
1C: Enterprise protection of personal data. ZPK delivery set includes

On May 29, 2014, a lecture was held in Moscow at 1C: Lectures (Moscow, Seleznevskaya st., 34). Our readers who could not attend the lecture sent their questions within the framework of the Internet conference of the same name. During the event, Yuri Kontemirov, head of the department for the protection of the rights of personal data subjects at Roskomnadzor, and Irina Baimakova, an expert from 1C, answered questions about the protection of personal data and also analyzed the main errors identified by Roskomnadzor during its control measures.

Kot user : 1C: Enterprise 8.2z for small and medium enterprises. Medicine, government employees, military...? Who is this platform for and what is it for? In user mode, this should be buried with permissions. What about a third-party connection by means of a DBMS?

For four years now I have been wondering whether this is simply a way of pumping out money, by analogy with the "year 2000 problem". When I came, I launched a program on my computer, it did something, you said that everything was fine, and you were paid.

Irina Baimakova : The requirements of the Federal Law "On Personal Data" apply to any operators of personal data, i.e. any organization in which personal data is processed. Yes, indeed, the requirements for the protection of personal data, depending on the category of data and their volume, may differ significantly.

: What's so special about 8.2z? Why is personal data protected in it and what is wrong in terms of personal data protection in other versions of the eight programs?

Irina Baimakova : ZPK "1C: Enterprise, version 8.2z" is a certified version of the technological platform 1C: Enterprise 8.2. There are no functional differences between the certified version and the regular version. The modifications made taking into account the requirements of the FSTEC of Russia have been implemented in both the regular and certified versions of the technological platform.

The use of the ZPK "1C: Enterprise, version 8.2z" allows you to fulfill the requirement provided for in clause 2 of Article 19 of the Federal Law "On Personal Data" regarding the mandatory use of information protection means that have passed the conformity assessment, in relation to personal data processed using 1C software products.

Unregistered user : I have no idea how the program can become a panacea in the field of personal data protection. But what about the notorious human factor? After all, people work in the program.

Irina Baimakova : In this case, we cannot say that the program is a panacea. The protected software package "1C: Enterprise, version 8.2z" is one of the "building blocks" that allows you to build an information protection system and ensure compliance with the requirements of the current legislation of the Russian Federation in the field of personal data protection.

Unregistered user : Have there been any cases of data leakage from protected 1C?

Irina Baimakova : I do not have such data.

Unregistered user : Is 1C responsible for any data loss and leakage?

Irina Baimakova : Responsibility for the loss of data lies with the operator of personal data.

Unregistered user : Who needs to apply ZPK "1C: Enterprise, 8.2z"? What is included in the ZPK delivery set?

Irina Baimakova : The package ZPK "1C: Enterprise, version 8.2z" includes a distribution kit of the technological platform, a form, and documentation.

Unregistered user : What other software products can be used to protect personal data?

Irina Baimakova : There are a significant number of information security tools on the market. The need to use a particular product depends on the identified actual threats and requirements for the protection of personal data from a particular operator.

Unregistered user : What are the main potential dangers you see for personal data? What exactly does the protection guarantee or exclude?

Yuri Kontemirov : The main danger is leakage and illegal distribution of personal data, which can lead to negative consequences for a person, invasion of his privacy. It is possible to guarantee the actual protection of personal data only with an integrated approach to the organization of information protection, paying special attention to the "human" factor.

Unregistered user : In your opinion, how often do small companies face accounting data breaches?

Yuri Kontemirov : Unfortunately, I have no information on this issue.

Unregistered user : Why is "1C: Enterprise 8.2z" called protected? What is its fundamental difference from other products?

Irina Baimakova : In this case, "protected" is the name, i.e. verified by a testing laboratory for the absence of undeclared capabilities and for compliance with other requirements determined by the FSTEC of Russia.

ZPK "1C: Enterprise, version 8.2z" is a special product to meet the requirements of the current legislation on personal data by organizations and entrepreneurs using 1C software products.

Kaufen user : Organization purchased ZPK "1C: Enterprise 8.2z". What are the main differences between the platform and 1C: Enterprise 8.2, except for the FSTEC certificate? Has anyone come across such a platform?

Irina Baimakova : ZPK "1C: Enterprise, version 8.2z" is a certified version of the technological platform 1C: Enterprise 8.2. There are no functional differences between the certified version and the regular version.

The main difference is that the certified release has been checked by the testing laboratory, confirms compliance with the requirements specified in the certificate, and also contains the checksums given in the form of the ZPK "1C: Enterprise, version 8.2z".
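The answer above points at the one technical control a ZPK buyer can exercise themselves: the form lists checksums for the certified distribution, and an installation is only the certified release if its files match them. The following is an added example, not 1C's own code and not a tool from the ZPK package. It assumes (hypothetically) that the form has been transcribed into a text manifest with one `<hex digest>  <relative path>` line per file and that the digests are SHA-256; the page does not state the algorithm the real form uses, so `HASH_NAME` may need adjusting. The sample distribution tree and manifest are constructed inside the script.

```python
"""Verify a platform distribution against a transcribed checksum form.

Added example (not 1C code). Assumptions: the form is transcribed as
'<hex digest>  <relative path>' lines; digests are SHA-256. Both are
hypothetical; the page does not specify the form's format or algorithm.
"""
import hashlib
import os
import tempfile
from typing import Dict, List

HASH_NAME = "sha256"  # assumption: adjust to the algorithm the real form states


def file_digest(path: str, algo: str = HASH_NAME) -> str:
    """Hash a file in chunks so large distribution files do not load into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_form(text: str) -> Dict[str, str]:
    """Parse the transcribed form; blank lines and '#' comments are ignored."""
    expected: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"form line {lineno}: expected '<digest> <path>'")
        digest, rel = parts
        expected[rel.strip()] = digest.lower()
    return expected


def verify_distribution(root: str, expected: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare every file under root with the form.

    ok: digest matches; mismatched: digest differs (tampered or wrong release);
    missing: listed in the form but absent on disk; unlisted: present on disk
    but not in the form. Unlisted files matter: they are not part of the
    certified release, whatever their content.
    """
    result: Dict[str, List[str]] = {"ok": [], "mismatched": [], "missing": [], "unlisted": []}
    on_disk = set()
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            on_disk.add(os.path.relpath(full, root).replace(os.sep, "/"))
    for rel, digest in expected.items():
        if rel not in on_disk:
            result["missing"].append(rel)
        elif file_digest(os.path.join(root, rel)) == digest:
            result["ok"].append(rel)
        else:
            result["mismatched"].append(rel)
    result["unlisted"] = list(on_disk - set(expected))
    for key in result:
        result[key].sort()
    return result


def demo() -> Dict[str, List[str]]:
    """Constructed sample (not real 1C files): one intact file, one tampered
    file, one file missing from disk and one file absent from the form."""
    with tempfile.TemporaryDirectory() as root:
        files = {"bin/platform.bin": b"tampered-bytes", "docs/manual.txt": b"manual-text"}
        for rel, data in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        with open(os.path.join(root, "bin/extra.dll"), "wb") as f:
            f.write(b"not listed in the form")
        # Constructed form: correct digest for the manual, the digest of the
        # original (untampered) platform file, and one file that is absent.
        form = "\n".join([
            "# transcribed checksum form (constructed)",
            f"{hashlib.sha256(b'manual-text').hexdigest()}  docs/manual.txt",
            f"{hashlib.sha256(b'original-bytes').hexdigest()}  bin/platform.bin",
            f"{hashlib.sha256(b'readme').hexdigest()}  docs/readme.txt",
        ])
        return verify_distribution(root, parse_form(form))


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

Run it against a real installation by pointing `verify_distribution` at the installation directory and `parse_form` at the transcribed form; any entry outside `ok` means the installed copy cannot be treated as the certified release until the difference is explained.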

Unregistered user : We have a budgetary institution. Is there a modification of the ZPK "1C: Enterprise 8.2z" specifically for state employees and how much does the supported version cost?

Irina Baimakova : ZPK "1C: Enterprise, version 8.2z" is a certified version of the technological platform 1C: Enterprise 8.2, which can be used with any standard configurations, including those for budgetary institutions (e.g. "1C: Salary and Personnel of a State Institution", "1C: Accounting of a State Institution").

The procedure for selling and updating ZPK "1C: Enterprise, version 8.2z" is defined in information letter No. 12891 of the 1C company. You can get acquainted with it at the following link: http://1c.ru/news/info.jsp?id=12891

Unregistered user : The announcement of the lecture and the Internet conference talks about the main errors detected by Roskomnadzor during the implementation of control measures. I would like to know more about this, what errors are most often detected by the department?

Yuri Kontemirov : The most typical violations of the law, revealed during the control actions of Roskomnadzor, are reflected in the annual reports published on the agency's website.

Unregistered user : Please tell us about the certification of ZPK "1C: Enterprise, version 8.2z".

Irina Baimakova : Questions about the goals, procedure and results of the certification carried out by 1C are discussed in detail on the website buh.ru, including in the article "Certification of programs in order to comply with the legislation on the protection of personal data" on the primary certification of 2010 and in the article "Personal data protection - from 2011 to 2013, or changes over two years" on the certification carried out in 2013 and the renewal of the certificate.

Unregistered user : Do you think new measures are needed to prevent the leakage of personal data and increase the level of their protection? If so, which ones?

Yuri Kontemirov : To prevent personal data leaks, a reasonable comprehensive approach is important and special attention should be paid to the "human" factor.

Unregistered user : Does it make sense for individual entrepreneurs and small businesses to use such software products?

Irina Baimakova : In accordance with sub. 3 of clause 2 of Article 19 of the Federal Law of 27.07.2006 No. 152-FZ "On Personal Data", the use of information protection means that have passed the conformity assessment procedure in the established manner is one of the measures to ensure the security of personal data during their processing.

According to the requirements of Government Decree of 01.11.2012 No. 1119, the use of information security tools that have passed the procedure for assessing compliance with the requirements of the legislation of the Russian Federation in the field of information security is mandatory when the use of such means is necessary to neutralize current threats. Thus, whether or not information protection tools that have passed the conformity assessment, including the ZPK "1C: Enterprise, version 8.2z", need to be used is determined on the basis of the threat model.

The use of ZPK "1C: Enterprise, version 8.2z" allows you to fulfill with the lowest cost the requirements of the current legislation described above, as well as a number of requirements provided for by Order of the FSTEC of Russia dated 02/18/2013 No. 21.

Unregistered user : What are the adverse consequences of a data breach? For example, for individual entrepreneurs without employees.

Irina Baimakova : The main danger is leakage and illegal distribution of personal data, which can lead to negative consequences for a person, invasion of his privacy.

If an individual entrepreneur does not have hired workers, and, accordingly, the processing of personal data of either employees or other individuals is not carried out, then in this case it is hardly possible to assume a possible leak of personal data.

Protected software package "1C: Enterprise 8.3z" (x86-64). 64-bit version.

The structure includes a certified version of the technological platform "1C: Enterprise 8.3" and a set of documentation.

"1C: Enterprise 8.3z" is certified in the Information Security Means Certification System according to information security requirements No. ROSS RU.0001.01BI00 and has certificate of conformity No. 3442 (issued by the FSTEC of Russia on September 2, 2015). According to the certificate, the product meets the requirements of the guidance document "Protection against unauthorized access to information. Part 1. Software for information security. Classification according to the level of control of undeclared capabilities" (State Technical Commission of Russia, 1999) at the 4th level of control, and of the guidance document "Means of computing technology... Protection against unauthorized access to information. Indicators of security against unauthorized access to information" (State Technical Commission of Russia, 1992) at the 5th class of security, when following the operating instructions given in section 12 of the form included in the product package.

Certified copies of the platform are marked with conformity marks from No. К 605432 to К 615431.

All configurations developed on the 1C: Enterprise 8.3 platform (for example, "1C: Manufacturing Enterprise Management" or "1C: Salary and Personnel Management 8", etc.) can be used to create a personal data information system of any class, and additional certification of application solutions is not required.

Purposes and procedure for using the protected software package "1C: Enterprise, version 8.3z"

The protected software package "1C: Enterprise, version 8.3z" can be used to ensure the security of personal data in accordance with the Composition and content of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems, approved by order of the FSTEC of Russia dated February 18, 2013 No. 21, in personal data information systems of all security levels. ZPK "1C: Enterprise, version 8.3z" can be used both in organizations that are operators of personal data and process personal data on their own, and in organizations that provide services for maintaining the ISPD of several operators. ZPK "1C: Enterprise, version 8.3z" can be used both when processing information for one legal entity or entrepreneur and for a group of companies (holding).

The procedure for selling the software product Protected software package "1C: Enterprise, version 8.3z"

It is allowed to purchase ZPK "1C: Enterprise, version 8.3z" only in addition to the registered software products of the "1C: Enterprise" system, including the products "1C-Joint".

If for the product for which ZPK "1C: Enterprise, version 8.3z" is purchased, mandatory information technology support (ITS) service has been introduced, then the registered user must subscribe to ITS at the time of purchasing the ZPK.

ZPK delivery set includes:

  • direct distribution of the certified platform on disk;
  • sticker of the FSTEC of Russia;
  • checksum form;
  • the registration card of the protected product;
  • specification;
  • program description;
  • application description;
  • a copy of the FSTEC certificate.

PLEASE NOTE:

ZPK "1C: Enterprise, version 8.3z" can be used only if there are existing licenses and protection keys as part of previously purchased software products "1C: Enterprise 8";

use of ZPK "1C: Enterprise, version 8.3z" does not require renewal of previously purchased licenses;

PROTECTION KEYS ARE NOT INCLUDED IN THE SUPPLY OF ZPK "1C: Enterprise, version 8.3z"

The procedure for updating a protected software package

The 1C firm will systematically certify newly released versions of 1C: Enterprise, version 8.3z. In order to receive updates of the certified platform, 1C introduces an annual service fee.

The following method of receiving updates is provided: self-subscription for 6 or 12 months on the site http://www.online.1c.ru to receive updates in electronic format (information on the site is posted as updates are released).

No service fee is charged for the first year from the date of shipment of the certified platform from the 1C warehouse.

The set of update materials will include up-to-date information on organizing personal data protection, a toolkit and clarifications.

The cost of a paid subscription: Updating ZPK "1C: Enterprise 8.3z" (ONLINE subscription) for 6 months, and 12 months can be checked with the manager of our organization.

If a mandatory information technology support (ITS) service has been introduced for the product for which the ZPK is purchased, then the registered user must subscribe to the ITS at the time of purchasing the ZPK "1C: Enterprise, version 8.3z" update.

Accounting for personal data is an important component in the work of every organization. Whether a large enterprise or a small organization, all keep records of customers, suppliers and, above all, their employees, recording and storing the personal data of each of them. In doing so, the organization commits itself to the confidentiality and security of the information provided to it.

Federal Law of July 27, 2006 No. 152-FZ "On Personal Data" establishes the level of liability of organizations under its regulations. The law stipulates: "Persons guilty of violating the requirements of this Federal Law bear civil, criminal, administrative, disciplinary and other liability stipulated by the legislation of the Russian Federation."

On January 1, 2011, this law underwent some changes. It was amended, and several new provisions appeared. According to one of the main provisions of this law, all users of 1C programs must bring all personal data information systems that were created before January 1, 2010 into compliance with the requirements of this Federal Law.

Since the beginning of last year, the penalties for operators who commit violations in the processing of personal data have also increased significantly. Companies' information systems are regularly audited by the relevant regulatory authorities. If violations are found, in particular if the security of personal data is not one hundred percent ensured, the company cannot avoid penalties.

How to improve security? There is an answer.

To begin with, let's try to figure out what difficulties can arise for companies storing personal data of employees and customers.

So, the first thing. Based on the norms of the legislation, we will take the first steps to protect personal data and carry out a number of technical, organizational and administrative measures. Taking into account the level of development of the information system and the security of access to it for users as well as third parties, we will build an individual security complex.

Second. You will probably have to get your data protection software certified (if it is not already certified). Let us explain: certification is carried out by authorized bodies (for example, FSTEC). The software is subjected to deep research with a wide in-depth analysis, from the executable code to the source code of the programs. The level of control of undeclared software capabilities is analyzed.

As complicated and cumbersome as all of the above may sound, there are several more important factors affecting the successful work of any organization. Are you required to certify your software or not? It all depends on the class of the information system for processing personal data. There are four classes of systems in total. Certification is mandatory only for the first class; whether it is needed for the second and third classes is determined by the operator's specialist. A fourth class information system does not require certification.

The main distinguishing feature of the first class is the presence of information about race and nationality, about political views and religious beliefs, about the state of health or intimate life. The second case in which your information system can be ranked in the first class is the storage of information about more than one hundred thousand customers and employees. If you store personal data of employees, or information about sick leave, then your system belongs to the first class!

Be fully armed!

What to do? You can try to do everything yourself, arm yourself with frantic patience, plunge into the legislative jungle and heroically wade through it. Painstakingly study legal and technical terms. And if you are successful, you will understand what to do with your information system now. There will be many subtleties and questions in this matter. For example, what to do if the system does not pass certification: urgently change it, or leave it? What kind of software to certify, and what are "undeclared software capabilities"? Your head is spinning, but there are still no answers to the pressing questions?..

Let's try to help. So, undeclared capabilities? This means that it is possible to "download" information from your software in a manner not specified in its documentation.

The software used to store the personal data of your customers and employees is subject to certification. If you use Excel or Word, then certify these programs. If you use specialized software, subject it to certification.

But if you use 1C programs: store personal data, keep records of information in the program on the 1C: Enterprise platform - we can reassure you, you are all right!

Impenetrable protection against "1C"!

Firm "1C" does not leave its clients alone with the problems arising from innovations in the legislation. Recently, 1C released a new product, the protected software package "1C: Enterprise, version 8.2z", to protect information from unauthorized access. This product has successfully passed the certification of the FSTEC of Russia. The protected software package (ZPK) "1C: Enterprise, version 8.2z" is an approved general-purpose software tool with built-in means of protecting information from unauthorized access (NSD) for information that does not constitute a state secret.

No less important: each copy of the ZPK has its own certificate, and the number of protected software packages on sale is limited, since a limited number of packages have passed the certification.

The protected software package consists of:

  • direct distribution of the certified platform;
  • checksum form;
  • registration card of the protected product;
  • specification;
  • application description;
  • test documentation;
  • program description;
  • copy of the FSTEC of Russia certificate (plus the FSTEC sticker).

So, installing the protected software package in the company allows you to use all configurations running on the "1C: Enterprise 8.2" platform (for example, "1C: Salary and Personnel Management 8", "1C: Manufacturing Enterprise Management 8", etc.) when creating a personal data information system of any class. Additional certification of applied solutions is not required, since the platform is certified. Separate user licenses (keys) are not required either.

In addition, ZPK "1C: Enterprise, version 8.2z" supports a special mode of compatibility with versions 8.0 and 8.1. This allows it to be used with configurations developed for versions 8.0 and 8.1 without making changes to the configurations themselves. In this mode, applied solutions developed on the 1C: Enterprise platform versions 8.0 and 8.1 can be used with the version 8.2 platform without additional processing.

100% support

Are you a 1C user and a client of the Center for Integrated Business Development of 1C-Business Architect? You are doubly lucky!

The installation of the certified ZPK "1C: Enterprise, version 8.2z" will be carried out by a highly qualified specialist. The work will be done with high quality and within the offered free hours (2 hours for the 32-bit version and 4 hours for the 64-bit version).

If you want to additionally protect your data, experts will help you select and install the appropriate software.

Do you work with the 1C: Enterprise 7.7 product line, which is incompatible with 1C: Enterprise version 8.2z? Don't let this bother you. Our specialists have considerable experience in migrating clients from "7" to "8"!

We are ready to help you! Regardless of the volume and complexity of the tasks! Whether it is a full range of work from the correct organization of secure communication lines, workplaces, a server room and to the development of the necessary job descriptions, including appropriate training for your company's employees who work with personal information.

Specialists of the Center for Integrated Business Development "1C-Business Architect" will be happy to provide you with information and technical support.

From July 1, 2017, liability for violations when handling the personal data of individuals has been significantly toughened. This follows from the provisions of Federal Law dated 07.02.2017 No. 13-FZ. The changes will affect all employers, without exception, who process the personal data of employees and of contractors who are individuals. Moreover, the amendments apply to almost the entire business community that handles the personal data of individuals (for example, the owners of sites that collect personal data of visitors). How do you prepare for the change? Will fines increase? Who will identify violations in the processing of personal data? Let's figure it out.

Personal data: special information

Personal data of employees is any information required by an employer in connection with labor relations and relating to a specific employee (clause 1 of article 3 of Federal Law No. 152-FZ of July 27, 2006 "On Personal Data").

For an employer (organization or individual entrepreneur), the personal data of employees is most often summarized in their personal cards and personal files. At the same time, almost every personnel manager or HR specialist knows that personal data can only be obtained personally from employees. If personal information can only be obtained from third parties, then Russian legislation obliges the employer to notify the employee about this and obtain written consent from him (clause 3 of part 1 of Article 86 of the Labor Code of the Russian Federation).

Employers are not entitled to receive and process personal data that are not directly related to the person's labor activity. That is, it is impossible to collect information, for example, about the religion of employees. After all, such information is a personal or family secret and can in no way be associated with the performance of job responsibilities (clause 4 of part 1 of Article 86 of the Labor Code of the Russian Federation).

Having received personal data, the employer, by virtue of the requirements of the legislation, is obliged not to distribute or disclose it to third parties without the consent of the employee (Article 7 of the Federal Law of July 27, 2006 No. 152-FZ).

Personal data can be understood as any information directly or indirectly related to a specific individual (subject of personal data) - paragraph 1 of Article 3 of the Federal Law of July 27, 2006 No. 152-FZ. Examples of such information can be surname, first name, patronymic, date and place of birth, place of residence, etc.

How an employer is obliged to protect personal data

In order to protect and restrict access to personal data, the employer must ensure a high-quality and modern system for their protection. How exactly do you do this? This issue is decided by each employer independently. At the same time, the procedure for receiving, processing, transferring and storing personal data should be fixed in a local act of the organization, for example, in the Regulation on the processing of personal data of employees (Articles 8 and 87 of the Labor Code of the Russian Federation, clause 2 of part 1 of Article 18.1 of the Federal Law of July 27, 2006 No. 152-FZ).

Also, the employer must have an officially appointed employee who is responsible for working with personal data (part 5 of Article 88 of the Labor Code of the Russian Federation). This could be, for example, a human resources employee who handles personal files, obtains the consent of employees for processing, maintains employee cards, etc.

Employer checks on the processing of personal data are carried out by Roskomnadzor divisions. By order of the Ministry of Telecom and Mass Communications of the Russian Federation No. 312 dated November 14, 2011, the Administrative Regulations for Roskomnadzor's performance of functions related to the implementation of state control (supervision) were approved.

What liability applies to employers

For violation of the procedure for obtaining, processing, storing and protecting personal data of employees, disciplinary, material, administrative and criminal liability is provided (Article 90 of the Labor Code of the Russian Federation, part 1 of Article 24 of the Federal Law of July 27, 2006 No. 152-FZ). Let's take a look at each of these responsibilities.

Disciplinary responsibility

Employees who, by virtue of labor relations, are obliged to comply with the rules for working with personal data but violated them can be brought to disciplinary responsibility (Article 192 of the Labor Code of the Russian Federation). That is, it is possible to hold accountable, for example, the manager of the personnel department who is entrusted with the relevant work. For a disciplinary offense in the collection, processing and storage of personal data, the employer can punish the employee by applying one of the following penalties (part 1 of Article 192 of the Labor Code of the Russian Federation):

  • remark;
  • reprimand;
  • dismissal.

Material liability

Material liability of an employee may arise if a violation of the rules for working with personal data causes the organization direct actual damage (Article 238 of the Labor Code of the Russian Federation). Suppose that a responsible employee of the HR department committed a gross violation: he disseminated the personal data of employees on the Internet. The employees, having learned about this, filed a lawsuit against the employer, and the court ruled: "to pay the injured employees monetary compensation of 50,000 rubles each". In such a situation, the employer has the opportunity to hold the employee to limited financial liability within the limits of his average monthly earnings (Article 241 of the Labor Code of the Russian Federation). Recovery of the damage caused can be carried out by order of the manager no later than one month from the date of the final determination of the amount of damage caused by the employee. If the monthly period has expired, then the damage will have to be recovered through the court. This procedure is provided for in Article 248 of the Labor Code of the Russian Federation.


With full financial responsibility, the employee will have to fully reimburse the organization for the entire amount of damage incurred in connection with violations in the field of personal data (Articles 242 and 243 of the Labor Code of the Russian Federation). However, as a rule, the employees responsible for the processing of personal data are not entrusted with full financial responsibility.

Disciplinary and material liability is applied by the employer (for example, a commercial organization) solely at its discretion. State regulatory bodies (including Roskomnadzor) do not take part in this process.

Administrative responsibility

For violation of the procedure for the collection, storage, use or dissemination of personal data, supervisory authorities can bring the employer and its officials to administrative responsibility in the form of fines, which may amount to:

A separate (independent) fine for officials for disclosing personal data in connection with the performance of official or professional duties ranges from 4,000 to 5,000 rubles. Such measures of responsibility are described in Articles 13.11 and 13.14 of the Code of Administrative Offenses of the Russian Federation.

Criminal liability

Criminal liability for a director, chief accountant or head of the human resources department of a company or another person responsible for working with personal data may arise for illegal actions:

  • collection or dissemination of information about the private life of an employee, which constitutes his personal or family secret, without his consent;
  • dissemination of information about the employee in a public speech, publicly displayed work or mass media.

For such violations in terms of handling personal data, the following measures of criminal liability are allowed:

  • a fine of up to 200,000 rubles (or in the amount of the convicted person's income for a period of up to 18 months);
  • compulsory work for up to 360 hours;
  • correctional labor for up to one year;
  • forced labor for up to two years, with or without the deprivation of the right to hold certain positions or engage in certain activities for up to three years;
  • arrest for up to four months;
  • imprisonment for up to two years with the deprivation of the right to hold certain positions or engage in certain activities for up to three years.

The same acts committed by a person using his official position are punished more severely:

  • a fine of 100,000 to 300,000 rubles (or in the amount of the convicted person's income for a period from one to two years);
  • deprivation of the right to hold certain positions or engage in certain activities for a period of two to five years;
  • forced labor for up to four years, with or without the deprivation of the right to hold certain positions or engage in certain activities for up to five years;
  • arrest for a term of four to six months;
  • imprisonment for up to four years with the deprivation of the right to hold certain positions or engage in certain activities for up to five years (Article 137 of the Criminal Code of the Russian Federation).

What will change from July 1, 2017

Federal Law of 07.02.2017 No. 13-FZ expanded the list of grounds for bringing an employer to administrative responsibility in the field of personal data protection and also increased the amount of administrative fines. This law comes into force on July 1, 2017. We must say right away that administrative responsibility in the field of personal data has been significantly toughened. At the same time, the following is important: instead of the single type of administrative liability described in Article 13.11 of the Administrative Code of the Russian Federation, seven will appear. Thus, it will be possible to apply different fines for different violations by employers in the field of personal data. If several violations of different kinds are revealed, then, accordingly, the number of fines may increase. Let us explain the new offenses in more detail.

Violation 1: processing personal data for "other" purposes

Since July 1, 2017, the processing of personal data in cases not provided for by law, or the processing of personal data incompatible with the purposes for which it was collected, is an independent administrative offense (part 1 of Article 13.11 of the Code of Administrative Offenses of the Russian Federation). Here is an example: the employing organization collects personal data of employees and transfers this data to third-party companies for advertising purposes (name, phone numbers, regions of residence and income level are transferred). The advertising firms then begin sending employees spam and advertising offers by phone, e-mail and to their home addresses. If no criminal offense is found in such actions of the employer, administrative liability may be applied. From July 1, 2017, the administrative penalty may be as follows:

  • either a warning;
  • or a fine.

Violation 2: processing personal data without consent

The processing of personal data by the employer is, as a general rule, possible only with the written consent of employees. Such consent must include the following information (part 4 of Article 9 of the Law of July 27, 2006 No. 152-FZ):

  • full name and address of the employee, details of the passport (or other identity document), including the date of issue of the document and the issuing authority;
  • name or full name and address of the employer (operator) receiving the employee's consent;
  • the purpose of processing personal data;
  • a list of personal data for the processing of which consent is given;
  • name or full name and address of the person processing personal data on behalf of the employer, if the processing will be entrusted to such a person;
  • a list of actions with personal data for which consent is given, and a general description of the methods used by the employer to process personal data;
  • the period during which the employee's consent is valid, as well as the method of its withdrawal, unless otherwise provided by federal law;
  • employee signature.

Since July 1, 2017, the processing of personal data without the written consent of the employee, or on the basis of written consent that does not contain the information listed above, is an independent administrative offense provided for in part 2 of Article 13.11 of the Administrative Code of the Russian Federation. The following penalties are possible for it:

Violation 3: access to the personal data processing policy

The operator of personal data (for example, an employer or a website) is obliged to publish or otherwise provide unrestricted access to the document defining its policy on the processing of personal data and to information on the personal data protection requirements it has implemented. An operator that collects personal data on the Internet (for example, through a website) is obliged to publish on the Internet a document defining its policy on the processing of personal data and information on the personal data protection requirements being implemented, as well as to provide access to the specified document... This is provided for by paragraph 2 of Article 18.1 of the Law of July 27, 2006 No. 152-FZ.

Many Internet users encounter this obligation in practice. For example, when you submit a request on a website and enter your full name and e-mail, you may notice a link to documents such as "Policy for the processing of personal data", "Regulation on the processing of personal data", etc. However, it must be admitted that some sites neglect this and provide no such link. As a result, a person who submits a request on the site does not know for what purposes the site collects personal data.

Some employers also list available vacancies on their websites and invite candidates to fill out an "About Me" form. In such cases, the website must also provide access to the Personal Data Processing Policy.

Since July 1, 2017, part 3 of Article 13.11 of the Administrative Code of the Russian Federation sets out an independent offense: the operator's failure to fulfill the obligation to publish or provide unrestricted access to a document containing its policy on the processing of personal data or information on their protection. Liability under this part may take the form of a warning or an administrative fine:

Violation 4: withholding information

The personal data subject (that is, the individual to whom this data belongs) has the right to receive information regarding the processing of his personal data, including the following information (part 7 of Article 14 of the Law of July 27, 2006 No. 152-FZ):

  1. confirmation of the fact of personal data processing by the operator;
  2. legal grounds and purposes of personal data processing;
  3. the purposes and methods of processing personal data used by the operator;
  4. the name and location of the operator, information about persons (with the exception of the operator's employees) who have access to personal data or to whom personal data may be disclosed on the basis of an agreement with the operator or on the basis of federal law;
  5. processed personal data relating to the relevant subject of personal data, the source of their receipt, unless another procedure for submitting such data is provided for by federal law;
  6. terms of processing personal data, including the terms of their storage;
  7. the procedure for the exercise by the subject of personal data of the rights provided for by this Federal law;
  8. information on the performed or expected cross-border data transfer;
  9. name or surname, first name, patronymic and address of the person who processes personal data on behalf of the operator, if the processing is entrusted or will be entrusted to such a person;
  10. other information provided for by the Federal Law or other federal laws.