People often give official consent to the use of personal data: when applying for a job, concluding contracts in banks, mobile phone stores, when registering on social networks, on Internet portals, etc. But then they may change their mind or simply stop working in specific organization, and then they may want to revoke permission to process personal data. How to be in this case? When will the review not be satisfied? Read the article.
The procedure for revocation is determined by paragraph 2 of Art. 9 Federal Law dated July 27, 2006 No. 152-FZ. For example, this may be justified if the employee has facts that his information is being used for other purposes, is being disclosed to third parties, or the employer does not comply with the confidentiality regime. An employee can also revoke permission to process personal data upon dismissal. To do this, the owner of personal data needs to write a statement to the operator to whom he gave consent to store and use it (for example, an employer).
Sample withdrawal of consent to the processing of personal data
After accepting such a statement, the operator is obliged to stop working with confidential information and destroy personal data if their preservation is no longer required for the purposes of their processing. This procedure is carried out within 30 days after you receive a request to prohibit the use of information.
When is data revocation required?
As a rule, the need to revoke consent to the use of personal information arises when it comes to transferring it to third parties. For example, an employee, for some reason, no longer wants information about him to be posted on the company website or used in advertising materials. In another case, an applicant for a vacant position may change his mind about participating in the competition and prohibit the transfer of data to the security service. Often, a client of an organization wants to unsubscribe from receiving SMS or email messages. The most pressing situation is providing collectors with personal information about the bank borrower. One of the ways you can try to protect yourself is to revoke permission to process personal data.
What is included in personal data
This includes not only data from documents, but also any information about a person:
- FULL NAME.;
- passport details;
- place and date of birth;
- nationality;
- location;
- any contacts: phone number, email, social networks;
- SNILS and INN numbers;
- education;
- profession, place of work, salary;
- description of appearance (weight, hair color, DNA).
This also includes specific information that characterizes a person: habits and hobbies, belief in God, philosophical beliefs.
What the law says
The possibility and procedure for revoking consent to the processing of personal data are described in the Federal Law of July 27, 2006 No. 152-FZ “On Personal Data”. Let's look at the consequences of withdrawing consent to the processing of personal data.
After receiving an application to prohibit the use of personal information, the operator is obliged to stop working with the data and, if possible, ensure its destruction. The period within which the operator must fulfill this obligation, in accordance with clause 5 of Art. 21 of Law No. 152-FZ, does not exceed thirty days. But Federal Law imposes certain restrictions on the revocation of permission to process information. For example, the operator, despite receiving the revocation of permission, processes and transmits data if this is necessary for the administration of justice (Clause 2, Part 2, Article 11 152-FZ) or protecting the life (health) of the subject (Clause 6, Part 2, Art. 152-FZ) 11 152-FZ). In addition, work with information continues regardless of the cancellation of permission to ensure pension payments, payment of taxes, compulsory medical and social insurance.
When consent cannot be withdrawn
The law also establishes cases when data continues to be used despite the statement:
- the data of a person participating in the trial is processed;
- use is necessary to pay a person pensions, social benefits, provide him with social or medical services;
- for the conclusion or execution of an agreement, the beneficiary of which is the owner of the personal data;
- processing is necessary to preserve the life or health of their owner.
How to write an application for revocation of personal data
In order to revoke permission to use personal data, it is enough to send a corresponding application to the operator - this is the only way to revoke personal data provided by law. The application is written in free form; it is recommended to indicate the following points:
- full name of the organization;
- legal address, as well as the actual address of the branch, if we are talking about a bank;
- applicant details: full name, passport details, registration address;
- reference to legislative acts.
It is best to submit the application in person, in two copies. One copy, with a mark on registration of incoming documentation, remains in the hands of the applicant. If the application is sent to the bank, a photocopy of your passport and loan agreement should be attached to it.
Sample withdrawal of consent to the processing of personal data from an employer in 2021.
What documents need to be attached?
The main list of documents looks like this:
- Application written according to the sample
- Copy of the loan agreement
- Copy of significant pages of the passport
If for some reason you don’t have a loan agreement, it’s not a big deal. You can only attach a copy of your passport.
In principle, you can do without it, but your passport information will help bank employees quickly find you among numerous clients and make changes to your business.
Without a copy of the passport, they will look for a much longer case, although ideally the bank should stop processing the data within 3 days after submitting the application.
How to organize the destruction of personal data
After the operator receives a withdrawal of consent to processing from the owner, he has a certain time to organize and destroy information about their owner. Destruction of personal data is such actions of the operator as a result of which the material media with this information are either completely destroyed (paper) or, if the information is stored on machines, they are erased so that it is impossible to restore the source (see subparagraphs 3, 8 of Article 3 of the Federal Law dated 07.27.2006 N 152-FZ).
Destruction period
Time to perform | Grounds for liquidation | Link to the norm of the Federal Law of July 27, 2006 No. 152-FZ |
7 working days | When the PD subject or his representative provides information confirming that the data was illegally obtained or is not necessary for the stated purpose of processing | Part 1 Article 14, Part 3 Article 20 |
10 working days | When identifying illegal processing of personal data, if it is impossible to ensure its legality | part 3 of article 21 |
30 working days | Upon achievement of the purpose of PD processing | part 4 of article 21 |
30 working days | When the PD subject withdraws consent, if their preservation is no longer required for processing purposes | part 5 of article 21 |
Nuances
If it is not possible to destroy personal data within the period specified in the table above, the operator is obliged to block this information and destroy it within a period not exceeding 6 months, unless a different period is established by another law (see Part 6, Article 21 of the Federal Law of July 27, 2006 No. 152-FZ).
Latest Initiatives
On August 1, 2021, the Ministry of Telecom and Mass Communications prepared draft amendments to Federal Law No. 152-FZ dated July 27, 2006. The innovations concern the procedure for clarifying the requirements for the destruction of personal data. Thus, Article 21 of the Federal Law of July 27, 2006 N 152-FZ establishes the operator’s obligation to eliminate violations of the law committed during the processing of personal data, including the destruction of personal data. However, this norm does not contain requirements for the destruction of the data itself.
In order to eliminate this conflict, the Ministry of Telecom and Mass Communications proposed adding Part 7 to Article 21 with the following content:
“The destruction of personal data in the cases provided for in this article is carried out in accordance with the requirements established by the authorized body for the protection of the rights of personal data subjects.”
According to officials, the change is aimed at eliminating conflicts regarding the destruction of personal data, and at eliminating the possibility of a diverse interpretation of the understanding of actions confirming on the part of the operator the fact of destruction of personal data.
Nuances of revoking consent to processing
In judicial and law enforcement practice, the following nuances related to the withdrawal of consent to PD processing have been identified:
- In case of disputes regarding the transfer of personal data to collectors, it is necessary to prove, in particular, whether the data was transferred after the withdrawal of consent and whether collection activities are carried out in violation of the rights of a citizen. If evidence of this is not presented, then the citizen’s position on violations related to the processing of his data after the withdrawal of consent is not subject to judicial protection (appeal ruling of the Sverdlovsk Regional Court dated June 29, 2017 in case No. 33-10537/2017).
- The transfer of information about a citizen by the bank to third parties after their withdrawal of consent to process personal data does not contradict the law and is not the basis for compensation for moral damage (appeal ruling of the Sverdlovsk Regional Court dated October 5, 2016 in case No. 33-17390/2016).
- In addition to the deposit ticket, it is not necessary to obtain consent to process personal data (letter from the Ministry of Telecom and Mass Communications of Russia “On clarification...” dated March 24, 2016 No. P11-1-5405).
- Sending out advertising after revocation of consent to PD processing is illegal (appeal ruling of the Novosibirsk Regional Court dated September 27, 2016 No. 33-9626/2016).
Who fills it out?
The revocation of permission to work with personal information is made by the PD subject himself , the person who previously gave permission to the operator company. The document can be signed by the legal representatives of a citizen if he is declared incompetent, and by the parents of a minor child. In other cases, the signature of the owner of the confidential information is required.
Consequences of failure
Any actions entail some consequences. Reviewing personal information always has positive aspects .
In this case, when withdrawing information, a person can be calm that his personal data will not be used by third parties in fraudulent activities. The consequences also include the fact that if previously bank employees called the client, for example, to remind them of a debt or, on the contrary, to offer some new service, now they will not be able to do this.
Will the information disappear completely?
If the client is simply tired of advertising mailings and endless calls offering to take out a loan, this will work. Some banks really abuse spam, sending personal offers via SMS literally every day. It gets on your nerves. This type of mailing and calling must stop.
But the law indicates that information from the database does not completely disappear. There are reasons to continue storing, collecting and disseminating data:
- if the contractual relationship with the creditor has not been terminated. For example, there is a valid loan, credit or debit card, deposit, etc.;
- if the person is a participant in legal proceedings;
- processing is necessary to protect the life and health of a citizen;
- information may be required for the provision of medical services, diagnosis, identification;
- information will be required in case of compliance with security, counter-terrorism, criminal and executive laws.
A detailed description of all points is in Article 10 of Part 2 of Federal Law-152. If information is suddenly needed for these purposes, it will be provided by the financial organization to the department that requested it. That is, the data does not disappear without a trace.
Theory
To make it clear to everyone, personal data is any information relating to a directly or indirectly identified or identifiable individual, namely the subject of personal data. That is, your full name, phone number, weight, height, place of work, address of residence or registration - all this can be classified as personal data.
Processing of personal data means any action or set of actions performed using automation tools or without the use of such means with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, changing), extraction, use, transfer ( distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data.
An operator within the framework of the Federal Law “On Personal Data” is a state body, municipal body, legal entity or individual that independently or jointly with other persons organizes and (or) carries out the processing of personal data, as well as determining the purposes of processing personal data, the composition of personal data, subject to processing, actions (operations) performed with personal data.
For example, if you consent to the processing of personal data before dental treatment in a private clinic, this private clinic will be the operator. And if you decide to withdraw your personal data, then the application must be submitted to this private clinic. I think everyone understands.
Will a review help me get rid of debt collectors?
Some debtors who are in arrears want to write a review of personal data in order to stop the actions of collectors and collection services. They want to withdraw personal data from the bank and stop the onslaught. But it's not that simple.
Since the loan agreement is valid, revocation of personal data will be impossible by law. In this case, you need to act a little differently - you need to draw up a refusal to interact with collectors. This can be done 4 months after the delay is recorded. After writing to the bank, collectors will not be authorized to communicate with the debtor. Detailed information in the material - how to sew collectors.
A source of information:
- Consultant.ru: Federal Law 152 On personal data.
about the author
Irina Rusanova - higher education at the International East European University in the direction of "Banking". Graduated with honors from the Russian Economic Institute named after G.V. Plekhanov with a major in Finance and Credit. Ten years of experience in leading Russian banks: Alfa-Bank, Renaissance Credit, Home Credit Bank, Delta Credit, ATB, Svyaznoy (closed). He is an analyst and expert of the Brobank service on banking and financial stability. [email protected]
Is this article useful? Not really
Help us find out how much this article helped you. If something is missing or the information is not accurate, please report it below in the comments or write to us by email
Consent can be revoked from any data controllers
Let us recall that on December 30, 2021, Russian President Vladimir Putin signed a law prohibiting the use of publicly available personal data without the consent of its owner, as well as granting the right to demand that the operator delete it. The changes boil down to one important point - the concept of publicly available personal data will no longer exist. That is, now the consent of the subject of personal data is the “exclusive legal basis” for the processing of information made publicly available.
According to the new law, any citizen can contact any personal data operator with a request to remove his personal data from public access without proving the fact of unlawful processing. Moreover, the law will allow verification of the subject of personal data without additional identification procedures. The law also excludes possible cases of the operator collecting redundant personal data.
According to RIA Novosti, the law introduces a new procedure for deleting data at the request of a citizen - now the personal data operator must delete the specified information within three working days without requiring evidence from the user. The collection of evidence is transferred to the operator himself. If an online resource does not comply with a citizen’s request, it will be fined.
The adoption of the document may lead to other legislative changes, for example, an increase in fines for violations in working with personal data, as well as an extension of the statute of limitations for relevant offenses. TASS wrote about this, citing the words of the initiator of the bill, Anton Gorelkin .
Personal information that will be deleted
The bank will only destroy information that was directly provided to it by the client. When applying for a loan, personal information mainly contains :
- Full name of the applicant;
- identity document details;
- age and gender;
- salary information;
- position held;
- contact numbers of the applicant;
- contact details of relatives and friends;
- information about marital status and number of children;
- job information, including address and telephone number;
- personal data of the spouses, namely full name, telephone number, place of work and position held;
- borrower's education;
- availability of real estate, car, land;
- availability of additional income;
- availability of bank cards from other banks;
- information about existing loans;
- and other information (depending on the credit institution).
All this data will be deleted from the credit institution’s general database 3 days after receiving the relevant application.
To summarize, we can say that revoking your personal data is quite simple . You must complete an application and submit it to the bank. Any person will be much calmer if his personal information is not possessed by various organizations without good reason.