• Insights

Diversity and inclusion policies: practical recommendations for personal data processing in Russia

Written by
ALRUD, a confident Russian leader in labour and employment law.
There is growing interest recently in race and ethnicity data processing in Russia as many employers seek ways to provide equal career opportunities for their employees and combat discrimination, including by developing programmes to encourage diversity and inclusion. This article highlights the most sensitive issues that companies in Russia may face in the pursuit of this worthy purpose.

Justification for ethnicity data processing 

Diversity and inclusion programmes imply the processing of special categories of personal data. According to the general rule of Russian employment and data protection laws, companies may process special categories of personal data, including ethnicity data, in a limited number of cases. 

This means it is possible to carry out diversity and inclusion programmes in Russia, provided that:  

  • There is a legitimate purpose for their implementation and for processing of personal data within the programme.  
  • Companies observe certain formalities required by Russian data protection and employment laws. 


Legitimate purpose of the programme 

The Russian Constitution lays down a general guarantee that individuals enjoy equal rights and opportunities irrespective of their sex, race, nationality, etc. Further, Russian employment laws prohibit any sort of discrimination in labour relations. We believe that these legal guarantees may serve as a basis for the justification for employers implementing diversity and inclusion programmes and processing the related personal data. 

However, employers must make it clear that career opportunities will be equal for everybody and there will be no privileged status for a particular nationality or ethnicity in the recruitment process or during the course of an individual’s employment. Otherwise, there is a risk of possible allegations of discrimination on the grounds of ethnicity.  

Mandatory formalities to observe 

In order to ensure due implementation of diversity and inclusion programmes, companies must bear in mind and observe the following legal formalities: 

  • Duly implement an internal diversity and inclusion policy explaining the processes involved and related personal data processing activities. 
  • Familiarise employees with the policy’s content and train them on diversity and inclusion issues. 
  • Request individuals’ written consent in a manner compliant with the mandatory requirement where data is not collected anonymously. 
  • Implement a procedure of timely and safe deletion of data collected within the diversity and inclusion programme. 
  • Assess the security threats and implement additional safeguards to protect sensitive data. 
  • Properly localise Russian citizens’ personal data upon collection.  
  • Implement effective control over the operation of the programme (such as internal reporting, selective internal checks, etc.).  


Potential risks 

In addition to obvious reputational concerns, inappropriate implementation of diversity and inclusion programmes may trigger the risk of individual complaints to the supervisory authorities and courts, administrative penalties (up to RUB 100,000), and criminal liability for the company’s officials. 

Implementation of diversity and inclusion programmes has a significant impact on individuals’ privacy and employment, which is always on the Russian supervisory authorities’ radar. Therefore, companies must carefully analyse their intended practices and take all necessary steps to make them legally compliant. 


The ByWord: The Gig Economy

In this publication, we present our findings from 40 countries around the world on how governments are grappling with the question of how to protect gig-economy workers without jettisoning the benefits the gig economy provides to consumers.