Products
By Use Cases By Roles
Data Command Center
View
Learn more

AI Security & Governance

Discover, assess, and safeguard AI usage

Learn more

Asset and Data Discovery

Discover dark and native data assets

Learn more

Data Access Intelligence & Governance

Identify which users have access to sensitive data and prevent unauthorized access

Learn more

Data Privacy Automation

PrivacyCenter.Cloud | Data Mapping | DSR Automation | Assessment Automation | Vendor Assessment | Breach Management | Privacy Notice

Learn more

Sensitive Data Intelligence

Discover & Classify Structured and Unstructured Data | People Data Graph

Learn more

Data Flow Intelligence & Governance

Prevent sensitive data sprawl through real-time streaming platforms

Learn more

Data Consent Automation

First Party Consent | Third Party & Cookie Consent

Learn more

Data Security Posture Management

Secure sensitive data in hybrid multicloud and SaaS environments

Learn more

Data Breach Impact Analysis & Response

Analyze impact of a data breach and coordinate response per global regulatory obligations

Learn more

Data Catalog

Automatically catalog datasets and enable users to find, understand, trust and access data

Learn more

Data Lineage

Track changes and transformations of data throughout its lifecycle

Learn more

Compliance Management

Automate Compliance with Global AI and Data Frameworks using Common Controls and Tests
Data Controls Orchestrator
View
Data Command Center
View
Sensitive Data Intelligence
View

Asset Discovery
Data Discovery & Classification
Sensitive Data Catalog
People Data Graph
Learn more

Privacy

Automate compliance with global privacy regulations

Data Mapping Automation

View

AI Security & Governance

View

Data Subject Request Automation

View

People Data Graph

View

Assessment Automation

View

Cookie Consent

View

Universal Consent

View

Vendor Risk Assessment

View

Breach Management

View

Privacy Policy Management

View

Privacy Center

View

Learn more

Security

Identify data risk and enable protection & control

Data Security Posture Management

View

AI Security & Governance

View

Data Access Intelligence & Governance

View

Data Risk Management

View

Data Breach Analysis

View

Learn more

Governance

Optimize Data Governance with granular insights into your data

Data Catalog

View

Data Lineage

View

Data Quality

View

AI Security & Governance

View

Compliance Management

View
Data Controls Orchestrator
View
Solutions
Technologies

Covering you everywhere with 1000+ integrations across data systems.

Snowflake

View

AWS

View

Microsoft 365

View

Salesforce

View

Workday

View

GCP

View

Azure

View

Oracle

View

Databricks

View

Learn more

Regulations

Automate compliance with global privacy regulations.

US California CCPA

View

CPRA
California Privacy Rights Act

View

European Union GDPR

View

Thailand’s PDPA

View

China PIPL

View

Canada PIPEDA Compliance Solution

View

Brazil's LGPD

View

+ More

View

Learn more

Roles

Identify data risk and enable protection & control.

Privacy

View

Security

View

Governance

View

Marketing

View
Resources

Blog

Read through our articles written by industry experts

Collateral

Product brochures, white papers, infographics, analyst reports and more.

Knowledge Center

Learn about the data privacy, security and governance landscape.

Securiti Education

Courses and Certifications for data privacy, security and governance professionals.
Company

About Us

Learn all about Securiti, our mission and history

Partner Program

Join our Partner Program

Contact Us

Contact us to learn more or schedule a demo

News Coverage

Read about Securiti in the news

Press Releases

Find our latest press releases

Careers

Join the talented Securiti team

Consent Requirements in Russia

By Anas Baig | Reviewed By Maria Khan

Published October 18, 2021

In today’s digital world, an individual’s consent is considered to be one of the primary legal basis to collect and process personal data. Consent means that data subjects authorize organizations to collect and process their personal data. The exact requirements for obtaining consent may vary from one jurisdiction to another. However, most global data protection laws based on the framework of the European Union’s GDPR require consent to be freely given, specific, informed, and unambiguous. Such laws are based on the opt-in consent framework requiring organizations to obtain the data subject’s consent prior to certain data processing activities.

The default rule in Russia is also opt-in. In fact, the Russian Federal Law 152-FZ on Personal Data which is the primary data protection legislation in Russia imposes certain unique requirements for obtaining consent from data subjects. Let’s look into the consent requirements of the Russian data protection legal framework in detail.

Under Federal Law 152-FZ on Personal Data, the data subject’s consent is one of the ten grounds for organizations to collect and process personal data.

Other grounds on which personal data processing is allowed are:

Performance of the contract,
Compliance with a legal obligation,
Protection of vital interests of the data subject,
Processing necessary for the execution of a judicial act,
Processing necessary for the execution of powers of federal executive bodies,
Processing necessary for statistical or research purposes,
Processing to exercise rights and legal interests of the data controller,
Processing for professional activities of a journalist or legal activities of media, and
Processing subject to compulsory publication or disclosure under law.

For data processing activities where consent is required, data subjects must be able to provide consent to the processing freely of their own will.

Under Russian Law, the data subject’s consent must be:

Freely given
Specific
Informed
Conscientious

The Federal Law on Personal Data requires organizations to allow data subjects to withdraw their consent at any time. In the case of consent withdrawal, data controllers must cease the processing of personal data. Where the storage of personal data is no longer required, organizations must destroy the data within a period not exceeding thirty days from the date of receipt of the consent revocation request.

Consent in writing:

The Federal Law on Personal Data does not specify any formal method of obtaining consent. However, for certain data processing activities, consent must be in writing. These data processing activities include the following:

Obtaining consent for cross-border data transfers from Russia to countries that do not provide adequate data protection.
Obtaining consent for the processing of sensitive personal data.
Obtaining consent for the processing of biometric personal data.
Obtaining consent for the processing of personal data for automated decision-making.
Obtaining consent for employees’ data processing or transferring employees’ data to third parties.

Consent in writing must contain the following:

Data subject’s identity, address, identification document details.
Details of the representative of the data subject (if any).
The purpose of personal data processing.
The list of personal data for which consent is given.
Method of processing.
The period of validity of consent.
The signature of the data subject.

Consent for publicly disseminated data:

March 2021 Amendments to the Federal Law on Personal Data that became effective on July 1 2021 have introduced a new consent requirement for “publicly disseminated data”. As per the Amendments, consent of the data subject is required to distribute or allow the personal data to be disseminated to an unlimited number of persons. This may be relevant for companies or entities considering making personal data available to an indefinite number of persons such as posting personal data on a publicly available website or rely on the collection and processing of personal data from publicly available sources.

The Amendments also clarify the following consent obligations for organizations in connection to publicly disseminated data:

Consent for publicly disseminated data must be obtained separately from other kinds of consents.
While obtaining consent from the data subject, data controllers must provide the data subject with the opportunity to select the categories of personal data which they permit for dissemination.
Consent to the processing of personal data for distribution can be provided directly or using the information system of the regulatory body (Roskomnadzor).
Silence or inaction of the data subject under no circumstances can be considered consent to the processing of personal data for dissemination.
While providing consent for publicly disseminated data, the data subject has a right to establish prohibitions on the transfer of personal data as well as prohibitions on processing or processing conditions. These prohibitions, however, would not extend to access, i.e. would not prevent the data controller from letting third parties access the personal data. Any prohibitions established by the data subject would not apply to cases of processing data in the state, public, and other public interests determined by the legislation of the Russian Federation.
The data subject has a right to withdraw consent and in the case of a consent withdrawal request from the data subject, the transfer (distribution, provision, access) of personal data must be stopped.

In addition, the content of consent must have certain elements such as the name of the data subject, the purposes of personal data processing, the categories and lists of personal data for which consent is given, and the period of validity of the consent. Moreover, if personal data is disseminated and processed, made publicly available without consent, the burden of proof falls on every data controller who has disseminated or otherwise processed the data.

Consent for Direct Marketing:

Under the Russian data protection framework, a data subject’s consent is the only legal basis for sending direct marketing communications. Direct marketing may include the processing of personal data in order to promote goods and services to potential consumers. In all cases, prior consent of the data subject is required. In the case of consent withdrawal from receiving marketing communications, the data controller must immediately stop the data processing and honor the consent withdrawal request.

Consent for employees’ personal data:

As per Chapter 14 of the Labor Code of the Russian Federation, employees’ consent must be obtained in writing. Organizations must not disclose the personal data of their employees to a third party without the written consent of the employee (except where disclosure is required under law or is necessary to prevent a threat to the life and health of the employee). Similarly, organizations must not disclose the personal data of their employees for commercial purposes without the employee’s written consent.

Consent for personal data belonging to children:

The Federal Law on Personal Data specifies that where a data subject lacks the legal capacity to consent, consent to the processing of their personal data must be obtained from a legal representative of the data subject. As best practice prevalent in Russia, consent must be obtained from legal representative/parental authority where a child is below the age of eighteen.

Consent for the use of cookies:

Since cookies are considered to be personal data, the same rules would apply to the collection of cookies. This means that prior opt-in consent must be obtained from users before the use of non-essential cookies or any cookies that are used for marketing purposes.

What’s Next?

Organizations aiming to comply with the Russian data protection legal framework must keep in consideration the afore-mentioned consent requirements.

Securiti’s Universal Consent Management Solution enables marketers to adequately advertise and market their products in a compliant manner by capturing consent and automating revocation.

Securiti’s Cookie Consent Banner Solution enables companies to build cookie consent banners as per the applicable legal requirements when collecting personal data for non-essential purposes on digital properties.

Ask for a DEMO today to understand how Securiti can help you comply with consent requirements of global data privacy laws and regulations, with ease.

Also, download our Whitepaper on State of Global Consent Requirements to learn about consent requirements specific to your country.