A number of changes to the legislation on the protection of personal data have entered into force on 01.09.2022. Generally, the new rules introduce new obligations of the employer relating to collections, storage and use of personal data and new formalities which need to be undergone as well as widening of authorities of the state body for monitoring the use of personal data issues (Roskomnadzor).

E.g. it is now necessary to notify Roskomnadzor of the beginning (intention) of processing personal data received from an employee. There is no obligation to submit the notification only in case personal data is processed without the use of automation tools. The notification must to be sent in all other cases. This means that almost all employers now need to file this notification and to register as an operator of personal data. Roskomnadzor also must be notified of any accident with the leakage of personal data or breaches of the rules of storage/use of personal data.

Also, a consent to use personal data now needs to be “unambiguous and specific”, which means the specific purpose of personal data processing as well as the list of data to be processed must to be indicated in the consent. Therefore, consents to use personal data now need to be drafted more carefully.

New requirements for internal company regulations regarding personal data (regulations on protection of personal data, privacy policies, etc.) have been enacted. Personal data now needs to be categorized, internal regulations must contain detailed lists of personal data processed by a company.

The requirements for collection of personal data via web-sites, access to the stored personal data and notifications on the use to be provided to the employee have also become stricter.

Roskomnadzor must be notified of cross border transfer of personal data before March 1, 2023.

As of the date of this article the definite case law relating to the newly introduced amendments has not been formed, since the amendments to the law are new.

Do I need consent to process employee data?

Consent is to be received by the employer from the employee to process any personal data of the employee (e.g. name and telephone number are considered to be personal data). The requirements for such consent have recently become stricter: it now needs to be “unambiguous and specific”. This means that starting from September 2022 such consent can not be provided for “use and/or processing of personal data in any manner, provision to any persons” etc. Consent needs to be provided for specific manipulations with personal data.

There are exceptions provided by the Federal Law “On Personal Data” (the Law) for situations where such consent can not be received or where it is not provided, but still personal data can be processed (e.g. for administration of justice). Such exceptions need to be studied on a case-by-case basis.

What are the privacy and data protection issues inherent in alcohol / drug testing?

The personal data received in course of alcohol / drug testing must be treated in the same manner as any other personal data with all restrictions inherent to its processing, storage and use. Having said this we must again refer to vatious exceptions where personal data may be processed without the consent of its owner. Examples are: an employer has the right to terminate unilaterally employment relations with an amployee if an amployee appeares at work in a state of alcoholic intoxication. This means that for the purpose of following the requirements of the Lobour Code of the Russian Federation, the employer can store this data.

Please bear in mind that the state of health (which may come to the knowledge of the employer in the course of alcohol / drug testing) falls within the special cathegory of personal data (together with data relating to race, nationality, political opinions, religious or philosophical beliefs, intimate life). Processing of personal data of this cathegory is not allowed except for the reasons exhaustively listed in the Law or with the consent of the owner.

How can I legitimately monitor employees’ email, internet usage and social media?

The Law protects personal data as such rather than means of transfer of personal data. If there is no personal data transferred via email, the information will not fall within the protection of the Law. However, monitoring an employee’s email may fall within action of Article 138 of the Criminal Code of Russia “Violation of the secrecy of correspondence, telephone conversations, postal, telegraphic or other messages”. Please note that even processing information from a work web-chat system may be held criminal offence in case a conversation contains messages of private nature.

The same relates to any systems of exchange of messages.

Anyone (including the employer) can monitor data in the social media which the owner of the account opened for public. Regarding all other data see above: monitoring such data may be quallified as violation of the secrecy of correspondence.

What are the limits of using artificial intelligence in employment?

Limits of use of artificial intelligence including in employment (and, specifically in data protection) has not special regulation at present. However, the legislation is moving towards this regulation along with the development of the technology itself. E.g. the Law specifically states that processing of personal data relating to the state of health obtained as a result of depersonalization of personal data is allowed in order to improve the efficiency of state or municipal government, as well as for other purposes provided for by the federal law relating to experiment with teh use of AI technologies. This means that the legislator understands the need of special regulation of AI issues with regard to employement and data protection.

What are the data protection issues in whistleblowing?

Personal data of whistleblowers are generally protected in the same manner as all other personal data. The new rules of protection of personal data are rather strict (most of operations with personal data need specific consent of the owner of personal data) and it seems that stricter regulation of whistleblowing is not needed at present. Since the rules are newly-enacted, time will show the approach of courts to applying these rules.