General requirements for personal data protection

We would like to remind you of the internal documents that employers are required under Russian law to draw up and approve to ensure personal data protection.

1. Employee personal data regulations

Articles 86-88 of the Russian Labor Code provide for this document, which must set out a procedure for processing, storing and using employees’ personal data. This document also provides for the rights and obligations of employees with respect to the handling of personal data.

The person responsible for personal data processing should be designated either in the regulations or in a separate order [1].

2. Consent for personal data processing

Consents for personal data processing must be obtained from individuals before processing of personal data begins. In certain cases, consent is not required (for example, for conclusion and performance of employment contracts [2]).

If employers transfer their employees’ personal data to third parties, it is recommended to obtain the consent of such employees even if the employees’ personal data are transferred for employment contract performance purposes.

In some cases, consent must be obtained in writing and contain certain mandatory elements[3]. This applies, for example, to consent for cross-border transfer of personal data if the data recipient is not on the list of countries with an adequate level of data protection[4].

3. Operator assignment order

If employers transfer their employees’ personal data to third parties such as, for example, banks or insurance companies, they must submit to the data recipient an assignment order providing a list of actions (operations) to be performed with personal data and specifying the purpose of personal data processing. This order should also set out the data recipient’s obligation to keep personal data confidential and ensure personal data security during their processing. It should also specify the requirements for protection of personal data being processed[5]. Such an assignment order may be included in any contract with the data recipient or drawn up as a separate agreement.

4. Roskomnadzor notification

It is usually necessary to notify Roskomnadzor before processing personal data, although the law provides for some exceptions to this rule[6]. One of these exceptions, in particular, is when personal data are processed in accordance with labor law.

In such cases, employers are not, as a rule, required to notify Roskomnadzor when they process their employees’ personal data.

Liability

The law provides for liability for violation of the procedure for personal data processing in the form of a fine of up to RUB 20,000 imposed on company officers and a fine of up to RUB 75,000 imposed on legal entities[7].

Each violation of personal data protection may separately give rise to liability.

Recommendation

We recommend that employers:

  • Verify that approved documents for personal data protection are available;
  • Ensure that the provisions of these documents are observed in practice.

We would be pleased to provide the following services related to personal data protection:

  • Drafting regulations on personal data protection;
  • Drafting consent for personal data processing;
  • Drafting contracts with provisions on operator assignment order;
  • Preparing and submitting Roskomnadzor notification;
  • Auditing personal data documents.

[1] Article 22.1 Federal Law N 152-FZ On Personal Data dated July 27, 2006
[2] Article 6 Federal Law N 152-FZ On Personal Data dated July 27, 2006
[3] Article 9 Federal Law N 152-FZ On Personal Data dated July 27, 2006
[4] Article 12 Federal Law N 152-FZ On Personal Data dated July 27, 2006
[5] Article 6 Federal Law N 152-FZ On Personal Data dated July 27, 2006
[6] Article 22 Federal Law N 152-FZ On Personal Data dated July 27, 2006
[7] Article 13.11 Russian Code of Administrative Offenses