The subject of personal data is an individual who is characterized by individual information that defines him as a citizen (indirectly or directly). Verification of personal information about a person can be carried out only with his consent, which is confirmed by the signature in a special document.
Key concepts
It is difficult to determine whether a citizen is an operator with the authority to collect and verify personal data (PD), therefore it is recommended to read Law No. 152 FZ, which clearly defines the essence of the concepts that are the subject of attention of those interested in this process:
- Personal Information;
- operator;
- processing personal data.
It is customary to call private any information related to a particular individual, called the subject. The operator is a state or local authority, a representative of a legal organization or an individual who is involved in the processing of the entity’s PD, as well as organizational issues related to the ultimate goals of processing, the composition of personal information, and operations to analyze actions performed with private data.
Processing personal data - this is an analysis of information about an individual carried out using automated processing to achieve a specific result. Such operations may include:
- storage;
- receipt;
- application;
- clarification;
- change;
- opening access;
- update;
- blocking;
- removal;
- depersonalization;
- blocking.
Personal Data
The law at the federal level does not describe clear boundaries within which a portrait of an individual should be formed. But, given that the subject is, as mentioned above, any information, it is generally accepted that the personal data of the subject is:
- his birthday
- his name, patronymic and last name;
- the photo;
- address;
- Email;
- telephone number;
- links to your own site or page on a social network.
This list can be increased several times by adding subjective information identifying the person as a citizen of a social society. Receiving data of this type, each becomes a PD operator. Anyone who places a registration or feedback form on their resource becomes an informational "guide".
Operator Categories
In the Federal Law No. 152 there is a division, depending on the status:
- representative of government agencies;
- municipal authorities;
- legal entities and individuals;
- SP.
The category of fines for violations depends on the category (legal entities pay a higher amount than individuals).
Regardless of the class of operators, everyone had to deal with the processing of private information based on the consent of the subject of personal data. Such a procedure is practiced before placing a new employee in the company, when filling out a special online order form or questionnaire on social pages.
In contrast to individual entrepreneurs and individuals, organizations are required by law to have higher requirements, this applies to the formation of a package of documents and requirements for the appointment of a person who will control this process. The most stringent framework for compliance with labor protection requirements is for the authorities, which have great authority and work with a vast array of PD citizens.
Rights of the subject of personal data
Each person has powers and legal rights that the inspector should not infringe or violate:
- The subject should be informed about the analysis of his personalized characteristics, tell about the purpose, procedure, familiarize with the name of the legal entity or the name of the individual engaged in the processing of personal information.
- Citizens are required to inform about the period of time during which the processing and further storage of information will be carried out, about its potential interagency transfer, as well as the person who was entrusted with the processing of private characteristics.
- The rights of the subject of personal data imply the admissibility of the requirement to clarify his PD, the subsequent removal of information, if it is irrelevant.
- All information about the person received by the operator (without her knowledge) must be deleted, otherwise the law provides for the protection of her rights.
- Identification of a citizen occurs in conditions comfortable for both parties. Information should not affect PD of other entities (special cases: when there are reasons for opening access to such data).
- Feedback in the form of a request of the subject of personal data should contain the number of the document (passport) of the applicant, information about the place, date and body of its issuance, information and documents confirming relations with the operator (date of conclusion of the contract and its number) or other data that can prove fact of standard verification. The request can be sent in writing or via the Internet, but always with an electronic signature.
- If information on the online request was not provided, a second call to the operator is possible only 30 days after the first attempt. Another period may be established in accordance with the Federal Law or the agreement to which the subject of the PD is a party.
- The operator has the right to refuse to re-apply the personal data to the subject. This is a sign that the documentation does not meet the necessary conditions provided for in Part 4.5 of Art. 14152 Federal Law. The information operator is required to motivate and explain his refusal.
Declassification of information
The operator is not always obliged to leave the person’s PD under the heading “secret”, there are situations when such information is not considered closed, the conclusion is made in accordance with the Federal Law Art. 22 (part 2) No. 152. Secrecy is not required if:
- PD depersonalization occurs;
- PDs are publicly available;
- it is only about F. I. O. subjects;
- repeated similar actions are observed in the form of issuing a pass to the territory (or for other similar purposes);
- information is in a signed agreement to which the PD subject acts;
- the use of personal data without the consent of the subject is necessary exclusively for the execution of agreements;
- information concerns a representative of public associations or religious organizations.
Without permission
The consent of the subject to the processing of personal data is not always required, there are situations when there is no need for a personal presence of a citizen. This scenario is provided for by Federal Law No. 152 (Part 1, Article 6 of July 27, 2006). The signature on the document is optional if the verification of the PD:
- necessary for the implementation of international readmission agreements of the Russian Federation;
- conducted on the basis of the Federal Law, where its objectives, conditions and a list of persons whose characteristics are subject to verification are prescribed;
- carried out as part of the execution of a signed contract, one of the parties of which is the subject;
- will affect the vital interests of a citizen;
- is necessary in order to achieve scientific goals, provided that the information taken will subsequently be anonymous;
- plays an important role in protecting the life of the subject of PD, if obtaining the consent of the individual is impossible;
- it is considered an integral part of the journalist’s workflow or in order to achieve discoveries in the scientific, literary or other creative fields of activity, provided that this does not violate the rights and freedoms of the PD subject;
- affects persons (in accordance with the Federal Law) to be published, including those who hold public office, similar posts of the state civil service, as well as the characteristics of candidates for elected posts of state or local scale.
Damage Assessment Methodology
A third party may cause harm to the personal data subject if the access to his identification information is not agreed upon, as a result of which it has been modified, distributed, copied or deleted. Any random access is considered an invasion of privacy.
A violation of the security of access to information may appear as inconsistent with the subject:
- distribution of PD and their processing, which vary depending on the initial goals and the set deadlines (deviation from the clauses of the agreement signed in the contract is a violation of confidentiality);
- closure of access to PD or their removal, refusal to disclose verification details and analysis of subject data (limitation of spatial capabilities);
- PD changes, the temporary impossibility of changing them, for the subject of personal data is the destruction of the complexity of his information.
Illegal actions can also be called receiving PD from unauthorized persons who do not appear as a subject, as well as actions implying a certain result, characterized from a legal point of view, relating to the subject of PD or affecting his desires and possibilities, based only on checking his personal characteristics.
Forms of harm
It is necessary to think about the protection of the subject of personal data when unlawful actions in relation to personal information have been noticed that entailed the following types of damage:
- non-pecuniary damage - the torment of a citizen at a psychological level, as well as physical torment that violates human rights not related to property, or related to property belonging to him, or other tangible or intangible benefits;
- Losses - financial losses incurred by an entity whose privacy rights have been violated, potential financial income or possible revenue in cash equivalents have not been received as a result of a violation of confidentiality.
The assessment by the body for the protection of the rights of subjects of personal data of potential damage occurs when using the elements of accounting for the consequences:
- minimum (low) level - is determined by the violation of the complexity and generality of PD, including their open availability;
- medium - represents the consequences of deviation from the standard typology of information processing, which also negatively affects its integrity and accessibility, but in this case entails psychological harm or material damage;
- high level - other possible cases.
Full protection of the rights of subjects of personal data may occur after the correct assessment of time and analysis of the operator's actions. Monitoring is carried out by a responsible authorized person in accordance with the methodology and based on the legality of these measures.
Authorized body for the protection of rights
Such a representative is the federal executive body, whose functions include monitoring and supervising the compliance of PD processing with the laws of the Russian Federation. His work is the implementation of state control over the processing of personal information of the subject, which should occur based on their requirements of regulatory acts. The procedure for inspecting entrepreneurs, organizations and other authorized legal entities that can collect and process PD is established by the Government of the Russian Federation (Federal Law No. 16 of 02.22.2017).
The Commissioner for the Rights of the Subjects of Personal Data analyzes the citizen's statements about the conformity of the contents of the PD and the methods of processing them with the goals of their verification and analysis and makes an appropriate decision on whether the procedure was lawfully carried out.Otherwise, the question of the application of appropriate measures is being decided.
Verification consent sample
The text of the basic document, which represents consent to the processing of personalized information, is required not to violate the rights of the subject of personal data, but rather to protect them. Accordingly, Federal Law No. 152 and a list of actions that a citizen agrees to should be spelled out: systematization, clarification, amendment, collection, use, transfer of PD. It is imperative to indicate the purposes for which data is collected, for example, if such consent is signed in the store (organization) when buying or selling software in the name of the subject, then this should be spelled out.
The consent separately emphasizes the clause on the protection of the rights of the subject of personal data, which guarantees the confidentiality of the information received, as well as the general provisions of the policy of hiding classified information. There must be a list of the types of processed data, for example: F. I. O., address of residence and e-mail, phone number, bank payment history and other important personal information.
Some documents prescribe the validity period of the consent, others have an unlimited period. If it is possible to withdraw the signed application for verification of private information, then this should be written down in the document, as well as the consequences of such an action.
Abuse of authority
All actions that the employer or operator can perform with the personified information received are prescribed in the text of the bilateral agreement. Often, citizens make claims that their banking history has become the object of verification, but no one has allowed to sign the corresponding document. Processing of private information without the consent of the subject of personal data may result in liability in the form of administrative or disciplinary. In exceptional cases, when severe damage was caused, criminal proceedings are possible.
To determine a clear framework and which vital characteristics are considered publicly available and which do not go beyond the boundaries of individuality and secrecy, a citizen needs to analyze the consent document and only then sign it.
If there is no way to figure it out yourself, for example, in the case of a job, it is recommended that you hire a qualified lawyer. Information about whether the subject was serving a term in places of deprivation of liberty should be provided only if the position that the person wants to get requires a criminal record, in another situation, the subject is entitled not to provide such data.
A personal data subject is a citizen who has the right not only to transfer his personal information for processing and checking it for a specific purpose (purchase, sale, taking a loan, etc.), but also to protect the information provided from its unauthorized distribution, destruction and misuse.