The subject of personal data is who? The consent form of the personal data subject

Personal data refers to any information relating to a particular or on their basis natural persons. носитель такой информации. These include FI, the place, date of birth, family, social, property status, address of residence, profession, education, etc. The subject of personal data is, more simply, the carrier of such information. As sources of information can act as a passport, medical card, financial statements and so on.

Limited access

не могут вноситься ни в какие документы и базы. Personal data without the consent of the subject can not be entered into any documents and databases. With the permission of the information carrier, information about its name, address, location, date of birth, subscriber number, etc. can be included in public sources. The current legislation guarantees protection of the rights of subjects of personal data. Persons collecting and following such information for violation of the confidentiality of information are liable, up to and including criminal.

Operators

They collect and work with information pertaining to the individual's identity. – муниципальные или госструктуры, физлица и организации. Subjects of personal data processing - municipal or state structures, physical persons and organizations. They not only work with information, but also determine the goals and content of certain operations with information. . At the same time to perform any action the operator must obtain the consent of the subject of personal data .

Access to personal information

получение информации об операторе. One of the possibilities that the subject of personal data is endowed with is the obtaining of information about the operator. The data carrier may know the address of the information, the presence of the relevant information from the person. . The representative of the personal data subject has similar possibilities. The powers of this person must be supported by documents issued in accordance with legislative requirements. Acquaintance with the information that the operator has at hand is another possibility that the subject of personal data has. необходимо, в частности, для проверки достоверности сведений. This is necessary, in particular, to verify the reliability of information. This possibility can be limited only in cases directly stipulated by law. The information carrier can present a requirement to the operator for its clarification, blocking or destruction. This possibility is realized in cases when the information is obsolete, incomplete, illegally obtained, unreliable, not necessary for the purposes stated by the operator.

The subject of personal data is the principal participant in operations with information about his personality. In accordance with this, he can take legal measures to ensure the protection of information and prevent damage to his personality, good name, reputation.

Provision of information

Information about the availability of data from the operator should be transferred to the subject in an accessible form. It is not allowed to include other people's personal information in them. или его поверенного. The provision of access to information is possible at the request of the data carrier or its attorney. The application should contain information about the main document confirming the identity of the citizen - the number, date and place of issue, the name of the authorized structure. In the request, the signature of the subject is mandatory.

If another person acts on his behalf, information on the document confirming the authority is given. The signature in the application is then put by the representative. The request can be sent electronically. In this case, the application must contain a digital signature.

List of available information

The subject is entitled to obtain information containing different data. Among them, among others, are:

1. Confirmation of the fact of work with personal information and its purpose.
2. Data processing methods used by the operator.
3. Information about employees who have access to information, or to whom it can be provided.
4. List of information with which work is carried out, sources of their receipt.
5. The processing and storage of the available data.
6. Information about the legal consequences of working with information.

Legislation requirements

As mentioned above, the right to access personal data may be restricted. This happens if:

1. Work with information obtained in the framework of intelligence, operational-investigative, other similar activities is carried out for the defense of the country, ensuring its security and protecting order in the society.
2. The processing of data is carried out by employees who detained a person on suspicion of a crime or brought charges against him, or applied one of the existing preventive measures to him. The exceptions are the cases fixed by the CCP.
3. The provision of information violates the constitutional freedoms and rights of third parties.

Collection of information

Legislation may provide for the entity to provide its data for processing. In such cases, the operator should explain to the person the consequences of refusal to comply with the requirements. If the information was not received from the carrier, except when it was provided on the basis of the Federal Law or if it is publicly available, the person collecting the information must provide the following data to the entity:

1. The name of the operator and his address (for physical persons - FIO).
2. The purpose of work with information, a legal basis.
3. Potential users of information.
4. Rights of the subject, established by law.

Security measures

. The operator is obliged to use all available and permissible means, which ensure the protection of the rights of the subject of personal data . In particular, it must use cryptographic techniques to prevent accidental or illegal access to information, their destruction, blocking, modification, distribution and copying. Data security requirements for their processing, for physical media, storage technologies are established by the Government. Supervision over the implementation of orders is vested in the executive federal structure of power within its competence. осуществляет контроль без возможности ознакомления со сведениями. The law on protection of the rights of subjects of personal data carries out control without the possibility of acquaintance with the information.

Working with applications

. Legislation regulates the procedure, according to which the requests of subjects of personal data are processed . Operators working with information have a number of responsibilities. First of all, when a request is received, it is necessary to inform the subject or his authorized person about the availability of relevant data. The operator should be given the opportunity to review the information within ten days from the date of receipt of the application.

In the event of a decision to dissatisfy the request, the authorized person must send a reasoned response. It should contain a reference to the provisions of a normative act providing for an appropriate basis. This must be done within seven days from the date of the carrier's application of personal information or receipt of the application. The opportunity to get acquainted with the data is provided to the subject / representative free of charge.

If necessary, the operator makes changes to information, destroys or blocks information. To this end, the entity (representative) provides information that confirms that the data is out of date, received illegally, is unreliable, etc. The operator notifies the data carrier itself, as well as third parties to whom they were transferred, of the corrections made.

Elimination of violations

In case of revealing unreliable information, detection of unlawful actions of the operator when applying or at the request of the subject / his representative to the authorized structure on blocking, it must be carried out immediately. The interested person can provide documents, according to which the information can be specified. If unlawful actions of the operator are revealed, within three days from the time of their discovery, he is obliged to eliminate the violations. If this is not possible, the information will be destroyed. This action must be committed within three days from the date of detection of violations.

When the goal for which data processing was needed is reached, the operator must immediately stop all work with information. In this case, he must destroy the information within three days, unless otherwise provided by law. The operator notifies the subject or his representative about the committed actions. If the application or application was sent by an authorized body that carries out functions in the field of personal information security, then it is also notified.

The consent form of the personal data subject

Permission of a person to work with his personal information can be provided in any form that confirms the receipt, unless otherwise provided by Federal Law No. 152. In its explanations, Roskomnadzor (the body for the protection of the rights of subjects of personal data) recommends writing it in writing. Requirements for the document are present in Article 9 of the above Law. The written consent includes:

1. Name, address of the person, information about the document confirming the identity (number, series, date of issue and name of the institution that issued it).
2. Information about the representative of the subject. In addition to the FI, the address, information about the passport, the requisites of the power of attorney are given.
3. The name or address, the FI of the operator.
4. The purpose of processing personal information.
5. A list of information that the carrier is authorized to work with.
6. Name or address and name of the person performing information processing on behalf of the operator.
7. Specific actions to be taken with information. There should also be a general description of the methods used by the operator in data processing.
8. The period during which the permit is valid, unless otherwise provided by law.
9. Signature of the data carrier.

Permission can be provided electronically. In this case, the document is certified with a digital signature.

Responsibility for non-compliance with legislative requirements

Persons found guilty of violating the requirements of Federal Law No. 152 may be sanctioned in accordance with applicable regulations. In particular, Art. 13.11 The Administrative Code provides for penalties for illegal collection, storage, use, dissemination of information about citizens. The most gentle sanction is a warning. In addition, Art. 13.11 provides for penalties for:

• Individuals - 300-500 rubles;
• Employees - 500-1 000 rubles;
• Organizations - 5-10 thousand rubles.

Moral harm to the subject of personal data that arose in connection with the infringement of his interests, violation of the requirements of the current legislation, is subject to reimbursement in the civil proceedings. His compensation is carried out regardless of the recovery of property damage and incurred losses.

Notification of work with information

Before the processing of data, the operator must notify the authorized structure (Roskomnadzor) of his intention. The exception to this rule is fixed in Part 22 of Article ФЗ No. 152. The operator may not notify the authorized body if it is working with the data:

1. Relating to persons with whom he is connected by labor relations.
2. Received at the conclusion of the contract, as one of the parties is the data subject. In this case, there is a reservation. Information received by the operator should not be distributed and transferred to third parties. It is used exclusively to implement the terms of the contract and formalize agreements with the carrier.
3. Relating to the participants of a religious or social organization. However, the information received should not be disseminated without their permission.
4. Are publicly available.
5. Including only the FIO of the carrier.
6. Necessary for a single pass of a person to the territory where the operator is located, or in other similar purposes.
7. Contained in information databases that have the status of automated systems.
8. Processed without the use of automation means, according to the Federal Law or other regulatory acts that require information security when working with it and respecting the interests of its carriers.

Notification processing

The notice must be in writing. It is signed by an authorized employee. You can send a notification in electronic form. In this case, it is certified with a digital signature. In the notice it is necessary to indicate:

1. Name (FIO) and address of the operator.
2. The purpose of working with information.
3. The categories of data that will be processed.
4. The legal basis for working with information.
5. Categories of persons who carry information.
6. List of specific operator actions.
7. Description of measures that will be taken to ensure the safety of information.
8. Date of beginning work with information.

The notice must also contain a term of termination or a condition under which processing of personal data is completed.