Regulations on the procedure for storing employee personal data


The Regulation on the procedure for storing personal data is the most important local act, and it is developed at each enterprise. It must have a specific structure, list the personal data used at the enterprise, provide for the liability of the company owner for violations committed when handling employees' personal information, and cover other important points.

Labor law on personal data

The concept of personal data (PD) is clearly spelled out in Article 3 of Federal Law No. 152, in force since July 27, 2006. This law was developed and adopted after the ratification of the Council of Europe Convention, which regulates the protection of individuals in the automated processing of PD.

In accordance with the law, personal data is any information that directly or indirectly relates to an individual who is recognized by the Federal Law No. 152 as a subject of personal data.

Chapter 14 of the Labor Code of the Russian Federation is devoted to the employee's personal data and its protection. It also regulates the storage and use of personal information within the organization, its transfer to third parties, and the owner's liability for violating the laws that govern this area.

Employer processing of personal information

The processing of personal information of company employees is carried out in accordance with the Labor Code of the Russian Federation (Article 86) according to the following rules:

  • PD processing can be performed only in the interests of employees or for work-related purposes;
  • the company can receive PD from the employee personally or with his written consent;
  • the employer organizes the protection of stored personal data at his own expense;
  • an employee cannot waive the rights granted to him by law to protect personal information. Such a waiver, regardless of the form in which it is filed, will not be valid;
  • the employee and the employer should jointly develop the necessary measures to protect personal data.

Regulations on the procedure for storing personal information of employees

The employer must, without fail, develop a Regulation on the procedure for storing personal data and approve it in accordance with the procedure for approving internal documents adopted at the enterprise.

The requirement to develop it is specified in Article 87 of the Labor Code of the Russian Federation. The Regulation must not contradict the norms of the Labor Code or other legislative acts that establish requirements for the protection, storage and use of employees' personal information.

The law does not prescribe the structure of the document, but practice shows that certain sections are desirable to include in the Regulation.

The document should describe the following issues:

  1. The introductory part, which describes the grounds for the development and implementation of the Regulation, listing the legislative norms in force in the field of PD processing, the main definitions used in the Regulation (indicated in Art. 3 of Law No. 152).
  2. List of information that makes up the personal data of the company's employees.
  3. List of documents processed and stored at the enterprise containing such information.
  4. Personal information processing rules.
  5. Designation of the specific places where PD is stored.
  6. The procedure for obtaining access to personal information stored at the enterprise by personnel, PD subjects, third parties.
  7. Measures taken to protect personal information that is stored in the enterprise.
  8. Rights and obligations of all participants in legal relations in the field of processing and storage of personal data.
  9. The responsibility of the company for violations of the procedure for storing personal information.

Once the document is put into effect, all employees must be familiarized with it against signature.

Adoption of the Regulation on the procedure for storing PD

This Regulation is of a local nature. The procedure for its development and approval is the same as for other internal documents in accordance with Article 8 of the Labor Code of the Russian Federation, taking into account the rules of office work.

This document is usually developed by the HR department or by the employee responsible for HR in the company. The Regulation is approved by the employer, or by another person authorized by the employer, by issuing an order or directive.

Employer's responsibility

If the employer violates the statutory requirements for storing personal data, Article 90 of the Labor Code of the Russian Federation provides for administrative, material, civil and criminal liability. Which type of liability applies in a specific case depends on the seriousness of the violation and the severity of its consequences.

If, for some reason, the Regulation on the protection of personal data has not been developed at the enterprise, it is important to correct this violation immediately: create the document and familiarize all employees and persons being hired with it. The latter should be familiarized with the Regulation before an employment contract is signed with them. The most convenient way to record the fact of familiarization is a journal in which employees sign to confirm that they are familiar with the company's internal documents. The employee has the right to refer to the Regulation on the procedure for storing personal data and study its content any number of times. This can be simplified by placing a copy of the document on an electronic resource with corporate access.