1. What regulates personal data protection?

Articles 23 and 24 of the Russian Constitution grant Russian citizens "a right to privacy of correspondence, telephone conversations, mail, telegraph and other communications" and provide that no one can collect, keep, use and disseminate private personal information without the consent of the person to whom it belongs. Article 23 of the Russian Constitution further provides that the right to privacy of correspondence, telephone conversations, mail, telegraph and other communications may be restricted only by a court decision.

On December 19, 2005 Russia ratified the European Council Convention on the Protection of Individuals with regard to Automatic Processing of Personal Data (the "Convention"), which protects individual right to personal and family privacy, privacy of correspondence, telephone conversations, mail, telegraph and other communications. The Convention defines any information relating to an identified or identifiable individual as "personal data". Under Article 5 of the Convention any personal data undergoing automatic processing must be: (1) obtained and processed fairly and lawfully; (2) stored for specified and legitimate purposes and not used in a way incompatible with those purposes; (3) adequate, relevant and not excessive in relation to the purposes for which it is stored; (4) accurate and, where necessary, kept up to date; (5) preserved in a form which permits identification of the owners of such data for no longer than is required for the purpose for which such data is stored.

More detailed rules for collection, processing and transfer of employee personal data in Russia are set out in the Federal Law dated July 27, 2006 No. 152-FZ "On Personal Data" (the "Personal Data Law") and the Labor Code of the Russian Federation (the "Labor Code"). Specifically, Article 3 of the Personal Data Law identifies as personal "any information concerning a certain individual or an individual who may be identified on the basis of that information."

  1. What are the rules for collection, processing and transfer of personal data?

Article 6 of the Personal Data Law and Article 9 of the Federal Law July 27, 2006 No 149-FZ "On the information, information technologies and protection of information" provide that subject to certain exemptions the general principle is that collection, processing and transfer of personal data may only take place subject to a written consent of the person whose personal data is being processed and subject to the transferee ensuring confidentiality of the data. The Personal Data Law further requires that such consent include (1) individual's name, address, ID number, including issuance date and issuing authority; (2) name and address of the person or entity collecting the data (referred to as "data operator"); (3) a description of the purpose of the data collection, processing and transfer; (4) types of personal data with regard to which the consent is given; (5) actions to be performed with the personal data and a general description of personal data processing methods used by the operator; and (6) consent period and procedure for withdrawal of the consent. To be valid and enforceable employee's consent must contain all of the information listed under (1) through (6) above. In addition, it must specifically include a consent to "cross-border transfer" of the data. If the consent is too broad, there is a risk that it may be unenforceable.

  1. Is there special regulation for personal data of employees?

The Labor Code limits the scope of personal data that may be collected by an employer to information relevant to employment in compliance with applicable law. The employer must collect personal data directly from the employee, and, to the extent the information could only be obtained from third parties, the employer may collect it only with the employee's written consent. The employer is required to inform the employee about procedures it has in place for processing and transfer of information and is required to obtain the employee's written acknowledgement confirming his/her familiarity with such procedures. The employer is also required to ensure proper safekeeping of personal data and to allow employees access to their personal data files and opportunity to correct inaccurate information.

When transferring personal data, the employer must observe the following requirements:

  • not to provide personal data to a third party without the employee's written consent, except where such transfer is required to reduce a risk to the employee's life and health (Articles 6 and 9 of the Personal Data Law and Article 88 of the Labor Code);
  • not to provide personal data for commercial purposes without the employee's written consent unless specifically required by law (e.g. providing personal data to governmental authorities such as the Pension Fund and tax authorities) (Article 88 of the Labor Code);
  • to limit access to employee's personal data only to specially authorized persons (Article 88 of the Labor Code);
  • to warn persons obtaining personal data that this information may be used only for the purposes it is being provided for (Article 88 of the Labor Code);
  • to transfer employee's personal data within one company in accordance with the internal procedures acknowledged by the employee (Article 88 of the Labor Code);
  • it is advisable to enter into confidentiality agreements between the transferor and transferee in the event of a transfer (including cross-border transfer) of personal data (Article 6 of the Personal Data Law).

In addition to the above requirements, Article 63 of the Federal Law dated July 7, 2003 No. 126-FZ "On Communications" (as amended) (the "Law on Communications") provides that a person has a right to privacy of correspondence, telephone conversations, mail, telegraph and other communications transmitted via telecommunications and electronic networks, unless such right is limited by federal law. There is a court precedent that held personal incoming and outgoing emails (even those stored on employer's servers) to be private information1. This precedent can be used to support an argument that collection and transfer of such emails require consent from senders and recipients of such emails.

Pursuant to the Law on Communications, in the absence of a consent from the owner of personal data, access to such data transmitted through electronic means is only permitted (1) pursuant to a court order, or (2) without a court order if specifically permitted by law (e.g., to prevent terrorist attacks or to carry out a criminal investigation).

Article 22 of the Personal Data Law requires that a person/company collecting, processing and transferring personal data notify the Russian Federal Service of Supervision in the Area of Communication and Mass Communications (the "Federal Service") prior to commencing such activity. Such notification is not required in cases specifically provided for in the Personal Data Law such as processing of personal data by an employer only or in cases where the collected personal data is not being transferred to third parties. Failure to comply with the notification requirement may lead to an order from the Federal Service prohibiting collecting, processing and transferring of personal data.

  1. Is there any liability for violations of privacy laws?

Articles 5.39 of the Russian Code of Administrative Offences ("Administrative Code") provides that an unlawful refusal to make available to a citizen and/or company information which must be provided under federal laws, delay in providing such information, or provision of incorrect information will result in administrative fines in the range of 1,000 – 3,000 rubles (approximately US$ 28 - 83) imposed on the relevant officers or officials. Article 13.11 of the Administrative Code further provides that a violation of procedures for collecting, keeping, using and disseminating of personal data will result in administrative fines imposed on officials of a company in the range of 500 - 1,000 rubles (approximately US$ 14 - 28) and on a company in the range of 5,000 – 10,000 rubles (approximately US$ 139 - 278). These fines may be imposed per each violation of privacy laws and could add up.

Unlike Article 13.11 of the Administrative Code which sets out sanctions for violation of procedures for collecting, keeping, using and disseminating of personal data, Article 137 of the Russian Criminal Code ("Criminal Code") provides that "[u]nlawful collection or dissemination of personal data that constitutes personal or family secret without the consent of the person as well as public dissemination of such data..." is punishable by (1) a fine in the amount of up to 200,000 rubles (approximately US$ 5,575); (2) in the amount of the convicted person's salary or other income for a period of up to 18 months; (3) compulsory community service for a period of 120 – 180 hours; (4) arrest for a period of up to 4 months; or (5) imprisonment for a period of up to 2 years. Article 138 of the Criminal Code further provides for the following sanctions for breach of privacy of citizens' correspondence, telephone conversations, mail and other communications: (1) fine in the amount of up to 80,000 rubles (approximately US$ 2,620); (2) fine in the amount of the convicted person's salary or other income for a period of up to 6 months; (3) compulsory community service for a period of 120 – 180 hours; or (4) imprisonment for a period of up to 1 year. If these offences are committed by a person acting in his official capacity or using of special technical devices, criminal sanctions may include: (1) a fine in the amount of 100,000 – 300,000 rubles (approximately US$ 3,270 – 9,830); (2) a fine in the amount of the convicted person's salary or other income for a period from 1 to 2 years; (3) disqualification from holding certain offices or engaging in certain activities for a period from 2 - 5 years; (4) compulsory community service for a period of 180 - 240 hours; or (5) imprisonment for a period from 1 to 4 years.

Footnote

1 Decision of the Federal Arbitrage Court of Moscow District dated July 15, 2009 No КА-А40/6260-09.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.