How recent changes to the law on personal data will affect recruitment agencies

On September 1, the requirements for compulsory processing of personal data of Russians through databases located in Russia came into force. In addition, the registry of prohibited sites - violators of the law on personal data. The media has been discussing the possible consequences of these changes for popular Internet services and large foreign companies that will have to transfer information to servers in Russia for a whole year.

However, the law does not only apply to such giants as Twitter and Facebook. It concerns the majority of companies working with personal data, including recruitment agencies. The law has hardly changed, only a few articles have been added. However, firstly, the changes affected the ways of storing data, and, secondly, they attracted so much attention and happened in such a politically difficult time that we can expect a quick increase in checks and an increase in the amount of fines for violations. What did the recruiters expect from the Law on Personal Data, iChar was helped by Pavel Savitsky, head of the Intellectual Property and Information Technology practice, an adviser to the law firm Borenius.

Will the candidates need additional consent for processing resumes from work sites?

No, the rules on the localization of personal data do not require new consent. The general rule continues to be that, according to which, the first company that collects this data must receive consent to the processing of personal data. Having entered into a service agreement with the work site, the company is automatically exempt from the need to ask each candidate for consent to the processing of personal data. However, if there is an opportunity to send a resume on your company's website (not necessarily an agency), it is useful to add the checkbox “I agree to personal data processing” to the “Send resume” button, and develop the text of the agreement with the help of a lawyer.
')

Personal Data Act and LinkedIn

LinkedIn is not so clear. According to Pavel Savitsky, as long as the candidate did not agree to the processing of his data, everything that this person has posted to the social network should remain online. Therefore, a recruiter cannot collect his database with information about candidates from LinkedIn . Here the only “bulletproof” way to look for candidates is a special package of services for recruiters (unfortunately, paid). Paying for it, you tick off all the necessary agreements and get a tool for searching and selecting candidates within the social network itself, without the need to write and record something separately.
Alas, not all recruiters use such services: LinkedIn is most appreciated for the possibility of personal contact with candidates. If you are going to provide the employer with the data obtained during the correspondence, it is better to ask the candidate about this directly in the dialogue and take a screenshot of his answer. Of course, this is not a signature of consent to the processing of personal data, but still in the case of a controversial situation, the screenshot will be proof of your desire to comply with the law.

Law “On Personal Data” and social network

The law says: if personal data are taken from public sources, then consent to their processing is not required. At the same time, it remains unclear whether public sources are a social network.
It should be remembered that the privacy policy of the site may change, and the user is not always able to keep track of it. Remember, earlier in VKontakte there were completely closed profiles? Then the privacy policy of the site changed, and on such pages there was more public information. Every time something like this happens, there may be information in the public domain that the user did not want to make publicly available. Therefore, it is not worthwhile to consider social networks obviously open source of information .

Server in the Russian Federation

Here in this question news really is, and the news is substantial. If your site provides for uploading resumes, it is crucial that the server where the data goes after the download is located in Russia. If you use data storage services abroad, think about the urgent transfer to Russia of at least databases with information about candidates, as well as data about your own employees. Pavel notes that the use of Apple, Microsoft and Google’s cloud storage remains in question (DropBox, OneDrive and Google Drive, respectively). The same applies to inexpensive overseas hosting for storing sites and other information.

In accordance with the Law on Personal Data, it is now necessary to store and process personal data of Russians, primarily on the territory of the Russian Federation. At the same time, there is no ban on the transfer of personal data of Russians abroad as necessary. The main thing - the main storage and processing should be carried out in Russia.

Mandatory notification to Roskomnadzor

All recruiting companies are required to send a notice to Roskomnadzor that they are engaged in the processing of personal data , if they have not done this yet. This requirement applies to all companies that process personal data of people who are not their employees. Based on the notification, Roskomnadzor includes the company in the register of personal data operators. By notifying the state, the company will comply with the law and will not have to pay a fine for the violation (at present, from 3 to 5 thousand rubles).

Regulation on the processing of personal data

Each recruitment company (like any business that processes personal data) must have personal data processing rules approved, a person responsible for compliance with these rules must be appointed, and regular internal checks of compliance with the rules should be carried out. As Savitsky notes, when conducting inspections, Roskomnadzor is interested not only in the presence of “correct documents”, but also in the planned implementation of the rules that are provided for in such documents. The rules indicate who is responsible for the processing of personal data, how it happens, how much time, for what purpose and what kind of personal data the company stores, where these rules should be published, etc. In addition, the law requires companies to evaluate the level of security data storage (this applies to information about candidates both in electronic form and on paper) and ensure their confidentiality. It is predicted that over time the number of inspections will increase, and fines will increase. Therefore, it is necessary to create corporate standards for processing personal data and bring all processes in order as soon as possible.

***

The law “On personal data” is unlikely to qualitatively change the life of a recruiter: asking LinkedIn a question more than usual will not be difficult. But the leaders of the recruitment agencies have to painstakingly re-examine the business for compliance with all the requirements of the law. According to the head of Roskomnadzor, Alexander Zharov, no strict penalties are foreseen in 2015. Therefore, the business has time to fix all the flaws.