Some Issues Related to the Transfer of Employees’ Personal Data
- By Maria Landau
- Feb. 16 2010 00:00
Although Russia’s main law on personal data protection, RF Federal Law No. 152-FZ on Personal Data of July 27, 2006 (the “Personal Data Law”), has been in effect for nearly four years, it continues to present difficult issues for many employers, whose HR and other departments must process their employees’ personal data on a daily basis.
Among the most common issues that employers face is whether and in what manner employees’ personal data can be transferred to other entities within the same group as the employing company. This kind of transfer has long become the norm for Russian companies that are part of a group with foreign companies, with headquarters outside the Russian Federation that accumulate the personal data of all employees in the group, but the law has yet to decide the procedure for such transfers. One point is clear: The employee’s written consent is required.
A frequent question is whether the presence of a standard provision on data processing in an employment agreement is sufficient proof of the employee’s written consent, including to the transfer of personal data to third parties. Our view is that this is not sufficient. The primary purpose of the written consent is to protect the employee’s personal data, as well as to ensure that the employee is fully informed of how the data will be processed. It is therefore advisable that the employment contract or the separate written consent to personal data processing (depending on the employer’s rules) describes in as much detail as possible to whom and for what purposes the employee’s personal data may be transferred.
A further issue in the transfer of personal data to corporate headquarters is the question of cross-border transfers of personal data. As a general rule, cross-border transfers must comply with the general processing rules established by the Personal Data Law (including the written consent requirement). Transfers of personal data to an entity in a state that does not provide adequate protection for personal data rights are generally prohibited. However, Article 12 of the Personal Data Law provides additional conditions under which such transfers are permitted, including a requirement for the employee’s additional written consent to the cross-border transfer.
It should be noted that applicable Russian law does not establish any criteria for determining whether a foreign state provides “adequate protection” of personal data. According to a number of labor specialists, these criteria may be derived from Article 25 of Directive 95/46/EC of the European Parliament and of the Council of Oct. 24, 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. Article 25, which concerns the transfer of data to third countries, states that “the adequacy of the level of protection afforded by a third country shall be assessed in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations.” In this regard, “particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in that country.”
Assessments of the adequacy of protection afforded by foreign states, for purposes of Russian law compliance, should also be guided by a Telecommunications and Mass Communications Ministry letter of May 13, 2009 No. DS-P11-2502 on cross-border transfers of personal data. This letter states that one criterion for assessing states in this regard may be whether the state has ratified the Convention for the Protection of Individuals with regard to automatic processing of personal data of Jan. 28, ETS No. 108.