HR Compliance Assist

 Back to Topics

Employee Data Privacy

Russia - Registration Requirements

 Download as a PDF

Does HR data processing require registration under data protection laws?

 

chris-adamus-30858Data protection laws sometimes include conformity assessments, which help to ensure businesses follow regulations. Requirements can include registration before the Data Protection Authority and random audits. 

In Russia, Controllers, such as employers, are required to notify the Data Protection Authority of the intention to process personal data, with few exceptions (Data Protection Law, Sec. 22). These exceptions are treated very restrictively by the Roskomnadzor (The Federal Service for Supervision of Communications, Information Technology and Mass Media), and therefore almost all companies fall within the scope of the requirement to file a notification. The exceptions that may apply to employers include when the personal data:

  • is processed in accordance with labor legislation;
  • is received by the employer in connection with the conclusion of an agreement to which the subject of personal data is a party, such as an employment contract (Note: This exception only applies if personal data is not disseminated or provided to third parties without the consent of the employee and, the personal data is used by the employer exclusively for the execution of the contract);
  • is made publicly available by the employee;
  • includes only the last names, first names and patronymics of the employee;
  • is (a) processed without the use of automation in accordance with Russian laws and regulations, (b) requirements for ensuring the security of personal data during its processing have been established, and (c) the rights of the employee are observed.


HR Best Practices: Employers and other data Controllers are required to notify the Data Protection Authority if personal data will be processed, with few exceptions. The notification should be filed once and include all of the company’s data processing activities. If there are any changes in processing activities, the data controller is obliged to notify the Roskomnadzor of the changes within ten business days.

Only the company, branch or representative office which is registered in Russia can file the notification. The requirement to notify Roskomnadzor is not applicable to non-Russian legal entities without any presence in Russia (branch, representative office, or subsidiary).

 

UKG's HR Compliance Assist team relies on a network of internal and external compliance experts and lawyers to provide clients with best practices and recommendations on topics such as HR document retention, employee data privacy, and HR electronic records. HR Compliance Assist also provides local compliance monitoring and alert services in select countries where UKG's customers have employees. HR Compliance Assist is a service exclusively available to UKG customers.

Share Your Feedback

Let's Talk