Personal Data Processing in Labor and Civil Law Relations in Russia
June 5, 2023
BRACE Law Firm ©
From the very beginning of its operations, almost any company collects and uses the personal data of its employees and counterparties.
Previously, such processing could be carried out without notifying Roskomnadzor. However, on September 1, 2022, amendments to Federal Law No. 152-FZ dated July 27, 2006, On Personal Data (the "Law on Personal Data", "FZ No. 152-FZ", or "Law No. 152-FZ") came into force, which significantly changed the rules for working with personal data.
In this article, we consider what personal data is processed in labor and civil law relations, as well as the requirements for its processing and protection.
What is Considered Personal Data of Employees?
In accordance with Clause 1 of Article 3 of the Law on Personal Data, personal data means any information relating to a directly or indirectly identified or identifiable individual (subject of personal data). Thus, personal data consists of any information about a person that directly or indirectly allows for their identification.
The Law on Personal Data distinguishes several categories of personal data: general, special, and biometric. Furthermore, the Law does not contain an exhaustive list of general personal data.
In labor relations, general personal data includes: the full name, date and place of birth of the employee, their address and telephone number, passport data, information on family, social and property status, education, profession, position held, work experience, etc. This list is not exhaustive; in practice, questions often arise regarding the classification of certain information as personal data. For example, does information about an employee's salary constitute personal data? In the opinion of Roskomnadzor, as the body authorized to protect the rights of subjects of personal data, information about a person's salary constitutes information containing the personal data of the subject.
Special personal data consists of information concerning race or nationality, political views, religious or philosophical beliefs, health status, and private life (Part 1 of Article 10 of FZ No. 152-FZ). The employer has no right to receive and process special personal data of employees, except in cases expressly provided for by federal laws.
Biometric personal data consists of information characterizing the physiological and biological characteristics of a person, on the basis of which their identity can be established (Part 1 of Article 11 of FZ No. 152-FZ). These include physiological data (fingerprint data, iris of the eyes, voice, DNA analysis, and others), as well as other physiological or biological characteristics of a person, including an image of the person (photograph and video recording). Many questions also arise when classifying information as biometric personal data.
For example, do photographic images contained in an employee's personal file or used to ensure passage to a protected area, or video footage of employees at workplaces and on the territory, constitute such data? In 2013, Roskomnadzor explained that an employee's photo contained in their personal file or video recordings of employees cannot be considered biometric personal data because the operator does not use them to establish identity, whereas photographic images and other information used for passage to a protected area and for establishing a citizen's identity belong to biometric personal data. However, by Letter of Roskomnadzor No. 09-78548 dated November 19, 2021, these clarifications were recognized as no longer relevant and removed from the official website of the regulatory body.
Currently, in this matter, one can rely on the position of Roskomnadzor formulated in Letter No. 08AP-6782 dated February 10, 2020, according to which information is considered biometric personal data under the following conditions:
- they are recognized as such by virtue of the provisions of regulatory legal acts;
- they characterize the physiological and biological characteristics of a person, on the basis of which their identity can be established;
- the operator uses them to establish the identity of the subject of personal data.
Courts adhere to a similar position. In particular, the Supreme Court of the Russian Federation, in Ruling No. 307-KG18-101 dated March 5, 2018, recognized the legality of issuing an order to eliminate violations committed by a personal data operator when using photographs on passes to establish identity.
We note that the issue of classifying certain information as personal data and its classification by type is not merely theoretical, as the requirements for its processing and the consequences of violating these requirements depend on it.
General Principles and Conditions for Personal Data Processing
In accordance with Part 3 of Article 3 of the Law on Personal Data, personal data processing is any action (operation) or set of actions (operations) performed with personal data, using automation tools or without using such tools. The Law on Personal Data includes collection, recording, systematization, accumulation, storage, clarification (updating, changing), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, and destruction as such actions.
Before starting personal data processing, the employer must submit a corresponding notification to Roskomnadzor. The form of the notification of the intent to process personal data was approved by Order of Roskomnadzor No. 180 dated October 28, 2022. Failure to provide this information will lead to administrative liability under Article 19.7 of the CAO RF. We remind you that until September 1, 2022, this obligation did not apply to many employers.
The principles and conditions for processing personal data of employees are regulated in the Law on Personal Data, as well as in Chapter 14 of the Labor Code of the Russian Federation. Thus, when processing personal data, the following principles must be observed:
- Personal data processing must be carried out on a legal and fair basis.
- Personal data processing must be limited to the achievement of specific, predetermined, and legitimate goals. Processing of personal data incompatible with the purposes of personal data collection is not permitted.
Article 86 of the Labor Code defines the permissible purposes of processing in labor relations:
- ensuring compliance with laws and other regulatory legal acts;
- assisting employees in employment, obtaining education, and career advancement;
- ensuring the personal safety of employees;
- monitoring the quantity and quality of work performed and ensuring the safety of property.
Processing of employees' personal data for other purposes is prohibited.
- It is not permitted to combine databases containing personal data processed for purposes incompatible with each other.
- Only personal data that meets the purposes of its processing is subject to processing.
- The content and volume of processed personal data must correspond to the declared purposes of processing and must not be excessive in relation to the declared purposes of their processing.
- When processing personal data, the accuracy, sufficiency, and relevance of personal data must be ensured.
- The storage of personal data must be carried out in a form that allows for the identification of the subject of personal data, and for no longer than required by the purposes of processing, unless otherwise established by federal law or a contract with the subject of personal data.
In What Cases is Personal Data Processing Possible Without the Employee's Consent?
As a general rule, personal data processing is carried out only with the consent of the subject of personal data, including the employee. Personal data can be processed without the consent of the subject only in cases expressly provided for by law. Regarding the topic under consideration, the processing of general personal data without the employee's consent, according to Part 1 of Article 6 of the Law on Personal Data, may be carried out in the following cases:
- Processing is necessary to achieve goals provided for by an international treaty of the Russian Federation or by law, for the exercise and fulfillment of the functions, powers, and duties assigned by the legislation of the Russian Federation to the personal data operator. For example, the transfer of an employee's personal data to tax authorities, social insurance bodies, etc., for the purpose of fulfilling the employer's duties assigned by law, does not require the employee's consent.
- Processing is carried out in connection with a person's participation in constitutional, civil, administrative, or criminal proceedings, or proceedings in arbitration courts.
Let us illustrate this with an example from judicial practice. In one case considered by a court, an employee sued an employer for compensation for moral harm caused by the processing of personal data in the amount of 100,000 rubles. The court established that a labor dispute regarding the legality of the plaintiff's dismissal had previously arisen between the parties. The employer attached a copy of the plaintiff's labor book to the appeal, which the employee considered a violation of the conditions for processing his personal data. The court decided that the copy of the labor book was submitted to the court within the rights granted to a party by procedural law to substantiate its position in the case. The court denied the recovery of moral harm to the employee.
- Processing is carried out for personal data subject to publication or mandatory disclosure in accordance with federal law.
For example, in accordance with Federal Law No. 323-FZ dated November 21, 2011, On the Fundamentals of Health Protection of Citizens in the Russian Federation, a medical organization must inform citizens, including through the use of the Internet, about its medical workers, their level of education, and qualifications. In this regard, placing information containing the full name, position, education, and qualifications of medical workers on information stands and websites of a medical organization does not require their consent.
- Processing of special personal data without the employee's consent is permitted in cases provided for by Part 2 of Article 10 of Law No. 152-FZ, including if the processing is carried out in accordance with legislation on state social assistance, labor legislation, and pension legislation of the Russian Federation.
Thus, by virtue of Article 69 of the Labor Code, certain categories of employees are subject to medical examination. A conclusion based on the results of a medical examination, containing information about the presence or absence of medical contraindications to work and the employee's health group, is sent to the employer.
- Personal data processing is carried out in accordance with the legislation of the Russian Federation on defense, security, counter-terrorism, transport security, anti-corruption, operational-search activities, enforcement proceedings, criminal-executive legislation, as well as by prosecution authorities in connection with their exercise of prosecutorial supervision.
Based on this clause, it is permissible to transfer an employee's personal data upon receiving reasoned requests from prosecution authorities, law enforcement agencies, and other bodies authorized to request information about employees in accordance with the competence provided for by the legislation of the Russian Federation.
In other cases not expressly provided for by law, the employer must obtain the employee's consent for any actions with personal data.
Requirements for Consent to the Processing of an Employee's Personal Data
The requirements for the content of consent are provided for in Article 9 of Law No. 152-FZ.
First, it must be specific, objective, informed, conscious, and unambiguous.
Second, consent is given only in writing:
- for the processing of special categories of personal data;
- for the processing of biometric personal data;
- in cases of decision-making based solely on the automated processing of personal data.
In other cases, consent may be given in any other form. However, since the employer is obligated to provide proof of obtaining consent, we recommend documenting consent in writing in all cases.
Third, the consent must contain the following mandatory set of data:
- Full name, address of the employee, and details of their identity document;
- Full name, address, details of the identity document, and details of the power of attorney or other document confirming the representative's powers;
- Name or full name and address of the employer;
- The purpose of personal data processing;
- A list of personal data subject to processing;
- Full name and address of the person or name of the organization processing personal data on behalf of the employer, if it is assigned to a third party;
- A list of actions with personal data for which the employee has given consent, and a general description of the processing methods;
- The period during which the employee's consent to process their personal data is valid, and the method for withdrawing consent;
- The employee's signature.
Separately from other consents for personal data processing, it is necessary to issue a consent for the processing of personal data permitted for distribution (actions aimed at disclosing personal data to an indefinite circle of persons). The requirements for the content of such consent were approved by Order of Roskomnadzor No. 18 dated February 24, 2021.
We note that an employee has the right to withdraw their consent to personal data processing at any time. In such a case, the personal data operator must stop the processing and, if their preservation is not required, destroy the personal data within 30 days from the date of receiving the withdrawal. An employer has the right to continue processing personal data upon receiving a withdrawal only in cases provided for by federal law.
In the opinion of Roskomnadzor, it is necessary to obtain consent for personal data processing not only from the employee but also from a job applicant. At the same time, consent is not required in the following cases:
- if a recruitment agency acts on behalf of the applicant, with which they have concluded a corresponding contract;
- when an applicant independently posts their resume on the Internet, making it available to an unlimited circle of persons;
- when processing data of applicants for state civil service positions, since the list of documents to be provided is determined by the Federal Law On the State Civil Service of the Russian Federation.
In case of a refusal to hire, the information provided by the applicant must be destroyed within 30 days, except for cases provided for by legislation on state civil service, where the storage period for the applicant's personal data is set at 3 years.
The opposite approach is expressed in these clarifications regarding the processing of personal data of dismissed employees. In this case, in the opinion of Roskomnadzor, the consent of dismissed employees to continue processing their personal data is not required during the periods provided for by federal legislation. For example, in accordance with Article 24 of the Tax Code of the Russian Federation, employers are obligated to ensure the safety of documents necessary for calculating, withholding, and transferring taxes for 5 years. Similar requirements are established in Federal Law No. 402-FZ dated December 6, 2011, On Accounting. In addition, archival legislation has approved storage periods for personnel documents. In these cases, processing does not require obtaining consent for personal data processing.
Also, in practice, the employer processes the personal data of not only the employee but also the employee's close relatives. This is permitted in the volume provided for by the unified form T-2 "Personal Employee Card" or in cases established by the legislation of the Russian Federation (receiving alimony, processing clearance for state secrets, processing social payments). In other cases, obtaining the consent of the employee's close relatives is a mandatory condition for processing their personal data.
Procedure for Obtaining Employee Personal Data
According to Article 86 of the Labor Code, as a general rule, all employee personal data should be obtained from the employee directly.
If personal data of an employee can only be obtained from a third party, the employee must be notified in advance, and their written consent must be obtained. In this case, the employer must inform the employee of the purposes, intended sources, methods of obtaining, and nature of the personal data, as well as the consequences of the employee's refusal to give consent to obtain it.
Storage and Use of Employees' Personal Data
According to Article 87 of the Labor Code, the procedure for storing and using employees' personal data is established by the employer in compliance with the requirements of federal legislation. The employer must define the issues of storage and use of personal data in a local act.
In practice, employers face the question of the right to store copies of passports, birth certificates of children, documents on education and advanced training, etc., in an employee's personal file. There is no uniform law enforcement practice on this matter. Thus, in reports on the analysis of law enforcement practice, Rostrud has repeatedly expressed an opinion on the admissibility of storing copies of documents provided that the employee's consent is obtained. At the same time, Roskomnadzor considers such storage to be the processing of personal data that is excessive in relation to the declared purposes of processing. Given the ambiguity of the opinions of regulatory bodies on the issue under consideration, we recommend not storing documents containing employees' personal data in their personal files unless such a need is expressly provided for in regulatory documents or the employees' consent has been obtained.
Procedure for Transferring Employees' Personal Data
The transfer of personal data within one organization must be carried out in accordance with a local regulatory act, with which the employee must be familiarized against a signature. The employer must allow access to the personal data of employees only to specially authorized persons and only in the volume they need to perform specific functions.
When transferring personal data to third parties, the following rules must be observed:
- The transfer can only be carried out with the prior written consent of the employee. Exception: when it is necessary to prevent a threat to the employee's life and health, as well as in cases expressly provided for by federal laws.
- Persons receiving an employee's personal data must be warned that these data can only be used for the purposes for which they were communicated. Furthermore, the employer has the right to demand confirmation from these persons that this rule has been observed. Persons receiving an employee's personal data must observe the secrecy (confidentiality) regime.
Measures to Protect Employees' Personal Data
The employer must take measures aimed at ensuring the protection of employees' personal data. In accordance with Article 18.1 of Law No. 152-FZ, such measures include, in particular:
- Appointing a person responsible for organizing the processing of employees' personal data.
- Developing a set of documents regulating the processing of personal data and familiarizing employees with them. As a rule, this includes the following: a policy regarding the processing of personal data; a regulation on the protection of employees' personal data governing the storage, use, and processing of such data; an order approving the list of persons having access to employees' personal data; a non-disclosure agreement for personal data, as well as a set of documents regulating technical information protection measures.
- Applying organizational and technical measures to ensure the security of personal data.
- Assessing the harm that may be caused to the subjects of personal data when processing their data.
- Exercising internal control and (or) audit of the compliance of personal data processing with legislation and the Employer's local acts.
Specifics of Personal Data Processing in Civil Law Relations
When concluding a civil law contract, the personal data of the person who is a party to the contract may also be required. This can be the full name, position, registration address, details of an identity document, INN, OGRNIP, and others.
Their processing must also be carried out in compliance with the requirements of the Law on Personal Data. At the same time, by virtue of Clause 5 of Part 1 of Article 6 of FZ No. 152-FZ, personal data can be processed without obtaining consent for personal data processing if the processing is necessary for the execution of a contract to which the subject of personal data is a party, beneficiary, or guarantor.
Thus, if the processing of a person's personal data is carried out for the purpose of executing a contract, consent is not required. However, processing for other purposes, as well as assigning personal data processing to another person or disclosing personal data to third parties, requires consent. For example, when concluding a service contract, a client's personal data will be used both directly for the execution of the contract and for the purpose of promoting goods and services in the market, etc. To minimize the possible risks of being held liable, we recommend obtaining consent for the processing of a person's personal data upon concluding a contract.
Liability for Violations of Personal Data Processing for Employees
For violating legislation when processing personal data, one may be held administratively, criminally, civilly, materially, and disciplinarily liable. We note that the subjects of liability in some cases can only be individuals, and in others, both individuals and legal entities.
The most common type of liability for violating the rules for processing personal data is administrative liability. Both the employer and its officials can be held administratively liable. Administrative liability is provided for by Article 13.11 of the CAO RF and contains a significant number of offense elements:
- processing of personal data in cases not provided for by law, or incompatible with the purposes of personal data collection – the maximum penalty for officials is a fine of up to 20,000 rubles, for legal entities – up to 100,000 rubles;
- processing of personal data without the written consent of the subject of personal data or in violation of the requirements for consent – the maximum penalty for officials is a fine of up to 40,000 rubles, for legal entities – up to 150,000 rubles;
- failure to fulfill the obligation to publish a policy on personal data processing – the maximum penalty for officials is a fine of up to 12,000 rubles, for individual entrepreneurs – up to 20,000 rubles, for legal entities – up to 60,000 rubles;
- failure to fulfill the obligation to provide the subject of personal data with information concerning the processing of their personal data – the maximum penalty for officials is a fine of up to 12,000 rubles, for individual entrepreneurs – up to 30,000 rubles, for legal entities – up to 80,000 rubles;
- failure to fulfill a legal requirement of a personal data subject to clarify personal data, block them, or destroy them – the maximum penalty for officials is a fine of up to 20,000 rubles, for individual entrepreneurs – up to 40,000 rubles, for legal entities – up to 90,000 rubles;
- failure to fulfill the obligation to preserve personal data during processing without the use of automation tools, if this resulted in unlawful actions regarding personal data – the maximum penalty for officials is a fine of up to 20,000 rubles, for individual entrepreneurs – up to 40,000 rubles, for legal entities – up to 100,000 rubles;
- failure to fulfill the obligation to ensure actions with personal data using databases located on the territory of the Russian Federation during personal data collection – the maximum penalty for officials is a fine of up to 200,000 rubles, for legal entities and individual entrepreneurs – up to 6,000,000 rubles.
In addition, the CAO RF contains norms establishing liability for failure to meet requirements for personal data protection and failure to fulfill duties when interacting with Roskomnadzor.
Regarding criminal liability, there is no specific norm for violating the rules for processing personal data in the Criminal Code of the Russian Federation. However, law enforcement agencies may see the following elements of a crime in the violator's actions:
- Part 1 of Article 137 of the Criminal Code "Illegal collection or distribution of information about a person's private life, constituting their personal and family secret, without their consent". The maximum penalty is imprisonment for up to 2 years with deprivation of the right to hold certain positions or engage in certain activities for up to 3 years.
- Article 140 of the Criminal Code "Unlawful refusal of an official to provide a citizen with documents and materials collected in the prescribed manner and directly affecting the rights and freedoms of the citizen". The maximum penalty is deprivation of the right to hold certain positions or engage in certain activities for up to 5 years.
Only individuals are subject to criminal liability. We note that cases of criminal prosecution for such violations are rare.
Civil liability occurs in the form of compensation for moral harm to the subject of personal data and compensation for losses. In contrast to criminal prosecution, claims for compensation for moral harm for violations of the rules for processing personal data are much more common. The court determines the amount of compensation for moral harm, taking into account the degree of the violator's guilt and the degree of suffering from the moral harm; however, as a rule, courts award minimum amounts.
The procedure for material and disciplinary liability is determined by the Labor Code of the Russian Federation. For violating the rules for processing personal data, the employer may bear material liability to its employees in the form of compensation for damage caused.
An employee guilty of non-performance (improper performance) of their labor duties regarding the processing of personal data can be held disciplinarily liable (Part 1 of Article 192 of the Labor Code), for example, for disclosing colleagues' personal data or failing to comply with requirements for their protection. At the same time, employees who disclosed such information can only be held liable if it became known to them in connection with the performance of their labor duties, and they undertook not to disclose such information (Clause 43 of the Decree of the Plenum of the Supreme Court of the Russian Federation No. 2 dated March 17, 2004, On the Application by the Courts of the Russian Federation of the Labor Code of the Russian Federation). For committing a disciplinary offense, the employer has the right to apply disciplinary sanctions in the form of a remark, a reprimand, as well as dismissal under Subclause "c" of Clause 6 of Part 1 of Article 81 of the Labor Code.
Summing up, we draw attention to the need for strict compliance with the requirements of current legislation when working with the personal data of employees and clients, and timely tracking of changes occurring in regulation; otherwise, there is a high risk of being held liable.
_________________________
References
- Letter of Roskomnadzor No. 08KM-3681 dated February 7, 2014, On the transfer by the employer of information about the wages of employees to third parties.
- Clarification of Roskomnadzor On the issues of classifying photographic and video images, fingerprint data, and other information as biometric personal data and the specifics of their processing.
- Order of Roskomnadzor No. 180 dated October 28, 2022, On the approval of notification forms of intent to process personal data, of changes in the information contained in the notification of intent to process personal data, and of the termination of personal data processing.
- Decision of the Blagoveshchensk City Court of the Amur Region dated December 7, 2022, No. 2-7967/2022~M-7726/2022.
- Order of Roskomnadzor No. 18 dated February 24, 2021, On the approval of requirements for the content of consent to the processing of personal data permitted by the subject of personal data for distribution.
- Clarification of Roskomnadzor dated December 14, 2014, Questions regarding the processing of personal data of employees, applicants for vacant positions, as well as persons in the personnel reserve.