Personal data – any information relating directly or indirectly to a specific or identifiable individual (subject of personal data).
Operator – a state body, municipal body, legal entity or individual, independently or jointly with other persons organizing and (or) carrying out the processing of personal data, as well as determining the purposes of processing of personal data, the composition of personal data to be processed, actions (operations) performed with personal data.
Processing of personal data – any action (operation) or a set of actions (operations) performed using automation or without the use of such means with personal data, including the collection, recording, systematization, accumulation, storage, clarification (update, change), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data.
According to Art. 24 of the Constitution of the Russian Federation, the collection, storage, use and dissemination of information about the private life of a person without his consent is not allowed.
Art.6of the law No. 152-FZ dated 27.07.2006 sets cases of PD processing without the consent of the PD subject.
Prohibited data. The law prohibits to receive and process PD, relating to certain categories of his membership in public associations or trade Union activities (paragraph 4, 5 of article 86 of the Labour code), data relating to race, national origin, political, religious and other beliefs of the worker, his private life, health, love life (p. 1 article 10 of the law No. 152-FZ), biometric data – that is, the information describing the physiological characteristics and on the basis of which to establish his identity (p. 1 of article 11 of the law No. 152-FZ).
The purpose of PD processing. In accordance with article 86, paragraph 1, of the Labour code, the processing of an employee’s PD may be carried out solely for the purpose of ensuring compliance with laws and other regulatory legal acts, assisting employees in finding employment, training and promotion, ensuring personal security, monitoring the quantity and quality of work performed and ensuring the safety of property. In addition, in accordance with the principles of PD processing set out in article 5 of law No. 152-FZ, the scope and nature of PD should correspond to the purposes of their processing, which are defined and declared in advance when collecting data. Therefore, when drawing up the list of PD required by the employer, it should be specified for what specific purposes certain data are required.
Requiring PD from the third parties. All PD of the employee should be received from him (p. 3 of Art. 86 of the Labor code). Exceptions are cases where the PD is necessary for the employer in connection with the employment relationship, and the employee cannot provide them, but at the same time these data may be obtained from a third party. In this case, the employer is obliged to notify the employee and obtain his / her written consent to receive the data.
Internal data transfer. The order and the purposes of transfer of PD within the company must be established in the local regulation, which must be introduced under the signature of each employee. The right of access to employees’ PD can only be granted to persons specially authorized by the employer. Moreover, these persons are entitled to receive only the data that they need to perform specific functions (Art. 88 of the Labor code).
The transfer of data to third parties. The employee’s PD may be disclosed to third parties only with his / her written consent (article 88 of the Labor code). There are two exceptions to this rule: first, when it is necessary to prevent a threat to the life and health of an employee, and second, in other cases provided for by the Labour code or other Federal laws.
Data storage on the territory of the Russian Federation (article 18 of the law № 152-FZ)
When collecting PD, including through the information and telecommunication network “Internet”, the operator is obliged to provide record, systematization, accumulation, storage, specification (updating, change), extraction of personal data of citizens of the Russian Federation with use of the databases which are in the territory of the Russian Federation.
Cross-border transfer of PD (Art. 12 of law No. 152-FZ) is possible in the following cases:
* consent in writing of the personal data subject to cross-border transfer of his / her personal data;
• stipulated by international treaties of the Russian Federation;
* provided by Federal laws, if necessary to protect the foundations of the constitutional system of the Russian Federation, to ensure national defense and state security, as well as to ensure the security of sustainable and safe functioning of the transport complex, to protect the interests of the individual, society and the state in the field of transport complex from acts of illegal interference;
* execution of the agreement to which the personal data subject is a party;
* protection of life, health, other vital interests of the personal data subject or other persons if it is impossible to obtain the consent in writing of the personal data subject.