Russia: Employee monitoring legislation – what you need to know

Russian employment legislation does not provide for clear guidance on permitted or prohibited practices of employee monitoring. The dos and don'ts are formed by various laws and regulatory acts, as well as enforcement practice, which altogether allows the employer to build a system of employee monitoring. Natalia Gulyaeva and Alla Gorbushina, from Hogan Lovells, provide a breakdown of employee monitoring and the legislation applicable to this.

Introduction

The basic legislative acts in this field are the Constitution of the Russian Federation as of 12 December 1993, the Labour Code of the Russian Federation of 30 December 2001 No. 197-FZ (as amended) ('the Labour Code'), and the Federal Law of 27 July 2006 No. 152-FZ on Personal Data ('the Personal Data Law').

In brief, the employer in Russia is not in a position to launch employee monitoring on its own, without undertaking preliminary steps to legitimise such monitoring. Despite the Labour Code explicitly stating that the employee is obliged to perform their work during established working hours (Article 91), this does not per se give the employer a right to restrict the employee's right to privacy at work and to personal data protection. For example, employees' email correspondence will be subject to a regime of privacy of correspondence, unless the employee is explicitly advised that such correspondence, as well as use of the employer's IT infrastructure, is meant to be for work (not private) use.

Forms of monitoring are not provided by the law and are determined by the employer based on their needs and technical capabilities.

Related legislation

Traditionally, employee monitoring systems are based on two regulations: a legal framework for the protection of privacy (including the privacy of communications) from one side, and the protection of personal data from the other side. Although those regulations are interconnected, they are different, and each must be complied with by the employer.

The right to privacy is provided, first of all, by the Russian Constitution.

According to Article 23 (2) of the Russian Constitution, 'everyone has the right to privacy of correspondence, telephone conversations, postal, telegraph and other communications. This right may be restricted only on the basis of a court decision'. Article 24 of the Russian Constitution further develops this idea by adding that 'collection, storage, use and dissemination of information about a person's private life without his or her consent is not permitted'.

These provisions are further developed in industry-specific law, such as Federal Law of 7 July 2003 No. 126-FZ on Communication, which confirms that the right to privacy of communication can only be restricted if allowed under federal laws. Such exceptions are provided mainly for cases where there is a need to ensure protection of public or state interests (e.g. Federal Constitutional Law of 30 January 2002 N 1-FKZ on Martial Law and Federal Law of 6 March 2006 N 35-FZ on Counter-Terrorism).

Article 137 of the Russian Criminal Code establishes criminal liability for illegal collection or transfer of an individual's private information without the respective consent of the individual. It does not matter how such information is collected: whether by personal observation, wiretapping, questioning of others, recording information by audio, video, or photographic means, copying of documented information, or by stealing or otherwise acquiring it, all such actions without the individual's consent will constitute a crime.

In addition to that, Article 138 of the Russian Criminal Code prohibits violation of privacy of individuals' correspondence, telephone conversations, postal, telegraph, and other communications. The crime occurs when access is obtained without the consent of the person whose secret they constitute or in the absence of legal grounds to restrict the constitutional right of individuals. It does not matter in this case whether any such communication includes information about the individual's private life or not; the mere access to someone's communications will be a crime.

Based on the above, from a privacy perspective, consent of the employee must be obtained, which can be either explicit or implied (e.g. if employee monitoring is provided for in the internal policy of the employer, as commented on in more detail below).

In addition to the privacy issues, Russian personal data regulations also need to be complied with. The employer must first assess what types of personal data are collected and further processed during monitoring. For example, the employer will process the name and surname and contact details of the employee, and depending on the type of monitoring, photos and video images of employees will constitute personal data or even biometric personal data (if data is used to identify an individual). There is no unified court practice on whether the video recording should constitute personal data (a source of personal data) at all. So, in each case, depending on the methods of monitoring and the planned use of the collected data, the employer will need to determine the particular scope of employees' personal data processed for monitoring purposes.

The Personal Data Law generally requires a clear, substantive, informed, conscious, and unambiguous consent in any form from the individual to process their personal data (irrespective of whether the personal data is related to private or business use), except, in particular, for the case when personal data is processed in the context of the performance of an agreement with the data subject or when personal data processing is necessary for performing obligations imposed on the data operator by law.

Starting from 1 March 2022, the Labour Code was, however, amended to shed some light on the employer's possibilities to monitor fulfilment by the employees of their job functions. Thus, it was confirmed that, in order to monitor the safety of work production, the employer has the right to use devices and equipment providing remote video, audio, or other recording of work processes, as well as to ensure storage of the information obtained (Article 214.2). Every employee shall have the right to receive up-to-date and accurate information about working conditions and labour protection at their workplace, about the use of devices, equipment, and/or similar, providing remote video, audio, or other means of protection (Article 216.2). There is no additional guidance on how this monitoring might be implemented, and where the line lies between safety of work production and the employee's privacy rights.

Thus, since the law does not provide clear legitimate grounds for employee monitoring, the safest way would be to get explicit and transparent consent for employees' personal data processing for purposes of monitoring. 

Where any sensitive information (about race, health, political views, etc.) or biometric data (e.g. photos and video footage used to identify the data subject) is processed for monitoring purposes, written consent is required to be obtained from the individual. A written form of consent means consent made and stored in a recordable medium and signed physically by the data subject or with an electronic signature. The written consent shall include: (i) the surname, first name, patronymic, address of the data subject, and information on the data subject's identity document; (ii) the details (name and address) of the data operator and/or third party processor; (iii) the purpose of the processing; (iv) a list of the relevant personal data to be processed; (v) a list of actions for which consent is given; and (vi) the term of the consent and the procedure for its revocation/withdrawal.

With respect to personal data, among other things, employers need to consider that the Russian data localisation rule (obliging data operators to ensure initial collection and processing of data of Russian citizens in databases in the territory) and cross-border data transfer rules (obliging data operators from 1 March 2023 to file a cross-border data transfer notification with the Federal Service for Supervision of Communications, Information Technology, and Mass Media ('Roskomnadzor')) will apply.

Finally, employment law provisions must be considered. Where the implementation of employee monitoring requires changes to the employment agreement, the employees must be provided with two months' prior written notice due to the change in the organisational conditions of work. This prior notice will be required if changes are introduced into policies which are incorporated into the employment agreement by reference. This is not clearly stated in the Labour Code, but rather constitutes a best practice based on enforcement practice and the risk of claims from the employee if the notice is not given.

If the employee does not agree to work under the new conditions and amend the employment contract, and there are no other vacant positions of the same or lower level (which is usually the case when employee monitoring is introduced for all employees in the company), the employee may be terminated from the company.

Concluding thoughts

Thus, summarising the above and with due account of the prevailing court practice and unofficial clarifications by the regulator, employee monitoring, including CCTV, is allowed if all the below conditions are met:

  • It is carried out only for clearly disclosed legitimate purposes related to the performance by the employees of their labour duties.

  • It does not involve any covert monitoring, such as installing cameras in the private premises where employees do not perform their employment duties (e.g. rest rooms, change rooms). All monitoring must be explicitly disclosed; for example, for CCTV there must be visible information signs in the premises where CCTV cameras operate.
  • Employees are properly notified and aware of the employee monitoring, and give their consent (either implicit or explicit) for the monitoring. The most common approach to meet this requirement would be for the employer to adopt an internal local policy and make sure all the employees acknowledge in writing that they are aware of its content.
  • Local regulation (policy) must be done in Russian (or bilingual), and be signed into a binding local act by the head of the local company. The acknowledgement of the employees is usually done in written form (e.g. by putting a signature in the list), or electronically if e-document management for HR documents is properly implemented in the company.
  • Access to the video materials is restricted to a limited number of personnel within the company to ensure confidentiality.
  • Employees give consent for their personal data processing for the purposes of monitoring.
  • Where appropriate, the employer shall amend employment contracts with employees with two months' prior notice before implementing an employee monitoring system in the office. The necessity of this step will depend on the wording of existing employment contracts with employees.

Failure to properly implement the employee monitoring system may result in:

  • Administrative liability for the violation of the labour rights of the employees. The amount of the administrative fines is up to RUB 5,000 (approx. €57) for the company's officers and RUB 50,000 (approx. €575) for the company itself.
  • Administrative liability for the violation of the personal data regulations. The amount of the administrative fines is up to RUB 40,000 (approx. €540) for the company's officers and RUB 150,000 (approx. €2,000) for the company itself.
  • Absence of the legitimate grounds to use the collected data to take disciplinary actions against employees.
  • Claims from employees to compensate damages (if any) and moral harm.
  • Criminal liability for violation of privacy for the company's officers, since only individuals may be brought to criminal liability under Russian law. The maximum liability is up to four years of imprisonment with disqualification for up to five years.

Natalia Gulyaeva Partner
Alla Gorbushina Senior Associate
Hogan Lovells, Dusseldorf