Data protection

i Requirements for registration

As a general rule, before processing personal data, an operator is obliged to notify the Federal Service for Supervision in the Sphere of Communication, Information Technologies and Mass Communications of its intention to process personal data. The notification should contain information required by the respective laws in Russia.

The operator is defined as a legal entity, individual, state authority or municipal authority that individually or collectively organises or carries out the processing of personal data, and determines the purpose and content of processing that personal data or the operations to be performed with that data.

Employers have the right to process the personal data of their employees without notifying the above-mentioned authorised state body. However, if the purposes of personal data processing fall beyond the scope of labour law and employment relations, the employer is obliged to notify authorised state authorities of its intention to carry out the processing of employees' personal data.

As a general rule, consent is required for the processing of employee personal data. If personal data can only be obtained from a third party, the employer is obliged to notify the employee in advance and obtain his or her written consent. The employer shall inform the employee of the purposes, probable sources and methods of obtaining the personal data, as well as of the nature of the personal data to be obtained and the consequences of an employee's refusal to provide written consent for the use of the data.

The general rule is that a subject of personal data shall make a decision to supply his or her personal data and give his or her consent to the data being processed of his or her own free will and in his or her own interest. As mentioned above, the employer is entitled to request personal data that is necessary for performance of the labour agreement with the employee. The consent of the employee will be required if the employer intends to transfer the personal data of its employee to third parties. Consent may be withdrawn by the personal data subject at any time.

To ensure the rights and liberties of the employee, the employer and its representatives must permit only specially authorised persons to access employees' personal data. Moreover, these persons shall be permitted to obtain only the employee personal data that is necessary to fulfil particular functions. Employers shall adopt an internal policy covering the procedure for processing the personal data of employees. Such a policy shall be adopted in Russian (or in a bilingual form) by order of the CEO of the legal entity (or other authorised person), and all employees shall acknowledge with their signatures that they have familiarised themselves with it.

When processing personal data, the company is obliged to take the required organisational and technical measures, including the use of encryption tools (where applicable), to protect personal data against any illegal or accidental access, destruction, alteration, blocking, copying and dissemination, and other illegal actions.

The Federal Law of 21 July 2014 introducing amendments to the Federal Law on Personal Data sets out the obligation on operators of personal data to ensure that certain types of processing of personal data belonging to Russian nationals are carried out with the use of databases located in the territory of Russia at the moment of collection of personal data of Russian nationals, including collection via the internet. This localisation requirement entered into force on 1 September 2015.

The localisation requirement does not mean that all possible types of processing must take place in Russia. Only the following types of processing must be performed with the use of databases located in Russia: collection, recording, systematisation, accumulation, storage, adaptation or alteration, retrieval and extraction (the 'target types of processing').

The localisation requirement does not prevent companies from transferring data abroad. However, in the context of localisation requirements, certain specifics must be taken into account. Namely, personal data shall be initially placed in a 'primary database', which shall be located and maintained (to the extent that maintenance involves the target types of processing) in Russia. Personal data contained in a primary database may be transferred abroad and be placed in other databases ('secondary databases') if the rules on cross-border data transfer are complied with.

In addition to the above, on 1 September 2015 a new enforcement mechanism in the sphere of personal data came into effect. It implies inclusion of information resources (domain names, references to web pages on the internet, website addresses), where the data is processed in violation of rights of personal data subjects, into the special registry of violators of data subject rights (the Registry). Under this mechanism, the Federal Service for Supervision in the Sphere of Communication, Information Technologies and Mass Communications is granted the power to restrict access to such information resources for users from Russia. The Federal Service for Supervision in the Sphere of Communication, Information Technologies and Mass Communications can apply such restrictions on the grounds of a court's decision.

ii Cross-border data transfers

Russian law does not require registration for the purposes of the cross-border transfer of personal data.

The general rule is that for the cross-border transfer of personal data, the employer should ensure that the receiving states are parties to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data or are deemed by the Federal Service for Supervision in the Sphere of Communication, Information Technologies and Mass Communications to be states providing adequate protection of the rights of the subjects of the personal data despite not being parties to the aforementioned Convention (such states are listed in the respective order issued by the Federal Service for Supervision in the Sphere of Communication, Information Technologies and Mass Communications). If the employer performs a cross-border transfer of personal data to states that do not ensure adequate protection of the rights of the subject of the personal data, the Russian company must obtain written consent from the subject of the personal data (i.e., the employee).

Taking into account that employers are obliged to gain the consent of their employees when intending to transfer their personal data to third parties (regardless of the location of the receiving third party) and to avoid any possible claims from the employees regarding the processing of personal data by the company without consent, it is recommended in all cases of cross-border transfer that the employer obtains the written consent of the subject of the personal data, stating the scope of the personal data to be transferred cross-border, the purpose of the processing and the recipients of personal data. Employers should require the recipients of personal data to treat the data as confidential information. If the transfer is made on the basis of an agreement, the agreement should provide for an obligation of the recipient to treat the personal data as confidential.

Additional transfers of the personal data are allowed if the employee's consent covers such transfers.

iii Sensitive data

Information relating to an employee concerning race or ethnic origin, political views, religious or philosophical convictions, state of health or private life is considered sensitive data.

As a general rule, the employer may not request and process sensitive data. In cases directly associated with the issues of labour relations, the employer may obtain and process information on the private life of the employee only with his or her personal consent.

For a cross-border transfer of sensitive data the Russian company must obtain the written consent of the employee.

iv Background checks

Russian law limits the amount and type of data that can be obtained on a candidate or an employee. The main principle is that the volume and character of personal data to be obtained on a candidate should be justified by a lawful reason. The Labour Code gives a full list of such reasons:

  1. to observe laws and regulations, for example if a certain check is prescribed by law the employer can demand this information, or if a certain job is prohibited to a specific category (e.g., employees under 18), the employer can also request personal data;
  2. to assist in employment, training and promotion (this may imply any information that is reasonably and lawfully required to efficiently hire, train and promote);
  3. to ensure the personal safety of employees (this may appear to allow a rather broad interpretation, but the general principle of non-excessiveness is to be observed);
  4. to control performance (quality and volume of work done); and
  5. to ensure the safety of assets (the general principle of non-excessiveness is to be observed).

As mentioned above, Russian law gives a full list of documents the candidate must present, and prohibits the employer from requiring extra certifications. Thus, bank statements, credit repayment records, etc., cannot be demanded from the candidate. Moreover, even if the candidate voluntarily agrees to provide them, such requests can be interpreted as an invasion of privacy and discrimination on grounds of property. Additional documents can be required only if this is explicitly provided for in the legislation (e.g., public servants should present information on their income, property and material liabilities).

Criminal record checks may be required for certain jobs. For example, applicants for teaching positions may be subject to these checks as educational work is prohibited to those with a criminal record. In other instances, enquiring about an applicant's criminal background can be considered excessive. However, there is no relevant court practice so far.

There is a statutory minimum of information an employer is entitled to learn about a potential employee. Demanding further information or documents is illegal, and requesting them might be risky, as it may imply that the candidate was not hired for a protected reason or that an invasion of privacy took place.

An employer should also avoid receiving any information about, for instance, an applicant's or employee's political, religious or other views, or membership of social organisations.

Obtaining information about an applicant's or employee's private life is permitted only to the extent it is relevant to the job. For example, obtaining information about dependants is relevant to determining whether an applicant or employee is entitled to certain guarantees.