Concise and to the point with ALRUD: HR & DIGITAL (№9)
25 June 2024
Ban on foreign information security services from “unfriendly” jurisdictions
Decree No. 250 of the Russian President dated 1 May 2022 “On Additional Measures to Ensure the Information Security of the Russian Federation” previously imposed restrictions on the use of foreign information security means. In particular, government authorities, state corporations, systemically important organizations, and subjects of critical information infrastructure (“CII subjects”) are prohibited from using information security means as of 1 January 2025:
Originating from “unfriendly” states;
Or from manufacturers that are organizations under the jurisdiction of “unfriendly” states, directly or indirectly controlled by them or affiliated with them.
Decree No. 500 of the Russian President dated 13 June 2024 extended the scope of the ban: as of 1 January 2025, government authorities, state corporations, systemically important organizations and CII subjects are also prohibited from using cybersecurity services (work or services) from companies from “unfriendly” states.
If your company is a government authority, state corporation, systemically important organization or CII subject, we recommend that, together with IT, you audit the software and IT services used for HR, accounting and personnel management purposes to ensure timely compliance with the requirements of the above-mentioned presidential decrees.
A 14th package of sanctions, including IT restrictions, has been imposed against Russia
The USA has significantly expanded sanctions against Russia, with new restrictions affecting financial infrastructure, cloud services and information technology.
The USA will ban a number of software and IT services as of 12 September 2024. The US Department of the Treasury, together with the State Department, issued a special decree with the following restrictions:
It is prohibited to provide any person in Russia with design services and IT consulting services;
It is prohibited to supply cloud technology and IT support services for business management, as well as design and manufacturing software.
Russian companies using such software for HR purposes may consider the following courses of action:
Change the vendor, which will allow them to continue using the software in Russia;
Localize relevant HR processes.
Exemption from liability for personal data leaks due to the insignificance of the offence
During the ‘I Give My Heart to Children’ Russian Professional Skills Competition for Continuing Education Employees, there was a technical failure that led to the brief publication (three minutes) of information about a personal data subject on the competition website. The subject’s passport details, registration address, telephone number and email address were published, all of which constitute personal data.
In court, the data controller pointed out that the incident was caused by a technical malfunction in the service, that third parties did not gain access to the personal data since the violation was eliminated as soon as possible, and that no damage was caused to the subject of the personal data. The Russian Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor) reported that it did not receive any complaints about the data controller as a result of the incident. In accordance with the law, the data controller sent a notification about the leak of personal data.
A justice of the peace of the Danilovsky District of Moscow (Case No. 05-1415/456/2023) ruled that the data controller had failed to ensure the confidentiality of personal data and had not prevented unauthorized access to it by third parties, and qualified the offence under Part 1 of Article 13.11 of the Code of Administrative Offences of the Russian Federation. However, since the court had no evidence that information about the personal data subject had been copied, obtained or used by third parties to violate its legally protected rights, including through the competition website, the court relieved the data controller of administrative liability due to the insignificance of the offence and limited itself to a verbal reprimand.
We hope that the information provided herein will be useful for you.