Regulations on the protection of personal data of employees. How to properly organize work with personal data? Access to employee personal data


Authorized persons must be familiar with the provisions of the document and warned about their rights and obligations, as well as responsibility for using information for other purposes (clause 8, part 1, article 86 of the Labor Code of the Russian Federation).

From the answer “How to organize the processing of personal data of employees”

2. Answer: Does the head of a structural unit have the right to demand from the accounting department to provide monthly information on the accrued salaries of employees subordinate to him

Nina Kovyazina, Deputy Director of the Department of Medical Education and Personnel Policy in Healthcare of the Ministry of Health of Russia

Information about the amounts accrued to employees refers to personal data (clause 1 of Art. 3 of the Law of July 27, 2006 No. 152-FZ).

How to organize the protection of employee personal data

To do this, you should keep special logs.

Logbook of internal access to personal data of employees

The logbook of internal access to personal data of employees indicates: the date of issue and return of documents (personal files) to employees of the organization; purpose of issuance, name of documents issued, period of use. If there were a lot of documents and they were issued according to the inventory, when returning you need to check their availability according to the inventory. The employee returning the documents must be present.
When issuing documents, warn that you cannot make notes or corrections in them, make new entries, remove documents (for example, from a personal file) or add new ones.

Who can have access to employees' personal data?


Dismissal on this basis is a disciplinary measure, therefore, when implementing it, the procedure for imposing a disciplinary sanction, provided for in Article 193 of the Labor Code of the Russian Federation, must be followed. If the employee challenges the dismissal under subparagraph “c” of clause 6, part 1, art. 81 of the Labor Code of the Russian Federation, the employer is obliged to provide evidence indicating that the information that the worker disclosed relates to the personal data of another employee, this information became known to the employee in connection with the performance of his job duties, and he undertook not to disclose such information (clause 43 of the Resolution of the Plenum of the Supreme Court of the Russian Federation “On the application by the courts of the Russian Federation of the Labor Code of the Russian Federation”).

Judicial practice. N. filed a claim in court to declare the dismissal illegal and to compensate for moral damage.


At the court hearing, it was established that N. worked as an electrician and was called to the personnel department to repair a break in the telephone cable.


Law No. 152-FZ also requires the development of internal regulations. There are no requirements or a unified form of the regulation; based on the requirements of the law, the main sections and provisions are given in Table 2. The regulation is approved by order of the merchant. Then all employees must be familiarized with this document upon signature.

You can make a separate journal (sheet) with a list of employees, where everyone will put a signature and date next to their last name. For employees who will be registered after approval of the regulations, the fact of familiarization can be recorded in the text of the employment contract. Next, you should establish a list of employees who will be allowed access to personal data.

Processing of employee personal data - terms and types


Question: What to do so as not to violate the law on personal data - the following situation arose: the head of the Laboratory wanted to get acquainted with the personal sheet of an employee subordinate to him, which, accordingly, contained the personal data of this employee. Should a specialist from the Human Resources Department provide the head of the Laboratory with the personal sheet of his subordinate, or should only the director of the institution know personal information about employees? Thank you.

Answer: According to Article 88 of the Labor Code of the Russian Federation, only specially authorized persons who need such access to perform specific functions can have access to personal data of employees.

Employee personal data

The access levels of certain persons, as well as the specific procedure for transferring personal data of employees within the organization must be prescribed in its local documents, for example, in the Regulations on the protection of personal data of employees (paragraph 5 of Article 88 of the Labor Code of the Russian Federation). Authorized persons must be familiar with the provisions of the document and warned about their rights and obligations, as well as responsibility for using information for other purposes (clause 8, part 1, article 86 of the Labor Code of the Russian Federation). Thus, the head of a laboratory can request the personal data of a subordinate if the appropriate clearance is established in a local regulatory act and the employee’s consent to the processing of his personal data is obtained, and only if this is necessary for the head to perform his job duties.
It is difficult to monitor this, but a businessman can protect himself if he receives a written undertaking from the employee regarding non-disclosure of data.

Table 2. Main sections that should be contained in the regulation on personal data of employees

| No. | Section | Contents |
|---|---|---|
| 1 | General provisions | The purpose of creating the document (data protection), issues that are regulated by the regulation (the procedure for receiving, processing, storage), links to regulatory documents on the basis of which the provision was developed (Constitution, Labor Code, Law on the Protection of Personal Data) |
| 2 | Concepts and composition of personal data | All definitions related to personal data (“personal data”, “processing of personal data”, etc.) can be taken from Article 3 of Law No. 152-FZ, as well as Article 85 of the Labor Code of the Russian Federation |
| 3 | Responsibilities of the employer | The requirements that the employer must comply with are named in Article 88 of the Labor Code of the Russian Federation, as well as Articles 18 - 21 of Law No. 152-FZ |
| 4 | Responsibilities of the employee | There is no separate article regulating this issue. But the employee’s responsibilities can include the obligation to transfer to the employer documents containing personal data, the list of which is established by labor and tax legislation, as well as to promptly inform the employer about changes in personal data |
| 5 | Employee rights | Employee rights are listed in Article 89 of the Labor Code of the Russian Federation |
| 6 | Processing of personal data | Processing of an employee’s personal data is the receipt, storage, combination or any other use of information about the employee. General requirements that must be observed during processing are given in Article 86 of the Labor Code of the Russian Federation, as well as in Articles 6 and 9 of Law No. 152-FZ |


To issue plastic cards, the bank received application forms filled out and signed by employees with their personal data. D. did not sign the application form; he did not give consent to the transfer of his personal data. The court satisfied the claims, despite the fact that D. received the plastic card and actively used it.

When you can be fired for disclosing information

Only those employees who become aware of such information in connection with the performance of their job duties can be fired for disclosing information. This is expressly stated in subparagraph “c” of clause 6, part 1, art. 81 of the Labor Code of the Russian Federation. Such employees include heads of organizations, employees of human resources services, accounting departments and other persons whose work is directly related to the processing of personal data.

The merchant, as an employer, processes the employee’s personal data to fulfill his duties as a party to an employment contract, namely reporting, reporting income, withholding and remitting taxes, that is, fulfills the requirements of the law. However, many employers play it safe and ask for consent from all employees, since the wording of Law No. 152-FZ is unclear, and this situation is not specified in the Labor Code. In addition, if any other use of personal data is expected that goes beyond the scope of the Labor Code, for example, posting information about an employee on a stand or website, using the employee’s last name in his email address, issuing business cards for an employee, then it is better to obtain consent.

This article. The subject of personal data has the right to demand from the operator clarification of his personal data, blocking or destruction of it if the personal data is incomplete, outdated, inaccurate, illegally obtained or is not necessary for the stated purpose of processing, as well as take measures provided by law to protect his rights.

Judicial practice and legislation - 152-FZ On personal data. Article 14. The right of the subject of personal data to access his personal data

20. The Unified State Exam participant, as well as his parents (legal representatives) have the right to receive information about the operator of the Unified State Exam FBD (Unified State Exam RDB), his location, whether the Unified State Exam FBD operator (Unified State Exam RDB) has personal data of the Unified State Exam participant, as well as familiarization with such personal data, except for cases established by Federal Law of July 27, 2006 No. 152-FZ “On Personal Data” (Collected Legislation of the Russian Federation, 2006, No. 31, Art. 3451).


Personal data of an employee is information necessary for the employer in connection with labor relations and relating to a specific employee. Namely:

  • passport details;
  • family status;
  • information about education;
  • number of the insurance certificate of compulsory pension insurance;
  • information about work activity, etc.

This information is necessary for the employer to conclude an employment contract, fill out personal card No. T-2, help the employee in training, career advancement, ensure his personal safety, and control the quantity and quality of the work he performs.

The concept of personal data is set out in the List of confidential information (approved by Decree of the President of the Russian Federation of March 6, 1997 No. 188 “On approval of confidential information”). This is information about facts, events and circumstances of a person’s private life.

How to obtain personal data

Personal data refers to confidential information, that is, information to which there is no free access. Therefore, the employer is obliged to receive all personal data about the employee only from himself. If for some reason this is impossible to do, then the employer has the right to request such information from third parties only with the written consent of the employee. At the same time, he needs to be informed about the purposes, sources, methods of obtaining personal data, what information the employer is interested in, as well as about the consequences of the employee’s refusal to give written consent to receive this information.

There is an exception to this rule: the employer has the right to request information, for example, from various medical institutions about contraindications and restrictions in the work activities of their employees.

The main purpose of such an exception is to prevent a threat to the life and health of the employee.

Confidential information about an employee can be transferred to other persons only with the written consent of the employee. It is not permitted to transfer personal information about an employee for commercial purposes. Transfer of such information without written consent is possible only in the following cases:

  • this is necessary in order to protect the life and health of the employee (the degree of threat is determined by the employer);
  • this is provided for by federal law (for example, Article 228 of the Labor Code of the Russian Federation directly states that if an accident occurs at work, then the relatives of the victim, as well as a number of state and local government agencies, must be immediately informed about this).

The employer is obliged to maintain confidentiality when working with personal data of employees. To do this, you should keep special logs.

Logbook of internal access to personal data of employees

The journal for recording internal access to personal data of employees indicates: the date of issue and return of documents (personal files) to employees of the organization; purpose of issuance, name of documents issued, period of use. If there were a lot of documents and they were issued according to the inventory, when returning you need to check their availability according to the inventory. The employee returning the documents must be present. When issuing documents, warn that you cannot make notes or corrections in them, make new entries, remove documents (for example, from a personal file) or add new ones.

In the journal for recording the issuance of personal data of employees to organizations and government bodies, the following are recorded: incoming requests (date of receipt, number and date of the incoming document, from which body the request was received); date of transfer of personal data; content of the transmitted information; date of notification of refusal to provide information (if any).

In addition, the personnel officer must regularly check the availability of documents and other media containing personal data of employees. You should also keep a special journal for this.

What information is indicated in the Personal Data Protection Regulations

The procedure for storing and using personal data of company employees is determined by the Regulations on the Protection of Personal Data. This is a mandatory internal (local) document of the company; it is developed by the HR department.

The law has not established a strict form for this document, but it must meet the requirements for the protection of personal data of an employee of the Labor Code of the Russian Federation.

The Regulations must indicate:

  • the purpose and objectives of the company in the field of personal data protection;
  • concept and composition of personal data;
  • in which structural units and on what media (paper, electronic) this data is accumulated and stored;
  • how personal data is collected;
  • how they are processed and used;
  • who (by position) in the company has access to them;
  • how personal data is protected from unauthorized access;
  • employee rights to ensure the protection of their personal data;
  • responsibility for disclosure of confidential information related to personal data of employees.

Who approves the Regulations on the protection of employee personal data

The regulation on the protection of employee personal data is approved by the head of the company or a person authorized by him. And this document is put into effect by order of the head.

The Personal Data Protection Regulation looks like this:

Who has access to personal data

Each employee who, due to his job duties, has access to the personal data of other employees, must sign an obligation of non-disclosure.

The list of persons who have access to the employee’s personal data is usually drawn up as an annex to the Regulations.

First of all, these are personnel department employees, since they collect and generate data about the employee, and heads of structural divisions (for example, chief accountant, heads of departments). However, the latter have the right to request only the data that is necessary to perform specific labor functions (for example, to calculate tax benefits, the accounting department will not receive all information about the employee, but only data on the number of his dependents). The annex is drawn up like this:


The employer is obliged to familiarize the employee with the Regulation on the Protection of Personal Data, and the employee is obliged to sign for this. The fact of familiarization is usually documented with a receipt, which remains with the employer. Here's a sample:


Article 14. The right of the subject of personal data to access his personal data

Commentary on Article 14

1. The legislator, defining the subject of personal data as the main participant in legal relations regulated by this Federal Law, concentrates the rights of the latter in a separate article.
Conventionally, these rights can be grouped as follows:

  • the right to access your personal data;
  • the right to clarify, block or destroy information;
  • the right to know who is using or has used this information and for what purposes;
  • the right to receive information about the operator;
  • the right to protection of legitimate interests.

Restricting citizens' access to their own personal data is permissible only on the grounds provided for by federal laws.
The subject's right to access personal data specifies and develops, in relation to the provisions of this Law, the power enshrined in paragraph 2 of Art. 24 of the Constitution of the Russian Federation, as well as in Art. 8 of the Federal Law of July 27, 2006 No. 149-FZ “On information, information technologies and information protection”, according to which state authorities and local governments, their officials, and other entities are obliged to provide everyone with the opportunity to familiarize themselves with documents and materials directly affecting his rights and freedoms, unless otherwise provided by law.
The right to clarify, block or destroy information is largely characteristic of the norms of labor legislation affecting the protection of personal data of employees, since it is associated with the possibility of declaring in writing one’s disagreement with the appropriate justification for such disagreement.
The right to know who uses or has used this information and for what purposes. In fact, citizens cannot but know who is using information about them and for what purposes, since information cannot be used or transmitted without their consent. At the same time, the Law allows that the right to access information about oneself may be limited by federal law. This means that this right cannot be limited by any other regulatory act.
The right to receive information regarding the personal data operator implies not only the name of the latter, its location and methods of activity, information about its managers, the operating mode of the organization, the documents required when making a request, but also includes the possibility of obtaining complete and reliable information in relation to the forms, methods and means of working with personal data used by the operator, a list of the processed personal data of the subject, the terms of their processing, including storage periods, information about what legal consequences for the subject of personal data the processing of his personal data may entail.
In terms of its content, the article in question is one of the so-called “combined norms”, which in a certain ratio contain the norms of both substantive and procedural (procedural) law, since the latter determine the general procedure for restoring violated rights.
2. This Law does not provide for the exact form in which the subject’s personal data is provided. At the same time, the type of presentation of personal data is of fundamental importance, because the same data can be processed publicly and openly for the citizen in one format (meaning the method of data processing) and at the same time, the operator or any other person can secretly process the same data in a different format, which can lead to significant infringement of a variety of rights of citizens in a variety of areas of law (from credit, housing or labor to marriage and family). In addition, specifying the form for providing personal data makes it possible to determine the compliance of the purposes of their processing with the stated goals of the operator’s activities.
According to the legislator, the operator, when contacting or receiving a request from a personal data subject, must provide the subject in an accessible form with information about the availability of this data, which does not contain personal data relating to other subjects, as well as excluding the possibility of their identification. Moreover, within the meaning of Part 4 of the commented article, the volume of personal data provided depends entirely on its subject and is determined by the latter in a request submitted to the operator.
Thus, presumably the personal data operator independently determines the form of provision of personal data based on the following criteria:

  • technical capabilities, level of technical equipment;
  • declared goals of activity and purposes and methods used for processing personal data;
  • requirements for the protection of confidential information of other subjects of personal data and the methods used for their implementation;
  • terms of processing and storage of personal data;
  • location of the subject of personal data and method of obtaining it.

3. The Law under comment presupposes that information regarding personal data is in the public domain for its subjects. In order for the latter to obtain it, a set of factual and legal grounds is required. The first include the availability of personal data under the control of the operator and the legality of its receipt.
The legal basis within the meaning of this Law is an oral or written request from the subject of personal data (or his legal representative) to gain access to the latter.
It is understood that the right of the subject of personal data to access it can only be exercised by contacting the specific operator in whose charge the personal data is located, with a request to provide it. At the same time, the legislator does not exclude the possibility of the subject of personal data contacting other operators who pursue similar goals in working with personal data, provided that the federal law or departmental regulatory act adopted on its basis does not establish otherwise. In this case, with the knowledge of the subject of personal data, the operator has the right to receive them and provide them to the authorized person in the order of information exchange with their owner.
The legislator provides an alternative in choosing the form in which the subject of personal data applies for access to the latter. Personal data may be provided to him in the following cases:
1) an oral appeal to the personal data operator, accompanied by the mandatory provision of the main document identifying the subject of personal data or his legal representative;
2) providing a written request. The latter can be executed both on paper and on electronic media.
The choice of the form of contact depends on the will of the subject of personal data. The latter is largely determined by such circumstances as:

  • the requirement formulated in the request;
  • the availability of appropriate capabilities and the amount of information provided;
  • use of an electronic document, the strength of which is confirmed by an electronic digital signature, subject to the requirements of current legislation.

Naturally, in the context of the dynamic development of technology and means of communication, preference will be given to electronic documents.
4. The legislator does not establish mandatory requirements for the details and content of the request. The latter can be compiled in any form, while complying with the basic requirements and standards of office work. The request is submitted to the head of the credit history bureau. The name of this position is determined in accordance with the normative act that predetermines the internal structure, powers and procedure of the entity.
The legislator emphasizes that the request must necessarily contain:

  • number of the main identification document of the subject of personal data or his legal representative;
  • information about the date of issue of the specified document and the issuing authority;
  • handwritten signature of the subject of personal data or his legal representative.

Current legislation provides that the main documents identifying a citizen of the Russian Federation are:

  • passport;
  • diplomatic passport;
  • service passport;
  • seafarer's passport (seafarer's identity card).

———————————

See: Law of the Russian Federation of August 15, 1996 No. 114-FZ “On the procedure for leaving the Russian Federation and entering the Russian Federation.”

Documents identifying a foreign citizen in the Russian Federation are a foreign citizen’s passport or another document established by federal law or recognized in accordance with an international treaty of the Russian Federation as an identity document of a foreign citizen.
Documents proving the identity of a stateless person in the Russian Federation are:
1) a document issued by a foreign state and recognized in accordance with an international treaty of the Russian Federation as a document certifying the identity of a stateless person;
2) temporary residence permit;
3) residence permit;
4) other documents provided for by federal law or recognized in accordance with an international treaty of the Russian Federation as identification documents of a stateless person (Article 10 of the Federal Law of July 25, 2002 No. 115-FZ “On the legal status of foreign citizens in the Russian Federation”);

———————————

Collected Legislation of the Russian Federation. 2002. No. 30. Art. 3032.

In addition, identification documents may include:

  • certificate of registration of the emigrant's application for recognition as a refugee (for persons who do not have refugee status);
  • resident card;
  • refugee certificate;
  • temporary identity card of a citizen of the Russian Federation.

All of them can basically be regarded as secondary documents. However, this is not an obstacle to the subject’s access to personal data.
The passport of a citizen of the Russian Federation is the main document identifying the citizen of the Russian Federation on the territory of the Russian Federation. All citizens of the Russian Federation who have reached the age of 14 and live on the territory of the Russian Federation are required to have a passport.
A passport is issued to a citizen of the Russian Federation upon his written application, submitted personally or through his legal representative, by the internal affairs body, the Ministry of Foreign Affairs of the Russian Federation on the territory of the Russian Federation, as well as by a diplomatic mission or consular office of the Russian Federation outside the territory of the Russian Federation in cases provided for by federal law. For a citizen of the Russian Federation living outside the territory of the Russian Federation, a passport is drawn up and issued by a diplomatic mission or consular office of the Russian Federation in the state of residence of the specified citizen. The Ministry of Foreign Affairs of the Russian Federation can draw up and issue a passport to a citizen of the Russian Federation residing on the territory of the Russian Federation, upon his written application submitted through an organization sending him outside the territory of the Russian Federation and registered with the Ministry of Foreign Affairs of the Russian Federation in the manner established by the Government of the Russian Federation.
Information about the identity of citizens that is entered in the passport is: last name, first name, patronymic, gender, date of birth (day, month, year) and place of birth.
In addition to information about the identity of citizens, the following marks and entries are made in the passport:

  • on registration of a citizen at the place of residence and deregistration - by the relevant registration authorities;
  • on the attitude towards military service of citizens who have reached the age of 18 - by the relevant military commissariats and internal affairs bodies;
  • on registration and divorce - by the relevant civil registry authorities (hereinafter referred to as the registry office) and internal affairs bodies;
  • about children under 14 years of age - by the registry office and internal affairs bodies;
  • about previously issued basic documents identifying the identity of a citizen of the Russian Federation on the territory of the Russian Federation - by internal affairs bodies;
  • on the issuance of basic documents identifying a citizen of the Russian Federation outside the Russian Federation - by internal affairs bodies or other authorized bodies.

At the request of the citizen, the following marks are also made in the passport:

  • about his blood type and Rh factor - by the relevant health care institutions;
  • about the taxpayer identification number - by the relevant tax authorities.

The following details must be filled in the passport:

  • about the internal affairs body that issued the passport;
  • the date of issue of the passport;
  • code of the passport and visa unit of the internal affairs body that issued the passport;
  • citizen's personal code;
  • personal signature of the citizen;
  • signature of the head of the passport and visa department of the internal affairs body that issued the passport.

Of the submitted passport details, priority in the formation of a credit history, due to the direct instructions of the legislator, will be the series, number, date and place of issue, name and code of the authority that issued the passport or other identification document.
Validity period of a citizen's passport:

  • from 14 years - until the age of 20;
  • from 20 years to 45 years of age;
  • from 45 years old - indefinitely.

When a citizen (with the exception of military personnel serving on conscription) reaches 20 and 45 years of age, the passport must be replaced. For military personnel undergoing conscription military service, passports are issued or replaced at their place of residence upon completion of the established period of conscription military service. The issuance and replacement of passports is carried out by internal affairs bodies at the place of residence of citizens in the manner determined by the Ministry of Internal Affairs of the Russian Federation. Citizens who do not have a place of residence are issued and replaced passports by the internal affairs bodies at their place of residence.
A passport of a citizen of the USSR, identifying the identity of a citizen of the Russian Federation, is valid until it is replaced within the established time frame with a passport of a citizen of the Russian Federation.
A diplomatic passport is issued by the Ministry of Foreign Affairs of the Russian Federation to citizens of the Russian Federation who, in accordance with the 1961 Vienna Convention on Diplomatic Relations and other international treaties of the Russian Federation, have diplomatic immunity when traveling outside the territory of the Russian Federation to perform official duties assigned to them, to the President of the Russian Federation, members of the Federation Council and deputies of the State Duma of the Federal Assembly of the Russian Federation (for the term of their powers), members of the Government of the Russian Federation, judges of the Constitutional Court of the Russian Federation, judges of the Supreme Court of the Russian Federation, judges of the Supreme Arbitration Court of the Russian Federation, the Prosecutor General of the Russian Federation, the Chairman of the Central Bank of the Russian Federation, as well as to diplomatic employees and diplomatic couriers of the Ministry of Foreign Affairs of the Russian Federation. A diplomatic passport is also issued to family members (spouse, minor children, disabled adult children) of a citizen of the Russian Federation who has a diplomatic passport and is sent outside the territory of the Russian Federation to an official mission of the Russian Federation or to a representative office of the Russian Federation at an international organization outside the territory of the Russian Federation, when they live or travel together with him.
A seafarer's passport (seafarer's identity card) is a valid document for leaving and entering the Russian Federation on a ship on whose crew list (ship's role) the holder of the seafarer's passport is included. A seafarer's passport is issued by the federal executive authorities whose competence includes the management of sea and river transport and fisheries. It is issued to a citizen of the Russian Federation working on a Russian vessel sailing abroad or sent by a Russian shipowner to work on a foreign vessel, as well as to the following persons included in the crew list: cadets of educational institutions and employees of enterprises, institutions and organizations under the jurisdiction of the federal executive authorities for the management of sea and river transport and fisheries, or of other federal executive authorities, who are sent on ships to perform official assignments. It is also issued to a citizen of the Russian Federation who is a seafarer within the meaning of the Seafarers' Documents Convention, 1958 (ILO Convention No. 108).
The seafarer’s passport contains the following information about the passport holder:
citizenship;
full name;
date of birth;
place of birth;
personal description (height, eye color, distinguishing features);
position indicating the name of the vessel and the shipowner.
The seafarer's passport also contains:
name of the authority, position and surname of the person who issued the passport;
date of issue and validity period of the passport;
notes on the extension of the validity of the passport, on changes in the official position of its owner, on his departure from the Russian Federation and entry into the Russian Federation;
personal photograph and signature of the passport holder.
If the holder of a seafarer's passport is the legal representative (parent, adoptive parent, guardian or trustee) of a child aged 12-16 years and goes on a foreign voyage with this child, a corresponding entry is made in the seafarer's passport in a specially designated place or in the “For marks” column, and a photograph of the child is placed there, certified by the seal and signature of the person authorized to issue a seafarer's passport. A seafarer's passport is issued for a period of up to 5 years. Its validity can be extended once for a period of up to 5 years, after which the passport must be replaced.
A residence permit is issued to a foreign citizen (stateless person) who has reached the age of 14. A foreign citizen (stateless person) under 14 years of age is included in the residence permit of both parents. A foreign citizen (stateless person) under 14 years of age who has become an orphan may be issued a residence permit. In the identity document of a foreign citizen (stateless person), a note is made about the issue of a residence permit. A residence permit is issued to a foreign citizen for the period of validity of his identity document, but not more than 5 years. A residence permit for a stateless person is issued for 5 years.
A temporary residence permit (residence permit) contains the following information: last name, first name (written in Russian and Latin alphabets), date and place of birth, gender, citizenship of the foreign citizen, number and date of the decision to issue the permit, validity period of the permit, and name of the executive authority that issued the permit.
A residence permit is issued to a foreign citizen (stateless person) by the territorial body of the federal executive body in charge of internal affairs at the place of residence (hereinafter referred to as the internal affairs body) on the basis of a written application submitted to the internal affairs body in person by a legally capable foreign citizen (stateless person) no later than 6 months before the expiration of his temporary residence in the Russian Federation. A foreign citizen (stateless person) under 18 years of age is issued a residence permit on the basis of a written application submitted to the internal affairs body by one of the parents or a legal representative.
The identity card of a military man of the Russian Federation is a document proving the identity and legal status of a military man of the Russian Federation. The certificate contains the following information about the serviceman: last name, first name, patronymic, date of birth, personal number, assigned military ranks and military positions held. The form of the certificate contains columns in which information about permission to carry personal weapons, re-registration of the certificate, as well as special notes (on passing fingerprint registration, blood type, etc.) is entered.
A refugee certificate in the Russian Federation is issued to a person recognized as a refugee in the Russian Federation in accordance with the Law of the Russian Federation “On Refugees”.
The certificate is valid for three years.
The validity period of the certificate can be extended based on the relevant decision of the territorial body on migration issues.
A black and white photographic card of the owner of the ID, photographed from the front, without a headdress, is pasted into the ID. A photographic card measuring 40 x 50 mm is made on white matte paper with shading.
The following is included in the certificate:
date of issue and validity period of the certificate;
the authority that issued the certificate;
signature, surname and initials of the head of the body that issued the certificate;
last name, first name(s), patronymic of the owner of the certificate;
date, month, year and place of birth;
citizenship (stateless person);
documents on the basis of which the identity of the owner of the certificate is established;
refugee personal file number;
signature of the owner of the certificate (in the absence of documents proving the identity of the owner, or in the event of his illiteracy, a thumbprint of the right hand is affixed);
gender and marital status of the ID holder;
information about minor family members of the refugee who arrived with him;
records on renewal of the certificate;
information about place of residence (stay).
The certificate is issued to refugees over 18 years of age.
In addition, it is advisable to reflect the reasons for its preparation in the text of the request. The request is signed on behalf of the subject of personal data or his legal representative. In the latter case, the legality and validity of his actions must be confirmed.
The request can be sent either electronically or in paper form. At the same time, regardless of the chosen form of its carrier, details indicating the date of its preparation and the time of registration must be clearly reflected. The legal force of an electronic document must be confirmed by an electronic digital signature in accordance with the legislation of the Russian Federation or another analogue of the handwritten signature of its executor.
In such cases, the transmission of a request for access to personal data must be carried out subject to mandatory compliance with the requirements to confirm the legal validity of the document with an electronic digital signature in accordance with the legislation of the Russian Federation or another analogue of the handwritten signature of the head or other authorized person of the credit history bureau. In this case, an electronic document with an electronic digital signature has legal significance in the implementation of the relations specified in the signature key certificate.
An electronic digital signature in an electronic document is equivalent to a handwritten signature in a paper document, subject to the following conditions:
the signature key certificate related to this electronic digital signature has not lost force (is valid) at the time of verification or at the time of signing the electronic document if there is evidence determining the moment of signing;
the authenticity of the electronic digital signature in the electronic document is confirmed;
an electronic digital signature is used in accordance with the information specified in the signature key certificate (Article 4 of the Federal Law of January 10, 2002 No. 1-FZ “On Electronic Digital Signature”).

Collected Legislation of the Russian Federation. 2002. No. 2. Art. 127.

The creation of keys for electronic digital signatures is carried out for use in:
information system for public use by its participant or upon his request by the certification center;
corporate information system in the manner established in this system.
When creating electronic digital signature keys for use in a public information system, only certified electronic digital signature tools should be used. Compensation for losses caused in connection with the creation of electronic digital signature keys by uncertified electronic digital signature means may be assigned to the creators and distributors of these means in accordance with the legislation of the Russian Federation.
The use of uncertified electronic digital signature tools and electronic digital signature keys created by them in corporate information systems of federal government bodies, government bodies of constituent entities of the Russian Federation and local governments is not allowed.
Certification of electronic digital signature tools is carried out in accordance with the legislation of the Russian Federation on certification of products and services.
The signing key certificate must contain the following information:
the unique registration number of the signature key certificate, the start and end dates of the signature key certificate, located in the register of the certification center;
last name, first name and patronymic of the owner of the signature key certificate or alias of the owner. If an alias is used, the certification authority makes a record of this in the signature key certificate;
public key of electronic digital signature;
name of the electronic digital signature tools with which this public key of the electronic digital signature is used;
name and location of the certification center that issued the signature key certificate;
information about the relationships in which an electronic document with an electronic digital signature will have legal significance.
If necessary, the signature key certificate, on the basis of supporting documents, indicates the position (indicating the name and location of the organization in which this position is established) and qualifications of the owner of the signature key certificate, and, upon his application in writing, other information confirmed by relevant documents.
The signature key certificate must be entered by the certification authority into the register of signature key certificates no later than the effective date of the signature key certificate.
To verify that an electronic digital signature belongs to the appropriate owner, a signature key certificate is issued to users indicating the date and time of its issuance, information about the validity of the signature key certificate (valid, suspended, terms of suspension, canceled, date and time of cancellation of the signature key certificate) and information about the registry of signature key certificates. If a signature key certificate is issued in the form of a paper document, this certificate is drawn up on the letterhead of the certification center and certified by the handwritten signature of an authorized person and the seal of the certification center. If a signature key certificate and the specified additional data are issued in the form of an electronic document, this certificate must be signed with an electronic digital signature of an authorized person of the certification center.
5. The operator is obliged to provide the subject of personal data or his legal representative with information about the availability of personal data relating to that subject, and to give them the opportunity to familiarize themselves with this data, either when the subject of personal data or his legal representative contacts the operator or within ten working days from the date of receipt of the request of the subject of personal data or his legal representative. In addition, the subject of personal data may be provided with additional information regarding the processing of his personal data, regardless of whether it was indicated in the request or not. According to the commented article, this kind of information includes:
1) confirmation of the fact of processing of personal data by the operator, as well as the purpose of such processing;
2) methods of processing personal data used by the operator;
3) information about persons who have access to personal data or who may be granted such access;
4) a list of personal data being processed and the source of its receipt;
5) terms of processing of personal data, including periods of their storage;
6) information about what legal consequences for the subject of personal data the processing of his personal data may entail (see paragraph 4 of this article).
Providing additional information is not a direct violation of the current legislation and the article under comment, in particular, provided that this does not create the prerequisites for violating the regime for protecting information classified as a secret protected by law.
If personal data was not received from the subject of personal data, except in cases where personal data was provided to the operator on the basis of federal law or if personal data is publicly available, the operator, before processing such personal data, is obliged to provide the subject of personal data with the following information:
1) name (last name, first name, patronymic) and address of the operator or his representative;
2) the purpose of processing personal data and its legal basis;
3) intended users of personal data;
4) the rights of the subject of personal data established by this Federal Law.
6. As a general rule, citizens have access to documented information free of charge. The provision of information free of charge, as a principle of informing the population about processes and phenomena occurring in society and the state, as well as about events directly related to them, is aimed at giving effect to the constitutional guarantee to freely seek, receive, transmit, produce and disseminate information in any legal way (Part 4 of Article 29 of the Constitution of the Russian Federation). At the same time, however, the legislator retains the possibility of limiting the right to freely receive information, thereby leaving open the question of payment for it. Consequently, the final decision on whether to issue information for a fee or free of charge is left to the discretion of the holder of the documented information.
7. Implementing the constitutional provision on legislative restrictions on the rights of a citizen, the developers of this Law allow for the possibility of refusing to provide personal data to the subject. Restriction of the right of the subject of personal data to access it is permissible subject to compliance with the established legislative procedure.

Let’s answer the question of what applies to the personal data of an organization’s employee. According to Art. 3, personal data of an employee is any information about him.

Sometimes, when hiring a new employee, personnel officers take photocopies of the documents provided and put them in his personal file. According to Roskomnadzor, this is not allowed.

Judicial practice

When checking compliance with the requirements of the legislation on the protection of personal data, the supervisory authority considered it illegal to store photocopies of employees' passports in their personal files. The organization appealed to the Arbitration Court with a statement to declare this order of Roskomnadzor illegal.

The court refused to satisfy the stated demand. According to the court, the organization’s storage of copies of employees’ passports is excessive, is not provided for by law, violates the rights of citizens and exceeds the amount of personal data of employees provided for in Art. 86 Labor Code of the Russian Federation. (Resolution of the Federal Antimonopoly Service of the North Caucasus District dated March 11, 2014 No. F08-480/14 in case No. A53-10287/2013)

Sample application for processing of employee personal data

In accordance with paragraph 1 of Art. 6 of the Law of July 27, 2006 No. 152-FZ “On Personal Data”, the processing of such data by the employer company can only be carried out if a number of conditions are met. Among these is the consent of the subject of personal data to transfer information about himself for processing (subclause 1, clause 1, article 6 of Law No. 152-FZ). It is issued in the form of consent to the processing of personal data. In addition, a citizen can give consent to the operator to provide his information to third parties.

An individual has the right to revoke his consent; for this purpose, a withdrawal application is drawn up.

In accordance with the List of standard management archival documents generated in the course of the activities of state bodies, local governments and organizations, indicating storage periods, approved, the storage period for employee personal data is 75 years.

Processing of personal data

The organization needs to develop and approve a local regulatory act that establishes the procedure for processing information about employees. Each employee must be familiarized with this document upon signature.

Judicial practice

The prosecutor filed a lawsuit to force the organization to develop and adopt a local legal act establishing the procedure for storing and using personal data of employees. He motivated his demands by the fact that during an inspection of the implementation of legislation regulating the collection, storage, use or dissemination of personal data, it was found that, in violation of the requirements of labor legislation, the procedure for storing and using personal data of employees in the organization had not been developed. He believed that the absence of this local regulation could lead to unlawful access to personal data by unauthorized persons.

The prosecutor's request was satisfied by the court's decision. The court ordered the organization to develop and adopt a local legal act establishing the procedure for storing and using personal data of employees within 30 days from the date the court decision entered into legal force.

Transfer of an employee’s personal data to another person is permitted only with the consent of that employee, except in cases established by law. For example, an employer has the right to transfer information about an employee at official requests from the court, prosecutor’s office, investigative and inquiry authorities.

Please note that it is not acceptable to provide any employee information over the phone.

Judicial practice

D. filed a lawsuit to declare the employer’s transfer of his personal data to another person illegal and to recover moral damages.

At the court hearing, it was established that the organization in which D. worked entered into an agreement with the bank to implement a salary project. To issue plastic cards, the bank received application forms filled out and signed by employees with their personal data. D. did not sign the application form; he did not give consent to the transfer of his personal data.

The court satisfied the claims, despite the fact that D. actively used the received plastic card.

When you can get fired for disclosing information

Only those employees who became aware of such information in connection with the performance of their job duties can be fired for disclosing information. This is expressly stated in subparagraph “c”, clause 6, part 1, art. 81 of the Labor Code of the Russian Federation. Such employees include heads of organizations, employees of human resources services, accounting departments and other persons whose work is directly related to the processing of personal data. However, if the employee learned the data by accident (for example, due to the negligence of the employee responsible for the safety of information) and his job responsibilities do not include working with personal information, dismissal on this basis will be illegal.

Dismissal on this basis is a disciplinary measure, therefore, when implementing it, the procedure for imposing a disciplinary sanction, provided for in Article 193 of the Labor Code of the Russian Federation, must be followed.

If the employee challenges the dismissal under subparagraph “c”, clause 6, part 1, art. 81 of the Labor Code of the Russian Federation, the employer is obliged to provide evidence indicating that the information that the worker disclosed relates to the personal data of another employee, that this information became known to the employee in connection with the performance of his job duties, and that he undertook not to disclose such information (clause 43 of the Resolution of the Plenum of the Supreme Court of the Russian Federation “On the application by the courts of the Russian Federation of the Labor Code of the Russian Federation”).

Judicial practice

N. filed a lawsuit to declare the dismissal illegal and to compensate for moral damages.

At the court hearing, it was established that N. worked as an electrician and was called to the personnel department to repair a break in the telephone cable. While fixing the cable, he managed to read the dismissal agreement for employee M., which provided for the payment of significant monetary compensation and which the personnel officer had left unattended on her desk. The next day N. turned to the director, stating that he also wanted to resign by agreement of the parties with the same monetary compensation. Having received a refusal, he was offended and began to tell other employees about this situation. As a result, by order of the director, N. was dismissed under subparagraph “c”, clause 6, part 1, art. 81 of the Labor Code of the Russian Federation for the disclosure of personal data of another employee.

By the court's decision, N.'s claims were satisfied. The court came to the conclusion that N.’s job duties did not include working with the personal data of other employees, and this information became known to him as a result of the negligence of the personnel officer, who did not ensure the safety of the information.