Employees’ data protection issues during the removal of restrictions caused by coronavirus infection

Employees’ data protection issues during the removal of restrictions caused by coronavirus infection

23 June 2020

Under the Decree of the Moscow Mayor No. 68-UM dated June 8, 2020 (available only in Russian here), a phased removal of restrictions caused by the spread of coronavirus infection began from June 9. This includes the return to work of a large number of organizations.

Starting from June 16, 2020 organizations and in-dividual entrepreneurs carrying out operations with real estate, activities in the area of rent, leas-ing, law, accounting, etc. are able to resume work.

This newsletter reviews additional responsibilities for employers relating to the processing of em-ployees’ personal data.

Processing of new categories of data


Starting from May 12, 2020, the Decree of the Moscow Mayor No. 55-UM dated May 7, 2020 (available only in Russian herehere) (the “Mayor’s Decree”) imposed new duties on employers, which imply expanding the volume of processed data.

Under the Mayor’s Decree, employers, inter alia, are required to provide:

  • clinical tests determining whether an employee is infected with the coronavirus infection. The re-spective tests shall be carried out in relation to not less than 10% of the company’s employees locat-ed in the workplace (starting from June 1, the tests shall be carried out each 15 calendar days);

  • blood collection from employees for carrying out the laboratory assessment for understanding whether an employee is infected with the corona-virus infection and whether an he/she has immuni-ty from this infection;

  • body temperature measurements to employees in the workplace not less than every 4 hours. Under Russian laws, health data are considered as special category of personal data. Therefore, it imposes additional requirements on employers.

Data protection measures to be taken by employersData protection measures to be taken by employers


The obligations imposed on employers to collect employees’ health data shall be fulfilled in accord-ance with current data protection legislation. This means that the employer should take the following measures:

  • Legal grounds for the data processing

To begin with, it is necessary to ensure appropri-ate legal grounds for the employees’ data pro-cessing. Russian employment laws lay down that employees’ health data may be processed to the extent necessary to verify employee’s capacity to perform his/her employment duties. Meanwhile, the Federal Law on Personal Data as a rule re-quires written consent to justify the processing of such data.

  • Personal data processing policy

Documents regulating personal data processing must reflect all categories of personal data that are processed by the employer in practice.

In other words, if an employer has started the processing of special categories of personal data in order to comply with epidemiological require-ments and it was not previously provided by the internal policies, it is necessary to update the poli-cies and notify employees about such update.

  • Information on processing of personal data

As a rule companies processing personal data should send to Russian Data Protection Authority (“Roskomnadzor”) the notification specifying the categories of processed personal data.

Since new categories of personal data are pro-cessed, companies should check if the previously submitted notification reflects new processes.

  • Compliance with general data protection require-ments of Russian law

When special categories of personal data are pro-cessed, it is required to comply with other provi-sions imposed by Russian data protection laws (in-cluding the obligation to delete personal data when there are no appropriate legal grounds for their processing).

European approach


European Data Protection Board (“EDPB”) pub-lished herea statement on the processing of personal data in the context of the COVID-19 outbreak. The EDPB stated that processing of personal data in the context of the epidemics can be justified by such legal grounds as processing for the reasons of public interest in the area of public health, pro-tection of vital interests or compliance with a legal obligation.

However, companies that are subject to the re-quirements of both Russian and European data protection laws must double check that the legal ground that is used for processing of personal data of employees under European law will be also lawful under Russian law.

Risk of second wave and the use of digital monitoring systems


Since there is a risk of the second wave of COVID-19 and renewal of self-isolation measures, it is re-quired that companies reflect the possibility of processing of special categories of personal data in internal documents related to data protection. The application of social monitoring programs may also directly affect the ability of employees to pre-sent personally in the workplace. Moreover, social monitoring programs influence the processes of data processing by employers, which must be re-flected in companies’ internal data protection doc-uments.

Thus, despite a phased removal of restrictions, currently employers have to process the expanded volume of personal data. Taking into account sen-sitivity of the data employers need to pay more attention to the compliance with Russian data pro-tection laws.


We hope that the information provided herein will be useful for you. If you or any of your colleagues would like to receive our newsletters via e-mail, please fill in the 'Subscribe' form at the bottom of the page.

Practices: hereData Protection and Cybersecurity Practice

Note: Please be aware that all information provided in this letter was taken from open sources. Neither ALRUD Law Firm, nor the author of this letter bear any liability for consequences of any decisions made in reliance upon this information.


We hope that the information provided herein will be useful for you.

If any of your colleagues would also like to receive our newsletters, please send them the link to complete a Subscription Form .
Learn more about our practices:
Data Protection and Cybersecurity



Note: please be aware that all information provided in this letter is based on an analysis of publicly available information as well as our understanding and interpretation of legislation and law enforcement practices. Neither ALRUD Law Firm nor the authors of this letter bear any liability for the consequences of any decisions made in reliance upon this information.

Sincerely,
ALRUD Law Firm

Lesnaya st., 7, 12th fl., Moscow, Russia, 125196
Т: +7 495 234 96 92, Т: +7 495 926 16 48, info@alrud.com
alrud.com
We use cookies to offer better performance of the website and fulfill some other purposes specified in the Privacy Policy. By way of ticking the box you provide your consent to use of cookies. Otherwise, we will only use technical cookies, which are necessary for proper functioning of the website.
Accept