Justification for ethnicity data processing 

Diversity and inclusion programmes imply the processing of special categories of personal data. According to the general rule of Russian employment and data protection laws, companies may process special categories of personal data, including ethnicity data, in a limited number of cases. 

This means it is possible to carry out diversity and inclusion programmes in Russia, provided that:  

• There is a legitimate purpose for their implementation and for processing of personal data within the programme.  
• Companies observe certain formalities required by Russian data protection and employment laws. 

Legitimate purpose of the programme 

The Russian Constitution lays down a general guarantee that individuals enjoy equal rights and opportunities irrespective of their sex, race, nationality, etc. Further, Russian employment laws prohibit any sort of discrimination in labour relations. We believe that these legal guarantees may serve as a basis for the justification for employers implementing diversity and inclusion programmes and processing the related personal data. 

However, employers must make it clear that career opportunities will be equal for everybody and there will be no privileged status for a particular nationality or ethnicity in the recruitment process or during the course of an individual’s employment. Otherwise, there is a risk of possible allegations of discrimination on the grounds of ethnicity.  

Mandatory formalities to observe 

In order to ensure due implementation of diversity and inclusion programmes, companies must bear in mind and observe the following legal formalities: 

• Duly implement an internal diversity and inclusion policy explaining the processes involved and related personal data processing activities. 
• Familiarise employees with the policy’s content and train them on diversity and inclusion issues. 
• Request individuals’ written consent in a manner compliant with the mandatory requirement where data is not collected anonymously. 
• Implement a procedure of timely and safe deletion of data collected within the diversity and inclusion programme. 
• Assess the security threats and implement additional safeguards to protect sensitive data. 
• Properly localise Russian citizens’ personal data upon collection.  
• Implement effective control over the operation of the programme (such as internal reporting, selective internal checks, etc.).  

Potential risks 

In addition to obvious reputational concerns, inappropriate implementation of diversity and inclusion programmes may trigger the risk of individual complaints to the supervisory authorities and courts, administrative penalties (up to RUB 100,000), and criminal liability for the company’s officials. 

Implementation of diversity and inclusion programmes has a significant impact on individuals’ privacy and employment, which is always on the Russian supervisory authorities’ radar. Therefore, companies must carefully analyse their intended practices and take all necessary steps to make them legally compliant.