We draw up a sample obligation of non-disclosure of personal data of employees. We draw up a sample obligation on non-disclosure of personal data of employees Consent on non-disclosure of personal data sample

AGREEMENT No.______

ABOUT NON-DISCLOSURE OF PERSONAL DATA

«_____»_____________________

In the person of __________________________________________________________________, acting on the basis of ________________, hereinafter referred to as the “Transmitting Party”, and in the person of Director Alexandrova Galina Georgievna, acting on the basis of the Charter, hereinafter referred to as the “Receiving Party”, together referred to as the “Parties”, have entered into this Agreement on the non-disclosure of personal information data (hereinafter referred to as the Agreement) about the following:

ARTICLE 1.

1.1. In this Agreement, “Personal Data” means information provided by the Transmitting Party to the Receiving Party in written, electronic or any other form and relating to an individual identified or determined on the basis of such information (subject of personal data), including his last name, first name, patronymic, year, month, date and place of birth, address, family, social, property status, education, profession, income, other information.

1.2. Persons gaining access to personal data must ensure the confidentiality of such data and the security of such data during their processing, with the exception of publicly available and anonymized personal data.

ARTICLE 2.

2.3. When processing personal data, the receiving party undertakes to comply with the norms of the current federal legislation and the requirements of regulators regarding the security of personal data.

2.4. The Receiving Party undertakes to process personal data received from the Transferring Party solely for the purpose of fulfilling Agreement No._____ dated “___”_______ 20____. (hereinafter referred to as the Agreement).

2.5. The receiving party undertakes to take all necessary organizational and technical measures to ensure the confidentiality and security of personal data, to protect them from unauthorized, including accidental access, destruction, modification, blocking, copying, distribution and other unlawful actions.

2.6. The Receiving Party provides access to Personal Data only to persons who need it to fulfill the obligations of the Receiving Party to the Transferring Party, and only if they have accepted obligations to ensure the safety of the Personal Data that has become known to them under the terms of this Agreement.

2.7. The Receiving Party undertakes, at the request of the Transferring Party, to provide information about the state of affairs regarding the protection of personal data.

2.8. The Receiving Party undertakes to provide, upon request, to the Transferring Party a list of its employees authorized to work with personal data.

2.9. The receiving party undertakes not to involve third parties in the processing of personal data.

2.10. The Receiving Party undertakes not to distribute or provide personal data to third parties, including its employees and employees of the Disclosing Party who are not authorized to work with personal data, without the written permission of the Disclosing Party, except as required by current legislation.

2.11. The Receiving Party undertakes not to, without the written permission of the Transferring Party, copy the personal data base or part thereof, transfer personal data to any tangible media, as well as copy and replicate physical personal data media, except in cases provided for for the purposes of processing personal data or the terms of the Agreement .

2.12. The Receiving Party undertakes not to take any actions to modify personal data without the written permission of the Transferring Party, except in cases where this is intended for the purpose of processing personal data.

2.13. The receiving party undertakes not to combine personal data information system databases created for incompatible purposes.

2.14. The receiving party undertakes, at the request of the subject of personal data or his legal representative, to provide free of charge information about the fact and methods of processing his personal data and other information related to this subject of personal data in accordance with the Federal Law of January 1, 2001 “On Personal Data”.

2.15. The Receiving Party undertakes, in agreement with the Transferring Party, to take all necessary corrective measures in relation to personal data if inaccurate personal data or unlawful actions with it are identified.

2.16. The Receiving Party undertakes to immediately inform the Transferring Party about the fact of disclosure or threat of disclosure, illegal receipt or illegal use of transferred personal data committed by the Receiving Party, its Representatives, or the fact of disclosure or threat of disclosure that has become known to the Receiving Party.

ARTICLE 3.

3.1. The receiving party is responsible for the actions of its employees that lead to the disclosure of Personal Data to any third parties.

3.2. The responsibility to prove the fact of disclosure of Personal Data and to collect evidence confirming the fact of disclosure of Personal Data rests with the Disclosing Party.

3.3. Any damage caused to the Disclosing Party as a result of the disclosure of Personal Data is determined and compensated in accordance with the current legislation of the Russian Federation.

3.4. The Parties undertake to peacefully resolve all disputes, controversies or disagreements that may arise between them in relation to or in connection with this Agreement, or the performance, violation, termination or invalidity of this Agreement, however, if the Parties are unable to reach an agreement, then all disputes, contradictions and disagreements are subject to settlement in the Arbitration Court in accordance with the current legislation of the Russian Federation.

ARTICLE 4

4.1. The transmitting party transfers personal data to the Receiving Party in accordance with the List of Personal Data (Appendix 1 to the Agreement).

4.2. Personal data is transferred to the Receiving Party:

On a tangible medium according to an act of acceptance and transfer of tangible media, in which the type of material medium must be recorded;

Using a public information system.

4.3. This Personal Data Non-Disclosure Agreement does not provide for any right to subsequent commercial use of Personal Data.

ARTICLE 5

5.1. This Agreement comes into force from the moment it is signed by both Parties and is valid until the Parties declare its termination. The Party terminating this Agreement must notify the other Party 30 (thirty) days before the date of termination. Termination of this Agreement does not relieve the Receiving Party from the obligation to ensure the confidentiality of personal data transferred under this Agreement.

5.2. The Transferring Party has the right to demand that the Receiving Party return the transferred personal data to it at any time by sending a written notice to the Receiving Party. Within 15 days after receiving such a notification, the Receiving Party must destroy the personal data transferred to it under the act for carrying out contractual activities and return all tangible media with personal data, their copies and copies.

5.3. The rights and obligations of the Parties under this Agreement in the event of reorganization of any of the Parties shall pass to the corresponding successor(s). In the event of liquidation of any Party or upon termination of this Agreement, the Receiving Party must, before completion of the liquidation (before termination of this agreement), destroy the personal data transferred to it for the implementation of contractual activities according to the act and return all material media with personal data, their copies and copies .

5.4. If the Receiving Party is required by law to provide personal data to government authorities of the Russian Federation or government authorities of constituent entities of the Russian Federation, or government authorities of foreign states, as well as other bodies authorized by law to require the provision of personal data, the Receiving Party is obliged to immediately notify the Transferring Party in writing about this fact. Side. At the same time, the Receiving Party undertakes to do everything in its power to ensure the confidentiality of the provided personal data.

5.5. Additions and changes to this Agreement can only be made on the basis of a written agreement signed by duly authorized representatives of the Parties.

5.6. . The Parties hereby undertake not to assign or otherwise transfer their rights and obligations arising from this Agreement without the prior written consent of the other Party.

5.7. If any provision of this Agreement is found to be invalid, such invalidity will not affect the remaining provisions of this Agreement or the entire Agreement as a whole.

5.8. IN CONFIRMATION OF THE ABOVE, the Parties have signed this Agreement in 2 (two) copies having equal legal force, one for each of the Parties, at the place indicated above and on the date indicated above.

6.Legal addresses and payment details of the parties:

An obligation of non-disclosure of personal data is signed by employees whose official duties require access to personal information of employees. We will tell you in this article how to correctly compose the text of the obligation to ensure the security of personal information.

In the article:

Download documents on the topic:

Why is there an obligation of non-disclosure of personal data of employees?

The collection, processing and storage of personal information of citizens of the country is regulated by law (Federal Law No. 152-FZ “On Personal Data”). Protecting an employee's personal information and privacy rights is the employer's responsibility. He, by necessity, has access to documents and information that are qualified by law as personal.

This is the information:

• details of identity documents;
• about education, specialty, official position;
• about family composition, residential address;
• declared property, salary, etc.

Mandatory documents that an employee fills out and signs when applying for a job include. The subjects of personal data include not only those employees with whom employment contracts have been concluded, but also those persons who work under civil contracts.

Attention! To obtain personal information about an employee from third parties, the written consent of the employee is required.

Consent of the subject of personal data to the processing of his personal data

Those employer representatives who have access to this information due to their official duties must sign a non-disclosure agreement. Collection officials processing and storage of personal data of employees determined by order of the head. The list of admitted persons usually includes representatives of:

• accounting;
• personnel service;
• personnel services;
• lawyers.

Form “Obligation of non-disclosure of personal data of employees”

For violation of the obligations that the operator assumes by signing an agreement on non-disclosure of personal data, the employer is liable before the law. The employer is subject to sanctions provided for by the Code of Administrative Offenses of the Russian Federation, as well as certain provisions of the Labor, Civil and Criminal Codes of the Russian Federation. Therefore, it is so important that the issues of collecting, processing and storing personal information about employees are regulated by the employer’s internal regulations.

What internal document establishes responsibility for non-disclosure of personal data?

All employers must develop and approve a Regulation on Employee Personal Data. The document is drawn up taking into account the provisions of the Labor Code of the Russian Federation and other federal laws, but the employer has the right to determine the work procedure and other procedural issues independently. Each new employee applying for a job signs on the sheet of familiarization with the Regulations.

Regulations on working with personal data of employees

The structure of the Regulations on working with personal data of employees includes sections:

• general provisions;
• obtaining and systematizing data;
• storage of personal information;
• use and processing;
• broadcast;
• confidentiality guarantees.

Adjust the structure of the document taking into account the specifics of working with information in the organization, adapt the norms of the Regulations to the operating conditions of a particular enterprise.

As an appendix, develop document forms accompanying the process of collecting, using and storing information, including a sample non-disclosure agreement. Approve the Regulations on Personal Data by the head of the enterprise.

Questions and answers from the HR System expert

How to organize the processing of employees’ personal data?

Narrated by N. Kovyazina, Deputy Director of the Department of Medical Education and Personnel Policy in Healthcare of the Russian Ministry of Health.

First, determine what personal data you are going to process and for what purposes. Then find out whether the employee's consent is required for data processing. Obtain consent if required. Ask the employee for the necessary information and documents. In this recommendation, we will tell you how to correctly receive, store and transmit personal data of employees...

Read the expert's answer

How to draw up a personal data non-disclosure agreement sample

When composing the text, use universal formulations, without limiting the list of operations only to the functionality of a specific position. Include in the text of the obligation on non-disclosure of personal data all operations - collection, processing, and storage.

In your written agreement on non-disclosure of personal data, include a complete and specific list of personal data. This will prove that the employer is right in the event of a dispute. Include in the text part a phrase about sanctions for violation of this obligation provided for in Article 90 of the Labor Code of the Russian Federation “Responsibility for violation of the rules governing the processing and protection of employee personal data.”

When is an obligation drawn up, and when is an agreement on non-disclosure of personal data made?

It depends on who is entrusted with the collection, processing and storage of personal data. When data is used in an organization and employees appointed by order of the manager are involved in this, it is advisable to sign obligation of non-disclosure of personal data of employees, a sample of which is given above.

In the case where accounting or personnel records are outsourced, enter into an agreement with the outsourcer privacy agreement. Under such an agreement on non-disclosure of personal data, one party undertakes to transfer personal information about employees to the second party. The second party undertakes obligations to protect information, comply with requirements for the processing and safety of the submitted personal data.

Responsibility of the operator for violation of the non-disclosure agreement of personal data

In the obligation to non-disclose personal data of employees, a reference is made to Article 90 of the Labor Code of the Russian Federation. The employee is thereby notified that violation of the signed document gives the employer the right to hold him accountable, depending on the severity of the consequences:

• disciplinary,
• material,
• administrative,
• criminal

When disciplinary action is taken, the employee receives a reprimand or reprimand. The employer can dismiss him based on Article 192 of the Labor Code of the Russian Federation. Fire an employee for failure to comply with the obligation of non-disclosure of personal data It is also possible on the basis of paragraph 6, subparagraph “c” of Article 81 of the Labor Code. Dismissal on this basis is carried out for disclosure of legally protected secrets to which the employee received access in connection with the performance of official duties. In relation to certain categories of employees listed in Part 5 of Article 189 of the Labor Code of the Russian Federation, other types of disciplinary sanctions are also provided.

Useful video

Responsibility for disclosure of personal data. What will they be punished for?

Svetlana Shnaider, HR Director of Asset Development OJSC, member of the Labor Legislation Committee of the National Union of Personnel Managers, practicing lawyer

At the document level, the relationship between the subject and the operator looks like this: the subject consents to the processing of personal data, and the operator assumes an obligation of non-disclosure. This scheme also applies to labor relations in which the subject is the employee and the operator is the employer.

Why is it needed and when is it written?

The document is intended to enable the employer to indicate responsibility and, if violations are identified, to involve employees who have access to the personal information of colleagues. The number of people whose responsibilities include processing and non-disclosure may vary. If in small organizations everything is limited only to the chief accountant, then in medium and large companies employees working with personal information are listed in structural divisions:

• accounting;
• Human Resource department;
• Information Technology Department;
• sales department or service department (if we are talking about customer information).

The list can be expanded depending on the specifics and structure of the organization. Thus, the employer’s package of standard personnel documents should include a form of obligation on non-disclosure of personal data. The optimal time for signing this document by responsible persons is at the time of hiring.

What does the law say about this?

The article on non-disclosure of personal data to third parties (Article 7) is contained in. However, the mere existence of the Law “On the Protection of Personal Data” does not give the employer the right to impose liability by default on employees who have access to personal information. The need to formalize an obligation of non-disclosure of information is dictated by Government Resolution No. 687 of September 15, 2008 “On approval of the Regulations on the specifics of processing personal data carried out without the use of automation tools.” In accordance with paragraph 6 of the Resolution, “persons processing... data... must be informed about the fact of their processing of personal data,... as well as about the features and rules for such processing established by regulatory legal acts...”. In addition, a mandatory measure to protect personal information is the appointment by order of persons responsible for processing (Part 1 of Article 22.1).

Sample agreement on non-disclosure of personal data of employees

Sample order on non-disclosure of personal data

Non-disclosure agreement of personal data (sample 2020)

In addition to the non-disclosure obligation, the employer, in accordance with Article 8 of the Labor Code of the Russian Federation, can enter into an agreement with relevant personnel on the non-disclosure of personal data of employees, the sample of which differs from a simple obligation in that it indicates both parties to the process - both the employer and the employee.

Sample agreement on non-distribution of personal data

The need for such an agreement is due to the requirements set out in paragraph 7 Article 86 of the Labor Code of the Russian Federation, — the administration is entrusted with the responsibility to protect employees’ personal data from illegal use, loss or access by third parties. Consequently, employees who have access to the data bank of other employees are required to keep this information secret. And since this information is known in connection with the performance of their job duties, the employer, in accordance with Article 8 of the Labor Code of the Russian Federation, has the right to enter into a non-disclosure agreement with such employees.

At the same time, it is possible to hold workers who disclosed such information accountable only if it became known to them in connection with their work and they undertook not to disclose such information (clause 43 of the Resolution of the Plenum of the Supreme Court of the Russian Federation dated March 17, 2004 No. 2). That is why the employer must draw up an appropriate legally significant document with employees who, due to their job duties, have access to the personal data of other employees.

Responsibility for violation

Art. 24 states that violation of the rules for handling personal information entails liability established by the legislation of the Russian Federation. The nature of responsibility is specified in several articles of the Code of Administrative Offenses of the Russian Federation. For example, for the processing of personal data incompatible with the purposes of collection, penalties are fixed in the form of fines from 1,000 to 3,000 rubles for citizens, from 5,000 to 10,000 rubles for officials and from 30,000 to 50,000 rubles for legal entities. And for the disclosure of personal data, in accordance with the law, fines are imposed on guilty citizens in the amount of 500 to 1,000 rubles, and on officials in the amount of 4,000 to 5,000 rubles.

August 25, 2017, 03:56, question No. 1733836 Olga, Moscow

Collapse

Lawyers' answers (2)

Good day! We are an MCC, we are recruiting employees under a service agreement, one of the potential employees says that we are obliged to send her an agreement on non-disclosure of her personal data (since she filled out the candidate form), we, as an MCC within the organization, sign this agreement on non-disclosure of information our borrowers, but they did not previously sign non-disclosure agreements with their employees because By law we are obliged not to transfer them to third parties, should we send her this agreement?

Good afternoon In this case, we are most likely talking about a signature - Consent to the processing of personal data - within the framework of an employment contract. You are hiring an employee - and not a client - these are two different things.

Labor Code of the Russian Federation, Article 86. General requirements for the processing of employee personal data and guarantees of their protection

Guide to HR issues. Questions of application of Art. 86 Labor Code of the Russian Federation

In order to ensure the rights and freedoms of man and citizen, the employer and his representatives, when processing the employee’s personal data, are obliged to comply with the following general requirements:
1) the processing of an employee’s personal data can be carried out solely for the purpose of ensuring compliance with laws and other regulations, assisting employees in employment, education and career advancement, ensuring the personal safety of employees, monitoring the quantity and quality of work performed and ensuring the safety of property;
(as amended by Federal Law dated July 2, 2013 N 185-FZ)

2) when determining the volume and content of the employee’s personal data to be processed, the employer must be guided by the Constitution of the Russian Federation, this Code and other federal laws;
3) all personal data of the employee should be obtained from him. If the employee’s personal data can only be obtained from a third party, then the employee must be notified about this in advance and written consent must be obtained from him. The employer must inform the employee about the purposes, intended sources and methods of obtaining personal data, as well as the nature of the personal data to be obtained and the consequences of the employee’s refusal to give written consent to receive it;
4) the employer does not have the right to receive and process information about the employee that, in accordance with the legislation of the Russian Federation in the field of personal data, belongs to special categories of personal data, except for the cases provided for by this Code and other federal laws;
(Clause 4 as amended by Federal Law dated 05/07/2013 N 99-FZ)

(see text in the previous edition)

5) the employer does not have the right to receive and process the employee’s personal data about his membership in public associations or his trade union activities, except for the cases provided for by this Code or other federal laws;
(as amended by Federal Law No. 90-FZ of June 30, 2006)

(see text in the previous edition)

6) when making decisions affecting the interests of an employee, the employer does not have the right to rely on the employee’s personal data obtained solely as a result of their automated processing or electronic receipt;
7) protection of the employee’s personal data from unlawful use or loss must be ensured by the employer at his expense in the manner established by this Code and other federal laws;
(as amended by Federal Law No. 90-FZ of June 30, 2006)

(see text in the previous edition)

8) employees and their representatives must be familiarized, against signature, with the employer’s documents establishing the procedure for processing personal data of employees, as well as their rights and obligations in this area;
(as amended by Federal Law No. 90-FZ of June 30, 2006)

(see text in the previous edition)

9) employees should not waive their rights to maintain and protect secrets;
10) employers, employees and their representatives must jointly develop measures to protect the personal data of employees.