What documents are needed for personal data storage?

The task was to implement an ERP. Customers' personal data will be entered into it. How should their storage and protection be organized? What documents are needed for implementation?
April 7th 20 at 15:45
2 answers
April 7th 20 at 15:47
Well, for starters, let's see what data you will collect.
For example, name + phone number.
The name is what we need to protect.
However, if the data are processed for the purpose of performing the Contract, a separate agreement, for example, is not necessary.
So first define what data you will handle and how, put all of this right in the Contract (in fact, it is likely already there), and add to the Agreement something like "informing about new products and services", which will give you the right to call from time to time.
In general, that's all.

But that is the case if you are starting the business from zero. If you previously conducted business in a Google Doc (suspended) and have now decided to implement an ERP, reread the documentation you already have. You probably do not need anything at all (there is almost always a common phrase about automated ways of processing and storage), or you just enter the name of your ERP next to it (in most cases it is not necessary to certify that).

The MOST IMPORTANT thing: do something, even superficially, rather than ignore it. In this scenario, in case of an audit there will be a requirement to fix things, but not a suspension.
The personal and passport details of the customer are entered, as well as the passport details of a person entrusted by them. Everything is stored in a database on a server in Russia. This data is used to create a contract and to create payment orders. The system's functionality is already written and currently uses an HTTPS connection (though during development, with a free certificate). Access to the system is by a login:password pair. Access to the server is available from only 1 IP, with additional authorization over the phone. - Destinee_Kassulke70 commented on April 7th 20 at 15:50
April 7th 20 at 15:49
Personal data processing — any action (operation) or set of actions (operations) committed with use of means of automation or without use of such means with personal data including collection, recording, systematization, accumulation, storage, clarification (update, change), extraction, use, transfer (distribution, granting, access), depersonalization, blocking, deletion, destruction of data (article 3 of the Law on personal data).

The personal data protection act obliges the employer to comply with certain requirements for the processing of these data. For example, the processing of personal data is carried out only with the consent of the employee (paragraph 1, article 6, article 9 of the Law on personal data). To avoid litigation it is better if the agreement is in writing. The same rule applies to job seekers.

In some cases, the written form of consent is expressly provided for by law (part 4 of article 9 of the Law on personal data). For example, written consent of the employee to the processing of personal data is required:

1) when receiving personal data of the employee from a third party (paragraph 3 of article 86 of the labour code). But in this case, the employee must first be notified and his written consent obtained (clause 3 of article 86 of the labour code).

The notice must specify (clause 3 of article 86 of the labour code):

  • the purpose of obtaining the personal data of the employee from a third party;
  • expected sources of information (persons from whom data will be requested);
  • methods of obtaining data, their nature;
  • the possible consequences of the employer in obtaining the personal data of the employee from a third party.

In the event of the employee's failure to familiarize himself with the notification of the expected receipt of personal data from another person, it is advisable to draw up an appropriate act.
