Personal Data Under Russian Employment Law: Some Aspects
Pursuant to the effective labor legislation, personal data shall be deemed to be information required by the employer to provide for fulfillment by employees of their labor functions and relating to a specific employee. The general rule is that personal data may include, inter alia, the employee's work record book, orders pertaining to the employee, employment contracts, and all information to be generated and stored in the employee's personal file in the company's HR Department.
Processing of personal data, which means, inter alia, its collection, storage, transfer, use, etc., may generally be carried out with the person's consent. For example, the Russian Labor Code strictly stipulates that personal data may be transferred only within one company. If personal data is transferred between companies of one group, the prior written consent of the employee is required. In practice, such consent is obtained by executing an employment contract containing a relevant clause. Another possible way of obtaining the employee's consent to the processing of personal data is a receipt given by the employee.
Irrespective of the employer's obligation to obtain the employee's consent to processing personal data, Russian legislation provides a list of obligations to be observed by the employer when processing personal data. One of these essentially requires employers to approve an internal document that, among other things, regulates the details of personal data processing and establishes the rights and duties of the parties. All employees shall be acquainted with said document against their signatures when they are hired (before execution of the employment contract), this being another obligation to be observed by the employer. Yet the given requirement is often ignored by companies, which might well become subject to penalties imposed on the basis of a labor inspectorate inspection.
Regarding inspections carried out either by state authorities or auditing companies, it is worth noting that the employer is entitled to allow access to an employee's personal data only to specially authorized persons, who are, in turn, allowed access only to the personal data they need to fulfill specific obligations. Thus, with respect to inspections carried out by state authorities, the employer is entitled to submit personal information to the extent required by the auditing authority. Given that auditing companies are not authorized bodies, execution of a confidentiality agreement with an auditing company is vital. The more detailed the agreement, the lower the risk of being sued by employees.
Generally, with some exceptions (depersonalization of personal data, public personal data), personal data is confidential information, this imposing on the employer (as the operator) the duty to ensure the safety of personal data during processing. This means ensuring and observing specific requirements set by the current legislation on personal data, including special ones relating to data systems and organizational management.
It should, in any case, be borne in mind that the employer is always responsible both for proving the personal data-employment correlation and for obtaining the employee's consent to data processing in case a dispute arises.
In addition, taking into account that the methods, scope and nature of personal data requested by the employer should be in line with the predetermined processing goals, the employer should declare such goals beforehand. In relation to a potential employee, the goals may well be the subject either of a candidate questionnaire or of an employment offer made to the person. Determination of goals is, for example, especially vital when the employer requests sensitive personal data (state of health, etc.) in order to determine whether or not the employee is able to carry out his/her duties (the only possible grounds set by the legislation for requesting information on a person's state of health).
In conclusion, it is worth noting that, for infringement of the requirements on personal data processing set by the current legislation, both the employer and the employee may be held liable. The current legislation provides for different kinds of liability, such as administrative, civil, criminal, and disciplinary.