Employee Data Privacy

Are there any restrictions on transferring personal data and how can these be overcome?

Cross-border data transfers affect all organizations that engage online IT services, cloud-based services, remote access services and global HR databases. Understanding the applications of lawful data transfer mechanisms is essential to validate recipients located in other nations. Data transfers typically include the following examples:

• personal data communicated over the telephone, by email, fax, letter, through a web tool or in person to another country;
• IT systems or data feeds which lead to personal data being stored on databases hosted outside the country;
• people/entities outside the country being able to access or "see" personal data held in the country; and
• the use of personal data by third parties through external solutions, e.g., outsourcing, offshoring and cloud computing.

Russian employee data can be transferred internationally, as long as a few key requirements are met.

Data Localization Requirement: When processing Russian citizens personal data, the original version of the data must be stored on a database located in Russia, per the Personal Data Law. This means that the recording, systematization, accumulation, storage, specification (update, modification) and retrieval must be completed in Russia. While there are a couple exceptions to the localization requirement, they are very narrow and usually do not apply to employee data. Note that:

• the local database should be maintained, accurate and updated. When updating or modifying personal data, the changes should primarily/initially be made in the local Russian database; and,
• storing the collected data and extracting the personal data should be carried out in the local database. Given that any further processing of personal data requires its extraction from the database, the master data (accurate and updated) should be stored in the local database. The non-Russian database would contain a copy of the master data.

Once the data has been processed, it can be transferred outside of the country for further processing (subject to additional requirements).

Database ownership: The employer does not need to own the local Russian database to meet the data localization requirement. Employers can use third parties by renting a server facility or using a Russian-based cloud (note that PeopleDoc does not have a Russian-based cloud environment). A data processing agreement which complies with Russia’s Personal Data Law should be completed when using a third party to store personal data.

International Employee Data Transfers: Cross-border transfer is defined as the transfer of personal data to a foreign third party abroad. This includes foreign individuals, legal entities and state authorities. In Russia, the transfer of personal to affiliates (including those with shared information systems) is considered a transfer to a third-party.

Employee data can be transferred outside of Russia to third-party data processors, as long as certain requirements are met:

• Consent: The employer must obtain the employee’s written consent to personal data processing;
• Data Processing Agreements: A Russian data processing agreement exists between the employer and the third-party processor. When data is transferred between the company’s own databases, an agreement is not required. That said, when data is transferred between a subsidiary and the parent company’s database (or vice versa), a data processing agreement is required. The data processing agreement is also required when data is transferred or shared with any other third parties (such as an external payroll provider);
• Personal Data Processing Policy/Privacy Policy: The employer’s Personal Data Processing Policy/Privacy Policy should include provisions describing the data transfer practices, including specifying a list of recipient countries where data will be transferred as well as names, address and roles of any third parties to which personal data is transferred. Practically, some companies may provide a general description of third parties and enable individuals to obtain more detailed information from the company upon request;
• Data localization: The original version of the personal data is localized in Russia upon collection (as outlined above).

Note that cross-border transfer of personal data doesn’t required authorization from the Roskomnadzor or other supervisory authority. That said, employers and other data Controllers are required to notify the Data Protection Authority of the intention to process personal data including the intention to transfer data internationally.