Features of personal data protection


Federal Law No. 152-FZ "On Personal Data" of 27 July 2006 regulates relations between the state, individuals and legal entities in the collection, storage, processing and protection of personal data (PD), whether or not automation tools are used. The purpose of the law is to protect citizens' right to privacy of their personal lives. Any organization that collects and processes PD is a PD operator.

Operator's work with PD of employees and other individuals

To operate effectively, every operator organization must determine which personal data of citizens, employees, customers and visitors it actually needs. This information is collected from the PD subjects themselves or obtained from other lawful sources. The operator must inform the subject of the purpose for which information about them is collected and, unless another legal basis applies, obtain the subject's written consent to the collection.

The processing of personal information of citizens is legal in the following cases:

  • the subject has given written consent to the processing of their personal data;
  • the processing is necessary for the operator to perform its functions properly;
  • the processing is required for the administration of justice;
  • the processing is required to provide state or municipal services;
  • the processing is required to conclude or perform a contract to which the subject is a party;
  • the processing is necessary to protect the life or health of an individual;
  • the processing serves the legitimate interests of the operator or third parties, provided the rights of the PD subjects are not violated;
  • the processing is part of the professional activity of journalists or the media, provided the legal rights of the subject are respected;
  • the processing is for statistical or other research, provided the collected information is depersonalized;
  • the PD were made publicly available by the subject themselves;
  • the PD are subject to publication or mandatory disclosure under the law.

The operator is obliged to keep personal data confidential unless the law provides otherwise.

Principles and conditions for the processing of personal data by the operator

  1. PD are processed on a lawful basis.
  2. The specific purposes of processing must be defined, and the data necessary to achieve those purposes must be listed.
  3. A separate database (DB) is created for each purpose or group of compatible purposes. Merging databases whose purposes are incompatible is not allowed.
  4. PD must be accurate, complete and up to date for the stated purposes.
  5. When the data are no longer needed, the operator destroys them within five years or transfers them to an archive where the law so provides.

Obligations of the operator

  • Register in Roskomnadzor's Register of Personal Data Operators, stating the purposes for which PD are collected and processed.
  • Obtain the subject's written consent to the processing of their personal data, unless the law provides otherwise.
  • Ensure proper protection of PD in processing and storage.
  • Respond to a subject's request about the composition of their personal data within the period set by law.
  • Destroy PD, or transfer them to an archive, within five years once they are no longer needed.
  • Inform the subject of the reasons for refusing to provide their personal data.

Features of working with PD when registering personal files of employees of an enterprise

The procedure for keeping employees' personal files is not standardized by current legislation. The employer may keep copies of an employee's documents in the personal file if the following conditions are met:

  • the personnel department has obtained the employee's consent to the storage and processing of their personal data;
  • the personal data are processed in order to organize work better, comply with regulatory requirements, assist employees with employment, assess their specialist knowledge, improve their qualifications and ensure the proper safety of the personal data;
  • the volume of PD is not excessive for the proper operation of the organization.

Processing personal data in a way the law does not provide for, collecting PD that are not needed, or working with PD without the citizen's written consent results in a warning from the inspection authorities or a fine.

The use of photographs is treated as the processing of biometric PD, so it requires the written consent of the PD subject.

Composition of a personal file and the personal data it may contain:

  • inventory (list of contents) of the personal file;
  • job application;
  • hiring order;
  • questionnaire;
  • autobiography and resume;
  • copies of diplomas;
  • employment contract;
  • proposals for transfer to another position;
  • transfer orders;
  • changes to personal data;
  • employee appraisal documentation;
  • employee statements and applications;
  • health documents;
  • photograph;
  • orders on incentives and disciplinary sanctions;
  • copies of passport pages;
  • copies of Pension Fund (PFR) insurance certificates;
  • taxpayer identification number (INN);
  • copies of military ID cards;
  • marriage documents;
  • children's birth documents;
  • lists of scientific papers and inventions;
  • character references and reviews.

Monitoring the activities of PD operators

Roskomnadzor verifies that PD are processed on a lawful basis. A scheduled inspection is carried out at the start of the operator's activity and then once every three years, within the exact timeframes set in a plan drawn up by Roskomnadzor and approved by the prosecutor's office.

The grounds for an unscheduled inspection are:

  • checking that an order to remedy a violation found during a previous inspection has been fulfilled;
  • a demand from the prosecutor's office based on appeals and complaints received about the operator's actions;
  • inaction by the operator that has violated the rights of PD subjects;
  • a Roskomnadzor order issued to carry out instructions of the President or the Government of the Russian Federation.

An inspection lasts no more than 20 working days, but where necessary it may be extended by the same period.

Verification methods:

  • on-site visit to the place where personal data are processed;
  • review of documentation provided on request;
  • systematic monitoring by specialist inspectors, on the basis of which conclusions are drawn about compliance with the laws on working with personal data.

Responsibility for illegal processing of personal data

The operator may not collect, store, use or distribute information about a person's private life, correspondence, telephone conversations and the like unless a court order or another legal ground exists for doing so.

The operator has no right to use personal data to cause material or moral harm to people or to infringe on their rights and freedoms.
Violation of the Law "On Personal Data" may entail disciplinary, administrative and criminal liability.

Requirements for the protection of personal data

The legal requirements for the protection of personal data are mandatory. The operator must take the measures necessary to protect PD from unlawful or accidental access, destruction, modification, blocking, copying, duplication, provision or distribution, and from any other unlawful action in relation to personal information.

For proper protection of PD, you must:

  • identify the current security threats to information processed in personal data information systems (ISPDn);
  • take adequate organizational and technical measures;
  • use certified information security tools;
  • before putting an ISPDn into operation, attest it for compliance of its protective measures with legal requirements;
  • keep records of machine-readable PD media;
  • detect unauthorized access to the information and take action to improve its protection;
  • restore PD that have been modified or destroyed because of unauthorized access;
  • grant access to PD only to strictly defined persons;
  • log all actions performed when working with PD.

Protection against unauthorized access

  • An authorization (permission) system governing access to the information system.
  • Restricting entry to premises that house the technical means used for processing personal data.
  • Logging of actions performed when working with PD.
  • Strict accounting and storage of removable media.
  • Creation of backup copies and duplication of databases and storage media.
  • Use of certified information security tools.
  • Secure communication channels.
  • Locating the technical means for processing personal data within a protected area.
  • Combating malware and viruses with certified antivirus software and other protective methods.
  • Firewalling.
  • Analysis of information system security with vulnerability scanners.
  • Protection of communication channels against interception of data.
  • Use of smart cards and electronic locks for reliable user identification.
  • Systematic testing of firewalls by simulating external attacks.
  • Authentication of trusted peer information systems and assurance of the integrity of transmitted data.
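Two of the controls above, logging every action performed on PD and restricting access to strictly defined persons, are easy to state and easy to get wrong: a log an attacker can edit after the fact is not evidence, and an allow-list that is never checked against the log does not detect misuse. The following is an added illustration written for this page, not code from the page, from SearchInform or from any regulator. The role table (ALLOWED), the record format, the sample events and the HMAC key are all constructed assumptions; in a real ISPDn the key would live outside the log volume and the chain would be anchored to external write-once storage.

```python
"""Tamper-evident PD access log with an allow-list check (added example).

Each record carries the SHA-256 of the previous record and an HMAC over its
own body, so deleting, reordering or editing an entry breaks the chain.
unauthorized() then flags every access outside the constructed allow-list.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed allow-list: which account may touch which PD category.
ALLOWED = {
    "hr_clerk": {"personal_file", "passport_copy"},
    "payroll": {"personal_file", "tax_id"},
    "admin": set(),  # administers the system but must not read PD
}

# Assumption: the key is kept away from whoever can write the log file.
SECRET = b"rotate-me-in-production"
GENESIS = "0" * 64


def _canon(body):
    """Deterministic serialization so MAC and hash are reproducible."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def record_hash(rec):
    """Hash of a full record (body plus its MAC) used to chain the next one."""
    return hashlib.sha256(_canon(rec)).hexdigest()


def make_record(prev_hash, user, action, category, subject_id, ts):
    body = {
        "ts": ts.isoformat(),
        "user": user,
        "action": action,
        "category": category,
        "subject": subject_id,
        "prev": prev_hash,
    }
    body["mac"] = hmac.new(SECRET, _canon(body), hashlib.sha256).hexdigest()
    return body


def append(log, user, action, category, subject_id, ts=None):
    """Append one access event, chained to the current tail of the log."""
    ts = ts or datetime.now(timezone.utc)
    prev = record_hash(log[-1]) if log else GENESIS
    log.append(make_record(prev, user, action, category, subject_id, ts))
    return log


def verify_chain(log):
    """Return the index of the first broken record, or -1 if the log is intact."""
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "mac"}
        expected = hmac.new(SECRET, _canon(body), hashlib.sha256).hexdigest()
        if rec.get("prev") != prev or not hmac.compare_digest(rec.get("mac", ""), expected):
            return i
        prev = record_hash(rec)
    return -1


def unauthorized(log):
    """Records where the user touched a PD category outside their allow-list."""
    return [r for r in log if r["category"] not in ALLOWED.get(r["user"], set())]


def build_sample_log():
    """Constructed sample events; the third one violates the allow-list."""
    log = []
    t = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    append(log, "hr_clerk", "read", "personal_file", "emp-0042", t)
    append(log, "payroll", "read", "tax_id", "emp-0042", t)
    append(log, "admin", "export", "passport_copy", "emp-0042", t)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", verify_chain(log) == -1)
    print("unauthorized:", [(r["user"], r["category"]) for r in unauthorized(log)])
    log[1]["user"] = "admin"  # simulate after-the-fact editing of the log
    print("first broken record:", verify_chain(log))
```

Running it shows the chain verifying cleanly, the admin's export of a passport copy being flagged, and verify_chain() pointing at record 1 once that record is edited. The same check catches a deleted record, because the next record's prev no longer matches.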

Features of personal data protection in the EU

Since 25 May 2018 the General Data Protection Regulation (GDPR) has applied to all companies that process personal data of persons located in the EU.

What you should pay attention to:

  • the definition of personal data has been broadened (location data, IP addresses and cookie identifiers are now included);
  • the rights of PD subjects have been extended (the right to port data from one company to another, and the right to have all information about oneself erased from a company's database);
  • operators have new obligations (demonstrating that processing is lawful, data protection by default, appointing a representative in the EU for companies established outside it, and appointing a data protection officer);
  • the subject's consent to processing is spelled out in detail (consent must be given by a clear affirmative action: a written statement, including by electronic means, or an oral statement);
  • the measures required after PD are lost or accessed without authorization are defined (the company must notify the supervisory authority within 72 hours of becoming aware of the breach and, where the breach poses a high risk to individuals, inform the PD subjects so they can guard against the danger);
  • the territorial scope of the Regulation extends beyond the borders of the EU.

Thus, European legislators set themselves the important goal of creating a single, effective legal framework that applies to all EU member states, and reaches beyond them.