How the latest changes in the law on personal data will affect recruiting agencies

On September 1, the requirement that personal data of Russians be processed using databases located in Russia entered into force. In addition, a registry of banned sites that violate personal data laws begins to operate. For a whole year the media have been discussing the possible consequences of these changes for popular Internet services and large foreign companies that have to move information to servers in Russia.
However, the law applies not only to giants such as Twitter and Facebook. It applies to most companies working with personal data, including recruiting agencies. The law has not changed much; only a few articles have been added. However, firstly, the changes affected the ways data is stored, and secondly, they attracted so much attention and came at such a politically difficult time that we can expect inspections to become more frequent and fines for violations to grow before long. Pavel Savitsky, head of the Intellectual Property and Information Technology practice and adviser at the Borenius law firm, helped the iChar agency understand what recruiters should expect from the Law on Personal Data.
Is additional consent from candidates needed to process resumes from job sites?
No, the rules on the localization of personal data do not require new consents. The general rule continues to apply: consent to the processing of personal data must be obtained by the first company that collects this data. Having concluded a service agreement with the job site, the company is automatically exempted from the need to ask each candidate for consent to the processing of personal data. However, if a resume can be sent through your own company's website (not necessarily an agency's), it is useful to add an “I agree to the processing of personal data” checkbox next to the “Send CV” button and to draft the consent text with the help of a lawyer.
Personal Data Act and LinkedIn
With LinkedIn, things are not so straightforward. According to Pavel Savitsky, until the candidate has agreed to the processing of his data, everything that this person posted on the social network should remain on the network. Consequently, a recruiter cannot build his own database of candidate information from LinkedIn. Here the only “bulletproof” way to look for candidates is the special package of services for recruiters (unfortunately, paid). When you pay for it, you check the boxes under all the necessary agreements and get a tool for searching and selecting candidates within the social network itself, without the need for separate recording and record-keeping.
Alas, not all recruiters use such services: LinkedIn is more likely to be valued for the possibility of personal contact with candidates. If you intend to pass data obtained during the correspondence on to the employer, it is better to ask the candidate about it directly in the dialogue and take a screenshot of his answer. Of course, this is not a signature under a consent to the processing of personal data, but in a contentious situation a screenshot will be proof of your intention to comply with the law.
Law "On Personal Data" and social networks
The law states that if personal data is taken from open sources, consent to its processing is not required. At the same time, it remains unclear whether social networks count as open sources.
It should be remembered that a site's privacy policy may change, and the user is not always able to keep track of this. Remember when VKontakte had completely closed profiles? Then the site's privacy policy changed, and such pages became more public. Every time something like this happens, information that the user did not want to make publicly available may end up publicly available. Therefore, social networks should not be treated as an open source of information.

Server in the Russian Federation
There really is news on this issue, and the news is substantial. If your site allows resumes to be uploaded, it is crucial that the server where the data ends up after upload is in Russia. If you use data storage services abroad, consider urgently moving to Russia at least the databases with information about candidates, as well as data about your own employees. Pavel notes that the use of cloud storage by Apple, Microsoft and Google (DropBox, OneDrive and Google Drive, respectively) remains in doubt. The same applies to inexpensive foreign hosting for storing sites and other information.
Under the law "On Personal Data", personal data of Russians must now be stored and processed primarily on the territory of the Russian Federation. However, there is no ban on transferring personal data of Russians abroad as necessary. What matters is that the main storage and processing is carried out in Russia.
Mandatory notice to Roskomnadzor
All recruiting companies are obliged to notify Roskomnadzor that they are engaged in the processing of personal data, if they have not yet done so. This requirement applies to all companies that process the personal data of people who are not their employees. Based on the notification, Roskomnadzor includes the company in the register of personal data operators. Having notified the state, the company will be in compliance with the law and will not have to pay a fine for violation (currently from 3 to 5 thousand rubles).

Regulation on the processing of personal data
In each recruiting company (as in any business that processes personal data), rules for processing personal data must be approved, a person responsible for compliance with these rules must be appointed, and regular internal checks of compliance with the rules must be carried out. According to Savitsky, during inspections Roskomnadzor is interested not only in the presence of “correct documents”, but also in the systematic implementation of the rules set out in such documents. The rules indicate who is responsible for the processing of personal data, how it occurs, for how long, for what purpose and what kind of personal data the company stores, where these rules should be published, etc. In addition, the law requires companies to evaluate the level of security of data storage (this applies to information about candidates as in electronic form, It is predicted that over time the number of inspections will increase, and fines will grow. Therefore, it is necessary to create corporate standards for the processing of personal data and put all processes in order as soon as possible.
***
The Law on Personal Data is unlikely to change a recruiter's life significantly: asking one more question than usual on LinkedIn will not be difficult. But the managers of recruiting agencies will have to painstakingly check the business for compliance with all legal requirements. According to the head of Roskomnadzor, Alexander Zharov, strict penalties are not expected in 2015. Therefore, businesses have time to fix all the flaws.