1. How is the protection of employees' personal data regulated?

Chapter 14 of the Labor Code and Federal Law No. 152-FZ "On Personal Data", dated July 27, 2006 (as amended) (the Personal Data Law) deal with the protection of employees' personal data. Personal data constitutes any information directly or indirectly relating to the identified or identifiable individual.

The authority responsible for overseeing legitimate data processing, accepting notifications, performing registration and maintaining the register of data operators, carrying out inspections and enforcement is the Federal Service for Supervision of Communications, Information Technologies and Mass Media (Roskomnadzor).

2. What is the "processing of personal data"?

Personal data processing means any action or combination of actions performed with regard to/with any personal data, including collection, recording, systematization, accumulation, storage, adjustment (updating, amending), extraction, use, transfer (distributing, providing or authorizing access to), depersonalization, blockage, deletion and destruction of any personal data.

3. What are the main employer obligations in relation to processing employees' personal data?

Generally, all employers must:

  • Obtain their employees' consent to the processing and transfer of their personal data.
  • Ensure that certain types of operations (e.g. collecting, storing, updating) involving the personal data of Russian citizens are performed with the use of databases located on Russia-based servers (for more details, see items 4 and 5 below).
  • Submit a notification on processing of personal data and location of servers to Roskomnadzor.
  • Take technical, organizational and other measures for protection of personal data contained in informational systems (e.g. restricting access to personal data).

4. Do employees' consents to process/transfer their personal data have to be in writing?

The Labor Code and the Personal Data Law do not provide any specific requirements to the form of this consent.

However, there is an exhaustive list of situations that require employees' written consent:

  • Processing of biometric data.
  • A cross-border transfer of personal data to jurisdictions that do not provide an adequate level of protection for personal data (for more details, see item 7 below).
  • The processing of data in relation to an individual's race, nationality, political, religious and philosophical views, health or private life.
  • Transfer of an employee's personal data to a third party by the employer.

5. What is required by the Data Localization Law?

As of September 1, 2015, while collecting personal data (including through the internet or telecommunications networks) a data operator is obliged to ensure that recording, systematizing, accumulating, storage, adjustment (updating, amending) and extraction of personal data of Russian citizens is performed with the use of databases located within the territory of Russia.

6. Is cross-border transfer of employees' personal data still allowed?

Yes. Prior to the cross-border transfer of personal data, a data operator must ensure that the foreign country to which the personal data is to be transferred provides "adequate protection" of the individual's personal data.

7. What is considered an "adequate level of protection" of personal data?

An "adequate level of personal data protection" is considered to exist if the foreign state (to which the personal data is to be transferred):

  • Is a signatory to the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data, dated January 28, 1981 (e.g. Germany, the UK, Ireland).
  • Is included in the "List of Foreign States which are non-parties to the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data that Provide Adequate Protection of Personal Data Subject's Rights" (the "List") maintained by Roskomnadzor. The List includes, among others, Australia, Argentina, Canada, and Israel. Note that the USA is not included in the List.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.