HR Operator Errors Associated with Human Resources

More than 10 years have passed since the adoption of the Federal Law of July 27, 2006 N 152-ФЗ "On Personal Data"; however, the supervisory activity of Roskomnadzor shows that far from everyone has mastered the practice of applying it. In particular, the statistics for 2016 clearly show one of the typical mistakes of operators, in most cases related to personnel work (apparently because it is the most common activity), namely:
"Inconsistency of the content of the written consent of the personal data subject to the processing of personal data with the requirements of the legislation of the Russian Federation (part 4 of article 9 of the Federal Law of July 27, 2006 No. 152-FZ "On Personal Data") - approximately 9% of the total number of violations identified in 2016."
Let's take another look at this issue, all the more so because, thanks to changes in the legislation, fines have increased significantly.
So, according to Art. 13.11 of the Administrative Code of the Russian Federation, until 2017 the maximum penalty for an official was a fine of 1 thousand rubles, and for a company up to 10 thousand rubles.
On July 1, 2017, amendments entered into force that strengthen administrative responsibility (Federal Law dated 07.02.17 No. 13-FZ). The amendments introduce additional offenses in Art. 13.11 Administrative Code and increase fines. In particular, the law introduces liability of legal entities for the following violations:
- processing personal data in cases not prescribed by law (part 1 of article 13.11 of the Administrative Code of the Russian Federation) - a fine from 30 thousand to 50 thousand rubles;
- processing personal data without written consent when the law requires such consent (part 2 of article 13.11 of the Administrative Code) - a fine of 15 to 70 thousand rubles;
- non-publication by the operator of a policy regarding the processing of personal data when such an obligation is prescribed by law (part 3 of article 13.11 of the Administrative Code) - a fine of 15 to 30 thousand rubles.
An employee may be held administratively liable, but not only that. He also bears material liability (clause 7 of article 243 of the Labor Code of the Russian Federation), disciplinary liability (subparagraph "c", clause 6, part 1 of article 81 of the Labor Code of the Russian Federation) and even criminal liability (part 2 of article 137 of the Criminal Code of the Russian Federation).
Liability may fall both on the offending employee (for example, one who copied the customer base to a USB flash drive and handed it to a competitor) and on the employee who is responsible for the processing of personal data in the company.
What about the employee's consent?
Roskomnadzor, in its recommendations (the full text of the document is available here), identifies 5 main cases in which consent need not be obtained from the employee.
The processing of personal data of an employee, civil servant does not require the receipt of the relevant consent of these persons, provided that the amount of personal data processed by the employer does not exceed the established lists, and also complies with the purposes of processing provided for by labor legislation, the legislation of the Russian Federation on the state civil service.
The employer has the right, without appropriate consent, to process the personal data of the employee in cases stipulated by the collective agreement, including the internal labor regulations, which are, as a rule, the annex to the collective agreement, the agreement, as well as the local acts of the employer, adopted in the manner established by art. 372 of the Labor Code of the Russian Federation.
In addition, obtaining the employee's consent to process personal data is not required in the following cases:
1. The obligation to process, including publishing and posting personal data of employees on the Internet, is provided for by the legislation of the Russian Federation.
Information on the activities of medical organizations, educational institutions, state bodies and local governments
For example, according to paragraph 7 of Part 1 of Art. 79 of the Federal Law of November 21, 2011 N 323-ФЗ "On the Basics of Protecting the Health of Citizens in the Russian Federation", a medical organization is obliged to inform citizens in an accessible form, including via the Internet, about the medical activities it carries out and about its medical workers, their level of education and their qualifications.
In accordance with the Rules for posting on the Internet and updating information about an educational institution, approved by Decree of the Government of the Russian Federation of 04/18/2012 No. 343, an educational institution must post on its official website on the Internet, and update within the time period established by the Law of the Russian Federation of 10.07.1992 N 3266-1 "On Education", information that includes the following personal data: last name, first name, middle name of the founder of the educational institution, its location, work schedule, e-mail address; first name, patronymic of the head of the educational institution, its location, schedule, e-mail address, contact phone; first name, surname, patronymic, position of the heads of structural units including branches and representative offices, their location,
Relevant obligations are also established by Federal Law of 09.02.2009 N 8-ФЗ "On ensuring access to information on the activities of state bodies and local governments", according to which state bodies and local governments are required to provide access to information on their activities, including information on the heads of the state body, its structural divisions, territorial bodies and representative offices abroad (if any), the heads of the local government body, its structural divisions, and heads of subordinate organizations (surnames, first names, patronymics, positions, work phones). Other information may be indicated only with the consent of these persons.
2. The processing of personal data of close relatives of the employee in the amount provided for by the unified form N T-2, approved by the resolution of the State Statistics Committee of the Russian Federation dated 05.01.2004 N 1 “On the approval of unified forms of primary accounting documentation for labor accounting and payment”, or in cases established by the legislation of the Russian Federation (receipt of alimony, registration of admission to state secrets, registration of social payments).
In other cases, obtaining the consent of close relatives of the employee is a prerequisite for the processing of their personal data.
3. Processing of special categories of the employee's personal data, including information about the state of health related to the question of whether the employee can perform a labor function, on the basis of the provisions of clause 2.3 of part 2 of article 10 of the Federal Law "On Personal Data" in the framework of labor legislation.
4. When transferring the employee’s personal data to third parties in cases where it is necessary in order to prevent threats to the life and health of the employee, as well as in other cases provided for by the Labor Code of the Russian Federation or other federal laws.
Transfer of personal data of employees to the Social Insurance Fund of the Russian Federation, Pension Fund of the Russian Federation
The employer, according to Art. 22 of the Labor Code of the Russian Federation, is obliged to carry out compulsory social insurance of workers in the manner prescribed by federal laws, in particular the Federal Law "On Compulsory Pension Insurance in the Russian Federation", the Federal Law "On the Basics of Compulsory Social Insurance" and the Federal Law "On Compulsory Medical Insurance in the Russian Federation".
Thus, the transfer of personal data of employees to the Social Insurance Fund of the Russian Federation, the Pension Fund of the Russian Federation is carried out without their consent.
The consent of the employee or public servant is not required when transferring his personal data in cases related to the performance of his official duties, including when he is sent on a business trip (in accordance with the Rules for the provision of hotel services in the Russian Federation, approved by the Government of the Russian Federation on 04.25.1997 N 490, and regulatory legal acts in the field of transport safety).
The exceptions where consent need not be obtained also include cases when the employer transfers the personal data of employees or civil servants to the tax authorities, military commissariats and trade union bodies as provided for by the current legislation of the Russian Federation.
So, in accordance with Articles 17 and 19 of the Federal Law of 12.01.1996 N 10-ФЗ "On trade unions, their rights and guarantees of activity", in order to carry out their statutory activities trade unions are entitled to receive, freely and without hindrance, from employers, their associations (unions, associations), public authorities and local government bodies, information on social and labor issues, including for monitoring compliance by employers and officials with labor laws, the labor contract (contract), working hours and rest periods, remuneration, guarantees and compensations, benefits and advantages, as well as other social and labor issues in the organizations that employ members of the union, and have the right to demand the elimination of violations.
In the case of motivated requests from prosecutors, law enforcement agencies, security agencies, from state labor inspectors when they exercise state supervision and control over compliance with labor laws and other
An employee’s consent is not required upon receipt, within the established powers, of motivated requests from prosecution authorities, law enforcement agencies, security agencies, and state labor inspectors when they exercise state supervision and control over compliance with labor laws and other bodies authorized to request information about employees in accordance with competence provided for by the legislation of the Russian Federation.
A reasoned request should include an indication of the purpose of the request, a link to the legal grounds for the request, including the confirming powers of the body that sent the request, as well as a list of the information requested.
In the case of requests from organizations that do not have the appropriate authority, the employer must obtain the consent of the employee to provide his personal data and notify the persons receiving the personal data of the employee that these data can only be used for the purposes for which they were communicated, and also require from these persons confirmation that this rule will (has) been respected.
It should be noted that the transfer of employee personal data to credit organizations that open and maintain payment cards for payroll is carried out without his consent in the following cases:
- an agreement to issue a bank card was concluded directly with the employee and the text of which provides for the transfer of the employee’s personal data by the employer;
- the employer has a power of attorney to represent the interests of the employee when concluding an agreement with a credit institution for the issue of a bank card and its subsequent servicing;
- the corresponding form and system of remuneration is prescribed in the collective agreement (Article 41 of the Labor Code of the Russian Federation).
5. The processing of the employee's personal data when implementing the access regime to the territory, office buildings and premises of the employer, provided that the access regime is organized by the employer itself, or if this processing complies with the procedure provided for in the collective agreement or the local acts of the employer adopted in accordance with Art. 372 of the Labor Code of the Russian Federation.
When attracting third-party organizations for personnel and accounting, the employer must comply with the requirements established by Part 3 of Art. 6 of the Federal Law "On Personal Data", including obtaining the consent of employees to transfer their personal data.
Common mistakes
Everything seems quite simple and clear, so where is the mistake? At the recent International Conference "Protection of Personal Data", Mikhail Emeliannikov cited in his speech the following data from audit materials:
The presence in the employee's written consent to the processing of personal data of information about the processing of personal data for several purposes, and the indication in it of several persons who process personal data on behalf of the operator. The applicant's consent to the processing of personal data does not meet the requirements of paragraph 4 of part 4 of article 9 of the Law, in terms of indicating one purpose of processing personal data. The consent includes an indication of several persons who process personal data on behalf of the operator, which does not comply with the requirements of paragraph 6 of part 4 of article 9 of No. 152-ФЗ "On Personal Data" regarding the indication of a (single) person who processes personal data on behalf of the operator.
And one more explicit instruction of the court, from the same materials, to help understand the situation:
To eliminate the revealed violation, the Company needs to develop and use a standard written consent form for the processing of personal data of an employee, providing for one purpose of processing in the case of transfer of personal data of employees to third parties.
Court conclusion: ... if the purposes of processing personal data are beyond the scope of the Labor Code of the Russian Federation, for each case of transferring personal data of employees to third parties, it is necessary to obtain a separate written consent of the employee.
The decision of the Ninth Arbitration Court of Appeal dated 08.16.2016 No. 09AP-30182/2016-AK in case No. A40-17595/16
It is over these seemingly insignificant mistakes that lawsuits are being brought today.
In addition, the definition of personal data itself remains far from clear. Here, too, judicial practice continues to accumulate.
Usually, any organization has at least a standard set, plus or minus data from various access control systems (ACS), namely:
- Full Name;
- year, month, date and place of birth;
- address;
- marital, social, property status;
- education, profession, position, income;
- biometric personal data.
The practice of court decisions further expands the lists of personal data, for example, courts recognized personal data:
- information about the death of a citizen (Decree of the Federal Arbitration Court of the Volga District of September 25, 2014 in case No. A49-2005/2014);
- mobile phone number (appeal ruling of the Altai Regional Court of 01.10.13 in case No. 33-9241/2015);
- photographs of a citizen (appeal ruling of the Sverdlovsk Regional Court dated 04/09/15 in case No. 33-5232/2015).
Recently there has been a clear trend: the list of information that makes up personal data is becoming wider. Thus, the European Court of Justice, in its Decision of 10/19/16 in case No. 582/14 (Patrick Breyer v. Germany), recognized that under certain conditions even the IP address of an Internet user can be treated as personal data.
Nevertheless, the Law requires us to ensure the security of personal data, both in traditional paper document flow and in automated data processing.
How to comply with the requirements of the law?
The law states that personal data refers to confidential information (Article 7 of the Law No. 152-FZ). Operators and other persons who have gained access to them are required not to disclose to third parties and not to disseminate personal data without the consent of the subject. The operator must ensure the security of personal data. The measures depend on the method of data processing - using automation tools or manually.
Recommended measures are provided for the protection of personal data processed without automation (Article 19 of the Law No. 152-ФЗ and Clauses 13-15 of the Regulation approved by Decree of the Government of the Russian Federation of September 15, 2008 No. 687). One such measure is to define, in the company's internal documents, a list of persons who process personal data or have access to it. It is also necessary to store separately the personal data carriers that are processed for different purposes.
Automated processing of personal data is subject to the requirements for the protection of personal data during processing in information systems, approved by Decree of the Government of the Russian Federation of November 1, 2012 No. 1119 and Order of the FSTEC of Russia of February 18, 2013 No. 21. Fulfilling these requirements takes a number of organizational and technical measures, and you may have to bring in specialists from integrator companies.
For automated processing, you can also contact us and spare yourself at least part of the headache of compliance while reducing your costs. We offer at least two solutions that bring you closer to the image of the "ideal operator" keeping personnel records: