In today’s digital world, an individual’s consent is considered to be one of the primary legal basis to collect and process personal data. Consent means that data subjects authorize organizations to collect and process their personal data. The exact requirements for obtaining consent may vary from one jurisdiction to another. However, most global data protection laws based on the framework of the European Union’s GDPR require consent to be freely given, specific, informed, and unambiguous. Such laws are based on the opt-in consent framework requiring organizations to obtain the data subject’s consent prior to certain data processing activities.
The default rule in Russia is also opt-in. In fact, the Russian Federal Law 152-FZ on Personal Data which is the primary data protection legislation in Russia imposes certain unique requirements for obtaining consent from data subjects. Let’s look into the consent requirements of the Russian data protection legal framework in detail.
Consent is one of the grounds for processing personal data:
Under Federal Law 152-FZ on Personal Data, the data subject’s consent is one of the ten grounds for organizations to collect and process personal data.
Other grounds on which personal data processing is allowed are:
- Performance of the contract,
- Compliance with a legal obligation,
- Protection of vital interests of the data subject,
- Processing necessary for the execution of a judicial act,
- Processing necessary for the execution of powers of federal executive bodies,
- Processing necessary for statistical or research purposes,
- Processing to exercise rights and legal interests of the data controller,
- Processing for professional activities of a journalist or legal activities of media, and
- Processing subject to compulsory publication or disclosure under law.
For data processing activities where consent is required, data subjects must be able to provide consent to the processing freely of their own will.
Under Russian Law, the data subject’s consent must be:
- Freely given
- Specific
- Informed
- Conscientious
The Federal Law on Personal Data requires organizations to allow data subjects to withdraw their consent at any time. In the case of consent withdrawal, data controllers must cease the processing of personal data. Where the storage of personal data is no longer required, organizations must destroy the data within a period not exceeding thirty days from the date of receipt of the consent revocation request.
Consent in writing:
The Federal Law on Personal Data does not specify any formal method of obtaining consent. However, for certain data processing activities, consent must be in writing. These data processing activities include the following:
- Obtaining consent for cross-border data transfers from Russia to countries that do not provide adequate data protection.
- Obtaining consent for the processing of sensitive personal data.
- Obtaining consent for the processing of biometric personal data.
- Obtaining consent for the processing of personal data for automated decision-making.
- Obtaining consent for employees’ data processing or transferring employees’ data to third parties.
Consent in writing must contain the following:
- Data subject’s identity, address, identification document details.
- Details of the representative of the data subject (if any).
- The purpose of personal data processing.
- The list of personal data for which consent is given.
- Method of processing.
- The period of validity of consent.
- The signature of the data subject.
Consent for publicly disseminated data:
March 2021 Amendments to the Federal Law on Personal Data that became effective on July 1 2021 have introduced a new consent requirement for “publicly disseminated data”. As per the Amendments, consent of the data subject is required to distribute or allow the personal data to be disseminated to an unlimited number of persons. This may be relevant for companies or entities considering making personal data available to an indefinite number of persons such as posting personal data on a publicly available website or rely on the collection and processing of personal data from publicly available sources.
The Amendments also clarify the following consent obligations for organizations in connection to publicly disseminated data:
- Consent for publicly disseminated data must be obtained separately from other kinds of consents.
- While obtaining consent from the data subject, data controllers must provide the data subject with the opportunity to select the categories of personal data which they permit for dissemination.
- Consent to the processing of personal data for distribution can be provided directly or using the information system of the regulatory body (Roskomnadzor).
- Silence or inaction of the data subject under no circumstances can be considered consent to the processing of personal data for dissemination.
- While providing consent for publicly disseminated data, the data subject has a right to establish prohibitions on the transfer of personal data as well as prohibitions on processing or processing conditions. These prohibitions, however, would not extend to access, i.e. would not prevent the data controller from letting third parties access the personal data. Any prohibitions established by the data subject would not apply to cases of processing data in the state, public, and other public interests determined by the legislation of the Russian Federation.
- The data subject has a right to withdraw consent and in the case of a consent withdrawal request from the data subject, the transfer (distribution, provision, access) of personal data must be stopped.
In addition, the content of consent must have certain elements such as the name of the data subject, the purposes of personal data processing, the categories and lists of personal data for which consent is given, and the period of validity of the consent. Moreover, if personal data is disseminated and processed, made publicly available without consent, the burden of proof falls on every data controller who has disseminated or otherwise processed the data.
Consent for Direct Marketing:
Under the Russian data protection framework, a data subject’s consent is the only legal basis for sending direct marketing communications. Direct marketing may include the processing of personal data in order to promote goods and services to potential consumers. In all cases, prior consent of the data subject is required. In the case of consent withdrawal from receiving marketing communications, the data controller must immediately stop the data processing and honor the consent withdrawal request.
Consent for employees’ personal data:
As per Chapter 14 of the Labor Code of the Russian Federation, employees’ consent must be obtained in writing. Organizations must not disclose the personal data of their employees to a third party without the written consent of the employee (except where disclosure is required under law or is necessary to prevent a threat to the life and health of the employee). Similarly, organizations must not disclose the personal data of their employees for commercial purposes without the employee’s written consent.
Consent for personal data belonging to children:
The Federal Law on Personal Data specifies that where a data subject lacks the legal capacity to consent, consent to the processing of their personal data must be obtained from a legal representative of the data subject. As best practice prevalent in Russia, consent must be obtained from legal representative/parental authority where a child is below the age of eighteen.
Consent for the use of cookies:
Since cookies are considered to be personal data, the same rules would apply to the collection of cookies. This means that prior opt-in consent must be obtained from users before the use of non-essential cookies or any cookies that are used for marketing purposes.
What’s Next?
Organizations aiming to comply with the Russian data protection legal framework must keep in consideration the afore-mentioned consent requirements.
Securiti’s Universal Consent Management Solution enables marketers to adequately advertise and market their products in a compliant manner by capturing consent and automating revocation.
Securiti’s Cookie Consent Banner Solution enables companies to build cookie consent banners as per the applicable legal requirements when collecting personal data for non-essential purposes on digital properties.
Ask for a DEMO today to understand how Securiti can help you comply with consent requirements of global data privacy laws and regulations, with ease.
Also, download our Whitepaper on State of Global Consent Requirements to learn about consent requirements specific to your country.