Does HR data processing require registration under data protection laws?
Data protection laws sometimes include conformity assessments, which help to ensure businesses follow regulations. Requirements can include registration before the Data Protection Authority and random audits.
In Russia, Controllers, such as employers, are required to notify the Data Protection Authority of the intention to process personal data, with few exceptions (Data Protection Law, Sec. 22). These exceptions are treated very restrictively by the Roskomnadzor (The Federal Service for Supervision of Communications, Information Technology and Mass Media), and therefore almost all companies fall within the scope of the requirement to file a notification. The exceptions that may apply to employers include when the personal data:
- is processed in accordance with labor legislation;
- is received by the employer in connection with the conclusion of an agreement to which the subject of personal data is a party, such as an employment contract (Note: This exception only applies if personal data is not disseminated or provided to third parties without the consent of the employee and, the personal data is used by the employer exclusively for the execution of the contract);
- is made publicly available by the employee;
- includes only the last names, first names and patronymics of the employee;
- is (a) processed without the use of automation in accordance with Russian laws and regulations, (b) requirements for ensuring the security of personal data during its processing have been established, and (c) the rights of the employee are observed.
HR Best Practices: Employers and other data Controllers are required to notify the Data Protection Authority if personal data will be processed, with few exceptions. The notification should be filed once and include all of the company’s data processing activities. If there are any changes in processing activities, the data controller is obliged to notify the Roskomnadzor of the changes within ten business days.
Only the company, branch or representative office which is registered in Russia can file the notification. The requirement to notify Roskomnadzor is not applicable to non-Russian legal entities without any presence in Russia (branch, representative office, or subsidiary).