Personal Data Regulation: New Challenges

Alexey Dingin
Personal Data Law

At the end of January 2007, the new Federal Law No. 152-FZ "Concerning Personal Data" came into effect. It was adopted in order to establish clear and sound rules for processing the personal data of individuals and in particular to enhance the protection of personal data while it is processed by third parties.

Though the Personal Data Law is essentially devoted to personal data in general, it affects the procedure of personal data processing within employment relations, which was previously regulated only by the Employment Code of the Russian Federation. Now that the Personal Data Law has come into effect, the protection of employees' personal data is regulated by both the Employment Code and the Personal Data Law.

In addition, the Personal Data Law establishes new rules on cross-border transfers of personal data, which will influence the HR practice of many international companies.

Personal Data: What Is It?

Personal data can be defined as any information related to an identified or identifiable individual (data subject), including a data subject's name, date and place of birth, address, social and property status, education, profession, income and any other information. Such a broad, open-ended definition requires employers to comply more strictly with the regulation in force, since almost all information about employees falls within this definition.

It is worth mentioning that under the respective provisions of the Employment Code of the RF, every employer in the RF should adopt an internal regulation concerning the processing of employees' personal data and, moreover, acquaint its employees with such regulation against signature. If such a regulation has not been adopted by an employer, we recommend developing and adopting such a document in order to run your HR practice in compliance with the Employment Code of the RF. If the regulation concerned has already been adopted in a company, it is advisable to check that it complies with the new legal environment.

Personal Data Processing

The Personal Data Law sets a number of principles of personal data processing, inter alia, legality of aims and modes of personal data processing and good faith, authenticity of personal data, processing personal data only for the purposes declared by the operator beforehand, etc.

From the effective date onwards, personal data processing is permitted only with the consent of the data subject. There are certain exemptions and exceptions to this, including the processing of personal data for the purposes of fulfilling an agreement (including employment agreements) to which the data subject is a party.

The general rule of the Employment Code that the personal data of an employee may not be transferred to third parties without his/her consent has been reconfirmed by the Personal Data Law. Therefore, the global exchange of personal data would only be possible after the employer has obtained consent for such actions. An employer may by no means influence the decision of an employee who refuses to give such consent and may not dismiss such an employee or impose any disciplinary sanctions.

Moreover, the Personal Data Law imposes another burden on employers, since it provides that the processing of personal data requires that all necessary steps be taken to protect the personal data processed, including the use of cryptographic devices and means. However, the Personal Data Law enables an employer to shift this burden to a third party under an agreement with it. If so, the obligation of the third party to comply with the confidentiality regime with respect to the personal data shall be considered a material term of the agreement.

Cross-border Transfer of Personal Data

The general guideline for cross-border personal data transfers is that, prior to the transfer, the operator must ensure that the state to which the personal data is being transferred guarantees adequate protection of the rights of the data subject. Even if the state ensures adequate protection, the cross-border transfer of personal data may still be prohibited or restricted.

The Personal Data Law permits cross-border transfers of personal data to states which do not ensure adequate protection of personal data in the following cases: (i) when the written consent of the data subject has been obtained; (ii) when an international treaty provides for such transfer; (iii) when provided for by federal law; (iv) when necessary for fulfilling a contract to which the data subject is a party; (v) for protection of the life, health and other vital interests of the data subject.

The Personal Data Law also contains a specific chapter devoted to the rights of the data subject. This chapter, inter alia, sets out the subject's rights to obtain information related to the operator and to the personal data possessed by the operator. The data subject is also entitled to make complaints against operators' acts and bring actions against them.

The operator's obligations are covered by a specific chapter and state regulations with respect to personal data processing and liability for breach of the Personal Data Law. The law provides for a competent state authority in the sphere of personal data protection and stipulates that its functions are vested in the state executive supervising authority in the field of information technology and communication.

As a result, the Personal Data Law supplements the provisions of the Employment Code of the RF with respect to personal data processing and would require additional effort from employers to comply with the new legal environment for personal data.