1) What laws in Russia regulate the protection of employee personal data, and how do they compare to international standards?
In the Russian Federation, the issues of processing and protection of personal data of employees are regulated, in particular, by:
1. The Labor Code of the Russian Federation (hereinafter referred to as the "Labor Code of the Russian Federation").
2. Federal Law No. 152-FZ dated 07/27/2006 "On Personal Data" (hereinafter referred to as "Law No. 152-FZ").
3. Order No. 178 dated 10/27/2022 of Roskomnadzor "On approval of Requirements for the assessment of harm that may be caused to personal data subjects in case of violation of the Federal Law 'On Personal Data'".
Law No. 152-FZ establishes requirements for the processing and protection of personal data similar to the requirements of the Council of Europe Convention No. 108 on the Protection of Individuals with Automated Processing of Personal Data, and also contains additional definitions and requirements.
2) What types of employee personal data are typically protected under labor laws?
Law No. 152-FZ defines personal data as any information relating directly or indirectly to a specific or identifiable individual (subject of personal data). Employers, as a rule, process the following personal data of employees and are obliged to comply with the requirements established by the relevant laws:
3) How to ensure compliance with personal data protection legislation when transferring employee personal data to third parties (e.g., contractors, partners)?
An employer must obtain written consent from an employee for the transfer of his or her personal data to a third party. If the employee has not given consent, the transfer of his or her personal data to a third party is impossible. There are exceptions, however: transfer of data to the PFR, FSS, tax authorities, at the motivated request of the prosecutor's office and internal affairs, at the request of the court, etc. There is no need to obtain the employee's consent in cases related to the performance of his or her official duties, including when sending an employee on a business trip, as well as when it is necessary in order to prevent a threat to the employee's life and health.
Before transferring personal data, the employer is obliged to warn the third party that the data may be used only for the purposes for which they were communicated, and to obtain confirmation that the third party will comply with this requirement (paragraph 4, part 1 of Article 88 of the Labor Code of the Russian Federation). As a rule, this obligation is fulfilled by signing an agreement on the processing of personal data or by including the respective provisions in a contract with the third party.
4) In what form is consent obtained for the processing of employees' personal data?
Since, in the event of a dispute, the employer must prove that the employee has consented to the processing of his or her personal data, consent is usually obtained in writing, and such consent must comply with the requirements of Article 9 of Law No. 152-FZ. It is mandatory to obtain the employee's consent to the processing of his or her personal data in writing: if the employee's personal data is obtained from a third party; when transferring the employee's personal data to third parties, except in cases where it is necessary to prevent threats to the life and health of the employee, as well as in other cases provided for by federal laws; for processing special categories of personal data of an employee directly related to issues of labor relations – information about race, nationality, political views, religious and philosophical beliefs, health status, intimate life. In addition, it is required to issue a separate consent to the processing of personal data allowed for distribution (in particular, for the publication of personal data on a website).
5) What personal data of employees may not be requested and processed by the employer?
According to Article 86 of the Labor Code of the Russian Federation, an employer does not have the right to receive and process information about an employee related to special categories of personal data in accordance with the legislation of the Russian Federation in the domain of personal data, as well as an employee's personal data about his or her membership in public associations or trade union activities, except in cases provided for by the Labor Code of the Russian Federation or other federal laws.
6) What are the consequences of violating employee data protection laws?
In case of violation of the requirements for the processing of personal data of employees, the following consequences are possible, in particular:
Authors: Yana Dianova, Vladislava Novokreshchenova