Responsibility for transferring personal data to third parties

The law on the transfer of personal data to third parties is regulated at the federal level. The documented document describes the correct processing of available information, its safety and destruction, takes into account options for the possible provision of such material at the request of the authorities, its intended use. A separate paragraph explains the cases of the imposition of monetary penalties for the discovery and dissemination of personal data without permission.

What is “personal information”?

On July 8, 2006, an edited document on this kind of data was published in the Federal Law, which provides relevant definitions of a legal act and its structural interaction with other laws. Its latest revision was carried out in 2017, it began with general provisions, described the conditions for the possible processing of information, the rights of citizens, the obligations of operators, and the supervision of government agencies.

Transfer of personal data to third parties - what is meant by this? This is any information directly or indirectly related to the subject. The disclosure of information must comply with certain principles in order to avoid possible penalties:

• following the intended purpose permitted by law;
• fairness and legality of data collection;
• the exception of the combination of goals and purposes when using information databases;
• directed collection of information, inadmissibility of their redundancy;
• relevance of information;
• the valid storage period, after which the data is depersonalized and deleted.

Confidentiality

For any targeted collection of information, there must be consent to the transfer of personal data to third parties. Without an officially signed document, no one has the right to verify certain personal data. The Federal Law prescribes the preservation of the information received, therefore, operators and consultants with access to the data do not have the right to distribute it without the consent of the subject. Information analysis is carried out only with written permission. In case of violation of the rules and principles of the disclosure of personal data, as well as confidentiality of available information about a citizen, a representative is liable for a certain nature. Most often, a fine, and in rare exceptional cases - a more serious punishment.

Phone call

The transfer to third parties of personal data, namely a telephone number and related information about its owner, including a detailed description of financial wealth and marital status, level of education, is also considered a violation of the law.

Such cases may occur when credit companies or firms wishing to get new customers may be asked to provide information about acquaintances, relatives, who may be interested in the proposed service. Many, without suspecting anything bad, no doubt spread to the consultants the necessary information about phone numbers, their owners, even the level of earnings. At first glance, trivial information, but made public without the consent of the owner, can become part of an administrative offense - article 13.11 of the Code of Administrative Offenses, for neglect of Law 152-FZ “On Personal Data”. In order not to become a hostage to an awkward situation, it is necessary to avoid the transfer of personal data to third parties without consent.

Banking

Most often, data is unconsciously transmitted, implying banking information that was not originally intended for publicity, which is already interpreted in part 2 of article183 of the Criminal Code "On the illegal disclosure of information constituting a commercial or banking secret, without the consent of their owner ...". When obtaining a loan or participating in any other financial transactions, the consent of the person whose credit history is planned to be verified is necessary. Otherwise, data verification will not be legally legal, and may endanger the interests of depositors and creditors. A client of a bank cannot, having come to the appropriate department or at the reception of a consultant, “automatically” consent to the systematization, collection, distribution and transfer to third parties of personal data. For this, there is a special document - consent, which is provided for signature before sending any customer information to the database.

In the case when the document is signed, the analysis of personal data, namely the inclusion of information in the credit bureau of the borrower is considered legal. After that, Art. 857 of the Civil Code of the Russian Federation, according to which the bank gives a guarantee of confidentiality about the bank account or deposit, as well as about other operations on the account and other information. In case of non-compliance with the rules and the concurrent disclosure by the bank of any information - the transfer to third parties of the client’s personal data, the credit institution may be required to recover damages. It is important that such controversial points were spelled out in the contract, otherwise it makes no sense to go to court.

Responsibility for breaking the law

Specific circumstances and the severity of the offense entail liability: administrative or criminal.

Administrative include:

1. Refusal to timely transfer to a citizen information permitted by law (Article 5.39 of the Administrative Offenses Code of the Russian Federation) involves a fine to an official from 5 thousand to 10 thousand rubles.
2. Analysis of personal data not prescribed by law, or violation of the intended purpose (part 1 of article 13.11 of the Administrative Code) - a warning or a fine persons - 3 thousand rubles., officials - up to 10 thousand rubles., legal. persons - up to 50 thousand rubles.
3. Processing information without a signed consent to the transfer of personal data to third parties (Part 2 of Article 13.11 of the Administrative Code) is a fine of up to 5 thousand rubles. for citizens, up to 20 thousand rubles. official subject, up to 75 thousand rubles. legal entity.
4. Failure to properly fulfill the obligations of operators to close universal access to data analysis (Part 3 of Article 13.11 of the Code of Administrative Offenses of the Russian Federation) - warning or recovery from citizens of up to 1 thousand rubles, officials up to 6 thousand rubles, with individual entrepreneurs up to 10 thousand rubles ., from jur. persons up to 30 thousand rubles.
5. Failure to anonymize data (Part 7 of Article 13.11 of the Code of Administrative Offenses) - a fine on an official of up to 6 thousand rubles or a warning.

The criminal liability for the transfer of personal data to third parties is the following violations and the corresponding sanctions:

1. Illegal receipt and public distribution of personal information (Art. 137 of the Criminal Code of the Russian Federation) - recovery of up to 200 thousand rubles. or compulsory labor up to 360 hours, or correctional labor - up to 1 year, or forced labor - up to 2 years, or arrest up to 4 months, or imprisonment up to 2 years.
2. With a similar act with the use of official position, the penalty increases to 300 thousand rubles. either forced labor up to 4 years, or arrest up to 6 months, or imprisonment up to 4 years. In each case, the employee is deprived of the right to occupy a certain position from 2 to 5 years.
3. Opening access to protected information resulting in its destruction, modification or copying (Art. 272 ​​of the Criminal Code of the Russian Federation) - a fine of up to 200 thousand rubles. or correctional labor up to 1 year, restriction or imprisonment up to 2 years, forced labor.

Other types of liability and related sanctions

The civil type of violation is also provided for the transfer of personal data to third parties, article 15 of the Civil Code, when losses are incurred (expenses for restoring the violated right, unearned income) when circumventing the law.Then the sanction is compensation for the damage caused. When causing moral harm under Art. 24 of the Law on Personal Data, Art. 151 of the Civil Code, compensation is also provided for, more often in cash.

The disciplinary liability applies to employees of the enterprise who have been convicted of disclosing and transferring personal data to third parties, Article 81, Part 1, Clause 6, Sub-Clause “C” of the Labor Code, as a result of which layoff is provided. In case of other violations in this area, Art. 90 and 192 of the TC involves a reprimand or comment.

Personal Information Protection

In order to prevent your individual information from falling into the circulation of information processing of undesirable personalities, it is worth remembering that for each such request it is necessary to sign a personally documented consent. For example, many financial institutions believe that with the conclusion of an agreement with a client, a citizen’s consent to the processing of his personal information automatically extends to the subsequent possible transfer of personal data by banks to third parties - collection agencies. If this clause is not in the agreement signed between the client and the bank, disclosing information about the borrower to representatives of such companies is illegal. An important aspect is to be careful when reading each contract, so that in case of violation of any of the points there are grounds for filing a lawsuit.

Worker and employer

The company decided to classify personal information as confidential information when there is a special mode of operation and a plan to protect all available data about employees. Often conflicts on this controversial topic arise in enterprises where disclosure and transfer of personal data of an employee to third parties is possible only on the basis of written consent. Employees who, due to their duty, have received and legally own their colleagues' data, are required to use them only for their intended purpose and in no case to disclose information. Exceptions may be determined only by federal laws.

Consent

A sample of the transfer of personal data to third parties, which will be posted below, must be executed in accordance with all the rules, in accordance with the law and the provisions noted in the legal acts of the company or enterprise. There is an unwritten instruction of special requirements for the preparation of this document, which is recommended to be written:

1. A cap where the full name of the company is indicated, as well as the name and position of the head to whom the paper is addressed.
2. The full name and position of the employee, passport details, place of residence are indicated below.
3. The essence of the consent of the transfer of personal data to third parties, sample: “I authorize the provision of my information and its processing in my interests in accordance with the Federal Law No. 152” (can be written in free form).
4. A list of what will be processed.
5. List of persons and legal organizations to which data can be transferred.
6. The nature of the planned analysis: mixed, systematized, including subsequent storage, transfer, depersonalization, destruction.
7. Validity.
8. The procedure and external circumstances in which the employee has the right to revoke the authority of the document.
9. Conclusion

What do I subscribe to?

When writing an application for the transfer of personal data to third parties, the following information is processed and can be transferred in the future:

• where and when was the person born;
• address of registration and residence with the provision of a landline phone number (if available and registered);
• married or single;
• social status;
• in which institution he studied;
• who works and seniority;
• salary and other income;
• passport details, pension certificate, military service.

You can get around the ban on the transfer of personal data to third parties only with the written consent of the subject.Such documentary evidence is quite common in private institutions and in municipal organizations, and is evidence in a dispute, and also confirms the legality of the transfer of personal information.

Exclusive rights

The ability to obtain personal data about an employee is possessed by some organizations that need this information to perform their functions:

1. Representatives of pension and social insurance funds.
2. Federal Labor Inspectorate and bodies of state supervision and control over compliance with the implementation of labor legislation.
3. Tax.
4. Trade unions, the executive branch in the investigation of industrial accidents.

Residents of this category must comply with the regime of secrecy, the intended use of all collected information, be responsible for the transfer of personal data to third parties. And with a personal desire for their publication and distribution.

How are others?

In the 21st century, almost all Western countries approved laws that envisage regulation of the collection and processing of personal information. Italy and France have imposed a ban on employers to collect personal information about employees, if we are not talking about professional qualities, qualification requirements, which is necessary in employment. Other countries are also trying to limit the widespread processing of personal data, as well as information related to race, political or religious views, social status, sexual preferences, membership in organizations, alcohol use, health status, property status.

Foreign standards

In the countries of near and far abroad, it is customary to distinguish two approaches to the determination of personal data. In the Netherlands, New Zealand and Sweden, any information about a particular person is considered such, in the UK they detail the concept by setting criteria and categories. English-speaking neighbors do not allow the collection of information on racial origin, religious and political views, mental health, criminal record and sexual orientation. There is a law in the United States that prohibits managers from investigating workers ’past. If an entrepreneur wants to know everything about his subordinate, he needs to take written permission from him.

In Russia, this concept may vary from the principles of organization, but, in its essence, this is information necessary for the employer to establish labor relations. There is no specific list by law. The type of information required is determined by the regulatory act of the company within federal law.

The Federal Law No. 152 indicates that any information about a particular person, including his name and initials, date and place of birth, information on social status, marital status, level of property income, education, and fixed income may be in the form of personal information. Depending on the purpose of processing the available data, the list can be expanded or modified.

Each time you have to sign important documents, you need to pay attention to whether you consent to the collection and processing of information about yourself, and whether you can subsequently use and transfer personal data to third parties. If there has been a violation of the law, causing moral or material damage as a result of the disclosure of personal information, it is recommended that you file a lawsuit with a court that requires administrative fines and other sanctions. If there is no documentary evidence of an information leak, unfortunately, it will be difficult to prove a violation of the law.