Who is the subject of personal data? Personal data subject consent form

Personal data is any information related to a specific individual or determined on their basis. These include F. I. O., place, date of birth, family, social, property status, address of residence, profession, education, etc. The subject of personal data is, more simply, a carrier of such information. As sources of information can be a passport, medical card, financial statements and so on.

Limited access

Personal data without the consent of the subject can not be entered into any documents and databases. With the permission of the information carrier, information about its full name, address, place, date of birth, subscriber number, etc., may be included in publicly available sources. The current legislation guarantees the protection of the rights of personal data subjects. Persons carrying out the collection and subsequent work with such information, for violation of the confidentiality of information are liable, up to criminal.

Operators

They collect and work with information related to the identity of the citizen. The subjects of personal data processing are municipal or state structures, individuals and organizations. They not only carry out work with information, but also determine the goals and content of certain operations with information. Moreover, in order to perform any action, the operator must obtain the consent of the subject of personal data .

Access to personal information

One of the possibilities that the subject of personal data is endowed with is obtaining information about the operator. The information carrier may know the address of the person, the availability of relevant information from the person. The representative of the subject of personal data has similar capabilities. The authority of this person must be confirmed by documents drawn up in accordance with legislative requirements. Familiarization with the information available to the operator is another opportunity that the subject of personal data has. This is necessary, in particular, to verify the accuracy of the information. This possibility may be limited only in cases expressly provided by law. The storage medium may present a request to the operator to clarify, block or destroy it. This opportunity is realized in cases when the information is outdated, incomplete, illegally obtained, unreliable, is not necessary for the purposes declared by the operator.

The subject of personal data is the main participant in operations with information about his personality. In accordance with this, he can take legal measures to ensure the protection of information and prevent damage to his personality, good name, reputation.

Provision of information

Information about the availability of data from the operator should be transmitted to the subject in an accessible form. It is not allowed to include personal information of other persons in them. Providing access to information is possible at the request of the data carrier entity or his attorney. The application must contain information about the main document confirming the identity of the citizen - the number, date and place of issue, name of the authorized structure. The request must be subject to the signature of the subject.

If another person acts on his behalf, information about the document confirming the authority is given. In this case, the representative shall sign the statement. The appeal may be sent electronically. In this case, the application must contain a digital signature.

List of available information

The subject has the right to receive information containing different data. These include, but are not limited to:

1. Confirmation of the fact of working with personal information and its purpose.
2. Data processing methods used by the operator.
3. Information about employees who have access to information, or to whom it can be provided.
4. The list of information with which work is carried out, sources of their receipt.
5. Duration of processing and storage of available data.
6. Information about the legal consequences of working with information.

Legislation

As mentioned above, the right to access personal data may be limited. This happens if:

1. Work with information obtained as part of intelligence, operational-search, other similar activities is carried out for the defense of the country, ensuring its security and maintaining order in society.
2. Data processing is carried out by employees who detained the subject on suspicion of a crime, or charged him, or applied one of the existing preventive measures to him. The exception is the cases enshrined in the CPC.
3. Providing information will violate the constitutional freedoms and rights of third parties.

Collection of information

Legislation may require an entity to provide its data for processing. In such cases, the operator must explain to the person the consequences of failure to comply with the requirements. If the information was not received from the carrier, except when it was provided on the basis of the Federal Law, or if it is publicly available, the person collecting the information should provide the following data to the subject:

1. The name of the operator and its address (for individuals - F. I. O.).
2. Purpose of working with information, legal basis.
3. Potential users of information.
4. Rights of the subject established by law.

Security measures

The operator is obliged to use all available and permissible means by which the rights of the subject of personal data are protected . In particular, he should apply cryptographic techniques that prevent accidental or illegal access to information, its destruction, blocking, modification, distribution and copying. The requirements for data security during their processing, to material carriers, storage technologies are established by the Government. Supervision of the execution of the requirements rests with the executive federal power structure within its competence. The rgan on protection of the rights of subjects of personal data exercises control without the possibility of familiarizing with the information.

Work with applications

The legislation regulates the procedure in accordance with which the consideration of requests of personal data subjects is carried out. Operators working with information have a number of responsibilities. First of all, upon receipt of the request, it is necessary to inform the subject or his authorized representative of the availability of relevant data. The operator should be given the opportunity to review the information within ten days from the date of receipt of the application.

If a decision is made to refuse the request, the authorized person must send a reasoned response. It must contain a reference to the provisions of a regulatory enactment providing for an appropriate basis. This must be done within seven days from the date of contacting the carrier of personal information or receiving an application. The opportunity to familiarize yourself with the data is provided to the subject / representative free of charge.

If necessary, the operator makes changes to the information, destroys or blocks the information. To this end, the subject (representative) provides information confirming that the data is outdated, obtained in an unlawful way, is unreliable, etc. The operator notifies the data carrier itself as well as the third parties to whom it was transmitted about the corrections made.

Troubleshooting

In case of revealing false information, detecting illegal actions by the operator when contacting or at the request of the subject / his representative to the authorized structure about the blocking, it should be carried out immediately. An interested person may provide documents in accordance with which information can be clarified. If unlawful actions of the operator are revealed, he is obliged to eliminate violations within three days from the moment of their discovery. If this is not possible, the information will be destroyed. This action must be completed within three days from the date of detection of violations.

Upon reaching the goal for which data processing was necessary, the operator must immediately stop all work with information. Moreover, he must destroy the information within three days, unless otherwise provided by law. The operator shall notify the subject or his representative of the committed actions. If the appeal or application has been sent by an authorized structure that implements functions in the field of personal information security, then it shall be notified.

Personal data subject consent form

A person’s permission to work with his personal information can be provided in any form, which allows confirming the fact of receipt, unless otherwise enshrined in Federal Law No. 152. In its explanations, Roskomnadzor (body for the protection of the rights of personal data subjects) recommends writing it in writing. Requirements for the document are present in Article 9 of the above Law. The written consent includes:

1. F. I. O., address of the person, information about the identity document (number, series, date of issue and name of the institution that issued it).
2. Information about the representative of the subject. In addition to F.I.O., addresses, information about the passport, details of the power of attorney are given.
3. The name or address of the operator.
4. The purpose of processing personal information.
5. The list of information for work with which their carrier gives permission.
6. Name or address and full name of the person processing the information on behalf of the operator.
7. The specific actions to be performed with the information. There should also be a general description of the methods used by the operator in processing the data.
8. The period during which the permit is valid, unless otherwise provided by law.
9. Signature of the data carrier.

Permission may be granted electronically. In this case, the document is authenticated by digital signature.

Responsibility for failure to comply with legal requirements

Persons found guilty of violating the requirements of Federal Law No. 152 may be charged with sanctions in accordance with applicable standards. In particular, Art. 13.11 of the Code of Administrative Offenses punishes illegal collection, storage, use, dissemination of information about citizens. The softest sanction is a warning. In addition, Art. 13.11 provides for fines for:

• individuals - 300-500 p.;
• employees - 500-1 000 p .;
• organizations - 5-10 thousand rubles

Non-pecuniary damage to the subject of personal data arising in connection with the infringement of his interests, violation of the requirements of the current legislation shall be compensated in the framework of civil proceedings. His compensation is carried out regardless of the recovery of property damage and losses incurred.

Information Notification

Before processing data, the operator must notify the authorized structure (Roskomnadzor) of its intention. An exception to this rule is fixed in part 22 of article of the Federal Law No. 152. The operator may not notify the authorized body if it works with data:

1. Related to persons with whom he is associated with an employment relationship.
2. Received upon conclusion of an agreement, one of the parties of which is the data subject. This is subject to a reservation. Information received by the operator should not be distributed and transmitted to third parties. It is used exclusively for the implementation of the terms of the contract and the execution of agreements with the information carrier.
3. Related to members of a religious or public organization. However, the information received should not be distributed without their permission.
4. Being publicly available.
5. Including only the name of the carrier.
6. Necessary for a single pass of a person to the territory where the operator is located, or for other similar purposes.
7. Contained in information databases having the status of automated systems.
8. Processed without the use of automation, in accordance with the Federal Law or other regulatory enactments, which provide requirements for the security of information when working with it and the interests of its carriers

Notification

The notice must be in writing. It is signed by an authorized employee. Electronic submission of notice is allowed. In this case, it is certified by a digital signature. The notice must indicate:

1. Name (F.I.O.) and address of the operator.
2. The purpose of working with information.
3. Categories of data to be processed.
4. The legal basis for working with information.
5. Categories of information carriers.
6. List of specific operator actions.
7. Description of the measures that will be taken to ensure the security of information.
8. Date of work with information.

The notice must also include a termination date or a condition under which the processing of personal data is completed.