This is the second part of two-article series, “When the GDPR is not quite enough: Employee privacy considerations in Russia, Belarus, and Ukraine." Find the first part of this article
According to local Labor Codes, an employee must provide the following documents during the hiring process: a passport or another ID, employment record book, insurance certificate of mandatory pension insurance, military record document (for employees eligible for military service), diploma, or certificate (for positions that require special knowledge or training).
An employment record book (“trudovaya knizhka” in Russian), being a remnant from the Soviet era, is still used in Russia, Belarus, and Ukraine and serves as an official record of an individual’s employment history.
A personnel file, which is a primary source of employee data, typically includes copies of the above documents, the employment agreement with an individual, and the company’s internal orders that are to be issued when an employee is hired, transferred, disciplined, or dismissed. Personnel files must be stored in hard copies on the company’s premises and available for audit to state authorities (e.g. local labor inspectors). The retention periods might be surprisingly long in Russia, Belarus, and Ukraine. Most employment-related documentation should be retained for 75 years or permanently. In case of the company’s dissolution, these documents must be passed to state archives.
Multinationals are often interested in having access to employee data from all of their group companies for global recruiting, HR, training & development, and many other business purposes. They increasingly rely on central information systems to manage their workforce globally (e.g. HRIS, learning management systems, etc.). Provided that they meet the relevant data protection requirements discussed in the next chapter, companies are free to use such systems; however, proper paper files will be essential as proof of compliance with local employment laws in Russia, Belarus, and Ukraine.
Data processing & transfer
The Opinion on Data Processing at Work further clarifies that employees’ consent is highly unlikely to be a valid legal basis for data processing at work, and that employers must rely on another legal ground in most cases of employee data processing.
In contrast, local companies in Russia, Belarus, and Ukraine often rely on employees’ consent to justify their processing. The Russian law provides numerous legal grounds including those mentioned in the GDPR, but consent is widely used when companies do not have other legal grounds for data processing. In Ukraine, similarly, consent is the predominant basis for data processing; though other justifications are also available.
Moreover, consent will be required for cross-border transfer of personal data from Russia and Ukraine to those countries that do not provide an “adequate level of data protection." Both Russia and Ukraine are signatories to the Council of Europe’s Convention 108. An adequate level of data protection is presumed if a country-recipient of personal data is also a signatory of this Convention (51 signatories; the U.S. is not among them).
In addition, Russia’s Roskomnadzor, the federal communications supervisor, has approved its own list of countries with an appropriate level of data protection. It includes 23 “white-listed” countries, e.g. Canada, New Zealand, and Australia; the U.S. is not on this list either. In practice, this means that employee consent will be needed to transfer data from Russian or Ukrainian subsidiaries to their U.S. parent company.
Under the Belarusian laws, consent is strictly required for personal data collection and processing unless “Belarusian legislation provides otherwise." Belarus is not a signatory of Convention 108, and there is no specific provision on cross-border data transfer. In absence of specific laws or guidelines, Belarusian companies prefer to rely on consent for any type of processing, including cross-border data transfer.
To sum up, employees’ consent seems to be the only option for a U.S.-headquartered multinational to access local employee data from Russia, Belarus, and Ukraine for its business needs. These countries’ laws do not recognize certain leave the Russian market.
Let’s look closer at the law’s scope and application. First, the Russian data localization rule represents an imperative law provision and, therefore, cannot be changed by an agreement with data subjects or their consent. Second, it applies to “operators”, i.e. entities or individuals who process personal data and/or determine the purposes and scope of processing. Note that Russian laws do not differentiate between controllers and processors.
The Russian data localization law has adopted a broad approach to its territoriality. It covers Russian and foreign operators with representative offices or branches in Russia. According to the clarifications issued by the Ministry of Telecom and Mass Communications (Minkomsvyaz), the law also applies to foreign entities which, even without a physical presence in Russia, conduct business via websites that target Russian individuals (e.g. when their website accepts payment in Russian rubles, etc.).
In the HR context, for example, a U.S. multinational needs to comply with the data localization law if it collects, updates, and stores personal data of Russian employees hired by its branch in Russia. Conversely, a U.S. company is not subject to this law if it hires a Russian citizen on the territory of the United States to perform a job at its U.S. offices.
Many debates have been held around the definition of “personal data” in attempts to limit the scope of the Russian data localization rule. Similar to the GDPR, the term covers “any information relating to an identified or identifiable natural person." Minkomsvyaz did not elaborate on this definition, referring instead to the general provisions of Russian law. But in most cases, the employee data that multinationals would like to access for talent acquisition, HR management, or similar purposes will include employees’ names, contact details, or other identifiers, and will therefore be captured by data protection laws.
Having determined that the data localization rule is applicable, one needs to know what data processing activity is allowed and what is forbidden by the rule. As noted above, certain guidance in the form of clarifications and FAQs is published on Minkomsvyaz’s website. Such clarifications differ from the agency’s regulations in that they are not binding. Although without legal force, they serve as the only formal guidance on the Russian data localization law.
In its guidance, Minkomsvyaz has introduced the terms “primary” and “secondary” databases. A database where personal data of Russian citizens is initially recorded and updated (the primary database) must be located in Russia. Data from such a database can then be transferred outside of Russia to secondary databases, subject to the cross-border data transfer rules. To comply, multinationals consider using separate local systems (before sending data to a global system) or changing their IT architecture and creating customized local applications within their global systems; both options usually come at a high cost.
Note that prior to the processing of personal data in Russia, “operators” (i.e. controllers and processors) are required to notify Roskomnadzor. The notification form includes, among other things, an indication of whether cross-border data transfer is envisioned and the physical locations of the operator’s databases. Roskomnadzor then uses this information to audit the company’s compliance with the data localization law. Such notification is not required in a very limited set of cases, for example, for processing employee data in compliance with Russian labor laws. This exception is interpreted very narrowly by Roskomnadzor: if there is any transfer of employee data to third parties (e.g. accounting firms, etc.), the exception will likely not apply.
As to enforcement, Roskomnadzor may impose administrative fines on companies and on the employees responsible for data processing. In July 2017, the amounts of such fines were substantially increased. Roskomnadzor’s power to block access to a company’s website remains in place and presents one of the harshest consequences of non-compliance for customer-facing companies.
The GDPR certainly represents a major change in data protection regulation in the EU and sets a high bar for data privacy worldwide. With all eyes on the GDPR, compliance with data protection laws in other regions could fall off the priority list for many companies. Monetary penalties under local laws may not be compared to the GDPR