Development of Regulations on the Personal Data of Employees: complying with the personal data law and what needs to be taken into account

An inspector from the State Labour Inspectorate (GIT) will check whether the employer has approved Regulations on working with personal data. This article explains how to draw up the document so that its content complies with the law, and provides a finished sample.


Regulations on personal data of employees: 2020 sample

During the employment process, and often even earlier, at the stage of preliminary questionnaires and interviews, the employee provides the employer with certain information of a personal nature. Such information is classified as confidential and is not subject to disclosure to third parties. Moreover, not all types of information can be requested - for example, a question about an applicant’s religious affiliation or political views would be inappropriate at any interview.

The employer is allowed to be interested only in those aspects of the employee’s personal life that are directly related to his work and can affect the quality of his work.

The definition of personal data is contained in Federal Law No. 152-FZ of July 27, 2006. This is the key regulatory document that establishes, at the federal level, the basic rules and principles for handling personal information. Under Article 3 of Law No. 152-FZ, personal data is any information relating directly or indirectly to a specific or identifiable individual (the data subject). The subject provides information about himself to the operator, which may be a state or municipal body or an employer (a legal entity or an individual).

Regulations on working with personal data of employees

The operator has no right to process the received information or disclose it to third parties without the subject's consent. Protection of personal information is ensured by the legislation of the Russian Federation: the aforementioned Federal Law No. 152-FZ, individual articles of the Labour, Criminal and Civil Codes of the Russian Federation, and Articles 5.39 and 13.11 to 13.14 of the Code of Administrative Offences of the Russian Federation. These rules apply to organizations of all forms of ownership.

Each company that collects personal information about its personnel must draw up and approve Regulations on the protection of employees' personal data. This is the local regulatory act that establishes the procedure for working with personal data within a specific enterprise in accordance with Article 87 of the Labour Code of the Russian Federation. In the state civil service, the equivalent document is the "Regulations on the personal data of a state civil servant and the management of his personal file", as required by Decree of the President of the Russian Federation No. 609 of May 30, 2005.


Main types of personal information

Conventionally, the entire volume of personal data about a particular subject can be divided into five types:

  • general;
  • publicly available;
  • anonymized (depersonalized);
  • special;
  • biometric.

General data includes a person's passport details (last name, first name, patronymic, date of birth), marital status, address, telephone number, information about education, and so on. Current legislation does not contain an exhaustive list of general data, but it lists in detail the special categories of data for which special rules of collection, processing and storage have been established (Article 10 of Law No. 152-FZ). These include information about:
</gre_replace>
<gr_replace lines="46" cat="clarify" orig="You can request special data">
Special categories of data may be processed only in strictly defined cases: for medical purposes (with strict observance of medical confidentiality) or insurance services, for the administration of justice, in the framework of countering terrorism, or to protect the life or health of the subject. Criminal record information is processed only where a federal law establishes the need for such processing. Processing of special categories is also permitted if the subject has given written consent or has himself made the information publicly available.

  • state of health;
  • intimate life;
  • having a criminal record;
  • religion;
  • philosophical and political beliefs;
  • race and nationality.

You can request special data for processing only in strictly defined cases - for medical purposes (with strict observance of medical confidentiality) or insurance services, for the administration of justice, in the framework of countering terrorism, to protect the life or health of the subject. Criminal record information is processed only if there is a federal law establishing the need for such processing. In addition, it is not prohibited to process special information if the subject himself has given permission to do so or has made it publicly available.


Attention! Publicly available data is information that the subject himself has placed in public sources: newspapers, magazines, address and telephone directories, social networks.

Biometric data is information about the physiological or biological characteristics of a particular person that allows his identity to be established: height, build, fingerprints, iris pattern, results of genetic and other studies. Sometimes such data cannot be avoided. A typical case is described in the note "Can an employer take fingerprints of employees to organize access control": fingerprinting allows an employee to be identified instantly, which matters when running events with restricted access.

Biometric data should be processed and stored in accordance with Decree of the Government of the Russian Federation No. 512 of July 6, 2008. Once the purpose of processing has been achieved or no longer applies, biometric, special and general personal data must be anonymized. Anonymized information (for example, aggregated results of statistical reports and surveys) cannot be attributed to a specific person.

Attention! Data that cannot be anonymized for objective reasons must be destroyed.

When drawing up regulations on personal data of employees, do not forget to write down the rules for processing different types of information, including biometric information, if the organization collects and uses it in its work.

What functions does the provision on the protection of personal data perform?

One way or another, the employer gets access to certain information about the employee's private life. Filling out personnel records, providing various benefits and compensation, and processing tax deductions are just a few of the standard procedures for which the employee has to be asked about his state of health, family composition and so on. And once processing is carried out, Regulations on the protection of personal data are also necessary (a sample document is discussed below).

Attention! You need to receive personal information about an employee directly from him, and not from third parties.

Even within the same organization, personal information can only be transferred in accordance with local regulations, which all personnel must first familiarize themselves with and sign. The need for such familiarization is enshrined in clause 8 of Art. 86 Labor Code of the Russian Federation.

Regulations on personal data of employees: sample structure

The concept of processing covers the different types of operations listed in clause 3 of Article 3 of Federal Law No. 152-FZ. First, information is collected, recorded and systematized. Next comes accumulation, storage and use. Data can be refined, updated or changed, retrieved and transferred. When there is no longer a need to use personalized information, it is anonymized or destroyed. Accordingly, the Regulations on working with employees' personal data are divided into sections devoted to the different stages of processing:

  • general provisions;
  • receiving and systematization;
  • storage;
  • usage;
  • transfer;
  • confidentiality guarantees.

Of course, the proposed structure can be adjusted as necessary - combining existing sections and adding new ones, including additional lists and applications. But even the simplest standard provision on an employee’s personal data is a convenient starting point, on the basis of which you can develop a full-fledged document adapted to the operating conditions of a particular enterprise.

Statement on personal data: procedure for processing and storing information

When developing Regulations on personal data, the sample can be used as a basis. Pay special attention to the sections devoted to the procedure for collecting, systematizing and storing information. The more detailed each point is, the better and safer it is for the employer. If applicants are required to complete a questionnaire, describe the procedure as precisely as possible and list the specific types of information requested:

Storing any carrier of personal information, whether paper, electronic or otherwise, requires restricting access to it. For this purpose, separate rooms, safes, locked cabinets, dedicated folders and password-protected electronic databases are used. Only a limited number of officials may request confidential information without special permission.

All these nuances need to be included in the provisions on the protection of personal data of employees. A sample section would look something like this:

Each employee has the legal right to know exactly how and to what extent his personal data is processed and used, and to have incorrect, incomplete or improperly processed information about himself corrected or deleted.

Regulations on working with personal data of employees: sample design of the section on transfer of information

The employer is allowed to transfer personal information to third parties, but only under certain circumstances - for example, in order to prevent a threat to the life and health of the employee or in cases provided for by federal laws. In this case, the data does not become publicly available, but is confidentially transferred to an authorized person.

In all other cases, the rule of Article 7 of Law No. 152-FZ applies: each time such a need arises, the subject's consent must be requested. Data is then transferred only in the amount necessary to perform a specific function and nothing more.

Be sure to add a section on the rules for the transfer of confidential information to the provision on personal data of employees. An example of a section design looks like this:

The employer must keep records of every release of personal information relating to the enterprise's employees. For this purpose, a dedicated journal (book) or electronic record is kept. Ideally the records are duplicated, kept on both electronic and paper media.

How to approve a regulation on personal data of employees: sample order

There are two ways to approve the Regulations on the protection of employees' personal data: issue a separate order, or simply provide a dedicated field for the approval details in the header of the main document. Employers who do not want to multiply paperwork usually prefer the second method and add the necessary fields to the header of the document.

When approving the document, the head of the organization puts his personal signature and the seal on it. If the first, more labour-intensive method is chosen, a corresponding administrative document is drawn up. It is issued in the usual way and in fact is no different from a standard order.

If the employer previously applied a different version of the Regulations, the new edition is put into effect in the same way. An order approving the Regulations on working with personal data, or any other local act, can be used as a sample.

Order on approval of the Regulations on working with personal data

Attention! If the organization has a legal department or an in-house legal adviser, it is recommended to agree with him on the provisions on the protection of personal data of employees before the document is sent for final approval to the head of the enterprise.

Notice about the processing of personal data

In addition to a number of basic measures to protect personal data of personnel, the law provides for another obligation of the operator - notifying Roskomnadzor of the upcoming processing of personal data. This rule is present in Russian legislation since 2007. The notification form currently used was approved in 2008.

Let us note immediately that the notification requirement does not apply to all employers. According to Article 22 of Law No. 152-FZ, notification is not required from operators that:

  • process the information received in accordance with labour legislation;
  • receive information in connection with the conclusion of a contract and use it exclusively for the performance of that contract;
  • receive data that is publicly available or consists only of the subjects' last names, first names and patronymics;
  • request information once in order to allow the subject to enter the operator's territory;
  • are public associations or religious organizations and process data of their members solely to achieve their lawful purposes.

In order not to notify Roskomnadzor about each instance of processing, an employer that uses information about employees exclusively within the framework of labour legislation can establish the corresponding condition in its internal documents. State in the Regulations and other local acts the main areas of the company's activity and the purposes for which it collects and processes personal information about personnel. Note that Federal Law No. 266-FZ of July 14, 2022 removed most of these exemptions from Article 22 with effect from September 1, 2022, so an employer relying on the labour-legislation exemption should re-check whether it still applies.

Responsibility for violating the rules for processing personal information

For violation of the legislation on the protection of personal information, the guilty person may be held not only disciplinarily but also administratively liable, and in some cases criminally liable. The measure of liability is chosen taking into account the type, severity and circumstances of the offence.

It should be remembered that unauthorized access to legally protected computer information and violation of privacy are criminal offences (Articles 272 and 137 of the Criminal Code of the Russian Federation). Administrative liability also covers improper storage of personal data and the unintentional disclosure, without malicious intent, of confidential information to which access was obtained in the course of performing job duties. The injured party may, through the court, demand compensation for material and moral damage caused by the unlawful actions of an official.

The amount of fines paid by employers for non-compliance with the rules for processing personal data of personnel is constantly increasing and currently amounts to tens of thousands of rubles. Therefore, if the organization does not apply or does not have a provision on the protection of personal data of employees, a sample document drawn up taking into account all the requirements of the law will obviously not be superfluous.

In order to process employees' personal data without a fine from the State Labour Inspectorate, the employer must draw up and approve Regulations on the processing of employees' personal data. This is a mandatory document that every organization must have. Draw up the Regulations in free form and include in them all the specifics of the personal data processing procedure in your company. Approve the finished document by order of the employer.

Personal data is any information relating to a specific individual (clause 1 of Article 3 of Federal Law No. 152-FZ of July 27, 2006). Like any other information, personal data is processed: collected, systematized, accumulated, stored, transferred, destroyed and so on. To ensure that processing does not violate citizens' rights and freedoms, including the right to privacy and to personal and family secrets, proper protection of personal data is required. This topic is relevant for all employers, because they constantly process certain personal data of their employees: for example, passport details, residential address, information about education or work experience, salary or marital status. The importance of this area is confirmed by the fact that the Labour Code of the Russian Federation devotes a separate chapter to it, Chapter 14 "Protection of employees' personal data". This consultation explains the protection of personal data in organizations and provides a 2017 sample of the Regulations on the protection of employees' personal data.

Policy for the processing and protection of personal data of employees

General requirements for the processing of employees' personal data, as well as personal data protection at the enterprise, are set out in Article 86 of the Labour Code of the Russian Federation.

Thus, the Labor Code of the Russian Federation establishes, in particular, the following aspects of the processing and protection of personal data:

  • the processing of employee personal data is carried out only for the purpose of complying with the legislation of the Russian Federation, assisting employees in finding employment, obtaining education and career advancement, ensuring the personal safety of employees, monitoring the quantity and quality of work performed and ensuring the safety of property;
  • All personal data of the employee must be obtained from him. If any personal data of an employee can only be obtained from a third party, the employee must be notified in advance and written consent must be obtained from him;
  • the employer must, at his own expense, ensure the protection of the employee’s personal data from unlawful use or loss;
  • The employer must, against signature, familiarize employees and their representatives with the procedure for processing personal data of employees, as well as with their rights and obligations in this area.

At the same time, the requirements for the protection of personal data of employees cannot be considered in isolation from the issues of transfer of personal data. Thus, when transferring an employee’s personal data, the employer is obliged to comply with certain requirements.

These, in particular, include (Article 88 of the Labor Code of the Russian Federation):

  • as a general rule, not to disclose the employee's personal data to a third party without the employee's written consent;
  • warn persons who receive the employee’s personal data that these data can only be used for the purposes for which they were communicated;
  • transfer personal data of an employee within one organization in accordance with local regulations, with which the employee must be familiarized with signature;
  • allow access to personal data of employees only to specially authorized persons;
  • do not request information about the employee’s health status (except in cases related to checking the employee’s ability to perform a job function).

At the same time, the employee’s consent to the transfer of personal data is not always required. Thus, consent is not required when the transfer of personal data is necessary to prevent a threat to the life and health of an employee (paragraph 2 of Article 88 of the Labor Code of the Russian Federation) or is necessary on the basis of other Federal laws (this includes, for example, information to the Pension Fund of the Russian Federation, the Social Insurance Fund, tax authorities etc.).

Responsibility for violation of personal data protection requirements

Responsibility for violations of requirements for the processing and protection of employee personal data is varied. It concerns both employees and the employer himself.

For example, an employee may be dismissed for disclosing the personal data of another employee that became known to him while performing his job duties, since this is treated as a gross violation of his labour duties (subclause "c" of clause 6 of Article 81 of the Labour Code of the Russian Federation).

And, for example, the processing of personal data in cases not provided for by the legislation of the Russian Federation may entail a fine for officials from 5,000 to 10,000 rubles, and for the employing organization - from 30,000 rubles to 50,000 rubles (Part 1 of Article 13.11 Code of Administrative Offenses of the Russian Federation).

Please note that fines have increased significantly since July 1, 2017. If previously the maximum fine for an organization for violating the procedure for collecting, storing, using or distributing personal data was 10,000 rubles, then from July 1, 2017 it increased to 75,000 rubles.

Personal Data Protection Regulation 2017: Sample

Considering that employees have the right to full information about their personal data and the processing of this data, the employer is obliged to familiarize them with the relevant documents (paragraph 2 of article 89 of the Labor Code of the Russian Federation). For these purposes, a Regulation on the Protection of Personal Data can be developed, with which the employer is obliged to familiarize all newly hired employees.

Here are the Regulations on the processing and protection of personal data, posted in the legal reference system ConsultantPlus.

The regulation on the protection of personal data of employees is the basic document of the organization, which forms the legal basis for all work with data of this kind. The article we offer will tell you about the content of this provision and how to work with it.

Regulations on the processing of personal data - legal requirements

Part 1 of Article 18.1 of the Law "On Personal Data" No. 152-FZ of July 27, 2006 states that organizations and other entities (individual entrepreneurs, state or municipal authorities) working with citizens' personal data are obliged to take necessary and sufficient measures to ensure compliance with the requirements of Federal Law No. 152 itself and the by-laws adopted to implement it. The organization chooses the list of measures needed to fulfil these obligations independently.

The same Part 1 of Article 18.1 of Federal Law No. 152 contains an indicative (not exhaustive) list of measures an organization can apply when working with personal data. Clause 2 of Part 1 of Article 18.1 names, as one possible measure, the issuing of internal documents that define the organization's policy in the field of personal data, as well as other regulations that set the specific procedure by which the organization's employees work with such information.

It should be noted that the organization's policy is primarily a declarative document that describes only in general terms the measures the organization will take to comply with the law. The legal basis for processing personal data in the organization is the Regulations on employees' personal data.

An analysis of Article 18.1 of Federal Law No. 152 shows that adopting such Regulations is not a mandatory requirement. At the same time, when compliance with security measures is checked, the organization must, under Part 4 of Article 18.1 of Federal Law No. 152, present such a document to the inspectors or otherwise confirm its compliance with the law. The existence of the Regulations is therefore strong evidence of compliance with the requirements for working with personal data, so it is advisable for the organization to develop them. Moreover, under Part 2 of Article 18.1 of Federal Law No. 152, the document defining the policy must be made available for public review, for example by posting it on the organization's website.


Contents of the regulation, sample 2017

The list of issues that must be addressed in the Regulations follows from Article 18.1 of Federal Law No. 152. As a rule, they are included in the following order:

  1. General provisions. Here are the following:
    • goals and objectives of the provision;
    • references to other regulatory acts of the organization (orders, instructions, regulations);
    • situations where this provision is subject to application;
    • persons responsible for implementation;
    • definitions of terms used in the document, etc.
  2. List and procedure for applying technical, legal and other measures aimed at protecting personal data. This section reflects:
    • issues of access to personal data carriers,
    • procedure for working with them,
    • requirements for computer equipment used to process information, etc.
  3. The procedure for informing (instructing) employees of the organization who will be allowed to work with personal data.
  4. Frequency and list of activities carried out within the framework of internal or external control for compliance with the provisions.
  5. The scope of employee liability for violation of the requirements of the regulation.
  6. An assessment of possible harm and a list of measures that can minimize it or completely eliminate the likelihood of it occurring.

When developing the organization's regulations, the following standards should also be taken into account:

  • provisions put into effect by the Decree of the Government of the Russian Federation “On approval...” dated September 15, 2008 No. 687 (if the organization processes data manually using paper or electronic media);
  • requirements for working with automation equipment established by the Decree of the Government of the Russian Federation “On approval...” dated November 1, 2012 No. 1119 (when using computer equipment, data transmission via the Internet).


Features of working with the Regulations

When working with the Regulations on the protection of employees' personal data, remember that the list of persons responsible for such work (or having access to the data) is approved by a separate order. In addition, if the organization uses standard paper accounting forms (books, registers, card files, etc.), clause 7 of Regulation No. 687 additionally requires that appropriate instructions for working with them be issued. Keep in mind that, besides employee data, organizations often need to collect and store data of clients and other citizens, so the Regulations can be extended to cover their personal data as well.

To summarize, we note that the development of regulations is a kind of insurance when conducting inspections of an organization by Roskomnadzor and other regulatory authorities. In addition, the provision makes it possible to streamline the activities of employees when working with personal information, which will increase the degree of protection, efficiency, and accuracy of processing.

Law No. 152-FZ defines personal data as any information relating directly or indirectly to the subject or allowing him to be identified (clause 1 of Article 3). The law itself does not spell out which specific information about an individual falls under this concept. In the context of labour relations it usually includes:

  • Date of Birth;
  • passport details;
  • registration and residence address;
  • SNILS number;
  • information about education and work experience.

This is just a minimum list of information about yourself that a person provides when applying for a job. In the process of cooperation, the following are added to it: the terms of the employment contract and additional agreements, information about military registration, social benefits, information about disciplinary sanctions and incentives, reports for statistical authorities and others. The array of information received constitutes the employee’s personal file.

Why do you need a regulation on working with personal data?

By hiring a person, the company takes on the functions of a personal data operator. In other words, the employer collects, stores, systematizes, accumulates and updates information relating to employees. Work with personal data is carried out both with and without automation tools. Confidential information is processed not only during the period of employment but also after it ends, at the archiving stage. Article 22.1 of Federal Law No. 125-FZ "On Archival Affairs in the Russian Federation" requires employees' personal files to be kept for 75 years if completed before January 1, 2003, and for 50 years if completed after that date. At every stage of processing, the employer must prevent transfer of personal information to third parties without legal grounds. The corresponding set of measures must be documented in the Regulations on working with employees' personal data.

Structure of the Personal Data Regulations

When drawing up the Personal Data Protection Regulations 2020, it is recommended to adhere to the following structure (chapter, then its content):

  1. Basic provisions: purposes of the document, governing laws, approval procedure.
  2. Basic concepts: definitions of the terms used in the document.
  3. Composition of employees' personal data: list of personal information.
  4. Data processing: conditions under which information is processed.
  5. Set of documents: list of documents containing personal information.
  6. Access to personal data: procedure for external and internal access to information.
  7. Protection of personal information: set of measures ensuring the security of confidential information.
  8. Rights and responsibilities of the employee: the employee's rights regarding data processing and the obligation to promptly report changes to his data.
  9. Liability for disclosure of information: explanation of liability under the law for breaches of information security.

How to implement the regulation on the processing and protection of personal data 2020

At the drafting stage, the content of the document should be agreed with the heads of the departments involved in data processing and with the legal service. The finished local regulatory act is approved by order. An order is also issued whenever the text of the document is amended. If for some reason the enterprise has no Regulations on the protection of personal data, they must be drawn up immediately and brought to the attention of all employees. New hires must read the Regulations before signing the employment contract. How familiarization is confirmed is at the employer's discretion; the most convenient way is to keep a log of familiarization with local regulations. The employee may request the text of the document as many times as necessary. To simplify this, it is recommended to post the Regulations on the processing of employees' personal data on the corporate electronic resources.

Personal data is "any information relating to an individual identified or identifiable on the basis of such information". This concept covers almost all the information an employer processes: the employee's date of birth, marital status, education, home address, etc. This data is stored in personal cards and is actively used in employment contracts and agreements, orders, payroll records, pay slips, applications and many other documents.

An employer can obtain personal data only first-hand, that is, from the person himself. If it is not possible to collect information personally, it can be obtained through third parties, but with the consent of the employee himself. At the same time, he should explain for what purpose the information is collected, how it will be used and what will happen if the employee refuses to give his consent to the collection and processing of information about himself.

The law limits the list of situations in which an employer can collect data. Among the main ones are:

  • preserving the life and health of employees;
  • assistance in employment and education;
  • assistance with career growth;
  • monitoring the employee's performance of his labour functions;
  • protection of material assets;
  • compliance with the law.

Responsibility for violations in working with personal data

From July 1, 2017, liability for errors in this area increases significantly. The list of violations for which an employer can be held liable has been substantially expanded, and the fines have been increased. These changes were introduced by Federal Law No. 13-FZ of February 7, 2017 "On Amendments to the Code of the Russian Federation on Administrative Offences". Instead of the single type of administrative liability previously provided for by Article 13.11 of the Code of Administrative Offences of the Russian Federation, there are now seven, each with its own fines:

  1. Use of personal data for purposes not provided for by law. Administrative punishment - a warning or a fine: for individuals - from 1,000 to 3,000 rubles, for officials - from 5,000 to 10,000 rubles, for legal entities - from 30,000 to 50,000 rubles.
  2. Processing of personal information without the employee’s consent. This also includes cases where the consent signed by the employee does not contain the list of information provided for in Part 4 of Art. 9 of the law. Administrative punishment - fines: for individuals - from 3,000 to 5,000 rubles, for officials - from 10,000 to 20,000 rubles, for legal entities - from 15,000 to 75,000 rubles.
  3. Failure to provide access to the organization's personal data processing policy. The employer is obliged to publish, in publicly available sources, a document setting out its policy in the area of protecting employees’ personal information. This is provided for in paragraph 2 of Art. 18.1 of Law No. 152-FZ of July 27, 2006, and from July 1 it becomes a separate offense entailing liability in the form of a warning or fines: for individuals - from 700 to 1,500 rubles, for officials - from 3,000 to 6,000 rubles, for individual entrepreneurs - from 5,000 to 10,000 rubles, for legal entities - from 15,000 to 30,000 rubles.
  4. Concealing from the employee information about the purposes, timing and methods of collecting, storing and processing information, about the third parties who will work with personal information on behalf of the employer, etc. In such cases the employer receives a warning or pays a fine: for individuals - from 1,000 to 2,000 rubles, for officials - from 4,000 to 6,000 rubles, for individual entrepreneurs - from 10,000 to 15,000 rubles, for legal entities - from 20,000 to 40,000 rubles.
  5. The employer's refusal to block or destroy personal data in accordance with Art. 21. Administrative liability - a warning or a fine: for individuals - from 1,000 to 2,000 rubles, for officials - from 4,000 to 10,000 rubles, for individual entrepreneurs - from 10,000 to 20,000 rubles, for legal entities - from 25,000 to 45,000 rubles.
  6. Storing personal data without automation tools, that is, only in paper form. If such an employer allows the destruction, leakage, unauthorized copying and/or distribution of an employee’s personal data, a fine is imposed: for individuals - from 700 to 2,000 rubles, for officials - from 4,000 to 10,000 rubles, for individual entrepreneurs - from 10,000 to 20,000 rubles, for legal entities - from 25,000 to 50,000 rubles.
  7. Failure to follow, or violation of, the procedure for depersonalizing data by employees of state and municipal authorities (Order of Roskomnadzor “On approval of requirements and methods for depersonalization of personal data”). In this case the official faces administrative liability in the form of a warning or a fine from 3,000 to 6,000 rubles.

The legislation allows fines for different violations to be added together, so errors or careless handling of information about employees can be very costly for the employer. In addition, from July 1, 2017, administrative cases concerning the handling of personal data may be initiated without the participation of a prosecutor: they can be initiated by Roskomnadzor officials (Clause 58, Part 2, Article of the Code of Administrative Offenses of the Russian Federation).

A correctly drafted Regulation on Personal Data, which should consolidate the legal norms and specify how they apply to the organization, will help you comply with the legal requirements.

How to draw up a Regulation on Personal Data

The law does not stipulate the name, structure or mandatory content of the document; the employer has the right to decide for himself what the Regulations will look like. When developing the document, the head of the organization and the personnel service specialists must rely on the above Federal Law, as well as on the corresponding Article of the Labor Code of the Russian Federation.

The Personal Data Regulations should reflect:

  1. General provisions: goals and objectives of the organization in the field of personal data protection, range of issues regulated by the Regulations.
  2. Composition of personal data: information that the employer uses within the framework of labor relations with the employee, a list of documents containing such data.
  3. The procedure for collecting and processing information, including storage methods and locations, measures to protect against unauthorized distribution. Among other things, there is a requirement to obtain information only from the person himself or, with his written consent, from third parties. The consent form can be prepared as an appendix to the Regulations.
  4. The procedure for transferring personal data both within the organization and to third parties and government agencies. This should reflect the legal requirement to transfer personal information about an employee to third parties only with his written consent. An exception is if it is necessary to protect the life and health of an employee.
  5. List of employees with access to personal data. Most often these are HR specialists, accountants, heads of structural divisions, etc.
  6. Responsibility for disclosure of employees’ personal data. The section should indicate the positions of those who are responsible for violating the rules of storage, processing and transfer of personal data, as well as the types of liability provided for by law (changes in this area are described in the section on liability above).

The regulation on the protection of employee personal data and the consent template are approved by the head of the organization. An approval stamp with the signature, the date of approval and the protocol number is placed on the title page of the document. To put the Regulation into effect, the head issues a separate order.

All employees must be familiarized with the Personal Data Regulations against signature. To record this, organizations often keep a separate journal listing the employees working in the company.

Consent to the processing of personal data

This is a document in which the person being hired allows the future employer to obtain the necessary information and use it within the framework of current legislation.

The employer has no right to collect and use personal information of employees without their written consent. The exception is data from medical institutions regarding contraindications to a certain type of activity.

Consent must include the following information (Part 4 of Art. 9 of Law No. 152-FZ):

  • Full name, address of the employee, passport details (or other identification document);
  • Full name, address of the employee’s representative, details of his passport (or other identification document), details of the power of attorney;
  • name (or full name) and address of the employer receiving the consent of the personal data subject;
  • list of personal data for the processing of which consent is given;
  • purpose of processing personal data;
  • a list of actions with personal data for which consent is given, a general description of the methods for processing this information;
  • the period during which the employee’s consent is valid, as well as the method of its withdrawal, unless otherwise established by federal law.

The document is signed by the employee after familiarization with the Regulations. The same consent must be provided if a person allows third parties to provide information about themselves.

An employer has no right to force a potential employee to provide any information about himself. If the applicant refuses to sign the Consent, the organization may reconsider its decision to admit that person to the staff. Any current employee of the organization may also revoke their consent (Part 2, Art. 9 of Law No. 152-FZ).

After the employer has received the employee’s consent to process personal information, he can entrust this to a third party, but responsibility for the safety of the information still lies with the employer.

The area of personal data protection has undergone truly large-scale changes, and the employer should be doubly careful both when drawing up the Regulations and when working with personal information about employees. Remember: the more detailed and specific the Regulations on Personal Data are, the more clearly the organization will be able to organize its work in this area of personnel records.