What does consent to the processing of personal data mean? Form of employee consent to the processing of personal data. Consent to the processing of personal data: sample Written consent of citizens to the processing of their data

Personal data refers to personal information relating to an individual. This includes not only full name and passport data, it can be character traits, place of residence, date of birth, personal characteristics, information taken from work book or other documents. It would seem that such information is often publicly available. However, you need to understand that their use is permitted only if the individual provides permission.

Conventionally, personal information about a person is divided into three groups:

  1. Public. Such information may include date of birth, full name, nationality and gender individual.
  2. Biometric. Physiological and external parameters and features are indicated here.
  3. Special. Information about place of work, hobbies, religion, health, law-abidingness.

If someone uses the data of the last two groups without the consent of their owner, this is considered a violation of the law. Naturally, such actions will have to be answered before the law. However, in the modern world, when great attention is paid to the safety of personal data, even publicly available information belonging to the first group cannot be used without permission.

Consent form

To give your consent to the use of personal information for any specific purposes, simply fill out a special form. Of course, consent can be written in any form. However, it will be more convenient to use a template. You can fill it out not only by hand, but also on the computer. If consent is concluded within the organization, a special form is used here. At the same time, it contains not only information about the employee, but also the name of the company of which he is an employee.

It is recommended to carefully approach the procedure for drawing up a permit. Here the data owner has the opportunity to indicate which information can be used. It also indicates what exactly it allows to do with this information.

Although the law provides for a certain period of validity of this document and the ability to revoke it at any time, it is also recommended to indicate this in the document. In addition, the individual must indicate that he is giving permission voluntarily, without any coercion. The person confirms his words with a signature.

The legislation does not provide for any specific validity period of the document on consent to the processing of personal data. However, when concluding consent to the processing of their data, an individual must indicate the method by which he can withdraw it. The expiration date is also indicated. of this document. Here you can use one of the options:

  • Specify a specific date after which given consent will be considered invalid;
  • Please note that the consent will be valid until the data owner writes a written cancellation of this document;
  • Make a note that this permission will expire immediately after the operator uses the data.

In addition, the data owner has the right to change the validity period of the document, or cancel it early. As a rule, the review is drawn up in the same form in which the permit was drawn up. An individual can also increase this period. Amendments can be made if necessary. To avoid any difficulties with your consent in the future, all changes are not only confirmed by signatures, but also indicated by dates.

For quite some time now, personal information has been the property of a person. Any actions with her without consent are a violation of the law. Today he is active Civil service, engaged in monitoring the safety of information. If the operator deliberately or accidentally discloses the received data, he faces disciplinary or administrative responsibility. Depending on the circumstances, liability may also be criminal.

This kind of information is “asked for” in various institutions that people encounter throughout their lives. If a person does not mind the use of his data for any specific purpose, he gives permission in writing.

However, not every document needs to be signed. First you need to carefully read its text. If difficulties arise with the correct analysis of documents, it is recommended to seek help from a qualified lawyer. It will help you determine whether the organization requiring the data is exceeding its authority. The specialist will also tell you whether it is possible to give permission to use the requested data. For example, if a citizen has a criminal record and wants to get a job, for example, as a salesperson, he may not provide this information. This information indicated only if the desired position can be obtained only in the absence of a criminal record.

(Video: “Consent to the processing of personal data of children, legal consequences. Collection of information about children.”)

Educational, medical, government and other institutions quite often ask for personal information with permission to process it. Most often it is requested:

  • during employment;
  • when registering a child for school or preschool;
  • when drawing up a contract by a financial or insurance organization.

Each operator must obtain permission to use the information. But the law provides exceptions in certain circumstances:

  • When collecting information by federal services;
  • To provide public services;
  • For legal proceedings;
  • To protect the rights of a citizen when it is not possible to obtain his consent;
  • To protect the rights of third parties;
  • Journalists are allowed to use some data without the citizen's consent;
  • Once open data is legally available, it can also be used without permission.

In many other situations, permission − necessary condition to use the information. Moreover, every citizen, confirming such a document, must have an idea of ​​the purposes for which the information will be used. For example, if after a purchase a store asks for your permission to notify you about promotions, this should be clearly stated.

(Video: “Changes from 07/01/2017 and consent form for the processing of personal data - Elena A. Ponomareva”)

In some cases, taking personal data from citizens is required by law. For example, when applying for a job, an employee will have to provide personal information. After all, an employment contract obliges the company to know where the employee is registered, what education he has, and what his name is. Although consent is not needed here, because the company does not intend to use this data. However, if translation is intended wages to a bank card, the company will have to provide your data financial organization. Naturally, this will require your permission.

Who has the right to process information about a person

The person or organization that collects and processes personal information is called a processor. Certain requirements are imposed on such persons:

  • The operator must ensure that the data received is completely safe;
  • Control over compliance with the law on personal data between the employee and the company;
  • Monitor the correctness of granting permission and cancellation;
  • Use the received data only in accordance with the law;
  • It is strictly forbidden to copy information onto any media without permission, or make videos or photos of it;
  • When entering information into a computer, the operator must protect it from leakage.

When information is processed by a company employee, the rules of his work are prescribed in job descriptions. Of course, the company requires confidentiality of the information received. In this case, the operator must, in any convenient way, publicly familiarize all company employees with the rules for the provision and processing of personal data.

Before starting to collect information, the operator must register with Roskomnadzor. It is entered into the register, thereby notifying of its intention to work with personal information.

To provide your consent, you just need to fill out a special form. It can be obtained free of charge from the organization that requires your data. You can also download the form to fill out online. To fill it out, you must use exclusively Russian. Enter details of documents issued only by Russian institutions. If the form is being filled out by a minor, you will need to provide the details of his guardian or parent.

Is it possible to process information about a person without the consent of the owner?

There are situations in which consent to the processing of personal information is not a prerequisite:

  • If it is planned to post information about employees on the Internet. For example, educational and medical institutions must provide information about the qualifications and education of their employees;
  • When it is necessary to process information from close relatives, for example, to process alimony or social payments;
  • In the event that you need to know about the employee’s health in order to understand how capable he is of performing his duties;
  • If necessary, transfer information to the prosecutor's office, police, military commissariat, security service, Pension fund;
  • To prevent a threat to the life and health of a citizen.

Written statement of consent to the processing of personal data

Any work with information should begin only after receiving written consent. It is enough to fill out a form containing the following points:

  • passport details;
  • purpose of processing;
  • name of the organization for which the information is provided;
  • duration of the permit;
  • review options;
  • signature of the person to whom the information belongs.

Withdrawal of consent to the processing of personal data

As a rule, information is used almost immediately after written permission is received. Thus, there is simply no point in revoking it, since the operator, after using the data, simply deletes it. In any case, every citizen has the right to withdraw his consent. For example, if a person provided his data when applying for a job. Upon dismissal, he may withdraw his consent by requesting that the existing information be deleted or destroyed. In addition, a citizen has the right to withdraw his consent if there are suspicions that the information is being used for other purposes.

The review is issued in the same format as the permit. To do this, you need to contact the operator to whom personal information was previously provided and submit an application to him. Within one month after accepting the application, the operator must stop processing the data and destroy it.

The law provides for situations when information processing is not stopped despite the provision of a written response:

  • The information is used to fulfill obligations under an international treaty;
  • The citizen provides government services, therefore information about it is posted on the Unified Portal and is available to every visitor;
  • When vital interests are protected;
  • The person himself made the information publicly available, for example, through social networks;
  • Information is used in research;
  • The data concerns the debtor from whom the debt is collected through the court;
  • The information is the property of the author of the articles or a journalist who carries out professional activities.

The conclusion of an employment relationship between an employee and an employer obliges the latter to properly collect, systematize, accumulate, update, store and use any information relating to a specific employee or allowing him to be identified. Such information is combined under the concept of personal data, and the listed processes and operations are called processing. At the legislative level, both terms are defined and regulated by the Constitution Russian Federation, and chapter 14 Labor Code Russian Federation. A sample permission to use personal data is mandatory document, which must be issued to each employee and given to him to sign. In case of its absence, the company will face a fine.

Composition of the employee's personal data

Legislative documents do not contain a strict listing of personal data. As a rule, the employee provides the following information to the employer:

  • about education;
  • labor and general experience;
  • family composition;
  • military registration;
  • wages;
  • social benefits;
  • position held;
  • having a criminal record;
  • address at the place of registration and residence;
  • contact numbers;
  • places of work or study of family members;
  • conditions employment contract;
  • availability of declared material assets;
  • materials on advanced training, retraining, certification and internal investigations and others.

What to write in the application

First of all, it must formulate the permission to process personal data itself, no matter how trite it may sound. Work with information should begin with the consent of the employee. The need for this step is dictated by clause 1 of Art. 6, which reads:

“consent... is given by the subject... or his representative in any form that allows confirming the fact of its receipt, unless otherwise established by Federal Law.”

  • Full name and passport details of the employee or his representative;
  • full name and address of the employer;
  • purpose of information processing;
  • list of data to be processed;
  • validity period of the permit;
  • ways to withdraw consent;
  • employee signature.

Why is consent to processing during employment formed?

In fact, the employer gets access to the employee’s personal data at the time of reviewing the resume or application form, i.e. before official employment. Consequently, from this moment the employer has the right to attract, in accordance with Art. 90 Labor Code of the Russian Federation, to administrative, disciplinary or criminal liability in case of incorrect handling of the information received. To protect the interests of both parties, it is first necessary to provide the employee with a sample application for permission to process personal data for review. The corresponding document must be signed before concluding an employment contract.

If the employee refuses to sign the consent

In accordance with paragraph 1 of Art. 9, the provision of data about oneself is given by the subject voluntarily. Thus, the employee has the right not to give consent if the use of data about him is not directly related to the performance of job responsibilities. In other words, refusal to sign the authorization should not prevent labor relations. Moreover, it is not required when it comes to transferring information to the Pension Fund of the Russian Federation, the tax service and other bodies established by law. However, in practice, refusal sometimes entails the inability to carry out labor activity, for example, when the employer has established access control.

To be honest, we thought that after the peak of activity in the summer of 2017, we would never raise the topic of personal data protection (hereinafter in the article - PD). It seemed to us that the topic had exhausted itself... that it would never be of interest to anyone, since almost everyone already had an understanding that personal data must be protected, like one’s own child, from the crazy outside world.

But no matter how much we would like to sit on a unicorn and ride it to the land of fantasy along the rainbow, the fact remains that our personal data is still at risk. The litmus test for us, and therefore for regulators in this area, is consent to PD processing. And, unfortunately, we are forced to admit that most of the consents that we see in everyday life are either drawn up illiterately or not drawn up at all.

Therefore, just in case, we will repeat it for those who still do not understand the issue in the tank.

What is consent to the processing of personal data and why give it?

This is a declared fact that the PD subject (usually your client) allows the processing of his PD, and in some cases, its use for marketing purposes. But we’ll dwell on marketing goals a little later.

Why should this fact be declared?

Because from the point of view of clause 3 of Article 9 of the Federal Law “On Personal Data” FZ-152 (hereinafter referred to as FZ-152), the obligation to provide evidence of obtaining consent or proof of the existence of grounds not to collect such consent rests with OPERATOR, that is, on you.

ABOUT! Are there cases when consent can NOT be collected? What are these?

Yes, of course, there are such cases and they are described in clauses 2-11, part 1, article 6, part 2. Article 10 and Part 2 of Article 11. In short (actually not briefly, but as much as possible) in simple words), then these are the cases:

  • processing is carried out to perform the functions assigned to the operator by law;
  • processing is carried out in connection with the participation of a person in legal proceedings or is necessary for execution judicial act;
  • processing is carried out for the purpose of providing state and municipal services;
  • the subject is a party to an agreement under which he is a beneficiary;
  • processing is carried out to protect the life and health of the subject, if it is impossible to obtain consent;
  • processing is necessary for professional journalistic, scientific, literary or other creative activities, unless the legal rights of the PD subject are violated;
  • processing is carried out for statistical purposes, subject to depersonalization of personal data;
  • processing of PD is carried out, which the PD subject himself has made publicly available;
  • processing of personal data is carried out, which are subject to mandatory disclosure in accordance with the legislation of the Russian Federation;
  • processing is carried out in connection with international treaties about readmission*

_____________________________

* Readmission (English to readmit - to take back) is the consent of the state to accept back into its territory its citizens (as well as, in some cases, foreigners who were previously located or living in this state) who are subject to deportation from another state.

_____________________________

  • in accordance with the law “On the Population Census”;
  • processing is carried out in accordance with labor legislation;
  • processing is carried out for medical or medical-prophylactic purposes by a person professionally engaged in medical activities, which is subject to medical confidentiality legislation;
  • PD of members of a public or religious organization is processed by the organization itself in accordance with the law and PD is not transferred without the consent of the subject;
  • processing is carried out in accordance with the legislation of the Russian Federation on defense, on security, on countering terrorism, on transport security, on anti-corruption, on operational investigative activities, on enforcement proceedings, on the procedure for entry and exit, on citizenship of the Russian Federation;
  • when processed by prosecutorial authorities in connection with the implementation of prosecutorial supervision;
  • processing is carried out in accordance with the legislation on compulsory types of insurance;
  • processing is carried out in accordance with the legislation of the Russian Federation for the purpose of placing children without parental care.

If your activity falls under any of these points, then MAYBE You don’t have to obtain consent to process personal data from your clients. But... that's not certain. If you see something similar to your activity, then be sure to refer to Federal Law-152 and read the listed points yourself, and also support your knowledge with legislation in the field of your activity. Because the task of proving that you do not have to take consent lies on your shoulders.

What must be in agreement?

And now to the question of how to correctly draw up consent to the processing of personal data. From the point of view of our beloved Federal Law-152, the consent must necessarily include:

  • full name of the PD subject;
  • PD subject address
  • number of the main identification document, as well as the date of issue and by whom it was issued;
  • all the same information about the representative of the PD subject, as well as the details of the document confirming the grounds of the representative to act on behalf of the subject (for example, if the subject is a child, then the basis for the parent’s action will be the child’s birth certificate or the parent’s passport with a note about the child);
  • name or full name, as well as address of the PD operator;
  • purpose of PD processing (clear and understandable);
  • list of personal data for the processing of which consent is given;
  • name or full name, as well as the address of the operator on behalf, if any (i.e. if you transfer the processing of your clients’ personal data to another legal entity, then the client must also agree with this and know about it);
  • a list of actions for which consent is given (they can be found in Article 3 of Federal Law-152);
  • the period during which the consent is valid;
  • signature of the subject of personal data.

You wrote that the subject must provide his full name, address, as well as details of an identity document. But what if I only process my full name, email and phone number?! Why do I need to know his passport details?

Good question, in this case we usually write in consent like this: “Full name, address and details of an identity document are processed exclusively in paper form in order to obtain consent to the processing of personal data.”

How to sign a consent?

We said that consent to PD processing must include the signature of the PD subject, but we did not say in what form. On at the moment Federal Law 152 assumes that consent is obtained in writing with a handwritten signature of the subject or in the form of an electronic document signed with an electronic signature.

What should I do if my client (the PD subject) and I never see each other in person and he doesn’t have an electronic signature?

In the same article 9 of Federal Law-152 in paragraph 1 there is a wonderful proposal “Consent to the processing of personal data may be given by the subject of personal data or his representative in any form that allows confirmation of the fact of its receipt, unless otherwise provided by federal law.” We also made an official request to the regulator (Roskomnadzor), although it is not authorized to interpret the legislation. In this request, we directly asked whether the use of check boxes (this is where you need to check a box) is suitable for obtaining consent to processing. So, the regulator answered us unequivocally - it’s suitable. So if you never meet your personal data subjects in person and electronic signatures they cannot have it, then your only opportunity to obtain consent is to check the box on the site. But this does not negate the fact that you are obliged to tell the subject about the policy for protecting his personal data, as well as provide the text of consent in electronic form.

We seem to have sorted out the main points. Now let's talk about the main errors (accidental or intentional) that we see in consents.

Mistake #1. There is no agreement in principle.

Without comment, we have already answered the question why it is needed and in what cases there is no need for consent.

Mistake #2. Not all data is provided.

Once again, we ask you to carefully read the list of information that must be included in the consent.

Mistake #3. PD is transferred to third parties, but specific names are not indicated in the consent.

There are situations when companies, for one reason or another, do not want to say to whom PD is transferred. Dear subjects, it seems to us that this is a reason to think about how transparently the company providing you services conducts its business. To say to whom they can transfer your personal data is their sacred duty, prescribed by law. So stop fussing, let’s directly indicate to whom we transfer the personal data of our subjects.

Mistake #4. From the point of view of Federal Law-152, the company is not at all obliged to take consent and everything seems to be correct, it does not take it, but at the same time, for example, it posts information about employees on its website or transfers personal data to third parties.

This is a 100% violation of the legislation “On Personal Data”. Even if you may not consent to the processing of personal data of subjects, you must consent to the transfer of personal data to third parties, unless otherwise provided by law, and also take consent to post personal data on public resources, which is the organization’s website, honor board , telephone directory, etc.

Mistake #5. Consent to the processing of personal data is filled out by an employee of the organization, asking the subject for his personal data.

It is not directly stated anywhere that this cannot be done, but in this case an interesting picture emerges. You have an additional channel for information leakage, which will undoubtedly complicate your life in terms of personal data protection, so just don’t do it.

And for dessert, let's talk a little about marketing.

Many... many companies collect phone numbers and email addresses to send out “useful” information about promotions and other cool things (articles, advertising, etc.). So, in Article 15 of Federal Law-152 it is written in black and white that you are required to obtain additional consent for sending out marketing information or political campaigning. And immediately stop mailing at the request of the subject!


Well, as a bonus to everyone who read/scrolled to the end of the article, an example of consent to the processing of personal data.

If you have any questions, you can ask them by email:

Consent to the processing of personal data is an official document that allows organizations to work with a citizen’s personal information. Any legal entity or individual who receives, uses, transmits or stores such information must have it. The article contains a sample agreement for the processing of personal data and requirements for its execution.

What is considered personal information of citizens?

Personal data and the procedure for handling them are regulated by Federal law dated July 27, 2006 No. 152-FZ. In accordance with this document, any information relating to him is considered personal information of a citizen. What exactly this information about a person is is not disclosed in the law, but in practice it is subject to protection:

  • Full name;
  • date and place of birth;
  • residence and registration address;
  • marital status and property status;
  • education;
  • nationality and political views;
  • religion and health status;
  • other general and specific information that allows you to identify a citizen.

Usually the person provides all this information himself. Users of such information become government bodies, medical, educational and credit organizations, commercial structures. All of them are considered personal data operators and must have an agreement with citizens on the processing of their personal information.

What actions with personal data require the consent of citizens

Law No. 152-FZ states that consent is required for any action (or combination thereof) performed with personal information:

  • collection and recording;
  • systematization and accumulation;
  • clarification and use;
  • extraction and anonymization;
  • transfer of both the information itself and access to it;
  • blocking and storage;
  • deletion and destruction of information.

It doesn’t matter how exactly the processing takes place: on paper, with or without automation tools, online - the operator must obtain consent from each owner to process personal data (post it on the website, for example). At the same time, the activities of employers with personal data are a separate case, since they are additionally regulated by Chapter 14 of the Labor Code of the Russian Federation. And they must receive a written statement of consent to the processing of personal data from each employee - a document that differs slightly from the general sample.

Sample consent form for the processing of personal data

Officials do not provide a standard form of permission to manipulate citizens’ personal information. But the agreement itself must be drawn up in writing, and there are a number of requirements for it (Article 9 of Law No. 152-FZ):

  • the main criteria of the document are specificity, awareness and consciousness;
  • among the mandatory details of the personal data subject are full name, address, passport details;
  • the operator's name, address and, if desired, contact information should be provided;
  • in agreement indicate:
    • the purpose of obtaining information and acting on it;
    • list of data that the citizen transmits;
    • names of third parties who may have access to the information;
    • the duration of the agreement and the method of its revocation;
    • personal signature of the personal data owner.

For employers, all these requirements are also relevant, but they must also be guided by the norms of the Labor Code of the Russian Federation. In particular, they are prohibited from working with specific personal information of employees, and all general personal data are allowed to be used only for the implementation of employer functions (filing reports, preparing a package of documents for employment, sending for training or qualification assessment, etc.).

A sample of filling out consent to the processing of personal data from an employee looks like this.

How to draw up consent to the processing of personal data, watch our video:

Why do you need the employee’s written consent to process his data?

Obtaining a person's written consent to process his personal data becomes necessary for a legal entity or individual who gains access to this data. The main issues related to personal information about a person are regulated by the Law “On Personal Data” dated July 27, 2006 No. 152-FZ. These include:

  • determination of the range of information that is personal;
  • establishing conditions for the processing, storage and destruction of data by their recipient;
  • a description of situations both requiring and not requiring a person’s consent to process information about him;
  • listing the rights of the personal data carrier to become familiar with the results of their processing;
  • determining the responsibility of persons who disclosed personal information.

The most common case of obtaining and processing personal information about a person is the collection and analysis by an employer of information about its employee (already employed or newly hired).

In addition to publicly available information, to which Law No. 152-FZ includes data on full name, gender, date of birth, the employer also needs other information contained in the documents presented for employment (Article 65 of the Labor Code of the Russian Federation) :

  • in an identity card (passport);
  • work book;
  • Pension Fund certificate;
  • training documents;
  • military registration documents;
  • additional certificates (in particular, about no criminal record) or documents, the presence of which is a condition of employment for a certain job.

The collection and processing of such data requires the employer to obtain the employee’s prior written consent to these actions (Clause 1, Article 9 of Law No. 152-FZ). Consent is voluntary and can be revoked by the employee.

Read about what else you need to do when concluding an employment contract in the article “The procedure for concluding an employment contract (nuances)” .

Read about responsibility for disclosure of personal data.

What is included in the consent statement?

The list of main points that must be reflected in the document confirming consent to the processing of personal data is contained in clause 4 of Art. 9 of Law No. 152-FZ. This:

  • information about the person authorizing the processing of data (full name, passport details) or his representative (he will additionally need a document certifying his authority);
  • information about the recipient of personal information (name or full name, address);
  • determining the purpose for which the data is provided;
  • list of information that is subject to processing;
  • methods of data processing, including indication of another person who will perform the processing, if there is an intention to involve him in this;
  • the validity period of the consent or the method of its withdrawal;
  • handwritten signature of the person giving permission.

ATTENTION! In the statement of consent to the processing of personal data, it is advisable to indicate 1 purpose for which the information is collected. Currently, there is no direct prohibition to include several purposes for processing personal data in one consent. At the same time, there is a risk that Roskomnadzor and then the court will consider this a violation (Resolution 9 of the Arbitration court of appeal dated August 16, 2016 No. 09AP-30182/2016-AK). But the Ministry of Telecom and Mass Communications has prepared a draft according to which it will be possible to include several goals in one statement.

Read about the basic principles of drawing up a document certifying the authority of a representative in the article “Power of attorney to receive salary - sample” .

2020 Consent Document: Form and Sample

The consent form for the processing of personal data does not have a legally approved form. When registering it, you only need to comply with the obligation to include in it the information provided for in paragraph 4 of Art. 9 of Law No. 152-FZ. Each recipient of personal information can develop a consent form independently, reflecting in it the list of information he needs and the features of their processing.

One of the consent samples for the processing of personal data can be found on our website.

Results

According to current legislation, the processing of most personal data about a person must be carried out with his written consent. The document containing such consent does not have a specific form, but there is a list of mandatory information that must be included in it. The final list of necessary personal data is developed by the recipient of this information.



Related publications