The processing of personal data means performing certain operations on a citizen's personal information. These include collection, systematization, storage, accumulation, modification, updating, distribution, transfer, other use, blocking, destruction and depersonalization. Regardless of the number of operations provided for in the legislation, legal regulation should apply to all stages of processing personal data. This ensures that the data is properly protected.

Key principles

The processing of personal data is a specific activity of the competent structures. It should be based on the principles of:

  • The legitimacy of the goals and methods of working with information, and the integrity of operators.
  • Correspondence of the operations performed to the goals stated when filling out the form for processing personal data. In this case, the operator must have the appropriate authority.
  • Correspondence of the nature and volume of personal information, and of the methods of processing it, to the stated goals.
  • Reliability of personal information and its sufficiency.
  • Inadmissibility of processing data that is not related to the goals stated when it was collected.
  • Inadmissibility of combining databases created to implement goals incompatible with each other.

Processing personal data of an employee

Work with personal information begins with receiving the information. As a general rule, all data is provided by the employee himself. In some cases, information can only be obtained from a third party. The employee must be notified of this in advance. In such situations, the employee’s consent to the processing of personal data is mandatory.

The employer must inform the citizen about the goals, sources and methods of working with personal information, the nature of the information to be obtained. The employer also explains the consequences of the employee’s refusal to consent to the processing of personal data.


The Labor Code of the Russian Federation contains several articles that limit the employer's ability to process personal data. These are articles 86 and 88.

According to paragraph 4 of Article 86, the employer is not entitled to request, collect, store, use or perform other actions with information relating to a citizen's ideological, political or other convictions, or to his private life. On the basis of Article 88 of the Labor Code, the employer cannot demand information about an employee's state of health if it does not relate to deciding whether he is able to perform his duties.

Local regulation

The obligation to familiarize personnel with the employer's documents that fix the rules for processing personal data (samples of some of them are presented in the article), together with their rights and responsibilities in this area, is set out in a special legal act. Depending on the characteristics of the enterprise and at the discretion of the employer, it may be called an Instruction or a Regulation. As a rule, the second option is used.

Regulation on the processing of personal data: sample

A local document typically contains the following items:

  • General provisions. These set out the key concepts used in the document.
  • The procedure for processing personal information.
  • Rules for the formation of personal information.
  • Storage, accounting, transfer of personal information.
  • Duties and rights of the employee in the field of processing and protection of personal information.

The Regulation establishes a regime of limited access to personal information. The employees responsible for processing it must comply with the established rules. The corresponding duty is fixed in their job descriptions, as well as in the contract and additional agreements.

The Regulation on the processing of information is regarded as the key document reflecting the specifics of operations with the personal data of personnel. This act must be present at the enterprise.

Subject Consent

A citizen whose personal information is subject to processing decides to provide it voluntarily and in his own interests. His consent must be conscious and specific. It can be expressed in any form that allows its receipt to be reliably confirmed, unless otherwise provided in federal law. If an application for the processing of a person's personal data is received from his representative, the operator must verify the representative's authority. Such a situation may arise, for example, when operations must be performed with the personal information of minors. In such cases, the operator receives consent to the processing of personal data from the parents or other legal representatives of the child. Their authority is confirmed by documents issued in the manner prescribed by law. In particular, this may be the parent's passport and the birth certificate of the minor.

These rules are enshrined in part 1 of article 9 of the Federal Law No. 152.

The nuances of the law

In accordance with Part 2 of Article 9 of the Federal Law No. 152, the subject may revoke the consent he gave earlier. In such a situation, the operator can continue processing the information received from the citizen without his permission if there are grounds provided for in paragraphs 2-11 of part 1 of article 6, part 2 of article 10 and part 2 of article 11 of the Law "On Personal Data".

The obligation to provide evidence of the subject's consent rests with the operator.

Written permission

In cases provided for by law, information is processed only after obtaining written consent from the subject. An electronic document signed with a digital signature is recognized as equivalent to a paper medium certified by the personal signature of a citizen.

The consent form for the processing of personal data must indicate:

  • Full name (surname, first name, patronymic) and address of the subject, details of the main document confirming his identity, and information about its date of issue and the authority that issued it. For a representative, the same information shall be indicated, as well as details of the power of attorney on the basis of which he acts.
  • Name or full name of the operator.
  • The purpose of processing information.
  • A list of data whose processing is permitted by the subject.
  • The specific operations that will be performed with the personal information of the citizen, a general description of the methods of working with information.
  • The period during which the consent issued by the person is valid, the method of withdrawal of permission, unless otherwise provided by law.
  • Signature of the subject.

The rules for obtaining consent in electronic form for the provision of municipal and state services, as well as the services necessary for their provision, are determined by the government.

If the subject is legally incompetent, permission to process data about him is given by the legal representative. If a citizen has died, consent may be given by his successors, if it was not obtained by the operator during the person’s life.

Biometric data

Biometric data is information characterizing the biological and physiological characteristics of the subject, from which a person's identity can be established. It may be processed with written consent. Exceptions are provided in part 2 of article 11 of the Federal Law No. 152.

Biometric information may be processed without the consent of a citizen for the purposes of:

  • implementation of the provisions of international agreements to which the Russian Federation is a party;
  • administration of justice and enforcement of judgments.

Such processing is also permitted in cases stipulated by regulatory acts governing:

  • Defense and security of the country.
  • Countering terrorism and corruption.
  • Transport safety.
  • Operational-search activity.
  • The procedure for public service.
  • Rules for the execution of criminal sentences.
  • The procedure for exit from and entry into the Russian Federation.

The specifics of information processing in municipal / state information systems

Local authorities and state bodies, within the framework of their powers enshrined in federal law, form special personal data databases.

Regulatory acts may provide for specific rules on accounting for personal information in municipal and state information systems, including those related to the use of different methods for designating information belonging to a specific person.

In order to ensure the proper exercise of the rights of data subjects when information is processed in municipal or state information systems, a population register can be created. Its legal status, as well as the rules for working with it, are fixed by federal legislation.


The freedoms, interests and rights of citizens cannot be limited for reasons arising from the use of different methods of processing personal information or of designating that it belongs to a particular citizen. It is forbidden to use methods that offend a person’s feelings and degrade his dignity.

In addition, operators are required to be guided in their activities by the provisions of the Constitution. The Basic Law, in particular, does not allow any discrimination against citizens on any grounds.

Operator Responsibilities

When collecting personal information, the operator must provide the subject, at the subject's request, with the information specified in part 7 of article 14 of Federal Law No. 152.

If the communication of personal data, according to the rules established by law, is mandatory, the operator should notify the citizen about the consequences of the refusal to transmit the necessary information.

Special obligations apply if personal information was not received from the subject himself. In such situations, the operator must inform the subject of:

  • Its name or full name, and its address. If a representative acts on its behalf, information about the representative is reported accordingly.
  • The purpose of working with the personal information and the legal basis for doing so.
  • Intended users of the information.
  • The rights of the personal data subject.
  • Sources of information.

The operator may be exempted from the obligation to provide the above data if:

  • The citizen was notified of the processing of his personal information.
  • Personal information was obtained on the basis of the provisions of federal law or in connection with the performance of an agreement in which the subject is the guarantor or beneficiary.
  • Personal data was obtained from a source with unlimited access or became publicly available as a result of actions of the citizen himself.
  • Personal information is processed for research or statistical purposes, or for professional journalistic, scientific, creative or literary activities. In this case, the rights and interests of the data subject must not be violated.

The operator must take sufficient and necessary measures to ensure the fulfillment of the obligations established in the Federal Law No. 152 and other regulatory acts issued in accordance with this Law. The composition and list of appropriate measures are determined independently by the operator, unless otherwise provided by legal documents.

