This is the second part of two-article series, “When the GDPR is not quite enough: Employee privacy considerations in Russia, Belarus, and Ukraine." Find the first part of this article here.
Before a deep dive into the issues of employee data processing and transfer, it is worth examining the requirements for employment documentation in Russia, Belarus, and Ukraine. Generally, paper files remain the prevailing form of such documentation, and they are extensively used by local companies to demonstrate compliance to state regulators. Among other purposes, employee records maintained in a prescribed way present a proof of proper employee data collection allowing its further processing.
According to local Labor Codes, an employee must provide the following documents during the hiring process: a passport or another ID, employment record book, insurance certificate of mandatory pension insurance, military record document (for employees eligible for military service), diploma, or certificate (for positions that require special knowledge or training).
An employment record book (“trudovaya knizhka” in Russian), being a remnant from the Soviet era, is still used in Russia, Belarus, and Ukraine and serves as an official record of an individual’s employment history.
A personnel file, which is a primary source of employee data, typically includes copies of the above documents, the employment agreement with an individual, and the company’s internal orders that are to be issued when an employee is hired, transferred, disciplined, or dismissed. Personnel files must be stored in hard copies on the company’s premises and available for audit to state authorities (e.g. local labor inspectors). The retention periods might be surprisingly long in Russia, Belarus, and Ukraine. Most employment-related documentation should be retained for 75 years or permanently. In case of the company’s dissolution, these documents must be passed to state archives.
Multinationals are often interested in having access to employee data from all of their group companies for global recruiting, HR, training & development, and many other business purposes. They increasingly rely on central information systems to manage their workforce globally (e.g. HRIS, learning management systems, etc.). Provided that they meet relevant data protection requirements further discussed in the next chapter, companies are free to use such systems; however, proper paper files will be essential as a proof of compliance with local employment laws in Russia, Belarus, and Ukraine.
Data processing & transfer
Similar to the EU’s approach, Russia, Belarus, and Ukraine generally prohibit processing of personal data unless such processing is based on valid legal grounds. This should be considered by multinationals looking to implement enterprise technology solutions and transfer local employee data to their HQ for managing employee-related processes on a global level.
The legal grounds covered by the GDPR for employee data processing include employee consent, performance of a contract, legal obligations (e.g. tax calculation, salary administration), and legitimate interest. Consent cannot represent a valid legal ground for processing if there is a clear imbalance between data subjects and controllers. The Article 29 Working Party’s Opinion on Data Processing at Work further clarifies that employees’ consent is highly unlikely to be a legal basis for data processing at work, and employers must rely on another legal ground in most cases of employees’ data processing.
In contrast, local companies in Russia, Belarus, and Ukraine often rely on employees’ consent to justify their processing. The Russian law provides numerous legal grounds including those mentioned in the GDPR, but consent is widely used when companies do not have other legal grounds for data processing. In Ukraine, similarly, consent is the predominant basis for data processing; though other justifications are also available.
Moreover, consent will be required for cross-border transfer of personal data from Russia and Ukraine to those countries that do not provide an “adequate level of data protection." Both Russia and Ukraine are signatories to the Council of Europe’s Convention 108. An adequate level of data protection is presumed if a country-recipient of personal data is also a signatory of this Convention (51 signatories; the U.S. is not among them).
In addition, Russia’s Roskomnadzor, the federal communications supervisor, has approved its own list of countries with an appropriate level of data protection. It includes 23 “white-listed” countries, e.g. Canada, New Zealand, and Australia; the U.S. is not on this list either. In practice, it means that employee consent will be needed to transfer data from Russian or Ukrainian subsidiaries to their U.S. parent company.
Under the Belarusian laws, consent is strictly required for personal data collection and processing unless “Belarusian legislation provides otherwise." Belarus is not a signatory of Convention 108, and there is no specific provision on cross-border data transfer. In absence of specific laws or guidelines, Belarusian companies prefer to rely on consent for any type of processing, including cross-border data transfer.
To sum up, employees’ consent seems to be the only option for a U.S.-headquartered multinational to access local employee data from Russia, Belarus, and Ukraine for its business needs. These countries’ laws do not recognize certain data transfer mechanisms such as standard contractual clauses or binding corporate rules used in the EU. This may lead to a complex data transfer model when a U.S. multinational uses SCCs, BCR, or EU-U.S. Privacy Shield for employee data transfer from the EU, and employee consent, or other available mechanisms, for data transfer from non-EU countries.
In Russia and Ukraine, consent may be given in any form that allows to demonstrate that a data subject has agreed to the processing. However, the Russian law specifically refers to “written consent” for cross-border data transfer and provides the requirements for its content. Such consent should include the full name of an individual and his/her passport or other ID details, the name and address of the company, the specific purpose(s) of data processing, and the term of consent and procedure for its revocation, among others. The Belarusian law generally refers to “written consent” but does not dictate its content.
Consent in electronic form is usually considered as “written” consent (e.g. clicking the “I agree” button), and this form might be rather convenient for multinationals that strive to use common practices across all their systems and locations. However, due to the unclear regulation of electronic signature in Russia, Belarus, and Ukraine, companies are usually advised to err on the side of caution and, following the approach discussed in the previous chapter, prepare and execute employees’ consent in paper form.
Russia’s data localization
The Russian data localization law is the most significant and controversial development in the region. Belarus and Ukraine do not (yet) have a similar rule. Effective September 2015, “operators” must record, systematize, accumulate, store, amend, update, and retrieve personal data of Russian citizens using databases physically located in Russia. This law created a lot of uncertainty for foreign companies which faced a difficult choice: to adapt the company’s IT infrastructure at, most likely, considerable costs and comply with the law; do nothing and take risks of non-compliance; or just leave the Russian market.
Let’s look closer at the law’s scope and application. First, the Russian data localization rule represents an imperative law provision and, therefore, cannot be changed by an agreement with data subjects or their consent. Second, it applies to “operators”, i.e. entities or individuals who process personal data and/or determine the purposes and scope of processing. Note that Russian laws do not differentiate between controllers and processors.
The Russian data localization law has adopted a broad approach to its territoriality. It covers Russian and foreign operators with representative offices or branches in Russia. According to the clarifications issued by the Ministry of Telecom and Mass Communications (Minkomsvyaz), the law also applies to foreign entities which, even without a physical presence in Russia, conduct business via websites that targets Russian individuals (e.g. when their website accepts payment in Russian rubles, etc.).
In the HR context, for example, a U.S. multinational needs to comply with the data localization law if it collects, update, and store personal data of Russian employees hired by its branch in Russia. Conversely, a U.S. company is not subject to this law if it hires a Russian citizen on the territory of the United States to perform a job at its U.S. offices.
Many debates have been held around the definition of “personal data” in attempts to limit the scope of the Russian data localization rule. Similar to the GDPR, the term covers “any information relating to an identified or identifiable natural person." Minkomsvyaz did not elaborate on this definition referring to general provisions of Russian laws. But in most cases, employee data which multinationals would like to access for their talent acquisition, HR management, or similar purposes will likely include employees’ names, contact details or some other identifiers, and therefore will be captured by data protection laws.
Having determined that the data localization rule is applicable, one needs to know what data processing activity is allowed and what is forbidden by the rule. As noted above, certain guidance in the form of clarifications and FAQs is presented at the Minkomsvyaz’s website. Such clarifications are different from the agency’s regulations as they are not binding. Although without legal force, they serve as the only formal guidance on the Russian data localization law.
In its guidance, Minkomsvyaz has introduced the terms of “primary” and “secondary” databases. A database where personal data of Russian citizens is initially recorded and updated (primary database) must be located in Russia. Then data from such a database can be transferred outside of Russia to secondary databases, subject to cross-border data transfer rules. To comply, multinationals consider using separate local systems (before sending data to a global system) or changing its IT architecture and creating customized local applications within their global systems, both usually comes at high cost.
Note that prior to the processing of personal data in Russia, “operators” (i.e. controllers and processors) are required to notify Roskomnadzor. The notification form includes, among others, an indication of whether cross-border data transfer is envisioned and physical locations of its databases. Accordingly, this information will be assessed by Roskomnadzor to audit the company’s compliance with the data localization law. Such notification is not required in very limited cases, for example, for processing employee data in compliance with Russian labor laws. This exception is interpreted very narrowly by Roskomnadzor. If there is any transfer of employee data to third parties (e.g. accounting firms, etc.), the exception will likely not apply.
As to the enforcement, Roskomnadzor may impose administrative fines on companies and employees responsible for data processing. In July 2017, the amounts of such fines were substantially increased. The Roskomnadzor’s power to block access to a company’s website remains in place and presents one of the harshest consequences of non-compliance for customer-facing companies.
The GDPR certainly represents the major change in data protection regulation in the EU and provides a high bar for data privacy worldwide. With all eyes on the GDPR, compliance with data protection laws in other regions could fall out of the priorities for many companies. Monetary penalties under local laws may not be compared to the GDPR heavy fines (up to 4 percent of annual global turnover or €20 million), but the price for non-compliance with local laws may include administrative and criminal liability against the company’s DPO and executives, blocking access to its resources, reputational and other risks.
This overview has not provided an exhaustive list of potential privacy issues at the workplace in the region. Multinationals need to examine national laws and seek professional advice while implementing internal corporate processes globally (e.g., workplace investigations, monitoring of employee use of companies’ electronic resources are typically among “sensitive” employee-related issues). However, this article may serve as a starting point for U.S. multinationals looking to expand their presence in Russia, Belarus, and Ukraine.
Photo credit: Ilya Subbotin
If you want to comment on this post, you need to login.