It has been proved that the protection of the employee's personal data is an element of labour relations and that, in order to ensure a uniform legal regime, the protection of the employee's personal data should be considered an independent institution of labour law. After all, social relations related to the protection of an employee's personal data are a separate type of legal relations in the field of labour, which can precede labour relations (providing information during employment with a certain employer), accompany them (for example, making a decision on the promotion of an employee), or arise from them (for example, the disclosure of commercial secrets), and whose specifics are related to the key subjects of labour law – employees and employers.
The author has defined the personal data of an employee as information related to general data about the identity of the employee and/or a candidate for the position, the professional qualifications and the business and professional qualities of the employee/candidate for the position, as well as information about special requirements that legislation may establish for employees/candidates for the position in connection with the nature of their work (for example, filling out the income declaration, passing a special check, etc.). That is, the employee's personal data should ensure his/her identification not only, and not so much, as a person, but primarily as an employee. This means that the personal data of the employee and applicant for the position is, first of all, information related to professional qualifications, business and professional qualities, and the compliance of the employee and applicant for the position with the requirements that may be imposed on him/her in connection with the nature of the work.
In terms of its collection, processing and legal regime of use, the employee's personal data should be classified into the following groups:
a) general “questionnaire” personal data (information about the surname, first name, patronymic, date and place of birth, passport data, information about educational professional skills, information about the “history” of labour activity, etc.);
b) special personal data: race, nationality, political views, religious or philosophical beliefs, state of health, private life. The collection and processing of this personal data must be prohibited for the employer;
c) personal data with limited access, which should include information about adoption, criminal record, participation in criminal proceedings as a suspect, financial assistance or services provided or received, income declaration, results of a special check, etc.;
d) biometric personal data – information about a person's physiological and biological characteristics that makes it possible to establish his/her identity. This data is “sensitive data” and has a special legal protection regime. Its processing by the employer requires special approval by the Commissioner of the VRU.
The thesis substantiates that the specificity of the protection of personal data of persons who carry out their professional activities on the basis of an employment contract is manifested, first of all, in the fact that the basic requirements for the processing of an employee's personal data are established by legislation, while the procedure for carrying out individual operations with the employee's personal data (collection, storage, use, distribution) can be detailed in local legal acts. The obligation not to disclose personal data may also be provided by laws and by-laws for certain categories of persons, for example, for civil servants.
Four consecutive actions for the implementation of the mechanism for the protection of the employee's personal data are identified:
a) determine the technical and organizational measures that must be taken;
b) appoint a person responsible for the processing and protection of personal data. If the employer is a government body, local government or enterprise that processes sensitive personal data, a responsible person is to be appointed; in other cases, the appointment is made according to the decision of the head of the enterprise;
c) develop Regulations on the procedure for processing and protecting personal data (Appendix A);
d) obtain an obligation not to disclose personal data from employees who come into contact with personal data of other persons during work, and register the obligations received in the Journal of registration of obligations about non-disclosure of personal data.