As businesses reopen in Russia, this article reviews additional responsibilities for employers relating to the processing of employees' personal data.

Under the Decree of the Moscow Mayor No. 68-UM dated June 8, 2020 (available only in Russian here), a phased withdrawal of restrictions related to the spread of coronavirus infection began from 9 June. This includes a return to work for a large number of organisations.

Starting from 16 June 2020, organisations and individual entrepreneurs carrying out operations in real estate, leasing, law, accounting, etc. are able to resume work.

Processing of new categories of data

Starting from 12 May 2020, the Decree of the Moscow Mayor No. 55-UM dated May 7, 2020 (available only in Russian here) (the 'Mayor's Decree') imposed new duties on employers, which imply expanding the volume of processed data.

Under the Mayor's Decree, employers, inter alia, are required to provide:

  • Clinical tests determining whether an employee is infected with the coronavirus. The tests must be carried out in relation to not less than 10% of the company's employees located in the workplace (starting from 1 June, the tests must be carried out every 15 calendar days).
  • Blood collection from employees to carry out a laboratory assessment to establish whether employees are infected with the coronavirus and whether they have immunity from this infection.
  • Body temperature checks on employees in the workplace not less than every four hours.

Under Russian law, health data is considered to be a special category of personal data. Therefore, processing it imposes additional requirements on employers.

Data protection measures to be taken by employers

The obligations imposed on employers to collect employees' health data must be fulfilled in accordance with current data protection legislation. This means that the employer should take the following measures:

Legal grounds for the data processing

To begin with, it is necessary to ensure appropriate legal grounds for the employees' data processing. Russian employment laws lay down that employees' health data may be processed to the extent necessary to verify an employee's capacity to perform his/her employment duties. Meanwhile, the Federal Law on Personal Data as a rule requires written consent to justify the processing of such data.

Personal data processing policy

Documents regulating personal data processing must reflect all categories of personal data that are processed by the employer in practice.

In other words, if an employer has started processing special categories of personal data in order to comply with epidemiological requirements and this was not previously provided for in the internal policies, it is necessary to update the policies and notify employees about the update.

Information on processing of personal data

As a rule, companies processing personal data should send a notification specifying the categories of processed personal data to the Russian Data Protection Authority ('Roskomnadzor').

Since new categories of personal data are being processed, companies should check if the previously submitted notification reflects new processes.

Compliance with general data protection requirements of Russian law

When special categories of personal data are processed, it is obligatory to comply with other provisions imposed by Russian data protection laws (including the obligation to delete personal data when there are no appropriate legal grounds for their processing).

European approach

The European Data Protection Board (EDPB) published a statement on the processing of personal data in the context of the COVID-19 outbreak (https://edpb.europa.eu/news/news/2020/statement-edpb-chair-processing-personal-data-context-covid-19-outbreak_en). In it, the EDPB stated that processing of personal data in the context of the epidemic can be justified by legal grounds such as processing for the reasons of public interest in the area of public health, protection of vital interests or compliance with a legal obligation.

However, companies that are subject to the requirements of both Russian and European data protection laws must double check that the legal ground that is used for processing of personal data of employees under European law will also be lawful under Russian law.

Risk of second wave and the use of digital monitoring systems

Since there is a risk of a second wave of COVID-19 and renewed self-isolation measures, companies are required to reflect the possibility of processing special categories of personal data in internal documents related to data protection. The application of social monitoring programmes may also directly affect the ability of employees to be present personally in the workplace. Moreover, social monitoring programmes influence the process of data processing by employers, which must be reflected in companies' internal data protection documents.

Consequently, despite a phased withdrawal of restrictions, currently employers have to process an expanded volume of personal data. Taking into account the sensitivity of this data, employers need to pay particular attention to compliance with Russian data protection laws.
