Legal basis for personal data processing

Apply for SearchInform DLP TRY NOW

Operators involved in the processing of personal data (PD) are obliged to be guided by legal grounds that allow them to carry out all the actions provided for by legislative norms with the personal information of citizens. This is necessary so that operators do not go beyond the requirements set out in Federal Law No. 152 "On Personal Data".

Personal data processing legislation

In March 2009, a Regulation was issued that regulates the powers and legal basis that is vested in Roskomnadzor in matters of PD processing. The importance of the development and implementation of this Regulation was caused by the need to ensure the security of personal data and the rights of citizens.

Law No. 152 (Art. 23, Part 5, Clause 3) states that the authorized body performing the function of protecting the rights of subjects is obliged to keep a register of all operators. He receives a legal basis for the processing of personal data. This document contains information directly about the operators based on the information received in the notifications.

After that, in accordance with the submitted information letter, all the necessary changes are entered into the information available in this register for specific operators. The register must also record information on the termination of the operator's PD processing process. The legal basis for performing these actions is the submitted application, which also allows you to issue the requested extract from the information entered in the register.

Keeping a register

An exhaustive amount of information on the form of working with the register is posted on the official Roskomnadzor portal and on the PD portal . These resources can also be found:

  • with a notification form that the future operator must draw up if he intends to process PD in the legal field;
  • with an information letter (in the form of a notification about making changes to the register according to data on operators);
  • with an application form for stopping the processing of PD by operators with an indication of the provided legal basis. A sample is available for download and print;
  • with an application for extracts in a recommendatory form.

Basic information

Operators can be any government or municipal authorities, as well as individuals, legal entities that provide, on a legal basis, the processing of personal data at the enterprise. These authorities and persons need to establish the objectives and determine the content of such processing.

As a legal basis for performing any actions for PD processing, operations performed with the help of automated means or without their use are used.

The operator can perform the following operations with PD:

  • collect;
  • write down;
  • systematize;
  • accumulate;
  • keep;
  • clarify;
  • update;
  • change;
  • extract;
  • use;
  • transfer;
  • distribute;
  • give;
  • create access to them;
  • depersonalize;
  • block;
  • delete;
  • destroy.

It is for these actions that the operator is authorized when filling out the register.

Legal bases

All organizations, institutions, companies that are operators involved in the collection, processing, storage of personal data must adhere to the general requirements established by the laws of Russia, including the requirements of Article 86 of the Labor Code of the Russian Federation.

The legal basis for PD processing for agricultural companies, industrial enterprises, any other organizations is the fulfillment of the norms of current laws and other acts regulating this activity.

The purposes of this processing can be considered:

  • assistance in getting a job;
  • getting education;
  • training;
  • compliance with corporate and personal security requirements;
  • ensuring control of quality, quantitative indicators of manufactured products and other parameters.

All PD, after receiving them, are processed, after which they are sent for storage, regardless of what media are used for their placement (in paper or electronic versions).

Consent and conditions

In order for the legal grounds for starting the PD processing process to appear, the employer must necessarily obtain written consent from the employee to perform such actions. The transfer of personal information of subjects is allowed under various conditions. If the written consent of the employee is not provided, it is not allowed to transfer PD to third parties. The exceptions are cases when there is a threat to life and health and other reasons prescribed in legislative documents are possible.

It is forbidden to use personal information of an employee if this is for commercial purposes and the employee's consent to the possibility of performing such actions has not been obtained. Individuals who receive personal data must maintain complete confidentiality with respect to this information.

Only those employees who have received a legal basis allowing them to collect, store, process this information can have access to PD. Information about the health of an employee can be requested only in the amount necessary for the implementation of labor relations and the performance of his labor duties.

When performing any action with PD, the operator must adhere to the rules provided for in the Labor Code of the Russian Federation.

Ensuring the storage and protection of personal data

Any company must register, form, maintain and store information that contains personal data. Such work is always performed by those who are endowed with the legal basis that must be recorded in the job descriptions at the enterprise. The person responsible for the implementation of this work is appointed by order of the General Director.

Unauthorized persons should not have access to personal information. The head of the enterprise must also approve the list of persons admitted to such activities, and the general director must endorse this document.

Persons from the number of administrative employees, such as a boss, employees responsible for working with personnel, an employee of the personnel department (inspector), engineering personnel responsible for organizing and setting labor standards by structural divisions, can have a permanent right of access to PD at the enterprise.

In some companies, any personal data may be required by the chief accountant if it is necessary to prepare certain documents.

An employee responsible for security at the enterprise has constant access to confidential data, but only within the framework of the authority assigned to him.

Other employees may be included in the list, which is compiled at the enterprise for persons who have access to the personal data of employees and who perform certain work with them. It varies in accordance with the Internal Labor Regulations.

Data transfer capability

The transfer of personal data of any employee of the company can be carried out only if there is a request submitted by state authorities. Such bodies and organizations can be:

  • law enforcement agencies;
  • Ministry of Emergency Situations;
  • tax authorities;
  • courts of law;
  • security organs;
  • Migration Service;
  • military commissariats;
  • social insurance authorities;
  • statistical services;
  • Pension fund and other services and bodies.

But you should take into account the requirements of the legislation during the provision of documents requested by these instances with the personal data of employees. It is necessary to obtain the written consent of the employees in respect of whom it is necessary to form and transfer personal data to perform these actions. Without such consent, it is prohibited to transmit personal data of subjects both by fax and by telephone, as well as by e-mail and using other media. The exception is the cases specified in the legislation.