How to draw up a statement on the personal data of employees. How to draw up a statement on the protection of personal data

APPROVED

By the order approving the Regulations on the processing of personal data

Commanding Bishop

S.V. Ryakhovsky

REGULATIONS
ON THE PROCESSING OF PERSONAL DATA
IN THE CENTRALIZED RELIGIOUS ORGANIZATION THE RUSSIAN UNION OF CHRISTIANS OF THE EVANGELICAL FAITH (PENTECOSTALS)

1. General Provisions

1.1. The Regulations on the processing of personal data (hereinafter referred to as the Regulations) determine the conditions and procedure for the processing of personal data, which is carried out by the Centralized religious organization Russian United Union of Christians of the Evangelical Faith (Pentecostals) (hereinafter referred to as the Operator).

1.2. The Regulations were developed in pursuance of the Policy regarding the processing of personal data and ensuring security (hereinafter referred to as the Policy) and in accordance with clause 2 of Part 1 of Art. 18.1 of the Federal Law of July 27, 2006 No. 152-FZ “On Personal Data” (hereinafter referred to as the Federal Law “On Personal Data”), as well as the following regulatory legal acts: Civil Code of the Russian Federation; Labor Code of the Russian Federation dated December 30, 2001 No. 197-FZ; Tax Code of the Russian Federation dated July 31, 1998 No. 146-FZ; Federal Law of December 6, 2011 No. 402-FZ “On Accounting”; Decree of the Government of the Russian Federation dated September 15, 2008 No. 687 “On approval of the Regulations on the specifics of processing personal data carried out without the use of automation tools”; Decree of the Government of the Russian Federation of November 1, 2012 No. 1119 “On approval of requirements for the protection of personal data during their processing in personal data information systems.”

2. Organization of processing of personal data

2.1. In order to ensure the fulfillment of the obligations provided for by the Federal Law “On Personal Data” and the regulatory legal acts adopted in accordance with it, the Operator appoints a person responsible for organizing the processing of personal data (hereinafter referred to as the Responsible).

2.2. The responsible person is obliged:

  • ensure approval, enforcement, and updating, if necessary, of the Policy, Regulations and other local acts on the processing of personal data;
  • assess the effectiveness of measures taken to ensure the security of personal data before putting the Operator’s information system into operation;
  • assess the harm that may be caused to personal data subjects in the event of a violation of the Federal Law “On Personal Data”;
  • exercise internal control over compliance by the Operator and its employees with legislation on personal data, Policy, Regulations and other local acts on the processing of personal data, including requirements for the protection of personal data (hereinafter - Regulatory acts);
  • communicate to employees against signature the provisions of regulatory acts when concluding an employment contract, as well as on their own initiative;
  • provide employees with access to personal data processed in the Operator’s information system, as well as to their physical media, only for the performance of their job duties;
  • organize and control the reception and processing of appeals and requests from personal data subjects, ensure the exercise of their rights;
  • ensure interaction with the authorized body for the protection of the rights of personal data subjects (hereinafter referred to as Roskomnadzor).

3. Ensuring the security of personal data

3.1. Employees who have access to personal data are obliged not to disclose them to third parties or distribute them without the consent of the subject of personal data, unless otherwise provided by federal law.

3.2. In order to protect personal data from unlawful actions (in particular, unauthorized or accidental access, destruction, modification, blocking, copying, provision, distribution), the Operator applies a set of legal, organizational and technical measures to ensure the security of personal data, which constitutes a personal data protection system.

3.3. The use of a set of measures to ensure the security of personal data ensures the established level of security of personal data during their processing in the Operator’s information system.

3.4. In order to ensure the fulfillment of the obligations provided for by the Federal Law “On Personal Data” and the regulatory legal acts adopted in accordance with it, the Operator appoints someone responsible for ensuring the security of personal data in the information system.

3.5. The person responsible for ensuring the security of personal data in the information system is obliged to:

  • identify threats to the security of personal data during their processing in the Operator’s information system;
  • ensure the implementation of organizational and technical measures to ensure the security of personal data and the use of information security tools necessary to achieve the established level of security of personal data when processed in the Operator’s information system;
  • establish rules for access to personal data processed in the Operator’s information system, as well as ensure registration and accounting of all actions with it;
  • organize detection of facts of unauthorized access to personal data and take response measures, including restoration of personal data modified or destroyed due to unauthorized access to it;
  • annually carry out internal control over ensuring the established level of security of personal data when processed in the Operator’s information system.

4. Exercising the rights of personal data subjects

4.1. When a personal data subject makes contact or his request is received (hereinafter referred to as the Appeal), the Responsible Person ensures that the personal data subject is provided with information about the availability of personal data relating to him, as well as the opportunity to familiarize himself with this personal data within 30 days from the date of the Appeal.

4.2. If there are legal grounds to refuse to provide the subject of personal data with information about the availability of personal data relating to him, as well as the opportunity to familiarize himself with this personal data, the Responsible Person shall ensure that the subject of personal data is sent a reasoned response in writing, containing a reference to the provision of Part 8 of Art. 14 of the Federal Law “On Personal Data” or other federal law that is the basis for such a refusal, within 30 days from the date of the Appeal.

4.3. When the subject of personal data provides information confirming that his personal data processed by the Operator is incomplete, inaccurate or irrelevant, the Responsible Person shall ensure that the necessary changes are made to the personal data within 7 working days from the date of the Appeal.

4.4. When the subject of personal data provides information confirming that his personal data processed by the Operator is illegally obtained or is not necessary for the stated purpose of processing, the Responsible Person shall ensure the destruction of such personal data within 7 working days from the date of the Appeal.

4.5. The Responsible Person ensures that the subject of personal data is notified of changes made to his personal data and measures taken, and also takes reasonable measures to notify third parties to whom the personal data of this subject have been transferred.

4.6. If the subject of personal data withdraws consent to their processing, it can be continued if there are grounds specified in clauses 2-11 of Part 1 of Art. 6, Part 2 of Art. 10 and Part 2 of Art. 11 of the Federal Law “On Personal Data”.

5. Interaction with the Federal Service for Supervision in the Field of Communications, Information Technologies and Mass Communications of the Russian Federation (Roskomnadzor)

5.1. At the request of Roskomnadzor, the Responsible Person will organize the provision of local acts regarding the processing of personal data and documents confirming the adoption of measures to comply with the requirements of the Federal Law “On Personal Data” within 30 days from the date of receipt of the request.

5.2. At the request of Roskomnadzor, the Responsible Person will organize clarification, blocking or destruction of unreliable or illegally obtained personal data within 30 days from the date of receipt of the request.

5.3. In the cases provided for in Art. 22 of the Federal Law “On Personal Data”, the Responsible sends a notification to Roskomnadzor of the intention to process personal data.

5.4. If necessary, the Responsible Person sends requests to Roskomnadzor regarding the processing of personal data carried out by the Operator.

6. Liability for violation of the procedure for processing and ensuring the security of personal data

6.1. If an employee violates the provisions of the legislation in the field of personal data, he may be brought to disciplinary, material, civil, administrative and criminal liability in the manner established by the Labor Code of the Russian Federation and other federal laws, in accordance with Part 1 of Art. 24 of the Federal Law “On Personal Data” and Art. 90 of the Labor Code of the Russian Federation.

6.2. If an employee discloses personal data that has become known to him in connection with the performance of his job duties, his employment contract may be terminated in accordance with subparagraph “c” of clause 6 of Art. 81 of the Labor Code of the Russian Federation.

APPROVED _____________________________________ (name of the position of the head of the enterprise)

____________________________________ (full name, signature)

"____" ___________________ _____

REGULATIONS

on the processing and protection of personal data of employees

1. GENERAL PROVISIONS

1.1. This Regulation establishes the procedure for receiving, recording, processing, accumulating and storing documents containing information related to the personal data of employees of the enterprise. Employees mean persons who have entered into an employment contract with an enterprise.

1.2. The purpose of this Regulation is to protect the personal data of enterprise employees from unauthorized access and disclosure. Personal data is always confidential, strictly protected information.

1.3. The basis for the development of this Regulation is the Constitution of the Russian Federation, the Labor Code of the Russian Federation, and other current regulatory legal acts of the Russian Federation.

1.4. This Regulation and amendments to it are approved by the head of the enterprise and are introduced by order of the enterprise. All employees of the enterprise must be familiarized with this Regulation and amendments to it.

2. CONCEPT AND COMPOSITION OF PERSONAL DATA

2.1. Personal data of employees means information necessary for the employer in connection with labor relations and relating to a specific employee, as well as information about the facts, events and circumstances of the employee’s life that allow his or her identity to be identified.

2.2. Composition of the employee’s personal data:

Autobiography;

Education;

Information about labor and general experience;

Information about the previous place of work;

Information about family composition;

Passport details;

Information about military registration;

Information about the employee’s wages;

Information about social benefits;

Speciality;

Position held;

Salary amount;

Having a criminal record;

Residence address;

Home phone;

Originals and copies of orders for personnel;

Personal files and work records of employees;

Grounds for orders regarding personnel;

Copies of reports sent to statistical authorities;

Copies of education documents;

Results of the medical examination for fitness to perform job duties;

Photos and other information related to the employee’s personal data.

2.3. These documents are confidential. The confidentiality regime of personal data is lifted in cases of depersonalization or upon expiration of ____ years of storage period, unless otherwise specified by law.

3. OBLIGATIONS OF AN EMPLOYER

3.1. In order to ensure the rights and freedoms of man and citizen, the employer and his representatives, when processing the employee’s personal data, are obliged to comply with the following general requirements:

3.1.1. Processing of an employee’s personal data may be carried out solely for the purpose of ensuring compliance with laws and other regulations, assisting employees in employment, training and promotion, ensuring the personal safety of employees, monitoring the quantity and quality of work performed and ensuring the safety of property.

3.1.2. When determining the scope and content of an employee's personal data to be processed, the employer must be guided by the Constitution of the Russian Federation, the Labor Code of the Russian Federation and other federal laws.

3.1.3. All personal data of the employee should be obtained from him or her. If the employee’s personal data can only be obtained from a third party, then the employee must be notified about this in advance and written consent must be obtained from him. The employer must inform the employee about the purposes, intended sources and methods of obtaining personal data, as well as the nature of the personal data to be obtained and the consequences of the employee’s refusal to give written consent to receive it.

3.1.4. The employer does not have the right to receive and process the employee’s personal data about his political, religious and other beliefs and private life. In cases directly related to issues of labor relations, in accordance with Art. 24 of the Constitution of the Russian Federation, the employer has the right to receive and process data about the private life of an employee only with his written consent.

3.1.5. The employer does not have the right to receive and process the employee’s personal data about his membership in public associations or his trade union activities, except as provided by federal law.

3.1.6. When making decisions affecting the interests of an employee, the employer does not have the right to rely on the employee’s personal data obtained solely as a result of their automated processing or electronic receipt.

3.1.7. Protection of an employee’s personal data from unlawful use or loss must be ensured by the employer at his expense in the manner prescribed by federal law.

3.1.8. Employees and their representatives must be familiarized, against signature, with the company’s documents establishing the procedure for processing personal data of employees, as well as their rights and responsibilities in this area.

3.1.9. Employees should not waive their rights to maintain and protect secrets.

4. RESPONSIBILITIES OF AN EMPLOYEE

The employee is obliged:

4.1. Transfer to the employer or his representative a set of reliable documented personal data, the list of which is established by the Labor Code of the Russian Federation.

4.2. Promptly, within a reasonable period of time not exceeding 5 days, inform the employer about changes in his personal data.

5. EMPLOYEE RIGHTS

The employee has the right:

5.1. To full information about his personal data and the processing of this data.

5.2. To free access, at no charge, to his personal data, including the right to receive copies of any record containing the employee’s personal data, except in cases provided for by the legislation of the Russian Federation.

5.3. To access medical information through a medical professional of his choice.

5.4. To request the exclusion or correction of incorrect or incomplete personal data, as well as data processed in violation of the requirements of labor legislation. If the employer refuses to exclude or correct the employee’s personal data, he has the right to declare in writing to the employer his disagreement with the appropriate justification for such disagreement. The employee has the right to supplement personal data of an evaluative nature with a statement expressing his own point of view.

5.5. To require the employer to notify all persons who were previously informed of incorrect or incomplete personal data of the employee about all exceptions, corrections or additions made to them.

5.6. To appeal to court any unlawful actions or inaction of the employer in the processing and protection of his personal data.

5.7. To designate his representatives to protect his personal data.

6. COLLECTION, PROCESSING AND STORAGE OF PERSONAL DATA

6.1. Processing of an employee’s personal data is the receipt, storage, combination, transfer or any other use of an employee’s personal data.

6.2. All personal data of the employee should be obtained from him or her. If the employee’s personal data can only be obtained from a third party, then the employee must be notified about this in advance and written consent must be obtained from him.

6.3. The employer must inform the employee about the purposes, intended sources and methods of obtaining personal data, as well as the nature of the personal data to be obtained and the consequences of the employee’s refusal to give written consent to receive it.

6.4. The employee provides the employer with reliable information about himself. The employer verifies the accuracy of the information by comparing the data provided by the employee with the documents available to the employee. The provision by an employee of forged documents or false information when applying for a job is grounds for termination of the employment contract.

6.5. When applying for a job, the employee fills out a questionnaire and autobiography.

6.5.1. The questionnaire is a list of questions about the employee’s personal data.

6.5.2. The questionnaire is filled out by the employee independently. When filling out the questionnaire, the employee must fill out all its columns and give complete answers to all questions, without corrections, crossings-out, dashes or blots, in strict accordance with the entries contained in his personal documents.

6.5.3. Autobiography is a document containing a description, in chronological sequence, of the main stages of life and activity of the hired employee.

6.5.4. Autobiography is compiled in free form, without blots or corrections.

6.5.5. The employee's questionnaire and autobiography must be kept in the employee's personal file. The personal file also stores other personal records related to the employee’s personal data.

6.5.6. The employee’s personal file is drawn up after the hiring order is issued.

6.5.7. All documents of the personal file are filed in a cover of the form established at the enterprise. It indicates the last name, first name, patronymic of the employee, and personal file number.

6.5.8. Each personal file is accompanied by two color photographs of the employee, size ______.

6.5.9. All documents received in a personal file are arranged in chronological order. Sheets of documents filed in a personal file are numbered.

6.5.10. A personal file is maintained throughout the employee’s entire career. Changes made to a personal file must be confirmed by relevant documents.

7. TRANSFER OF PERSONAL DATA

7.1. When transferring personal data of an employee, the employer must comply with the following requirements:

Do not disclose the employee’s personal data to a third party without the employee’s written consent, except in cases where this is necessary in order to prevent a threat to the life and health of the employee, as well as in cases established by federal law;

Do not disclose the employee’s personal data for commercial purposes without his written consent;

Warn persons receiving the employee's personal data that this data can only be used for the purposes for which it was communicated, and require these persons to confirm that this rule is observed. Persons receiving employee personal data are required to maintain confidentiality. This provision does not apply to the exchange of personal data of employees in the manner established by federal laws;

Allow access to personal data of employees only to specially authorized persons, while these persons should have the right to receive only those personal data of the employee that are necessary to perform specific functions;

Do not request information about the employee’s health status, with the exception of information that relates to the issue of the employee’s ability to perform a job function;

Transfer the employee’s personal data to employee representatives in the manner established by the Labor Code of the Russian Federation, and limit this information only to those employee personal data that are necessary for the said representatives to perform their functions.

8. ACCESS TO EMPLOYEE PERSONAL DATA

8.1. Internal access (access within the enterprise).

The following have the right to access employee personal data:

Head of the enterprise;

Head of HR Department;

Heads of structural divisions in their area of activity (access to personal data only of employees of their division) in agreement with the head of the enterprise;

When transferring from one structural unit to another, the head of the new unit may have access to the employee’s personal data in agreement with the head of the enterprise;

Accounting employees - to the data that is necessary to perform specific functions;

The employee himself, as the bearer of the data.

8.2. External access.

Personal data outside the organization may be submitted to government and non-government functional structures:

Tax inspectorates;

Law enforcement agencies;

Statistical authorities;

Insurance agencies;

Military registration and enlistment offices;

Social insurance authorities;

Pension funds;

Divisions of municipal government bodies.

8.3. Other organizations.

Information about an employee (including a dismissed employee) can be provided to another organization only with a written request on the organization’s letterhead accompanied by a copy of the employee’s application.

8.4. Relatives and family members.

Personal data of an employee can be provided to relatives or members of his family only with the written permission of the employee himself.

9. PROTECTION OF PERSONAL DATA OF EMPLOYEES

9.1. In order to ensure the safety and confidentiality of the personal data of the organization’s employees, all operations for registration, generation, maintenance and storage of this information must be performed only by personnel department employees who carry out this work in accordance with their official responsibilities as stated in their job descriptions.

9.2. Responses to written requests from other organizations and institutions, within the limits of their competence and granted powers, are given in writing on the enterprise’s letterhead and to the extent that allows not to disclose an excessive amount of personal information about the enterprise’s employees.

9.3. Transfer of information containing information about the personal data of the organization’s employees by telephone, fax, e-mail without the written consent of the employee is prohibited.

9.4. Personal files and documents containing personal data of employees are stored in locked cabinets (safes) that provide protection from unauthorized access.

9.5. Personal computers containing personal data must be protected with access passwords.

10. RESPONSIBILITY FOR DISCLOSURE OF INFORMATION RELATED TO PERSONAL DATA OF AN EMPLOYEE

10.1. Persons guilty of violating the rules governing the receipt, processing and protection of employee personal data bear disciplinary, administrative, civil or criminal liability in accordance with federal laws.

Head of Human Resources: ______________

The law has not established a strict form for the regulation on the protection of personal data, but it must meet the requirements of the Labor Code of the Russian Federation for the protection of an employee’s personal data.

The main content of the provisions on the protection of personal data

The provision must indicate the following:

  • goal and objectives of the company in the field
  • concept and composition of personal data;
  • in which structural units and on what media (paper, electronic) this data is accumulated and stored;
  • how personal data is collected;
  • how they are processed and used;
  • who (by position) in the company has access to them;
  • how personal data is protected from unauthorized access;
  • employee rights to ensure the protection of their personal data;
  • responsibility for the disclosure of confidential information related to the personal data of employees.

How to work with the provisions on the protection of personal data

The regulation on the protection of employee personal data is approved by the head of the company or a person authorized by him. And this document is put into effect by order of the head.

The Personal Data Protection Regulation looks like this:

Regulations on the protection of personal data of employees

Every employee who, by virtue of his job responsibilities, has access to personal data of other employees must sign a non-disclosure agreement.

The list of persons who have access to the employee’s personal data is usually drawn up as an appendix to the regulation.

First of all, these are personnel service employees, since they collect and generate data about the employee, and heads of structural divisions (for example, heads of departments). However, the latter have the right to request only the data that is necessary to perform specific labor functions (for example, to calculate tax benefits, the accounting department will not receive all information about the employee, but only data on the number of his dependents). The appendix is drawn up like this.

List of authorized persons in obtaining personal data of employees

The employer is obliged to provide the regulation on the protection of personal data, and the employee is obliged to sign for it. The fact of familiarization is usually documented with a receipt, which remains with the employer. Here is a sample of it.

Receipt for familiarization with the provisions on the protection of personal data of employees

Personal data of the employee and measures to protect them

The definition of the term “personal data” for the labor sphere until May 7, 2013 was contained in Art. 85 of the Labor Code of the Russian Federation. Only information required and received by the employer in connection with the subject’s labor activity counted as such.

Now this norm is excluded, and the interpretation of the concept of personal data is contained in the Federal Law “On Personal Data” dated July 27, 2006 No. 152-FZ: this is all information related to an individual.

The employer, as the entity processing personal information, is obliged to guarantee the protection of such information from unlawful access and use.

Examples of documents containing personal data:

  • the employee card (form T-2) contains the person’s full name, information about family and educational institutions completed;
  • the work book indicates length of service and previous places of work;
  • the employment contract contains the name of the position, amount of remuneration, etc.

Art. 86 of the Labor Code of the Russian Federation notes that the only source of personal information can be the employee himself. When such data is held by a third party, it may be obtained provided that the employee agrees to this.

IMPORTANT! The very fact of failing to ensure the safety of documentation containing personal information is a gross violation of the law, regardless of whether negative consequences occur for the person (decision of the Chelyabinsk Regional Court dated March 14, 2016 No. 11-1913/2016).

Nuances of drawing up regulations on working with personal data (2018-2019)

Art. 87 of the Labor Code and Art. 18.1 of the law establish the employer’s obligation to formulate and establish in internal regulations the procedure for processing and storing personal data of personnel, and a list of steps to protect them. The specified document is most often a regulation on the processing of personal data of employees.

The law does not impose specific requirements for drawing up a local act. In practice, it includes the following information:

  • general rules containing the purpose of the act and references to the regulatory framework for its development;
  • composition of personal information, list of its carriers;
  • the employee’s rights to control the handling of his personal information;
  • measures that an organization needs to take to protect information, the procedure for processing and use;
  • sequence of actions when transferring personal information;
  • list of employees with access;
  • sanctions for failure to comply with the rules for handling the information in question.

Regulations on personal data of employees are subject to approval by order of the head of the legal entity.

IMPORTANT! This act is provided to all employees for review, for which a special journal can be opened with a list of subjects working in the company, where everyone signs after reading the rules.

A sample regulation on working with personal data can be downloaded from the link: Regulation on working with personal data (sample 2018-2019).

The employer, acting as the entity receiving and processing personal information of personnel, is obliged to take the necessary measures to protect it during processing, storage, and use. The corresponding measures are regulated by the provisions on personal data, which are made available to all employees for review.

Simply put, personal data is information about a person. Law No. 152-FZ of July 26, 2006 gives a longer formulation, where a person is called a subject, which is determined according to the clear criteria of legal norms. The issue is also regulated by Chapter 14 of the Labor Code of the Russian Federation and the Constitution of the Russian Federation.

First of all, the topic is important for employers, since labor relations are directly related to the processing of personnel information. That is why each enterprise approves Regulations on working with personal data of employees. This data includes:

  • place of residence (registration);
  • phone number;
  • information about the identity document;
  • income (salary, taxes);
  • presence of children;
  • family status;
  • education;
  • health status;
  • number of years worked (experience).

By approving the Regulations on the processing and protection of personal data, you can supplement or detail the list.

Personal Data Protection Regulations 2019

If we refer to Art. 87 of the Labor Code of the Russian Federation and Article 81.1 of Federal Law 152, there is no direct indication of the procedure for processing work with employee data. The rules simply indicate the need to regulate such operations. The most common method in practice is the publication of the corresponding internal document. A sample of the Personal Data Regulations - 2019 can be downloaded after reading the article.

The local act is approved by order of the enterprise and must be brought to the attention of employees. In addition to familiarizing themselves with the local act itself, employees sign consent to processing. Processing is the collection, systematization, accumulation, storage, transmission, destruction of information. Most operations are carried out by a specialist from the HR department.

The purpose of the local act is to protect personal and family secrets and ensure privacy. Based on these principles, it is necessary to reflect the following in the local document:

  • types of PD;
  • actions that are performed with this data;
  • who and how has access to protected information;
  • responsibilities of persons carrying out processing;
  • responsibility for disclosure.

Sample Regulations on Personal Data of Employees - 2019

Access to the information

Of course, the operator (the one who carries out the processing) has access to the information. The subject himself has the right to contact the operator for information, including with a request to clarify, change or supplement it. The information is provided by the operator in an accessible form, and it should not contain information about other persons.

Article 14 of Federal Law No. 152 contains an exception when the PD subject’s access to his data may be limited. We are talking about cases of legalization of criminally obtained money, when the data was obtained during the operational investigation, and other cases.

Responsibility

If information restricted in dissemination was communicated to other persons, then the guilty citizens will be held liable in the form of a fine in the amount of 500 or 1000 rubles. Officials will pay from 4,000 to 5,000 rubles for a data leak, according to Art. 13.14 of the Code of Administrative Offenses of the Russian Federation.

To prevent employees of your company from committing such violations, issue a local act and monitor compliance with it. If you need a sample Regulation on the processing of personal data of employees, you can download it in our article.

In addition, you may be fired for disclosing personal data, since this information is classified as protected by law. The basis (article) for termination of employment relations is subparagraph “c”, paragraph 6, part 1, article 81 of the Labor Code of the Russian Federation.