Regarding the Issue of Personal Data Protection of Employees in Conditions of Digital Transformation

Abstract: The article examines personal data, their list and history of occurrence, practice of application, their extension to labor relations, and guarantees of protection of the employee's personal data. It is noted that the personal data of an employee is a narrower concept than personal data and that, owing to the lack of legal regulation of the protection of employees' personal data during their processing, urgent issues arise that require regulation by special legal norms, taking into account the practice of the ECtHR and European experience. In addition, in the case of exercising the right to work, processing of personal data is carried out in accordance with the Labor Code of Ukraine, in which there are no special regulations regarding the specified mechanism, and other normative legal acts, an employment contract (contract), and not on the basis of a separate consent to the processing of personal data. It was concluded that the employee's personal data require legal regulation from our state, and their processing by the employer requires a clear mechanism and algorithm of actions capable of protecting the employee's rights.


Introduction.
In the world of digital technologies, almost every person has a smartphone that contains a lot of digital information: photos, videos, contacts of other people, personal correspondence in messengers, attached discount cards, bank cards with the possibility of NFC payments, etc. Both the user of the smartphone and the manufacturers of smartphones, their operating systems and applications take care of protecting all of this. Therefore, it is necessary to understand what exactly personal data are, in general and during the performance of work duties, what the mechanism of their protection is, the procedure for their processing by the employer, the issues arising during data processing and the ways of eliminating them.
Analysis of recent researches and publications. In the modern science of labor law, this problem has been studied by many scientists, in particular in the works of M. M. Grekova, V. V. Zhernakov, E. V. Krasnov, K. Yu. Melnyk, S. M. Prilypka, O. M. Yaroshenko and A. M. Chernobay. However, at present, this topic remains relevant and not fully explored.
Formulation of Research Objectives. The purpose of this article is to study the processing of the employee's personal data, the current issues that arise during their processing, the grounds for processing, and the guarantees of protection of the employee's personal data during processing.
Main Content Presentation. Personal data is information or a collection of information about a natural person who is identified or can be specifically identified. The term "personal data" refers only to natural persons 1.
In the explanation of the Ministry of Justice "Some issues of practical application of the Law of Ukraine: On Protection of Personal Data" dated 21.12.2011 2, it is stated that the legislation of Ukraine does not establish and cannot establish a clear list of information about a natural person that is personal data, so that the provisions of the Law can be applied to various situations, including the processing of personal data in information (automated) databases and personal data card files, that can arise in the future in connection with changes in the technological, social, economic and other fields of public life. In other words, the Ministry of Justice, while recognizing that the issue exists, did not answer the question of what information allows a natural person to be identified.
Under these circumstances, the legislator does not define an exhaustive list of information belonging to personal data. However, there is an approximate list of personal data defined by the Constitutional Court of Ukraine in its decision dated 20.01.2012 No. 2-рп/2012, according to which information about a person's personal and family life (personal data) is any information or a set of information about a natural person who is identified or can be specifically identified, namely: nationality, education, marital status, religious beliefs, state of health, financial status, address, date and place of birth, place of residence, etc., data on personal property and non-property relations of this person with other persons, in particular family members, as well as information about events and phenomena that occurred or are occurring in the household, intimate, social, professional, business and other spheres of the person's life, with the exception of data related to the exercise of powers by a person who holds a position related to the implementation of functions of the State or local self-government bodies. Such information about an individual and his family members is confidential and may be shared only with their consent, except in cases specified by law, and only in the interests of national security, economic well-being and human rights.
The list of personal data that is recognized as confidential information is not exhaustive 3.
Personal data are divided according to the criterion of their "sensitivity" into general information (for example, full name, date and place of birth, citizenship, place of residence, etc.) and "sensitive" information (state of health, ethnic origin, religion, identification numbers, fingerprints, audio, video and photo recordings, criminal record, etc.). A higher degree of protection is provided for sensitive personal data. As a rule, it is specifically sensitive personal data that may not be collected, stored, used or transferred without the consent of the data subject 4.

Funding
This research did not receive any specific grant from funding agencies in the public, commercial, or not-for-profit sectors.

Disclaimer
The funder had no role in the study design, data collection and analysis, decision to publish, or preparation of the manuscript.

Contributors
The author contributed solely to the intellectual discussion underlying this paper, case-law exploration, writing and editing, and accepts responsibility for the content and interpretation.

Declaration of Competing Interest
The author declares no conflict of interest.

In accordance with the first and second parts of Article 32 of the Basic Law, no one can be subjected to interference in his personal and family life, except for the cases provided for by the Constitution of Ukraine. It is not allowed to collect, store, use and distribute confidential information about a person without his consent, except in cases specified by law, and only in the interests of national security, economic well-being and human rights 5.
Issues regarding the protection of personal data are present in the everyday life of every person: at work, during interaction with State authorities, local self-government bodies, courts and law enforcement agencies, in health care institutions, when buying goods, receiving services, while traveling and even when using the Internet.
The first law, "On Information Protection", was adopted by the USA back in 1906, and the intensive development of the relevant legislation began only after the advent of computer technology. In Europe, personal data has been protected for about half a century. In Ukraine, it has been protected since January 1, 2011, the day on which the Law "On Personal Data Protection" No. 2297-VI dated June 1, 2010 entered into force. It regulates all legal relations related to the protection and processing of personal data and is aimed at protecting the fundamental rights and freedoms of a person and a citizen, in particular the right to non-interference in personal life, in connection with the processing of personal data.
Until 2014, the controlling body in this area was the State Service for Personal Data Protection. Currently, control over compliance with legislation in the field of personal data protection is entrusted to the Commissioner of the Verkhovna Rada of Ukraine for Human Rights and the courts.
There is generally no legal regulation of the protection of employees' personal data in the labor legislation, although the relevance of this issue is determined by the fact that when being hired for any job, and in the process of work itself, the employee has to provide the employer with his personal data, namely information about the person himself, his education, marital status, work experience, and in some cases income for the past year, etc. However, the draft Labor Code of Ukraine eliminates this gap; in particular, it contains norms that regulate issues related to the protection of employees' personal data, namely: the employer is prohibited from providing third parties with any information about the reasons for dismissal and other information about the employee, except for providing them at the request of the employee and in other cases provided by law; information about the employee's salary is classified as confidential information, which is provided to any bodies or persons only in cases provided for by law, or upon the employee's consent or request; the employer's responsibility for causing moral damage and other personal rights of the employee are determined 6.
A. Chernobay, giving a definition of personal data, noted that the concept of an employee's personal data is much narrower than the concept of a person's personal data, since it does not cover all information (facts, events, circumstances of a person's private life, etc.), but only those circumstances that characterize a natural person as an employee. The employee's personal data should be considered as the information that the employer needs to obtain regarding each employee in connection with the employment relationship 7.

In accordance with Article 24 of the Labor Code of Ukraine, when concluding an employment contract, a citizen should submit a passport or other identity document, an employment book and, in cases provided for by law, a document on education (specialization, qualification), on the state of health, and other documents 8.
Information about employees reflected in personnel documents, including age, date and place of birth, place of residence, registration number of the taxpayer registration card, social status, and benefits in accordance with the law (single mothers, women with children under the age of three, participants in the liquidation of the consequences of the disaster in Chernobyl, minors, pensioners, etc.), is considered personal data of the employee, which in its totality makes up a personal data base or part of it. In addition, the documentation of enterprises, institutions and organizations in electronic form and/or in the form of filing cabinets containing employees' personal data structured in a certain way is also considered a personal data base or part of it.
Under these circumstances, when being hired the employee is obliged to provide the employer with the personal data that directly characterize the person as an employee in the relevant type of activity. After receiving the necessary data from the employee, the employer starts processing them. When the employer processes the personal data of any employee, a number of questions arise that should be investigated.
The legislator defines the processing of personal data as any action or set of actions, such as collection, registration, accumulation, storage, adaptation, change, renewal, use and dissemination (distribution, realization, transfer), depersonalization and destruction of personal data, including with the use of information (automated) systems. The processing of personal data on racial or ethnic origin, political, religious or ideological beliefs, membership in political parties and trade unions, criminal convictions, as well as data related to health, sexual life, biometric or genetic data is prohibited. The provision of the first part of this article does not apply if the processing of personal data is carried out on the condition that the subject of personal data provides unambiguous consent to the processing of such data.
However, the legislator determines that the processing of personal data is carried out, in particular, in the cases provided for by the laws of Ukraine, in the manner determined by legislation.
The grounds for processing personal data in accordance with the requirements of the Law are: the consent of the subject of personal data to the processing of his personal data; permission to process personal data granted to the owner of personal data in accordance with the law exclusively for the exercise of his powers; the conclusion and execution of a transaction to which the subject of personal data is a party or which was concluded for the benefit of the subject of personal data, or the implementation of measures preceding the conclusion of the transaction at the request of the subject of personal data; protection of the vital interests of the subject of personal data; the need to fulfill an obligation of the owner of personal data provided by law; the need to protect the legitimate interests of the owner of personal data or of a third party to whom personal data is transferred, except when the need to protect the fundamental rights and freedoms of the subject of personal data in connection with the processing of his data prevails over such interests.
Although Directive 95/46/EC of the European Parliament and the Council "On the protection of natural persons in the processing of personal data and on the free movement of such data" 9 has lost its validity, some of its provisions are interesting to study. In particular, the document stipulates that member states provide that personal data can be processed only under the condition that: (a) the data subject has unambiguously given his consent; (b) the processing is necessary for the performance of a contract to which the data subject is a party, or for taking measures at the request of the data subject before signing the contract; (c) the processing is necessary to comply with a legal obligation to which the controller is bound; (d) the processing is necessary to protect the vital interests of the data subject; (e) the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official powers vested in the controller or a third party to whom the data is provided; (f) the processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are provided, except when such interests are overridden by the interests of the fundamental rights and freedoms of the data subject requiring protection in accordance with paragraph 1 of Article 1.

Keywords: personal data, classification, protection, processing of employee's personal data, grounds for processing, consent to processing, protection guarantees.
A natural or legal entity that determines the purpose of personal data processing and establishes the composition of this data and the procedures for its processing (unless otherwise determined by law) is considered the owner of personal data in accordance with the requirements of the Law. In other words, in this case, the owner of personal data is the employer, and the employee himself is the subject of personal data.
Employers process the personal data of their employees every day and for various purposes. The data can relate to the payment of wages to employees, vacations, accounting for sick leave, payments in connection with pregnancy and childbirth, evaluation of work results, etc. Any processing of an employee's personal data should be carried out only for a specific purpose.
The modern European approach to the processing of personal data can be outlined in the form of the following principles: 1) legality, fairness and transparency: personal data must be processed legally, fairly and transparently, and any information about the purpose, methods and scope of personal data processing should be presented as accessibly and simply as possible; 2) application restrictions: personal data must be collected and used exclusively for the purpose stated by the enterprise (or online service); 3) data minimization: it is prohibited to collect personal data in a larger volume than is necessary to achieve the purpose of processing; 4) accuracy: personal data that are inaccurate must be deleted or corrected (at the request of the user); 5) storage limitations: personal data should be stored in a form that allows identification of data subjects for no longer than is necessary to achieve the purpose of processing; 6) integrity and confidentiality: while processing the data of employees and customers, the enterprise is obliged to ensure protection of personal data from unauthorized or illegal processing, destruction and damage.
In order to directly implement labor relations, any enterprise, institution or organization collects, accumulates, stores, changes and destroys information about its employees in its card files or specific information programs.
Thus, when hiring or entering into an employment contract (contract), the employer usually receives from the person his/her passport data, the registration number of the taxpayer's registration card, documents on the education acquired, information on the state of health in cases provided for by law, etc. Receipt of this information by the employer is the collection of personal data.
As a rule, information about employees is stored by the employer in personal files and in specially developed personnel information programs; this is the accumulation of a personal data base and its storage.
If an employee changes his name, surname or patronymic, his personal details change as a result; making the corresponding changes to the employee's personal file is therefore a change of personal data.

An employee who is dismissed from the relevant job has the right to apply to the relevant personnel officer or department with a demand to destroy all his personal data after his dismissal.
The legislator separately singles out the manager of personal data: a natural or legal person who is granted the right to process this data on behalf of the owner, by the owner or by law. The manager can process personal data only for the purpose and to the extent specified in the contract with the owner. There are not always managers at the enterprise. These include a personnel consultant, the company's personnel department, personnel service specialists, a consulting firm, etc.
While working with the above information, it is important to observe the main principles of personal data protection: the employer and personnel service specialists are responsible for the preservation of personal information and the media on which it is stored; a clear permission-delimitation system of access to personal data should be organized for managers (of all levels) and other employees; regular control of electronic and paper documents, databases and files in the personnel service and in the relevant structural subdivisions of the enterprise should be carried out.
However, a number of issues arise directly during the processing of employees' personal data and in guaranteeing their protection. First of all, it is worth noting the lack of a clear understanding of the components of personal data and the types of information about a person that the law refers to as personal data: the legislation of Ukraine has not established and cannot establish a clear list of information about a natural person that is personal data, so that the provisions of the Law of Ukraine: On Protection of Personal Data can be applied to various situations, including the processing of personal data in information databases and personal data files, that can arise in the future in connection with changes in the economic, social and other spheres of public life 10. In addition, there is currently no proper regulatory and legal regulation of the procedure and mechanisms for conducting inspections of the premises of enterprises where personal data are processed; currently, representatives of the authorized body have the right to freely enter any premises where personal data are processed (that is, practically every office and enterprise), which is tantamount to the right to conduct a search, which until now was available only to law enforcement agencies. The enterprise should define the circle of employees who work with personal data (accounting, HR department, director, his deputies, legal counsel, system administrator, etc.) and who sign non-disclosure obligations. Another problematic point that requires a reliable system of protection of personal data in the process of their processing is the placement of this data on the Internet. Because personal data is or can be the object of use in an automated processing system, people leave a large amount of their data there when they use the Internet. And, most importantly, the use of the data is not limited or regulated by anything, that is, in fact, such data remains unprotected. Such databases are constantly being improved and unified, and are more and more relevant to a person's private life 11. In addition, there are no special regulations in Ukraine that would regulate the employee's personal data, their processing, protection guarantees, etc., and that would take into account the practice of the ECtHR, European experience and approaches, and be close to European legislation. In order to protect his personal data from illegal encroachments, a person can use any means not prohibited by law. In particular, in case of illegal processing of personal data and interference in a person's personal life, the subject of personal data has the right to contact the owner and/or manager of personal data with a reasoned demand to: prohibit such processing; make changes to his personal data (in case of their inaccuracy); remove (destroy) them. At the same time, employers themselves must take measures to increase the security of employees' personal data 12. However, if the personal data of a person stored in automated processing systems, for example, got onto the Internet and spread further over the network, or if it was located on a server that was actually located in another country and was subject to the legislation of another country, which is significantly different from ours, there are no effective mechanisms to guarantee their protection, which is an urgent issue at this time all over the world.
Currently, in Ukraine, the employer is not obliged to obtain consent from its employees for the processing of their personal data, provided that the employee's personal data (for example, the name, patronymic and surname of the employee, information about education, marital status) is used by the employer for the exercise of the rights and obligations of the owner in the field of labor relations in accordance with the law, with the provision of appropriate protection. However, written consent is required for the processing of the employee's data on racial or ethnic origin, political, religious or ideological beliefs, membership in political parties and trade unions, criminal convictions, as well as data relating to health, sexual life, biometric or genetic data. However, if the enterprise processes data from this list, it should notify the Human Rights Commissioner 13.
In other words, in the case of exercising the right to work, processing of personal data is carried out in accordance with the Labor Code of Ukraine, in which there are no special regulations regarding the specified mechanism, and other normative legal acts, an employment contract (contract), and not on the basis of a separate consent to the processing of personal data.
Conclusions. Taking into account the above, it should be noted that the protection of the personal data of an employee in Ukraine is currently not regulated by special laws. Therefore, upon hiring, the employer processes it in accordance with the requirements of the Law of Ukraine: On the Protection of Personal Data, which is general for all persons in various spheres of our life; that is, in this case there is no effective system of guarantees for the protection of the employee's personal data. This is especially relevant in the conditions of martial law, for example, when automated systems with personal data of employees were transferred and copied to computer servers located outside of Ukraine, or when, in the case of the occupation of a certain part of our territory, the personal data of employees were also at risk, which is a violation of the employee's labor guarantees. Therefore, we propose to improve the national legislation regarding the employee's personal data; their processing by the employer requires a clear mechanism and algorithm of actions that are able to protect the employee's rights even in conditions of war or a state of emergency.