Cross-border data transfers affect all organizations that engage online IT services, cloud-based services, remote access services and global HR databases. Understanding the applications of lawful data transfer mechanisms is essential to validate recipients located in other nations. Data transfers typically include the following examples:
Russian employee data can be transferred internationally, as long as a few key requirements are met.
Data Localization Requirement: When processing Russian citizens’ personal data, the original version of the data must be stored on a database located in Russia, per the Personal Data Law. This means that the recording, systematization, accumulation, storage, specification (update, modification) and retrieval must be completed in Russia. While there are a couple of exceptions to the localization requirement, they are very narrow and usually do not apply to employee data. Note that:
Once the data has been processed, it can be transferred outside of the country for further processing (subject to additional requirements).
Database ownership: The employer does not need to own the local Russian database to meet the data localization requirement. Employers can use third parties by renting a server facility or using a Russian-based cloud (note that PeopleDoc does not have a Russian-based cloud environment). A data processing agreement which complies with Russia’s Personal Data Law should be completed when using a third party to store personal data.
International Employee Data Transfers: Cross-border transfer is defined as the transfer of personal data to a foreign third party abroad. This includes foreign individuals, legal entities and state authorities. In Russia, the transfer of personal data to affiliates (including those with shared information systems) is considered a transfer to a third party.
Employee data can be transferred outside of Russia to third-party data processors, as long as certain requirements are met:
Note that cross-border transfer of personal data doesn’t require authorization from the Roskomnadzor or other supervisory authority. That said, employers and other data controllers are required to notify the Data Protection Authority of the intention to process personal data, including the intention to transfer data internationally.
HR Best Practices: Russian employee data can be transferred internationally as long as certain requirements are met. When transferring Russian employee data internationally, ensure: (1) the original version of the data is stored on a Russian database; (2) employee consent is obtained; (3) there is a personal data processing and/or privacy policy outlining the company’s data transfer practices; and, (4) when appropriate, the necessary data processing agreements are in place.