Accountants and HR specialists have long been accustomed to the fact that when hiring a new employee, they need to obtain consent to the processing of personal data. What if the employee refuses to sign it? What fines will an organization face for not having this document? And as judicial practice on such issues shows, not everything is as simple as it seems at first glance. In this article we will analyze in detail all the nuances and talk about innovations in working with personal data in 1C: Enterprise Accounting ed. 3.0.
As part of the labor relationship between the company and the employee, the company needs the individual's personal data for the correct execution of personnel documents and for the employee’s performance of his labor functions.
Personal data (hereinafter referred to as PD) is information that can be attributed to a specific individual (Law dated July 27, 2006 No. 152-FZ). As a rule, such data includes the full name, information about previous places of work, passport data, and others.
It is worth noting that the employer has the right to request only the information that is necessary to perform job duties. This means that the employer has no right to request information regarding nationality, political views, religion and other similar information.
New rules from 2021
On March 1, changes were made to the Federal Law dated July 27, 2006 No. 152-FZ, which were introduced by the Federal Law dated December 30, 2020 No. 519-FZ.
Let's look at the main innovations.
1. The document “Consent to distribute the employee’s personal data” appears.
Now, having received consent from the employee to process personal data, the company cannot distribute it. For these purposes, it is necessary to obtain from the individual a separate document that allows the operator to distribute data, for example, post it on the company website, on the honor board, transfer it to the bank, etc. In this document, it is important to provide the employee with the opportunity to indicate exactly what information he allows the employer to disseminate.
2. The silence of the PD subject cannot be regarded as consent to the distribution of PD. The same applies to the inaction of an employee (clause 8 of article 10.1 of Law No. 152-FZ).
3. Any personal data about an individual can be published only with his written consent, even if the person independently posted them in a public place (the Internet or social networks). Previously, such personal data could be distributed without obtaining consent from its owner (Clause 2, Article 10.1 of Law No. 152-FZ).
What documents should you familiarize yourself with first:
- Federal Law No. 152-FZ “On Personal Data” dated July 27, 2006.
- Federal Law No. 149-FZ “On information, information technologies and information protection” dated July 27, 2006.
- Order of the FSB of the Russian Federation No. 378 “On approval of the composition and content of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems using cryptographic information protection tools necessary to fulfill the requirements established by the Government of the Russian Federation for the protection of personal data for each security level” dated July 10, 2014.
- FSTEC Order No. 17 “On approval of requirements for the protection of information that does not constitute a state secret, contained in state information systems” dated 02/11/2013.
- FSTEC Order No. 21 “On approval of the composition and content of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems” dated 02/18/2013.
- Decree of the Government of the Russian Federation No. 1119 “On approval of requirements for the protection of personal data during their processing in personal data information systems” dated November 1, 2012.
- Federal Law No. 99-FZ “On licensing of certain types of activities” dated May 4, 2011.
- Recommendations of Roskomnadzor for drawing up a document defining the operator’s policy regarding the processing of personal data, in the manner established by Law No. 152-FZ “On Personal Data”.
Withdrawal of consent
If the employee did not consent to the distribution of personal data, but at the same time agreed to processing, then the employer does not have the right to transfer the information to third parties (clause 4 of article 10.1 of Law No. 152-FZ).
The rule does not apply to the transfer of personal data to state authorities (IFTS, FSS, Pension Fund, police and others).
It is worth noting that an employee may completely refuse to give consent to the processing of personal data. But this does not mean that the employer does not have the right to process such data. This is possible in the cases specified in Part 2 of Art. 9 of Law No. 152-FZ. One of these is the fulfillment of the obligations imposed by law on the company.
Simplified step-by-step instructions for meeting PD processing standards:
- Read Law No. 152-FZ “On Personal Data”.
- Decide what type of data will need to be processed in order to understand whether Law 152-FZ applies to your institution.
- Check to see if there are other regulations that apply to your case.
- Once you have decided on the type of data, you need to understand what threats to its protection may arise.
- Based on the forms of threats, determine methods and tools for data protection.
- Draw up internal regulatory documents and check their execution.
- Obtain the consent of the persons whose personal data you intend to process.
How can an employer obtain consent?
There are two ways to obtain consent to distribute personal data:
1. Directly from the individual, that is, with a personal signature on paper;
2. Through the Roskomnadzor information system. Any individual can connect to the system in order to indicate which PD he allows to be distributed and to whom.
The operator, in turn, also has the opportunity to connect to this system and not receive written consent from a specific individual, but use the information contained in the Roskomnadzor system. This opportunity will become available from July 1, 2021.
Consent: how to formalize it correctly
Part 3 art. 9 of Law No. 152-FZ contains the following provision: the operator is obliged to either obtain official consent from the subject to process his data or provide legal grounds for carrying out such activities without the consent of the person.
The operator is invited to follow clauses 2–11 of Part 1 of Article 6, Part 2 of Article 10 and Part 2 of Article 11 of Law No. 152-FZ. Responsibility for compliance with these standards rests with him.
Since Articles 6 and 9 of this law require the employee’s consent to such processing of information, the employer is recommended to hedge his bets by obtaining that consent in advance.
Document form
Requirements for the content of consent to disseminate personal data are approved by Roskomnadzor Order No. 18 dated February 24, 2021. It is worth noting that you do not need to notify Roskomnadzor of your intention to distribute personal data if you have the subject’s permission to do so.
Is it possible to obtain one consent from an employee, specifying all possible purposes of processing/distribution?
Often, the “Consent” document contains not one purpose of processing and not one third party to whom the information is distributed, but several at once, which, according to Roskomnadzor, is contrary to current legislation.
According to the department’s position, each purpose and each third party to whom information about an individual is disclosed must have its own consent. This follows from Part 4 of Art. 9, part 5 art. 18 of the Law of July 27, 2006 No. 152-FZ.
In these articles, the “purpose of processing” and the third party are indicated in the singular; therefore, it is unlawful to combine several purposes and several third parties in one document.
This rule applies to all cases where it is necessary to obtain the employee’s written consent.
Judicial practice is currently not on the employer’s side (Resolution of January 15, 2021 in case No. A40-81171/2017). In this regard, companies will have to issue a large number of consents from employees in order to comply with legal norms.
Processing of personal data: step-by-step instructions for companies
Pavel, I’m glad that you are trying to study legal issues about personal data in detail! Well, let's go! I hope that you can Google some legal acts.
Let's define what personal data is. Personal data, according to Article 3 of the Federal Law “On Personal Data” dated July 27, 2006 N 152-FZ, is any information relating to a directly or indirectly identified or identifiable individual (subject of personal data). That is, this is data that can identify a person and allow us to understand who is in front of us - Vasya Petrov or Ivan Ivanov. At the same time, the legislator does not clearly differentiate what it is, but defines it as a certain set of information. There is, of course, Decree of the President of the Russian Federation dated 03/06/97 No. 188 (https://zakonbase.ru/content/base/20358), where some specific details were given, but in this case it does not help much. But now you and I will find this line)
So, the phone, as I said above in the commentary, in the opinion of Roskomnadzor, is not personal data, and it says this even through its territorial divisions in answers to questions (for example: https://26.rkn.gov.ru/p8926/p10713/ - question 5, https://57.rkn.gov.ru/p8924/p14069/p14070/), these positions are also applied by the courts, for example, you can see here: appeal ruling of the Investigative Committee for civil cases of the Novosibirsk Regional Court dated February 4, 2021 in case No. 33-774/2016 or the appeal ruling of the Moscow City Court dated July 24, 2017 No. 33-28957/17. Letter of the Ministry of Telecom and Mass Communications of Russia dated 07/07/2017 N P11-15054-OG “On clarification of the norms of federal legislation” says that: “a subscriber number or email address can be recognized as personal data in the case when such information relates to directly or indirectly defined or determined to an individual (a subscriber number belonging to a legal entity cannot be considered as personal data).”
That is, if we take a phone number or email, everything is okay, there is no personal data.
Let's move on to the name. The name does not identify the subject of the personal data. Not at all. Thus, it is not personal data. Or just a last name - also not subject to protection as personal data (Resolution of the Eighteenth Arbitration Court of Appeal dated September 24, 2014 No. 18AP-10690/14; Determination of the Investigative Committee in civil cases of the Primorsky Regional Court dated September 09, 2013 in case No. 33-7063 (here the court even said that “in total, the name, patronymic, street and house number do not allow us to reliably establish which person is being discussed on the pages of the forum”); review of citizens’ appeals for the second quarter of 2012 The Roskomnadzor Office for the Republic of Karelia considered the issue, whether the citizen’s last name and initials are personal data).
Phone + name will not allow you to uniquely and accurately identify a person (which is a criterion for personal data). But if you add a little more data to your phone or email, for example, your full name, that’s it, your personal data is ready and subject to protection.
So, yes, this is my personal opinion, based on law enforcement practice and legal requirements.
Withdrawal of consent
An employee of an organization has the right to withdraw his consent to the processing and distribution of personal data at any time.
To do this, it will be enough for him to confirm his decision with a written request in any form.
The document should indicate:
- Full name of the applicant;
- applicant's contacts;
- PD, the processing and distribution of which must be stopped.
The employer must stop using the information within three working days. Otherwise, the employee has the right to go to court (clause 14 of article 10.1 of Law No. 152-FZ).
Do not forget that there are personal data for the processing of which the employee’s consent is not required, for example, those that are needed to fulfill an employment contract. All other data should be destroyed by the employing company.
What is consent to processing
By submitting to the employer the documents necessary for applying for a job, the citizen immediately confirms in writing that he agrees to the processing of his data. Article 3 of Law No. 152-FZ includes in such information all information about the employee, including about previous work.
It is customary to divide personal information into three sections:
- public information – full name, gender, information about the citizen’s birth;
- biometric – related to physical condition and external data, which are determined by a routine examination;
- special - nationality, religion, criminal record, health status, additional information about previous work, for example, the article under which the citizen was fired.
Public information is not confidential; all other information can be processed only with the consent of the owner.
Note! A citizen's consent cannot be unlimited. By giving it, the employee allows you to work with information until a certain date or until the occurrence of an event. It is also possible for an employee to withdraw his consent (Clause 4, Article 9 of Law No. 152-FZ).
Fines
Companies and individual entrepreneurs should definitely pay attention to the innovations described above, since penalties have doubled.
Starting from March 27, 2021, for working with personal data of employees without their written consent, individual entrepreneurs will face a fine of 20,000 to 40,000 rubles; organizations with a similar violation will have to pay from 30,000 to 150,000 rubles.
If an individual entrepreneur violates the law again, the fine will be from 100,000 to 300,000 rubles, and for companies - from 300,000 to 500,000 rubles. (Part 2 of Article 13.11 of the Administrative Code). Punishment for such an offense may follow within a year (Article 4.5 of the Code of Administrative Offenses of the Russian Federation).
To summarize: the rules for processing personal data apply to absolutely all individuals and legal entities.
In this regard, it is advisable for employers to obtain from employees:
1. consent to the processing of personal data;
2. consent to the distribution of personal data.
Documents are drawn up in accordance with the requirements of current legislation.
Ignoring the rules for processing and distributing data can lead to serious financial losses.
Purposes of processing personal data at the enterprise
The organization processes personal data of employees for the following purposes:
- creation, conclusion, execution and termination of civil contracts. This includes relationships with both individuals and legal entities, as well as entrepreneurs. Such relations are regulated by laws and documents on the company’s activities;
- accounting in the personnel sphere, monitoring the implementation of laws in general activities and the field of civil law;
- implementation of office work that complies with the requirements of the law, correct registration of employment, assistance in career growth for employees, application of benefits;
- correct application of tax law in the field of taxation of citizens' income and deduction of contributions to funds, generation of accounting data and transfer of them to the Pension Fund of the Russian Federation;
- maintaining statistics and preparing documentation required by tax and labor law.