Sample of consent to the processing of personal data according to the new rules - example of an application

Many actions related to record keeping cannot be carried out without consent to the processing of a person’s personal data. An adult citizen of the Russian Federation can give permission to interact with the personal information and data of his child under 18 years of age.

The most stringent requirements in this area are imposed on employers receiving documents from employees. According to Law No. 152-FZ, in order to avoid fines, it is necessary to obtain an application from each employee; it is better to do this directly when hiring a new person to the staff.

Does an employer need to obtain employee consent to process personal data?

The legal side of the issue is regulated by Federal Law No. 152-FZ, to which a number of important changes have been introduced since March 2021. In particular, a new article 10.1 has been added, which talks about the additional obligation to obtain separate consents in case of dissemination of personal data. That is, starting from 2021, you must separately obtain a permit application for the processing of personal information and for the transfer of this data to third parties or their publication in the media, on Internet portals, and websites.

Read more about the obligation to obtain separate consent for the dissemination of personal data of employees.

Paragraph 1 of Article 6 of Law 152-FZ states that the employer is obliged to request permission from a subordinate to process personal information. The clause itself does not indicate the existence of an employment contract as an obligation to transfer personal data, however, the employer has the right to ask the employee for any information that will ensure the normal implementation of the duties of both parties to the employment contract.

The very fact of permission given by the employee must be documented - in writing in the form of an application. This consent is a guarantee for the person that his personal data will be used strictly for its intended purpose by the employer’s employees and will not be “directed in the other direction.” Written consent is considered one of the types of employee protection from violation of his rights.

The information that the employer has the right to request can be divided into three groups:

  • “general” data – those that are publicly available (full name, gender, citizenship, date and place of birth);
  • “numeric parameters” – INN, SNILS numbers, series and passport number with the date of issue;
  • additional biographical information – nationality, religion, criminal record, etc.

Article 14 of the Labor Code of the Russian Federation regulates that HR department specialists are responsible for maintaining the confidentiality of employees’ personal data.

If an employee refuses to sign a consent form, the employer has no right to force him to do so. But you need to take into account that in this case the employer will not be able to officially register the applicant for work.

How to write an application?

Standard forms for writing applications for data processing can be found on the official website of Roskomnadzor. You can also see an example of consent there. The document can also be drawn up in free form, the main thing is to include in it the details specified in Art. 9 Law 152-FZ.

In general, you need to comply with the general requirements for preparing business documentation:

  1. In the “header” in the upper right corner, indicate the name of the employing company, the name and position of its manager.
  2. The line below contains information about the applicant (full name, place of permanent registration with postal code, series and number of passport with date and place of issue).
  3. The title should indicate “Consent to the processing of personal data.”
  4. In the body of the application itself, you must refer to the current legislative acts in the prescribed form, writing “I, full name, in accordance with Art. 9 of Federal Law No. 152-FZ, I agree to...” Then you need to list all the required information and what it can be used for by the employer.
  5. At the bottom of the document, certify its authenticity with the date of writing and a personal signature with a transcript.

The application must be submitted to the head of the enterprise, and then sent to the personnel department to create a personal card for a new employee. As a rule, the application is written only once at the time of hiring, but can be submitted in the future if necessary, or the employee’s passport details change.

Sometimes the application may indicate the validity period of the permit. Law 152-FZ allows you to revoke consent at any time at the request of the employee; for this, the employee needs to write a corresponding application for revocation.

It is understood that the consent is written voluntarily, so there is no need to make additional notes about the absence of coercion on the part of the employer.

for 2021

.

.

Fines for lack of employee permission

An employee who is already on staff may refuse to write a new consent to the OPD, and this often will not greatly affect his future work. But a new employee without such paper will not be able to get a job, because his data will be needed by the personnel department, accounting and office.

For violation of legislation in the field of interaction with personal data and the lack of written permission from individuals, the employer may incur administrative and even criminal liability.

The amounts of fines are established by Art. 13.11 Code of Administrative Offenses of the Russian Federation:

  • OPD in cases not provided for by law - a fine in the amount of 1 thousand for citizens to 50 thousand for legal entities;
  • for processing without the written consent of the subject - an administrative fine for citizens from 3 to 5 thousand rubles, for officials - from 10 to 20 thousand, for legal entities - from 15 to 75 thousand rubles;
  • failure by the operator to comply with unlimited access to the OPD policy - from 700 to 1000 rubles for citizens, from 3000 to 6000 for officials, from 5000 to 10000 for individual entrepreneurs, from 15000 to 30000 for legal entities;
  • untimely transfer of personal data to government agencies - a penalty in the amount of 100 rubles to 5 thousand rubles;
  • illegal collection of personal data – a fine of up to 200 thousand rubles and up to 360 hours of correctional labor;
  • illegal public dissemination of personal data of employees – a fine of up to 300 thousand rubles and forced labor for up to 5 years.

In less severe cases, the employer may face disciplinary or civil penalties.

Working with applicant’s personal data

Processing of personal data of applicants for filling vacant positions involves obtaining the consent of applicants for filling vacant positions to process their personal data for the period while the employer makes a decision on accepting or refusing employment (clarifications of Roskomnadzor dated December 24, 2012 “Issues relating to the processing of personal data of employees , applicants for vacant positions, as well as persons in the personnel reserve").

The exception is when:

  • a recruitment agency with which the applicant has entered into a corresponding agreement acts on behalf of the applicant;
  • the applicant independently posts his resume on the Internet, accessible to an unlimited number of people.

If an organization receives an applicant’s resume via e-mail or fax, it needs to take additional measures aimed at confirming that the applicant himself sent the said resume.

For example, such events include inviting the applicant to a personal meeting with authorized employees of the employer, feedback via email, etc.

If an applicant questionnaire is used to collect personal data of applicants, the format of such a questionnaire must comply with the requirements of clause 7 of the Regulations on the specifics of processing personal data carried out without the use of automation tools (approved by Decree of the Government of the Russian Federation of September 15, 2008 No. 687 ).

If an employer receives a resume from which it is impossible to clearly identify the sender, it should be destroyed on the day of receipt.

The same must be done with information received from the applicant in the event that he is not hired.

30 days are allotted for data destruction.

This might be interesting:

Company documents: how many years to keep?

conclusions

The employer is required to obtain written permission from the employee to process personal data. Consent is drawn up in free form, taking into account the details established by Art. 9 of Law 152-FZ.

The body of the application should list the required personal data and the purpose for which it can be used by the employer. For violation of the law, the employer faces administrative or criminal liability. Thus, for processing data without consent, the company will be fined up to 75 thousand rubles.

How to draw up a Regulation on the protection of personal data of employees

CLOSED JOINT STOCK COMPANY "PROGRESS" APPROVED the order of the General Director of CJSC "Progress" dated
April
13
, 20
07
No.
43 REGULATIONS on the protection of personal data of employees
in Moscow
1. GENERAL PROVISIONS 1.1. These Regulations have been developed in order to protect the personal data of employees of the Progress Closed Joint Stock Company (hereinafter referred to as the Company). 1.2. This Regulation has been developed in accordance with the requirements of the Labor Code of the Russian Federation, Federal Law No. 152BFZ of July 27, 2006 “On Personal Data” and defines a system for processing and protecting employee personal data obtained in the course of business activities and necessary in connection with labor relations. Employee personal data is information required by the employer in connection with employment relations and relating to a specific employee. Processing of an employee’s personal data – receiving, storing, combining, transferring or any other use of the employee’s personal data. 2. LIST OF DOCUMENTS AND INFORMATION CONTAINING PERSONAL DATA OF THE EMPLOYEE 2.1. In accordance with the Labor Code of the Russian Federation, a person applying for work at the Company presents to the employer the following documents containing his personal data: – passport or other identification document that contains information about his passport data, place of registration (place of residence), marital status ; – work book, which contains information about the employee’s work activity; – insurance certificate of state pension insurance, which contains information about the number and series of the insurance certificate; – certificate of registration with the tax authority, which contains information about the taxpayer identification number; – a document on education, qualifications or the presence of special knowledge, containing information about education, profession; – military registration documents that contain information about the military registration of those liable for military service and persons subject to conscription for military service. 2.2. The list of documents and information containing personal data includes: – employment contract; – information about health status; – information about wages. 3. GENERAL REQUIREMENTS FOR PROCESSING PERSONAL DATA AND GUARANTEES OF THEIR PROTECTION 3.1. The processing of an employee’s personal data is carried out solely for the purpose of ensuring laws and other regulations, assisting the employee in employment, training and promotion, ensuring the personal safety of the employee, the safety of property, and monitoring the quantity and quality of work performed. 3.2. All personal data of the employee is transferred to him personally. If the employee’s personal data can only be obtained from a third party, then the employer is obliged to notify the employee about this in advance and written consent must be obtained from him. The employer is obliged to inform the employee about the purposes, sources and methods of obtaining personal data, as well as the nature of the personal data to be received. 3.3. The employer does not have the right to receive and process the employee’s personal data about his political, religious and other beliefs and private life. In cases directly related to issues of labor relations, in accordance with Article 24 of the Constitution of the Russian Federation, the employer has the right to receive and process data about the private life of an employee only with his written consent. 3.4. The employer does not have the right to receive and process employee data about his membership in public associations or his trade union activities, except in cases provided for by federal laws. 3.5. When making decisions affecting the interests of an employee, the employer does not have the right to rely on the employee’s personal data obtained solely as a result of their automated processing or electronic receipt. 3.6. Protection against misuse of an employee's personal data is provided by the employer at his own expense in the manner prescribed by federal law. 3.7. The employee must be familiarized with these Regulations against signature. 4. PROCEDURE FOR STORING AND USE OF EMPLOYEE PERSONAL DATA 4.1. The employee’s personal data is stored after automated processing on electronic media and in paper form in the employee’s personal file. 4.2. Personal data in paper form is stored in a safe. The key to the safe is kept by the general director. 4.3. Personal data on electronic media is stored in the 1C: Salaries and Personnel program. The general director and the head of the personnel department have access to the program. Login to the program is carried out only by entering the user's personal password. 4.4. Access to an employee's personal data is permitted only to those officials who need personal data for business activities in accordance with the List of Specially Authorized Persons (Appendix 1). 4.5. Employees responsible for storing personal data, as well as employees who possess personal data due to their official duties, are required to not disclose confidential information about employees’ personal data. 4.6. Control and audit bodies have external access to personal data of employees if they have documents on the basis of which they conduct an audit. Remotely, personal data of employees can be submitted to control and supervisory authorities only upon written request. Insurance funds, non-state pension funds, other organizations, as well as relatives and family members of the employee do not have access to the employee’s personal data, except with the written consent of the employee himself. 4.7. Automated processing and storage of personal data of employees is allowed only after all basic information protection measures have been completed. 4.8. Premises in which personal data of employees are stored must be equipped with reliable locks and an alarm system. 5. RULES FOR TRANSFER OF PERSONAL DATA OF EMPLOYEES 5.1. When transferring an employee’s personal data, the person responsible for storing personal data must comply with the following requirements: – do not disclose the employee’s personal data without his written consent, except in cases where this is necessary in order to prevent a threat to the life and health of the employee, as well as in cases established by federal law; – warn persons who have received the employee’s personal data that this data can only be used for the purposes for which they were communicated, and require confirmation from these persons that this rule has been complied with; – do not disclose the employee’s personal data for commercial purposes; – do not request information about the employee’s health status, except for that information that relates to the issue of the employee’s ability to perform a job function. 5.2. The employer has the right to transfer the employee’s personal data within one organization in accordance with this Regulation, which the employee is familiar with against signature. 5.3. The employer has the right to transfer the employee’s personal data to the employee’s representative in the manner established by the Labor Code of the Russian Federation, and limit this information only to those personal data of the employee that are necessary for the specified representative to perform his functions. 6. RIGHTS OF AN EMPLOYEE FOR THE PURPOSES OF PROTECTING PERSONAL DATA STORED BY THE EMPLOYER The employee has the right: – to full information about his personal data and the processing of this data; – free and free access to this data, including the right to receive copies of any record containing the employee’s personal data; – to request the exclusion or correction of incorrect or incomplete personal data processed in violation of the Labor Code of the Russian Federation and these Regulations; – to the requirement that the employer notify all persons who were previously informed of incorrect or incomplete personal data of the employee about all exceptions, corrections or additions made to them; – to identify their representatives to protect their personal data; – to appeal to the court against unlawful actions or inaction of the employer in the processing and protection of the employee’s personal data. 7. LIABILITY FOR VIOLATION OF THE STANDARDS GOVERNING THE PROCESSING AND PROTECTION OF PERSONAL DATA 7.1. For violation of the rules governing the receipt, processing and protection of employee personal data, the perpetrators bear responsibility in accordance with federal laws: – disciplinary; – administrative; – civil law; – criminal. 7.2. An employee who submits false documents or knowingly false information about himself to the employer bears disciplinary liability up to and including dismissal. 8. FINAL PROVISIONS 8.1. This Regulation comes into force from the moment of its approval by the General Director and is put into effect by his order. 8.2. The provision is mandatory for all employees of the Company. Agreed by: Chief Accountant Voronova
/Voronova E.L./ Head of HR Department
Voevodina
/Voevodina G.I./ Legal Consultant
Nikolaev /Nikolaev S.P./

Rating
( 1 rating, average 4 out of 5 )
Did you like the article? Share with friends:
Для любых предложений по сайту: [email protected]