In today’s digital world, an individual’s consent is considered to be one of the primary legal bases for collecting and processing personal data. Consent means that data subjects authorize organizations to collect and process their personal data. The exact requirements for obtaining consent may vary from one jurisdiction to another. However, most global data protection laws based on the framework of the European Union’s GDPR require consent to be freely given, specific, informed, and unambiguous. Such laws are based on the opt-in consent framework requiring organizations to obtain the data subject’s consent prior to certain data processing activities.
The default rule in Russia is also opt-in. In fact, the Russian Federal Law 152-FZ on Personal Data, which is the primary data protection legislation in Russia, imposes certain unique requirements for obtaining consent from data subjects. Let’s look into the consent requirements of the Russian data protection legal framework in detail.
Under Federal Law 152-FZ on Personal Data, the data subject’s consent is one of the ten grounds for organizations to collect and process personal data.
Other grounds on which personal data processing is allowed are:
For data processing activities where consent is required, data subjects must be able to provide consent to the processing freely of their own will.
Under Russian Law, the data subject’s consent must be:
The Federal Law on Personal Data requires organizations to allow data subjects to withdraw their consent at any time. In the case of consent withdrawal, data controllers must cease the processing of personal data. Where the storage of personal data is no longer required, organizations must destroy the data within a period not exceeding thirty days from the date of receipt of the consent revocation request.
The Federal Law on Personal Data does not specify any formal method of obtaining consent. However, for certain data processing activities, consent must be in writing. These data processing activities include the following:
Consent in writing must contain the following:
The March 2021 Amendments to the Federal Law on Personal Data, which became effective on July 1, 2021, introduced a new consent requirement for “publicly disseminated data”. As per the Amendments, consent of the data subject is required to distribute or allow the personal data to be disseminated to an unlimited number of persons. This may be relevant for companies or entities that are considering making personal data available to an indefinite number of persons, such as by posting personal data on a publicly available website, or that rely on the collection and processing of personal data from publicly available sources.
The Amendments also clarify the following consent obligations for organizations in connection to publicly disseminated data:
In addition, the content of consent must have certain elements such as the name of the data subject, the purposes of personal data processing, the categories and lists of personal data for which consent is given, and the period of validity of the consent. Moreover, if personal data is disseminated and processed, made publicly available without consent, the burden of proof falls on every data controller who has disseminated or otherwise processed the data.
Under the Russian data protection framework, a data subject’s consent is the only legal basis for sending direct marketing communications. Direct marketing may include the processing of personal data in order to promote goods and services to potential consumers. In all cases, prior consent of the data subject is required. In the case of consent withdrawal from receiving marketing communications, the data controller must immediately stop the data processing and honor the consent withdrawal request.
As per Chapter 14 of the Labor Code of the Russian Federation, employees’ consent must be obtained in writing. Organizations must not disclose the personal data of their employees to a third party without the written consent of the employee (except where disclosure is required under law or is necessary to prevent a threat to the life and health of the employee). Similarly, organizations must not disclose the personal data of their employees for commercial purposes without the employee’s written consent.
The Federal Law on Personal Data specifies that where a data subject lacks the legal capacity to consent, consent to the processing of their personal data must be obtained from a legal representative of the data subject. As a best practice prevalent in Russia, consent must be obtained from a legal representative or parental authority where a child is below the age of eighteen.
Since cookies are considered to be personal data, the same rules would apply to the collection of cookies. This means that prior opt-in consent must be obtained from users before the use of non-essential cookies or any cookies that are used for marketing purposes.
Organizations aiming to comply with the Russian data protection legal framework must take the aforementioned consent requirements into consideration.
Securiti’s Universal Consent Management Solution enables marketers to adequately advertise and market their products in a compliant manner by capturing consent and automating revocation.
Securiti’s Cookie Consent Banner Solution enables companies to build cookie consent banners as per the applicable legal requirements when collecting personal data for non-essential purposes on digital properties.
Also, download our Whitepaper on State of Global Consent Requirements to learn about consent requirements specific to your country.