Irina Anyukhina

Reminder It is ****illegal**** for a company to ****refuse**** to provide ****benefits**** (e.g., ****voluntary medical insurance****) due to an ****employee's failure**** to provide ****consent**** to the processing of personal data. This was the conclusion reached by the 3rd Cassation Court of General Jurisdiction in ****Resolution No. 88-1047/2024 dated 15 January 2024****. Key facts of the case Per the employment contract, employees agreed to comply with all ****the requirements**** of the employer’s ****Internal Labour Regulations**** and other ****in-house policies****. In accordance with the ****Policy on Additional Benefits for Employees****, employees were eligible to receive benefits if they provide written ****consent**** to the processing of their personal data. In the absence of such consent, the benefits for employees could be ****suspended****. An employee who was reinstated at work and ****did not provide**** consent to the processing of personal data filed a claim in court to require the company to provide ****voluntary medical insurance****. All three court instances (district court, appellate court and court of general jurisdiction) ****supported the employee****, pointing out that legislation on personal data stipulates that the subject of personal data has the right to grant consent to the processing of such data. However, such consent must be provided ****exclusively voluntarily****. Whether or not a ****personal data subject**** exercises his/her rights ****cannot be made dependent**** on exercising the right to receive additional benefits provided to an employee as part of employment relations. As a result, the courts satisfied the employee's claims to require the employer to provide ****voluntary medical insurance**** on the terms of the existing in-house policy ****no later than 3 business days**** from the date on which the court decision takes effect. Claims To require an employer to provide voluntary medical insurance, recover the amount of food subsidies, provide compensation for delayed payments, provide annual paid leave, and provide compensation for moral damages Resolution To uphold the decisions of the lower court instances and dismiss the cassation appeal

On 18 July Irina Anyukhina, Partner, Head of ALRUD Labour and Employment Practice, will speak at ECOPSY offline conference ****“Smart strategies at the tight labour market”****. During her presentation, Irina will talk about the outstaffing pitfalls: regulation, execution of documents, risks. This year, manpower shortage has become the major problem for enterprises and a serious threat to the economy. Despite the fact that the level of unemployment fell to its record low a year ago, it continues to decline. ECOPSY and ALRUD experts, HR representatives from large manufacturing companies will discuss the touchiest issues. Please join us! You may register on the organizers’ website.

Roskomnadzor (Russian Data Protection Authority) plans to make it easier for personal data subjects to revoke consent to the processing of personal data Roskomnadzor proposes making it possible to ****revoke consent**** to the processing of personal data “in one click”. Technically, the mechanism can be implemented as part of the ****consent management system that the Ministry of Digital Development, Communications and Mass Media**** created on the basis of the ****Gosuslugi**** service, but it will require revisions to standards. The relevant draft law may be considered as early as September. Business fears that implementing the plan will lead to ****increased costs for the restructuring of information systems****. Criminal liability for violating the secrecy of correspondence and destroying corporate information The Oktyabrsky District Court of Ufa handed down a ****verdict**** in a criminal case against a ****former employee of the company****. He was found guilty of committing crimes under Part 1 of Article 138 of the Russian Criminal Code (****violation of the secrecy of correspondence****) and Part 2 of Article 272 of the Russian Criminal Code (****unlawful access to legally protected computer information committed out of self-interest****). The court found that in November 2023, a man who previously worked as a ****system administrator**** remotely ****copied the email correspondence****, ****contacts****, and ****personal data**** of the general director and ****corporate information**** containing ****trade secrets**** and ****destroyed**** them. The defendant pleaded guilty to the crimes. The court sentenced him to a ****fine of 120,000 RUB**** (approximately 1,364 USD or 1,268 EUR). The verdict does not contain information about the company filing a ****civil claim**** in criminal proceedings to ****compensate for damages**** caused as a result of the destruction of corporate information. Question Can the data controller be subjected to ****administrative liability**** during the ****moratorium on inspections****? Position of the 8th Court of the General Jurisdiction (Case No. 2a-2919/2022) If a violation is ****revealed**** during the consideration of materials received, including from a citizen, Roskomnadzor may ****conduct an inspection**** and ****initiate an administrative offence case**** or ****refuse**** to initiate it.

Ban on foreign information security services from “unfriendly” jurisdictions Decree No. 250 of the Russian President dated 1 May 2022 “On Additional Measures to Ensure the Information Security of the Russian Federation” previously imposed restrictions on the ****use of foreign information security means****. In particular, government authorities, state corporations, systemically important organizations, and subjects of critical information infrastructure (“CII subjects”) are prohibited from using ****information security means**** as of 1 January 2025: ****Originating**** from “unfriendly” states; Or from ****manufacturers**** that are organizations under the jurisdiction of “unfriendly” states, directly or indirectly controlled by them or ****affiliated**** with them. Decree No. 500 of the Russian President dated 13 June 2024 extended the scope of the ban: as of 1 January 2025, government authorities, state corporations, systemically important organizations and CII subjects are also prohibited from ****using cybersecurity services**** (work or services) from companies from “unfriendly” states. If your company belongs to government authorities, state corporations, systemically important organizations or CII subjects, we recommend that together with IT you conduct an ****audit of software**** and ****IT services used for HR****, ****accounting**** and ****personnel management**** purposes in order to ensure timely compliance with the requirements of the above-mentioned presidential decrees. A 14th package of sanctions, including IT restrictions, has been imposed against Russia The USA has significantly expanded sanctions against Russia, with new restrictions affecting financial infrastructure, ****cloud**** services and information technology. The USA will ban a number of software and IT services as of ****12 September 2024****. The US Department of the Treasury, together with the State Department, issued a special decree with the following restrictions: It is prohibited to provide any person in Russia with ****design services**** and ****IT consulting services****; It is prohibited to supply ****cloud technology**** and ****IT support services**** for business management, as well as design and manufacturing software. Russian companies using such software for ****HR purposes**** may consider the following courses of action: Change the ****vendor****, which will allow them to continue using the software in Russia; ****Localize**** relevant HR processes. Exemption from liability for personal data leaks due to the insignificance of the offence During the ‘I Give My Heart to Children’ Russian Professional Skills Competition for Continuing Education Employees, there was a technical failure that led to the brief publication (****three minutes****) of information about a personal data subject on the competition website. The subject’s ****passport details****, ****registration address****, ****telephone number**** and ****email address**** were published, all of which constitutes personal data. In court, the data controller pointed out that the incident was caused by a technical malfunction in the service, third parties did not gain access to the personal data since the violation was ****eliminated**** as soon as possible, and ****no damage**** was caused to the subject of the personal data. The Russian Federal Service for Supervision of Communications, Information Technology and Mass Media, (Roskomnadzor) reported that it ****did not receive any complaints**** about the data controller as a result of the incident. In accordance with the law, the data controller sent a ****notification about the leak**** of personal data. A justice of the peace of the Danilovsky District of Moscow (Case No. 05-1415/456/2023) ruled that the data controller had failed to ensure the ****confidentiality of personal data**** and had not prevented ****unauthorized access**** to it by third parties, and qualified the offence under Part 1 of Article 13.11 of the Code of Administrative Offences of the Russian Federation. However, since the court had no evidence that information about the personal data subject had been ****copied****, ****obtained**** or ****used**** by ****third parties**** to violate its legally protected rights, including through the competition website, the court relieved the data controller of administrative liability due to the ****insignificance of the offence**** and limited itself to a ****verbal reprimand****.

Within a complicated labor dispute involving a middle-level employee, the ALRUD team offered the client comprehensive out-of-court legal defense. The project involved the development and adjustment of the legal position for a client who was representing themselves in court. We made it a priority to address any inconsistencies and violations attributed to the employee, while also preparing a strong defense against claims for a substantial bonus payment. During a series of strategy meetings with the client, we provided insightful commentaries and valuable recommendations on how to proceed in court. Through this collaboration, the company was able to enhance its defense strategy, identify strong justifications for disciplinary sanctions, and ultimately protect its position with success. The project presented a challenge in dealing with numerous infringements and violations, some of which exceeded the usual procedural terms. The non-financial audit performance was carefully analyzed to determine the validity of any violations, with a strong focus on the legal aspects. The project was crucial for the client as it helped them avoid paying a substantial bonus and default interest, which could have greatly increased their financial expenses. In addition, the company's strong confirmation of the legality of the disciplinary sanctions has further solidified its position in terms of corporate governance. ALRUD team working on the project included Partner Irina Anyukhina and Senior Associate Margarita Egiazarova.

The State Duma will consider a draft law on the possibility for the plaintiff to receive personal data (“PD”) of the defendant Amendments are planned to be made to the ****Civil Procedure Code**** of the Russian Federation. It is proposed to grant the plaintiff the right to file a ****motion**** to the court for assistance in ****establishing information about the defendant****, which is necessary to file a claim in court, but the plaintiff does not have. In addition, if the law is adopted, the court will be able to independently determine the ****ist of data**** about the defendant necessary to accept the claim. More than half of the surveyed small and medium-sized businesses are not ready for tougher sanctions for PD leaks Less than half of Russian companies (44%) from the ****SMB segment**** have managed to ****review their PD protection measures**** against the background of possible tightening of sanctions for their leaks. 50% of companies have not even studied the amendments in detail, and some do not plan to strengthen protection at all yet. Some of the respondents (45%) expect to strengthen protective processes ****“within a year”****, another 8% - ****“in the next six months”****. There are also those (4%) who do not plan to review the protection at all yet. At least 32% of SMB respondents are concerned about ****reputational risks**** from sanctions. 68% of respondents are concerned about ****financial losses****, including from the imposition of fines. It is noteworthy that only 43% of respondents have conducted an audit of PD processing processes over the past 3 years, 11% conducted an audit more than 3 years ago. Almost a quarter (21%) have never conducted an audit at all. 25% of the respondents could not give an answer to this question. We remind you that the draft laws on ****administrative and criminal liability for PD leaks**** are planned to be finally considered this ****spring session of the State Duma****. Regardless of the adoption of these bills in this session, we recommend that data controllers be prepared to tighten liability for PD leaks. To this end, companies should conduct an ****audit of PD processing processes and an IT security audit****. A draft law on the right of the Federal Tax Service to transfer information that constitutes a tax secret to interdepartmental commissions has been adopted in the first reading According to the new law on employment, ****interdepartmental commissions**** on combating ****illegal employment**** will be created in the regions of the Russian Federation. They have the right to receive from various authorities, including the ****tax service****, PD and information constituting a ****tax secret****. They want to extend the effect of the tax secrecy regime to cases where the tax authorities transfer relevant information and information to interdepartmental commissions of the subjects of the Russian Federation and territorial bodies of the ****Federal Service for Labour and Employment (Rostrud)****. Following the results of the prosecutor's office's inspection, the DPO of the company was brought to administrative liability The ****Prosecutor's office**** of the Kirovsky district of Saratov conducted an inspection of compliance with legislation in the field of PD protection in a medical company. During the supervisory activities, together with a specialist of the ****Roskomnadzor Department**** for the Saratov region, a fact of ****illegal dissemination of a database containing PD of clients****, in particular ****phone numbers**** and ****full names****, was revealed. According to this fact, the district prosecutor's office initiated an administrative offense case under Part 1 of Article 13.11 of the Administrative Code of the Russian Federation ****against a responsible official of a medical company****. According to the results of the consideration of the case, the DPO was sentenced to an ****administrative fine in the amount of RUB 10,000 (approx. USD 112, EUR 103)****. Question Can an employer track the ****location**** of employees through their personal smartphones?Can an employer track the location of employees through their ****personal smartphones****? Answer from Rostrud The employer has the right to monitor the employee through an ****application in a mobile phone****, if this is related to the ****performance of job duties****. We additionally note the need to obtain the ****consent of employees to track and process PD****.

The International Bar Association Global Employment Institute (IBA GEI) published its 12th annual global report on general international trends in human resources law with examples from 54 countries. Irina Anyukhina, Partner of ALRUD Labour Practice, covered a block of issues related to current regulatory trends and developments in Russian labour and migration law, including artificial intelligence, flexible working, alternative workforce, unions, labour disputes. The global report can be found here.

On 22 May 2024 ALRUD hosted face-to-face meeting of HR-Club on the topic: “Financial liability in labour relations: a dialogue on the eternal”. The following experts from ALRUD Labour Practice participated in the discussion: Irina Anyukhina, Partner, Maria Nevezhina, Senior Associate, PhD in Law, Ekaterina Bronitsyna, Associate. The participants discussed how to bring an employee to financial liability effectively and safe for the company; how to recover damages; how to document the procedure so that even the most demanding court would take the employer’s side; how to bring top-management to liability without reputational losses. ALRUD HR-Clubs are held in the format of live discussion, exchange of views, and dialogue between business and lawyers. Dialogue between legal counsels and practitioners makes the event the most useful for all the club members. If you or your colleagues would be interested to participate, we invite you to join the discussion. Please address all the issues concerning participation to Senior Marketing Manager Anna Glukhova: aglukhova@alrud.com

The Federation Council clarified how the Russian Digital Code will look like Work on the ****Digital Code****, which will become the basis for legal regulation of relations in the field of ****information**** and ****digital technologies****, will take at least another ****year****, and a significant part of the future document is planned to be devoted to the protection of ****personal**** and ****biometric data****. The structure of the Code reflects two parts – ****general**** and ****special****: the general part will list the basic concepts, terms, principles, subjects and objects of law, that is, all that is called the ****conceptual apparatus****; in a special part – specific types of state and social institutions, types of legal relations and ways of their regulation. Separately, the Federation Council noted that the special part involves three large sections: issues of ****communication****, ****information**** and ****personal data protection****. We recommend that employers monitor the development and adoption of the code, as it can have a direct impact on digitized HR processes in companies. Participants of JSC and LLC at online meetings will be identified by electronic signatures or biometric personal data Draft amendments to the ****laws on JSC and LLC**** have been prepared for the second reading in the ****government bill**** (No. 103501-8). Initially this document was devoted to another issue: it provided for the possibility of the JSC to suspend the sending of ****correspondence**** and payment of ****dividends**** to ****shareholders**** who have not ****contacted the company for more than two years**** (the so-called ****lost shareholders****). It is proposed to use a choice of five options when identifying a participant in online meeting: enhanced qualified electronic signature, enhanced unqualified electronic signature, personal data from the ****Unified Identification and Authentication System**** (ESIA), as well as information from the ****Unified Biometric System**** (EBS). At the same time, ****non-public JSC**** will be able to deviate from the rules set out: specify in the charters other ways to ****reliably identify persons**** taking online participation in the meeting and ways to sign ballots. The bill also regulates the general rules for online meetings. For example, such a format should provide for ****broadcasting****, and the company is obliged to ****keep a record**** of it. If there are significant ****technical problems**** that make it impossible to hold a meeting, the vote is declared ****invalid****. Question Should the Data Protection Officer (DPO) be directly subordinate to the General director?Should the Data Protection Officer (DPO) be directly subordinate to the General director? Answer from Roskomnadzor The DPO receives instructions directly from the ****executive body**** of the organization that is the data controller and is accountable to it.The DPO receives instructions directly from the executive body of the organization that is the data controller and is ****accountable to it****.

Dear Ladies and Gentlemen, We present to your attention our new format - a quarterly review of the key changes in labour legislation and related areas. The document includes a description of the latest legislative changes, which either have already entered into force in the current 2024 or will be put into effect in the near future. This review will be useful for HR directors, company executives, compliance officers, heads of legal departments and other interested parties.