
More than 10 years have passed since the adoption of Federal Law No. 152-FZ “On Personal Data” of July 27, 2006, yet the supervisory activities of Roskomnadzor show that operators are still far from familiar with its application in practice. In particular, the statistics for 2016 clearly show one typical operator mistake, which in most cases relates to personnel work (apparently because it is the most common activity):
“Inconsistency of the content of the written consent of the personal data subject to the processing of personal data with the requirements of the legislation of the Russian Federation (part 4 of article 9 of Federal Law No. 152-FZ of July 27, 2006 “On Personal Data”): approximately 9% of the total number of violations detected in 2016.”
Let's take another look at this issue, especially since recent changes to the legislation have significantly increased the fines.
Until July 1, 2017, under Art. 13.11 of the Administrative Code of the Russian Federation, the maximum penalty for an official was a fine of 1 thousand rubles, and for a company up to 10 thousand rubles.
On July 1, 2017, amendments strengthening administrative liability entered into force (Federal Law No. 13-FZ of 7 February 2017). The amendments add new offenses to Art. 13.11 of the Administrative Code and increase the fines. In particular, the law introduces liability of legal entities for the following violations:
- processing of personal data in cases not provided for by law (part 1 of article 13.11 of the Administrative Code of the Russian Federation): a fine of 30 thousand to 50 thousand rubles;
- processing of personal data without written consent where the law requires such consent (part 2 of article 13.11 of the Administrative Code of the Russian Federation): a fine of 15 to 70 thousand rubles;
- failure of the operator to publish a policy on the processing of personal data where such a duty is provided for by law (part 3 of article 13.11 of the Administrative Code of the Russian Federation): a fine of 15 to 30 thousand rubles.
An employee can be held not only administratively liable, but also materially liable (clause 7 of article 243 of the Labor Code of the Russian Federation), disciplinarily liable (clause “c” of paragraph 6 of part 1 of article 81 of the Labor Code of the Russian Federation), and even criminally liable (part 2 of article 137 of the Criminal Code of the Russian Federation).
Both the employee who committed the offense (for example, one who copied the customer database to a flash drive and passed it to a competitor) and the employee responsible for personal data processing in the company may be held liable.
What about the consent of the employee?
Roskomnadzor, in its recommendations (the full text of the document is available via the link), identifies 5 main cases in which the employer is not required to obtain such consent from the employee.
The processing of personal data of an employee or public servant does not require their consent, provided that the scope of personal data processed by the employer does not exceed the established lists and corresponds to the processing purposes provided for by labor legislation and the legislation of the Russian Federation on the civil service.
The employer has the right to process the employee's personal data in the cases stipulated by the collective agreement (including the internal labor regulations, which are usually annexed to the collective agreement), by an agreement, or by local acts of the employer adopted in the manner established by Art. 372 of the Labor Code of the Russian Federation.
In addition, the employer is not required to obtain consent to the processing of personal data in the following cases:
1. The obligation to process employees' personal data, including publishing and posting it on the Internet, is provided for by the legislation of the Russian Federation.
Information on the activities of medical organizations, educational institutions, state bodies and local authorities
For example, in accordance with paragraph 7 of Part 1 of Art. 79 of Federal Law No. 323-FZ of 21.11.2011 “On the Fundamentals of Protecting the Health of Citizens in the Russian Federation”, a medical organization is obliged to inform citizens in an accessible form, including via the Internet, about the medical activities it carries out and about its medical workers, their education and their qualifications.
In accordance with the Rules for posting on the Internet and updating information about an educational institution, approved by Decree of the Government of the Russian Federation No. 343 of April 18, 2012, an educational institution must post on its official website and update, within the time limits established by Law of the Russian Federation No. 3266-1 of 10.07.1992 “On Education”, information that includes the following personal data: the surname, name and patronymic of the founder of the educational institution, their location, working hours and e-mail address; the surname, name and patronymic of the head of the educational institution, their location, working hours, e-mail address and contact telephone numbers; the surnames, names, patronymics and positions of the heads of structural divisions, including branches and representative offices, their locations, working hours and e-mail addresses; and information about the pedagogical (scientific and pedagogical) staff: their surnames, names and patronymics, positions held, level of education, qualifications, and academic degree or academic title, if any.
Corresponding obligations are also established by Federal Law No. 8-FZ of 09.02.2009 “On Ensuring Access to Information on the Activities of State Bodies and Local Self-Government Bodies”, according to which state bodies and local self-government bodies are obliged to provide access to information on their activities, including information about the heads of the state body, its structural subdivisions, territorial bodies and representative offices abroad (if any), the heads of the local self-government body and the heads of subordinate organizations (surnames, names, patronymics, positions, business telephone numbers). Other information may be indicated only with the consent of the persons concerned.
2. Processing of personal data of the employee's close relatives to the extent provided for by standardized form No. T-2, approved by Resolution of the State Statistics Committee of the Russian Federation No. 1 of January 5, 2004 “On Approval of Standardized Forms of Primary Accounting Documentation for Labor Accounting and Pay”, or established by the legislation of the Russian Federation (receipt of alimony, clearance for access to state secrets, registration of social benefits).
In all other cases, obtaining the consent of the employee's close relatives is a prerequisite for processing their personal data.
3. Processing of special categories of the employee's personal data, including health information relating to whether the employee is able to perform the labor function, on the basis of the provisions of paragraph 2.3 of Part 2 of Art. 10 of the Federal Law “On Personal Data” within the framework of labor legislation.
4. Transfer of the employee's personal data to third parties where it is necessary to prevent a threat to the employee's life and health, as well as in other cases provided for by the Labor Code of the Russian Federation or other federal laws.
Transfer of personal data of employees to the Social Insurance Fund of the Russian Federation and the Pension Fund of the Russian Federation
Under Art. 22 of the Labor Code of the Russian Federation, the employer is obliged to provide compulsory social insurance for employees in the manner established by federal laws, in particular the Federal Law “On Compulsory Pension Insurance in the Russian Federation”, the Federal Law “On the Fundamentals of Compulsory Social Insurance”, and the Federal Law “On Compulsory Medical Insurance in the Russian Federation”.
Thus, the personal data of employees is transferred to the Social Insurance Fund of the Russian Federation and the Pension Fund of the Russian Federation without their consent.
The consent of an employee or civil servant is not required for the transfer of their personal data in cases related to the performance of their official duties, including business trips (in accordance with the Rules for the Provision of Hotel Services in the Russian Federation, approved by Decree of the Government of the Russian Federation No. 490 of April 25, 1997, and regulatory legal acts in the field of transport security).
Other cases in which consent is not required include the transfer by the employer of personal data of employees and civil servants to tax authorities, military commissariats and trade union bodies, as provided for by the current legislation of the Russian Federation.
Thus, in accordance with Arts. 17 and 19 of Federal Law No. 10-FZ of 12.01.1996 “On Trade Unions, Their Rights and Guarantees of Activity”, in order to carry out their statutory activities, trade unions have the right to receive free of charge and without hindrance from employers, their associations (unions, associations), state authorities and local self-government bodies information on social and labor issues, including for monitoring the compliance of employers and officials with labor legislation, the labor contract (agreement), working time and rest periods, remuneration, guarantees and compensation, benefits and advantages, and other social and labor issues in the organizations employing union members, and have the right to demand that violations be eliminated.
In the case of motivated requests from prosecutors, law enforcement agencies, security agencies, state labor inspectors exercising state supervision and control over compliance with labor legislation, and other bodies
The employee's consent is not required when motivated requests are received, within the framework of their established powers, from prosecution authorities, law enforcement agencies, security agencies, state labor inspectors exercising state supervision and control over compliance with labor legislation, and other bodies authorized to request information about employees in accordance with the competence stipulated by the legislation of the Russian Federation.
A motivated request must indicate the purpose of the request, a reference to its legal basis (including confirmation of the authority of the body that sent it), and a list of the requested information.
In the case of requests from organizations that do not have the appropriate authority, the employer must obtain the employee's consent to provide their personal data, warn those who receive the data that it may be used only for the purposes for which it was communicated, and require those persons to confirm that this rule will be (or was) observed.
It should be noted that the transfer of an employee's personal data to credit institutions that open and maintain payment card accounts for payroll purposes is carried out without the employee's consent in the following cases:
- the bank card issuance contract was concluded directly with the employee and its text provides for the transfer of the employee's personal data by the employer;
- the employer holds a power of attorney to represent the employee's interests when concluding a contract with a credit institution for issuing a bank card and its subsequent servicing;
- the corresponding form and system of remuneration is set out in the collective agreement (Article 41 of the Labor Code of the Russian Federation).
5. Processing of the employee's personal data when implementing access control to the territory of the employer's office buildings and premises, provided that the access control is organized by the employer independently or the processing complies with the procedure stipulated by the collective agreement or by local acts of the employer adopted in accordance with Art. 372 of the Labor Code of the Russian Federation.
When engaging third-party organizations for HR and accounting services, the employer is obliged to comply with the requirements established by Part 3 of Art. 6 of the Federal Law “On Personal Data”, including obtaining the employees' consent to the transfer of their personal data.
Common mistakes
Everything seems quite simple and clear, so where is the error? At the recent International Conference “Personal Data Protection”, Mikhail Yemelyannikov cited the following findings from inspection materials in his talk:
The employee's written consent to the processing of personal data contains information about processing for several purposes and names several persons processing personal data on behalf of the operator. The applicant's consent to the processing of personal data does not meet the requirements of clause 4 of part 4 of Article 9 of the Law, which requires that one purpose of processing be specified. The consent names several persons processing personal data on behalf of the operator, which does not meet the requirements of clause 6 of part 4 of Art. 9 of Federal Law No. 152-FZ “On Personal Data”, which requires that one person performing the processing on behalf of the operator be specified.
And one more explicit court order, from the same source, to clarify the situation:
To eliminate the identified violation, the Company should develop and use a standard written form of consent to the processing of an employee's personal data that provides for a single processing purpose in the event of transfer of employees' personal data to third parties.
The court's conclusion: ... if the purposes of processing personal data go beyond the scope of the Labor Code of the Russian Federation, a separate written consent of the employee must be obtained for each case of transfer of employees' personal data to third parties.
Resolution of the Ninth Arbitration Court of Appeal No. 09-30182/2016-AK of August 16, 2016 in Case No. A40-17595/16
It is over such seemingly insignificant errors that court cases are being heard today.
In addition, the definition of personal data itself remains unclear; here too, judicial practice is still accumulating.
Usually any organization holds at least a standard set of data, plus or minus data from various access control systems, namely:
- full name;
- year, month, date and place of birth;
- address;
- family, social, property status;
- education, profession, position, income;
- biometric personal data.
Judicial practice further expands the lists of personal data; for example, the courts have recognized the following as personal data:
- information about the death of a citizen (Resolution of the Arbitration Court of the Volga District of September 25, 2014 in case No. A49-2005/2014);
- a mobile phone number (appellate ruling of the Altai Regional Court of 10/01/13 in case No. 33-9241/2015);
- photographs of a citizen (appellate ruling of the Sverdlovsk Regional Court of April 9, 2015 in case No. 33-5232/2015).
Recently there has been a clear trend: the list of information constituting personal data is getting wider. Thus, the European Court of Justice, in its judgment of October 19, 2016 in case No. 582/14 (Patrick Breyer v. Germany), recognized that, under certain conditions, even the IP address of an Internet user may be considered personal data.
Nevertheless, the Law requires us to ensure the security of personal data, both in traditional paper-based document flow and when data is processed in automated form.
How to comply with the requirements of the law?
The law classifies personal data as confidential information (Article 7 of Law No. 152-FZ). Operators and other persons with access to personal data are obliged not to disclose it to third parties or distribute it without the subject's consent. The operator is obliged to ensure the security of personal data. The measures depend on how the data is processed: with automation or manually.
For the protection of personal data processed without automation, recommended measures are provided (Article 19 of Law No. 152-FZ and clauses 13-15 of the Regulations approved by Decree of the Government of the Russian Federation No. 687 of September 15, 2008). One such measure is to define, in the company's internal documents, the list of persons who process personal data or have access to it. It is also necessary to store separately the media carrying personal data that is processed for different purposes.
Automated processing of personal data is subject to the Requirements for the Protection of Personal Data When Processed in Personal Data Information Systems, approved by Decree of the Government of the Russian Federation No. 1119 of 11/11/12, and to Order No. 21 of the FSTEC of Russia of February 18, 2013. Meeting these requirements calls for a number of organizational and technical measures, and you may have to involve specialists from integrator companies.
For automated processing, you can also contact us to save yourself at least part of the compliance headache and reduce your costs. We offer at least two solutions that bring you closer to the image of the “ideal operator” keeping personnel records: