Employees’ Data Protection Issues during the Removal of Restrictions caused by Coronavirus Infection
Under the Decree of the Moscow Mayor No. 68-UM dated June 8, 2020 (available only in Russian here), a phased removal of restrictions caused by the spread of coronavirus infection began from June 9. This includes the return to work of a large number of organizations.
Starting from June 16, 2020 organizations and in-dividual entrepreneurs carrying out operations with real estate, activities in the area of rent, leas-ing, law, accounting, etc. are able to resume work.
This newsletter reviews additional responsibilities for employers relating to the processing of em-ployees’ personal data.
Processing of new categories of data
Starting from May 12, 2020, the Decree of the Moscow Mayor No. 55-UM dated May 7, 2020 (available only in Russian [here](https://www.mos.ru/upload/documents/docs/68-YM(4).pdf (the “Mayor’s Decree”) imposed new duties on employers, which imply expanding the volume of processed data.
Under the Mayor’s Decree, employers, inter alia, are required to provide:
-
clinical tests determining whether an employee is infected with the coronavirus infection. The re-spective tests shall be carried out in relation to not less than 10% of the company’s employees locat-ed in the workplace (starting from June 1, the tests shall be carried out each 15 calendar days);
-
blood collection from employees for carrying out the laboratory assessment for understanding whether an employee is infected with the corona-virus infection and whether an he/she has immuni-ty from this infection;
-
body temperature measurements to employees in the workplace not less than every 4 hours. Under Russian laws, health data are considered as special category of personal data. Therefore, it imposes additional requirements on employers.
Data protection measures to be taken by employers
The obligations imposed on employers to collect employees’ health data shall be fulfilled in accord-ance with current data protection legislation. This means that the employer should take the following measures:
- Legal grounds for the data processing
To begin with, it is necessary to ensure appropri-ate legal grounds for the employees’ data pro-cessing. Russian employment laws lay down that employees’ health data may be processed to the extent necessary to verify employee’s capacity to perform his/her employment duties. Meanwhile, the Federal Law on Personal Data as a rule re-quires written consent to justify the processing of such data.
- Personal data processing policy
Documents regulating personal data processing must reflect all categories of personal data that are processed by the employer in practice.
In other words, if an employer has started the processing of special categories of personal data in order to comply with epidemiological require-ments and it was not previously provided by the internal policies, it is necessary to update the poli-cies and notify employees about such update.
- Information on processing of personal data
As a rule companies processing personal data should send to Russian Data Protection Authority (“Roskomnadzor”) the notification specifying the categories of processed personal data.
Since new categories of personal data are pro-cessed, companies should check if the previously submitted notification reflects new processes.
- Compliance with general data protection require-ments of Russian law
When special categories of personal data are pro-cessed, it is required to comply with other provi-sions imposed by Russian data protection laws (in-cluding the obligation to delete personal data when there are no appropriate legal grounds for their processing).
European approach
European Data Protection Board (“EDPB”) pub-lished a statement on the processing of personal data in the context of the COVID-19 outbreak. The EDPB stated that processing of personal data in the context of the epidemics can be justified by such legal grounds as processing for the reasons of public interest in the area of public health, pro-tection of vital interests or compliance with a legal obligation.
However, companies that are subject to the re-quirements of both Russian and European data protection laws must double check that the legal ground that is used for processing of personal data of employees under European law will be also lawful under Russian law.
Risk of second wave and the use of digital monitoring systems
Since there is a risk of the second wave of COVID-19 and renewal of self-isolation measures, it is re-quired that companies reflect the possibility of processing of special categories of personal data in internal documents related to data protection. The application of social monitoring programs may also directly affect the ability of employees to pre-sent personally in the workplace. Moreover, social monitoring programs influence the processes of data processing by employers, which must be re-flected in companies’ internal data protection doc-uments.
Thus, despite a phased removal of restrictions, currently employers have to process the expanded volume of personal data. Taking into account sen-sitivity of the data employers need to pay more attention to the compliance with Russian data pro-tection laws.
Practices:Data Protection and Cybersecurity Practice
Note: Please be aware that all information provided in this letter was taken from open sources. Neither ALRUD Law Firm, nor the author of this letter bear any liability for consequences of any decisions made in reliance upon this information.
Link to article