Concise and to the point with ALRUD: HR & DIGITAL (№13)

The Ministry of Digital Development, Communications and Mass Media of the Russian Federation has expanded the list of risk indicators for violations of the processing of personal data (“PD”)

On 1 August 2024, the Ministry adopted Order No. 682, which includes a ****new risk indicator**** for violations that occur when conducting state control (supervision) over the processing of PD. The new risk indicator is for when ****two or more violations**** of the requirements of Federal Law No. 149-FZ dated 27 July 2006 with respect to Articles 10.2-2 (the provision of information using ****recommendation technologies****) are detected ****within a single year****.

As of 1 October 2023, when using ****recommendation technologies****, website owners must:

1) Prevent the use of technologies that violate the ****rights**** and ****legitimate interests**** of ****citizens**** and ****organizations****, as well as the ****legislation**** of the Russian Federation;

2) ****Inform**** users about the use of recommendation technologies;

3) Specify the ****email address**** to which user requests should be sent;

4) Make the ****terms of the use**** of technologies available in Russian.

When ****processing the PD of employees****, recommendation technologies may be used by employers, e.g., on ****internal portals**** and ****websites****, in ****corporate messengers****, and on ****training platforms****.

The government has made it easier for small IT startups to obtain IT accreditation

Regulation No. 1149 of the Government of the Russian Federation dated 26 August 2024 was adopted, which stipulates that:

1) The ****verification of the share of income**** from the ****IT activities**** of startups included in the register of ****small technology companies**** that were established ****less than three years ago**** shall be cancelled. Now, in order to receive accreditation, this share of income must exceed ****30% of revenue****.

2) Companies from new regions (****Donetsk, Kherson, Luhansk and Zaporizhzhia Regions****) shall be able to receive accreditation ****regardless of the average monthly amount**** of payments to employees. This exception shall be valid ****until 1 July 2025****.

3) Applications for the ****annual accreditation confirmation**** procedure shall only be accepted in ****electronic form**** through the Gosuslugi portal.

4) As part of the confirmation procedure, the salary level check shall be carried out for ****two quarters instead of five****.

5) If the company received accreditation in the ****year of its incorporation****, it shall not be required to undergo the planned confirmation procedure during that year.

As a general rule, organizations are ****entitled to receive state accreditation**** if:

1) Their main type of ****economic activity**** is one of the types contained in ****Attachment 1 to the Regulation on State Accreditation****;

2) The ****average salary**** of employees is no less than the ****average for the country**** or the ****region**** in which the organization is ****registered****;

3) Income from IT business activities is more than 30% of total income;

4) The ****official website**** of the organization contains information in Russian about the ****IT activities**** performed by the company.

Reminder

****Posting**** a photo of an employee ****on the Internet**** is regarded as the ****dissemination of biometric PD**** to an indefinite number of persons and is only allowed with their ****written consent****.

This conclusion was reached by the 2nd Cassation Court of General Jurisdiction in its ****ruling dated 4 July 2023 in Case No. 88-13675/2023****.

Facts of the case

While working for a company, an employee participated in a ****corporate photo shoot**** arranged by the employer as an ****incentive measure****. After she was ****terminated****, she discovered that her former employer had ****illegally****, ****without her consent****, ****published**** and used her photo image on a ****job search website**** to attract job seekers.

The employee complained to her former employer, who informed her that based on the ****environment**** in which the photo shoot was held and the employee’s ****subsequent behaviour****, it followed that she had provided her ****consent**** and had also been informed about the ****purpose of the photo shoot****.

The employer’s arguments were supported by the court of first instance, which also explained that the photo shoot had been conducted ****during working hours****, for which the employer accrued and ****paid salary****. The appellate instance deemed this ruling to be ****erroneous****, since ****voluntary participation**** in a photo shoot does not mean that an employee agrees to the publication and use of the images that the company received for image purposes when posting vacancies on the Internet. Furthermore, the court ruled that the employer ****had failed to prove**** there were ****legitimate grounds**** for using the images.

In addition, the use of the image could be justified ****during the employment period****, but should have been restricted following the ****dismissal of the employee****. The appellate court’s conclusions were supported by the cassation court, which also clarified that ****posting**** a photo in the public domain constitutes the ****dissemination**** of an employee’s ****biometric PD****.

An official from the company was subjected to administrative liability for violations of PD processing

****Roskomnadzor**** (the Russian personal data protection authority) received materials from the Krasnodar city administration about the discovery of a violation of PD processing during the monitoring of ****documentation containing the PD of employees and clients**** of Russian Telephone Company.

Based on the results of the review, a ****protocol on an administrative offence**** envisaged by Part 6 of Article 13.11 of the Administrative Code of the Russian Federation was filed against an official of Russian Telephone Company.

The decision of a justice of the peace in Judicial District No. 243 found the official guilty and imposed a ****fine of RUB 8,000 (approximately USD 88 or EUR 80)**** against him.

This decision answers a question that our clients frequently ask about whether the person responsible for organizing the processing of PD (****DPO****) can be subjected to ****administrative liability****.