issue a regulation on personal data. Both federal law and common sense require this. The local act must specify all the rules for storing and processing data.

Step 2. Approve the regulation. To do this, you need to issue a corresponding order signed by the manager and familiarize all employees with it. Employees must sign in a special journal or statement.

Step 3. Appoint a specialist responsible for personal data. Most likely, this will be an HR employee. It is advisable that the work with personal data be specified in his employment contract. If the contract has already been drawn up, you can issue an additional agreement to it. In the same order, it is necessary to identify the employees who will have access to personal data. All persons mentioned must sign a non-disclosure agreement.

Step 4. Collect written consent from all employees for the processing of personal data. The written consent must list the specific data and the purposes for which it will be used. Goals should be reduced solely to maintaining the labor process.

Step 5. Store data in strict order. Data can be stored both electronically and on paper. They must be absolutely inaccessible to third parties, replenished in a timely manner and, if necessary, adjusted.

Step 6. Contact Roskomnadzor. This item is not required if you:

  • process information without the use of specialized software and databases (that is, if the operator processes the data array manually on a PC or on paper);
  • process data only of your employees and only for the purpose of drawing up and maintaining employment contracts (no more);
  • entered into an agreement with an individual as a contractor, supplier or non-staff specialist;
  • allowed a stranger who is not your employee into the territory of the enterprise once (for example, for an interview).

What to do with the personal data of fired employees

It should be taken into account that there are requirements for the processing of personal data within the framework of accounting and tax accounting.

For example, employers are obliged to ensure the safety of documents necessary for the calculation, withholding and transfer of tax for 4 years (clause 5, clause 3, article 24 of the Tax Code of the Russian Federation). And here the consent of former employees, whether they like it or not, is not required.

Roskomnadzor reminds that after the expiration of the deadlines specified by law, the personal files of employees are transferred to archival storage for a period of 75 years. But the Law on Personal Data does not apply to the organization of archival storage and the use of archival documents with personal data of employees.

If I break the law

Employers began to receive letters from Roskomnadzor en masse warning that during an inspection of the company they could receive serious fines for violating the provisions of Law No. 152-FZ dated July 27, 2006 (hereinafter referred to as the Law). According to it, the employer is obliged to guarantee the protection of such information from unlawful access and use by third parties. The regulation on working with personal data of employees helps solve these problems.

On February 23, 2021, Government Resolution No. 146 of February 13, 2019 came into force, which approved the Rules for the organization and implementation of state control and supervision over the processing of personal data. According to the document, scheduled inspections will be carried out every 2-3 years, and the list of companies subject to control can be seen in advance on the Roskomnadzor website. As is the case with other types of control, inspectors will have to warn about the planned visit. If the inspection is scheduled, notice of it must be given 3 working days in advance, and if it is unscheduled, 24 hours in advance.

Violation of the Law entails disciplinary, material, administrative and criminal liability. Supervisory authorities may impose administrative liability under Art. 13.11 and 13.14 of the Code of Administrative Offences; the fines are:

  • for officials: from 500 to 1000 rubles;
  • for an organization: from 5,000 to 10,000 rubles;
  • for officials in connection with the performance of official or professional duties: from 4,000 to 5,000 rubles.

The most common violations, according to inspectors, are the processing of personal data without the consent of their owner or with violations, failure to comply with the requirement to destroy personal information, and violation of the conditions for storing such information.
