Employee personal data protection - SearchInform

Employee personal data protection

 

A legal feature of protecting the personal data of an employee of any institution is that the process is uniform. Regardless of where an employee works, if he is faced with the protection of personal data, Federal Law No. 152 of the same name applies to him. Article 3 of this Law states that, in legal practice, personal data is any information that identifies an individual.

What does personal data consist of?

The processed personal data of an employee is regulated by the Basic Law of the Russian Federation, the Labor Code of the Russian Federation and other parts of federal legislation. In general, the documentation on this issue can be roughly divided into two broad categories:

  • provided by the employee himself;
  • collected by the employer.

The first category is presented at the time of the conclusion of the employment contract. Such personal data of an employee include:

  • Name, phone number, residential address, registration;
  • identification insurance documents;
  • employment history;
  • pensioner's ID;
  • documents confirming the grounds for granting benefits;
  • diplomas and other documents confirming education and profession;
  • photographs;
  • documents regarding military registration;
  • documents confirming marital status, etc.

Each item in this category falls under the basic principle of protecting employee personal data: ensuring maximum confidentiality. Only state power structures can work with such information, only when necessary and, in most cases, with the direct permission of the employee.

The second category of personal data is dealt with by the employer. It includes all papers related to the career and financial situation of staff and non-staff employees. This category reflects any changes in the employee's workplace and records the time of vacations, sick leaves, the base rate (if any), the rate scale for piecework (if any), overtime, and non-material incentives for staff personnel, both individual and group. All this information, with the obvious exception of financial information, is usually less confidential.

Protection of employee personal data

In addition to Federal Law No. 152, the Labor Code of the Russian Federation is the most important legal document regarding compliance with the law when using personal data. Its 14th chapter regulates the requirements for the protection of personal data, as well as liability for violations related to the employee's personal data. Article 86 of the Labor Code of the Russian Federation states that the employer is empowered to collect materials that fall within the scope of these labor relations; he cannot arbitrarily withdraw and store data that does not relate directly to the work process. This article also defines the requirements, ensuring the rights and freedoms of citizens, that the employer must guarantee when processing the employee's personal data:

  • these actions are possible only for purposes that provide assistance to the employee in his employment, training, career advancement, implementation of measures to ensure the personal safety of employees of the enterprise, monitoring the quantity and quality of his work;
  • the operator must comply with the requirements of the Constitution of the Russian Federation and federal legislation when establishing the number and types of processed PD;
  • all personal data of the employee must be received directly from him. If the employee cannot transfer his data personally, it may be received from another party, provided that the employee is notified in advance of such actions by the operator and gives his consent in writing;
  • the operator is obliged to notify the employee about the goals, the ways of obtaining his personal information and its sources, as well as the consequences of the employee's refusal to give written consent to the receipt of his personal data;
  • the operator does not have the right to receive and process information about an employee, which belongs to the category of special in accordance with the legislation of the Russian Federation (race, nationality, intimate data, political views, religious views, etc.);
  • the operator also cannot receive or process information about the employee's affiliation with public organizations or his trade union work;
  • when making decisions related to the interests of the employee, the operator cannot take as a basis personal data that was obtained only through electronic channels or using automated processing;
  • the operator is obliged to create effective protection of the employee's personal data from illegal use and loss. The employer's funds must be used for this, and all actions must be performed in accordance with the requirements of the Labor Code of the Russian Federation and other Federal Laws;
  • the operator must familiarize the employee, against signature, with the documentation that determines the procedure for working with PD;
  • the operator, the employee and their legal representatives jointly develop measures to protect employees' personal data.

Requirements for the storage and use of PD at the enterprise

The procedure for storing and using employees' PD should be established by the operator, in compliance with the norms of the Labor Code of the Russian Federation and other Federal Laws.

The transfer of the employee's personal data is possible subject to the following requirements:

  • not to allow the disclosure of the employee's personal data to unauthorized persons if there is no written consent. The exceptions are a threat to the life or health of an employee and other cases described by law;
  • not to disclose PD for commercial purposes if the subject does not provide written permission;
  • to notify persons using personal data that it may be used only for the purpose for which it is communicated. The operator is also obliged to require such persons to confirm compliance with this rule;
  • the recipients of the employee's PD are obliged to maintain confidentiality when working with this information;
  • to transfer the employee's personal data within the organization in accordance with the local standard, with which employees must be familiarized against signature;
  • personal information may be issued only to persons who have received special powers from the employer. Such data is issued to them in the amount necessary to perform the established functions;
  • not to demand data on the employee's health, except for information related to his ability to perform his job duties.

Employee rights in relation to personal data

Employees have the right to the protection of personal data, as well as to:

  • obtaining complete information about their personal data and the purposes of its processing;
  • obtaining free access to personal information and copies of their personal data, except for cases provided for by law;
  • choosing a representative to protect their personal data;
  • correction, at the request of the employee, of personal data that is incorrect, incomplete, irrelevant, or received or processed with violations. If the operator denies this right to the employee, the latter may declare his disagreement to the employer in writing and justify it. The employee can supplement the estimated PD with a statement containing his point of view;
  • the opportunity to appeal in court any illegal actions or inaction of the employer in relation to the processing and protection of his personal data.

Legal sanctions for violation of the protection of personal data of an employee

Working with personal data carries penalties, for both an employee and an employer, for neglect of cybersecurity and for violation of the rules for maintaining traditional (paper) document flow. The severity of the sanctions depends on the severity of the offense committed.

Types of responsibility assigned to the employee in case of violations:

  • material. Occurs in case of disclosure of some personal data of other employees. It amounts to the full amount of the damage caused. It is usually applied relatively rarely due to the difficulty of accurately assessing this damage;
  • disciplinary. Occurs when an employee has disclosed a trade secret or personal information that he received in the course of his work. This penalty is imposed by the employer. Where the operator determines that the employee's fault is relatively small, a reprimand without dismissing the employee is allowed;
  • administrative. If the procedure for working with data is violated, an administrative fine is imposed under the Code of Administrative Offenses of the Russian Federation;
  • criminal. This type of responsibility is spelled out in detail in Article 137 of the Criminal Code of the Russian Federation and is imposed in the form of a fine of up to 200 thousand rubles, a term of imprisonment or community service, differentiated by the severity of the offense.

Clear knowledge and fulfillment of all the requirements of the legislation regarding the processing of an employee's personal data will allow both the operator and the employee to avoid any kind of liability.

10.12.2020
