Under the Decree of the Moscow Mayor No. 68-UM dated June 8, 2020 (available only in Russian here), a phased removal of restrictions caused by the spread of coronavirus infection began from June 9. This includes the return to work of a large number of organizations.
Starting from June 16, 2020 organizations and individual entrepreneurs carrying out operations with real estate, activities in the area of rent, leasing, law, accounting, etc. are able to resume work.
This newsletter reviews additional responsibilities for employers relating to the processing of employees’ personal data.
Starting from May 12, 2020, the Decree of the Moscow Mayor No. 55-UM dated May 7, 2020 (available only in Russian here) (the “Mayor’s Decree”) imposed new duties on employers, which imply expanding the volume of processed data.
Under the Mayor’s Decree, employers, inter alia, are required to provide:
clinical tests determining whether an employee is infected with the coronavirus infection. The respective tests shall be carried out in relation to not less than 10% of the company’s employees located in the workplace (starting from June 1, the tests shall be carried out each 15 calendar days);
blood collection from employees for carrying out the laboratory assessment for understanding whether an employee is infected with the coronavirus infection and whether an he/she has immunity from this infection;
body temperature measurements to employees in the workplace not less than every 4 hours.
Under Russian laws, health data are considered as special category of personal data. Therefore, it imposes additional requirements on employers.
The obligations imposed on employers to collect employees’ health data shall be fulfilled in accordance with current data protection legislation. This means that the employer should take the following measures:
To begin with, it is necessary to ensure appropriate legal grounds for the employees’ data processing. Russian employment laws lay down that employees’ health data may be processed to the extent necessary to verify employee’s capacity to perform his/her employment duties. Meanwhile, the Federal Law on Personal Data as a rule requires written consent to justify the processing of such data.
Documents regulating personal data processing must reflect all categories of personal data that are processed by the employer in practice.
In other words, if an employer has started the processing of special categories of personal data in order to comply with epidemiological requirements and it was not previously provided by the internal policies, it is necessary to update the policies and notify employees about such update.
As a rule companies processing personal data should send to Russian Data Protection Authority (“Roskomnadzor”) the notification specifying the categories of processed personal data.
Since new categories of personal data are processed, companies should check if the previously submitted notification reflects new processes.
When special categories of personal data are processed, it is required to comply with other provisions imposed by Russian data protection laws (including the obligation to delete personal data when there are no appropriate legal grounds for their processing).
European Data Protection Board (“EDPB”) published a statement on the processing of personal data in the context of the COVID-19 outbreak. The EDPB stated that processing of personal data in the context of the epidemics can be justified by such legal grounds as processing for the reasons of public interest in the area of public health, protection of vital interests or compliance with a legal obligation.
However, companies that are subject to the requirements of both Russian and European data protection laws must double check that the legal ground that is used for processing of personal data of employees under European law will be also lawful under Russian law.
Since there is a risk of the second wave of COVID-19 and renewal of self-isolation measures, it is required that companies reflect the possibility of processing of special categories of personal data in internal documents related to data protection. The application of social monitoring programs may also directly affect the ability of employees to present personally in the workplace. Moreover, social monitoring programs influence the processes of data processing by employers, which must be reflected in companies’ internal data protection documents.
Thus, despite a phased removal of restrictions, currently employers have to process the expanded volume of personal data. Taking into account sensitivity of the data employers need to pay more attention to the compliance with Russian data protection laws.
We hope that the information provided herein will be useful for you. If you or any of your colleagues would like to receive our newsletters via e-mail, please fill in the 'Subscribe' form at the bottom of the page.
Practice: Data Protection and Cybersecurity
Note: Please be aware that all information provided in this letter was taken from open sources. Neither ALRUD Law Firm, nor the author of this letter bear any liability for consequences of any decisions made in reliance upon this information.