Do I have to obtain employees' consent in order to collect their personal data?
The processing of any personal data may impose obligations to the individuals the data is related to, the data subjects. Some jurisdictions only recognize processing personal data as lawful if the data subject has provided express consent. Other jurisdictions require a legal obligation to process the data, and may not require consent. The processing of HR personal data has raised questions and court decisions in a few countries, and interpretations may vary based on data privacy and labor law requirements.
Processing personal data in Russia is only allowed when there is a legitimate purpose for data processing and an appropriate legal ground to do so. Internal policies on data processing should be provided to employees and include:
- the employer’s (i.e., the data controller’s) name and address;
- terms and definitions used in the document;
- an explanation of the policy’s goals;
- the purposes of data processing;
- legal grounds for data processing, the categories of data subjects whose personal data is processed (ex., employees), and the categories of personal data being processed;
- processing methods (automated, non-automated) and operations (recording, systematization, etc.);
- information on the transfer of personal data to the third parties, including cross-border transfers;
- information on any data processors processing personal data on behalf of the employer;
- information on measures implemented to ensure the personal data’s security and confidentiality;
- terms of the personal data processing, including retention periods and conditions relating to termination of processing;
- data subjects’ rights and how these rights can be exercised.
Permitted Reasons for Processing Employee Data
Russia’s Labor Code (2001, Chapter 14, Arts. 85 - 90) outlines when employee personal data processing is permitted. Under the Labor Code (Art. 86), employee personal data can only be processed by employers:
- to assure compliance with laws and legislative requirements;
- to aid employees in employment, education and promotion;
- for the personal safety of employees;
- to control the quality and quantity of work; or,
- to guarantee the safety of company property.
These purposes are construed very narrowly by the Russian authorities. Therefore, companies rely on the Personal Data Law when processing personal data for other purposes. When it comes to HR-related activities (Federal Law No. 152 of July 27, 2006 on Personal Data, Art. 6), the most appropriate legal grounds include when:
- the employee (or other individual) consents to the processing, including written consent where required by law;
- the processing is necessary to fulfill the controller’s (i.e., the employers) functions and obligations under Russian law or international treaties;
- the processing is carried out in connection with the participation of a person in constitutional, civil, administrative, criminal proceedings, or legal proceedings in state arbitrazh courts;
- necessary to execute a contract when the employee (or other data subject) is a party, beneficiary or guarantor;
- necessary to protect the life, health or other vital interests of the employee and it’s not possible to obtain that employee’s consent; or, when
- necessary for the exercise of the rights and legitimate interests of the employer or third parties, provided that this does not violate the rights and freedoms of the employee.
When using consent as the legal basis to process an employee or job applicant’s personal data, the consent should specific, informed and conscious. In addition, the consent should be requested by the employer in a way that enables the employer to provide proof of the consent (e.g., upon the Roskomnadzor’s request). Individuals have the right to revoke their consent at a later date, but employers can continue processing the personal data if there is another permitted reason to process the personal data.
When an individual is required by law to provide their personal information and refuses, the employer must explain the legal consequences of refusing to provide their personal data.
Generally, if personal data is received from a source other than the employee (or other data subject), the employer must request the individual’s written consent and inform the employee of the following (This can be included in the consent form):
- the name and address of the employer or, the employer’s representative;
- the purpose of processing the personal data and the legal basis for processing;
- the users of the personal data;
- the rights that the employee has relating to their personal data; and,
- the source of the personal data.
Under Russia’s Labor Code, employers must receive written consent from the employee before:
- requesting the employee’s personal data from a third party (where requesting data from the third party is the only way to obtain the data) (Art. 86);
- sharing personal information with a third party, except where specified by federal law or when necessary to prevent a threat to the health/life of the employee (Art. 88); or,
- sharing personal information for commercial purposes (i.e. such as for sales or marketing purposes) (Art. 88).
When written consent is required, the consent should include (Federal Law No. 152 of July 27, 2006 on Personal Data, Art. 9):
- the employee’s (or other data subject’s) name; address; number and date of issue of the main document proving identity along with the authority that issued the document;
- in cases where the employee is using a representative, consent should include the representative’s: name; address; number and date of issue of the main document proving identity along with the authority that issued the document; details of the power of attorney or other document confirming the authority of this representative (upon receipt of consent from the representative of the subject personal data);
- name and address of the controller (i.e. the employer) receiving the consent of the subject of personal data;
- the purpose of the personal data processing (As Roskomnadzor and courts construe this requirement literally, consent should only contain one processing purpose. That said, in practice, many controllers integrate a general processing purpose and include reference to the specific tasks necessary to fulfill the general purpose into the written consent. For example, the general purpose may be to manage the employment relationship and the specific task may be to provide payroll);
- a list of the personal data that the employee (or other data subject) has given consent to be processed;
- the name and address of the person performing the processing of personal data on behalf of the employer, if the processing is entrusted to such a person (such as a third-party processor);
- a list of actions (e.g., collection, recording, etc.) with personal data for which consent is given, and a general description of the methods (automatic, manual, mixed) used by the employer for processing personal data;
- the period during which the employee’s consent is valid, as well as the method the employee can use to revoke consent;
- the employee’s signature.
Although regulators have been silent about automated decision making in regards to employee data (i.e., making decisions, such as who to promote, based solely on the automated processing of an employee’s personal data), it’s important to note that the Russian Labour Code (Art. 86) prohibits any automated decision-making with regard to employees. This restriction cannot be lifted by the individual’s consent.
Processing Special Categories of Sensitive Data
Russia’s Personal Data Law (Art. 10) and Labour Code (Art. 86) generally prohibit the processing of special categories of personal data including race, nationality, political views, religious or philosophical beliefs, health status, and intimate life. In addition, special categories of personal data include criminal convictions data.
This information can only be processed under certain exceptions. The exceptions that would most likely apply to employers include the following:
- if the employee (or other data subject) agrees to the personal data processing in writing (note: This is the key legal ground for processing sensitive employee data. The other items will rarely apply.);
- if the processing of the individual’s personal data is carried out in accordance with Russian legislation on state social assistance, labor legislation or pension legislation;
- if necessary to protect the life, health or other vital interests of the employee or the life, health or other vital interests of others and, obtaining the consent of the subject of personal data isn’t possible; or,
- if necessary to establish or exercise the rights of the employee or third parties, as well as in connection with the administration of justice.
Employers are not allowed to collect certain sensitive personal information under Russia’s Labor Code:
- Employers are not allowed to receive or process personal information relating to an employee’s political, religious and other convictions, or information about the employee’s private life. Note that per the Constitution of the Russian Federation (Art. 24), employers have the right to receive and process personal information about an employee’s private life only with the employee’s written permission, and only in cases where the information is relevant to the role (Russia Labor Code, Art. 86-4). In practice, this prohibition may be lifted in certain cases with the employee’s consent and other formalities (notices, etc.). An example of when this prohibition may be lifted might include when an employer is implementing a diversity program to protect employees from discrimination, and the personal data is being used to ensure equal access to employment opportunities.
- Employers cannot receive and process information about an employee’s membership in a professional organization, public organization or, about the employee’s in a trade union, except when permitted under federal law (Russia Labor Code, Art. 86-5).
- Employers are not allowed to require information about an employee’s state of health unless it’s related to their ability to perform their job (Russia Labor Code, Art. 88).
Biometric personal data (ex., fingerprint data) can generally only be processed with the employee’s written consent.
HR Best Practices: Before processing personal employee data in Russia, determine whether there is a legitimate purpose for data processing and an appropriate legal ground to process the data. Commit to properly informing employee and documenting legal rationales for data collection. When consent is used as the legal basis, ensure the consent is specific, informed and conscious.