Personal Data Consent in Russia: Legal Requirements and Compliance for Operators
September 30, 2023
BRACE Law Firm ©
Any company utilizes a large volume of personal information regarding employees, clients, and counterparties in its operations. In most cases, working with the personal data of individuals requires obtaining their consent. In recent years, legal requirements regarding the procedure for obtaining such consent have changed.
This article examines the instances in which the consent of a personal data subject (the "PD subject") is required for processing, the circumstances under which personal data may be processed without consent, the requirements for documenting consent, and the penalties for violating the established procedure.
Who Must Obtain Consent for PD Processing and in Which Cases?
According to Article 3 of Federal Law No. 152-FZ dated July 27, 2006, On Personal Data (the "Personal Data Law", "Law No. 152-FZ", or the "Law"), processing of personal data means any action (operation) or set of actions performed with or without the use of automation tools involving personal data, including: collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, and destruction of personal data. Thus, personal data processing is essentially any action performed with such data.
State and municipal authorities, legal entities, individual entrepreneurs, and self-employed citizens who organize or perform the processing of personal data are referred to as personal data operators (the "Operators" or "operators").
As a general rule, an operator must obtain the consent of the personal data subject to process their personal data (Clause 1 of Part 1 of Article 6 of the Personal Data Law). Personal data may be processed without consent only in cases expressly provided for by Law No. 152-FZ.
When Is Personal Data Processing Permitted Without the Consent of the PD Subject?
The Personal Data Law regulates the list of grounds for processing personal data without the consent of the PD subject across several articles. These grounds vary depending on the category of personal data being processed. As a reminder, the Law distinguishes the following categories of personal data:
- General (Full name, date and place of birth, passport data, registration and residential address, telephone number, information on family, social and property status, education, profession, position held, work experience, etc.);
- Special (Information concerning racial or ethnic origin, political views, religious or philosophical beliefs, health status, and intimate life);
- Biometric (Information characterizing the physiological and biological characteristics of a person: photo and video images, dactyloscopic data, iris data, DNA analysis results, and voice data).
1. Processing general categories of personal data without the consent of the PD subject is permitted in the following cases (Part 1 of Article 6 of Law No. 152-FZ):
- to perform functions, powers, and duties imposed on the Operator by the legislation of the Russian Federation or an international treaty;
- in connection with the participation of a person in constitutional, civil, administrative, or criminal proceedings, or proceedings in arbitration courts;
- to execute a judicial act or an enforcement document;
- to exercise the powers of government authorities, state extra-budgetary funds, local self-government bodies, or organizations involved in the provision of state and municipal services;
- to conclude or perform a contract to which the PD subject is a party, beneficiary, or guarantor;
- to protect the life, health, or other vital interests of the PD subject if obtaining consent is impossible;
- to exercise the rights and legitimate interests of the Operator or third parties, or to achieve socially significant goals, provided that the rights and freedoms of the PD subject are not violated;
- to carry out the professional activities of a journalist or mass media outlet, or scientific, literary, or other creative activities, provided the rights and legitimate interests of the PD subject are not violated;
- for statistical or research purposes, subject to mandatory depersonalization of the personal data.
2. Processing special categories of personal data without the consent of the PD subject is permitted in the following cases (Part 2 of Article 10 of Law No. 152-FZ):
- in connection with the implementation of international readmission treaties (the state's consent to take back its citizens who are subject to deportation from another state);
- in accordance with Federal Law No. 8-FZ dated January 25, 2002, On the National Population Census;
- in accordance with legislation on state social assistance, labor legislation, and pension legislation of the Russian Federation;
- to protect the life, health, or other vital interests of the personal data subject or other persons if obtaining consent is impossible;
- for the purpose of providing medical and medico-social services by a person professionally engaged in medical activities and obligated to maintain medical confidentiality;
- processing by a public association or religious organization of the personal data of its members;
- to exercise the rights of the PD subject or third parties, or in connection with the administration of justice;
- in accordance with the legislation of the Russian Federation on defense, security, anti-terrorism, transport security, anti-corruption, operational-investigative activities, enforcement proceedings, and penal enforcement legislation;
- by prosecution authorities in connection with their exercise of prosecutorial supervision;
- in accordance with legislation on mandatory types of insurance and insurance legislation;
- by authorized state and municipal authorities or organizations for the purpose of placing children left without parental care;
- in accordance with Russian legislation on citizenship;
- processing of depersonalized personal data concerning health status.
3. Biometric personal data may be processed without the consent of the PD subject in the following cases (Part 2 of Article 11 of Law No. 152-FZ):
- in connection with the implementation of international readmission treaties;
- in connection with the administration of justice and the execution of judicial acts;
- in connection with mandatory state dactyloscopic registration and state genomic registration;
- in cases provided for by the legislation of the Russian Federation on defense, security, anti-terrorism, transport security, anti-corruption, operational-investigative activities, state service, the notary system, penal enforcement legislation, and legislation on the procedure for exit from and entry into the Russian Federation and on citizenship of the Russian Federation.
We note that some of the grounds discussed above overlap or are identical, while others apply only to one category of personal data. These grounds are examined in more detail in our article Concept, Types, and Conditions of Personal Data Processing.
Types of Consent for Working with Personal Data
Since March 1, 2021, the Personal Data Law provides for two types of consent that an Operator must obtain to work with personal data:
- Consent to the processing of personal data (the "Consent to PD Processing");
- Consent to the processing of personal data authorized by the personal data subject for distribution (the "Consent to PD Distribution").
The procedure for obtaining these is detailed below.
Consent to the Processing of Personal Data
The requirements for the Consent to PD Processing are regulated by Article 9 of the Personal Data Law.
First, the consent must be specific, objective, informed, conscious, and unambiguous.
Second, requirements for consent vary depending on the category of personal data.
The Operator may obtain consent for the processing of general personal data in any form; however, the Operator must be able to confirm its existence. Silence or inaction of a person does not constitute consent to PD processing.
Operators may process special and biometric personal data only on the basis of written consent from the PD subject. In this regard, consent in the form of an electronic document signed with an electronic signature is equivalent to consent on paper.
Furthermore, pursuant to Part 2 of Article 16 of Law No. 152-FZ, written consent of the PD subject is required if the Operator makes a legally significant decision based solely on the automated processing of personal data, for example, a decision to hire a candidate based exclusively on online testing results.
Third, written consent must include the following information:
- the full name and address of the personal data subject, and the details of their identity document (number, date of issue, and issuing authority);
- the full name, address, and identity document details of a representative, as well as details of the power of attorney or other document confirming the representative's authority (if consent is obtained from a representative);
- the name or full name and address of the PD operator;
- the purpose of personal data processing;
According to the explanations of Roskomnadzor, purposes should be formulated based on an analysis of the legal acts regulating the Operator's activities, constituent documents, the actual activities carried out by the operator, and specific business processes. Examples include maintaining personnel and accounting records, compliance with tax and pension legislation, promoting goods, works, and services on the market, etc.[1]
We recommend approaching the formulation of purposes carefully, as Law No. 152-FZ establishes that the content and volume of processed personal data must correspond to the declared purposes of processing (Part 5 of Article 5 of Law No. 152-FZ). To avoid risks of administrative liability, it is advisable to separately specify the list of processed data and the scope of actions for each purpose.
- the list of personal data subject to processing;
The list of processed data must be specified in full, while avoiding the inclusion of redundant data not required for the declared purposes.
- the name or full name and address of the person to whom the processing is entrusted (if processing will be carried out by a third party);
- the list of actions with personal data for which consent is given;
- a general description of the processing methods (automated, without the use of automation tools, or mixed);
- the period during which the consent is valid and the method for its revocation;
Notably, in a case that reached the Supreme Court of the Russian Federation,[2] the courts supported the Operator's position that the absence of a specific expiration date in the consent does not violate the Law. The consent stated that it was valid for an indefinite period and could be revoked based on a written statement from the PD subject. The courts ruled that the validity period of the subjects' consent ends at the moment of written revocation.
- the signature of the PD subject.
In the event of the incapacity of a PD subject, the legal representative provides consent for personal data processing; in the event of death, heirs provide consent, unless it was given by the personal data subject during their lifetime.
The Law imposes on the Operator the burden of proving that consent was obtained from the PD subject; therefore, we recommend documenting it in writing or in another form that allows for confirmation of its receipt.
Documenting Consent for PD Processing in Electronic Form
The Personal Data Law does not contain direct rules or specific features regarding the documentation of consent in cases where personal data is provided remotely via the Internet.
According to Roskomnadzor's explanations in the FAQ section of its website, if the Law does not require written consent, it may be expressed in any manner, specifically by checking an electronic box. In practice, Operators place a consent form on their webpage together with an "I Agree to the processing of personal data" button or a field where a corresponding checkmark must be placed. Personal data should not be sent until the subject has confirmed their consent to processing.
If the Law requires written consent, the document must be signed either on a paper carrier or in electronic form (using an electronic signature as an equivalent to a handwritten signature).
Consent to the Processing of Personal Data Authorized for Distribution
Since March 1, 2021, a separate Consent to PD Distribution must be documented apart from the general consent for processing (Part 1 of Article 10.1 of the Personal Data Law). This provision still raises many questions in practice.
First, let us clarify the terminology. What constitutes the distribution of personal data? Article 3 of Law No. 152-FZ, which defines basic concepts, lists the transfer (distribution, provision, access) of personal data as one of the processing actions. Distribution of personal data refers to actions aimed at disclosing personal data to an indefinite circle of persons, while provision refers to disclosing data to a specific person or a specific circle of persons.
Thus, based on a literal interpretation of the Law, a PD operator must obtain consent from the PD subject if it plans to disclose personal data to an indefinite circle of persons. For example, publishing it on a website, in social networks, or posting it on a bulletin board. This interpretation was also reflected in the explanatory note to the bill introducing this consent. However, Article 10.1 of Law No. 152-FZ uses all terms: transfer, distribution, provision, and access. Consequently, there is a widespread opinion that a separate consent must also be obtained in cases where data will be disclosed to specific persons, such as transferring an employee's data to a bank for the issuance of a payroll card.
Requirements for the content of the consent to PD distribution were approved by Roskomnadzor Order No. 18 dated February 24, 2021. [3] It must contain:
- the full name and contact information of the PD subject (telephone number, email address, or postal address);
- information about the PD operator (name, address, INN, OGRN);
- information about the Operator's information resources (address consisting of the protocol name ("http" or "https"), server ("www"), domain, directory name on the server, and the web page file name) through which access to personal data will be provided to an unlimited circle of persons;
- the purposes of personal data processing;
- the category and list of personal data for which consent is given;
- the category and list of personal data for which the PD subject sets conditions and prohibitions, as well as the list of established conditions and prohibitions;
For example, when providing consent for the publication of a review on the operator's website, a client may specify that they permit the distribution of their full name but prohibit the publication of their residential address and photo.
Opposite each type of personal data within the corresponding category, there must be fields or marks allowing the subject to set prohibitions and restrictions on the distribution of such data.
- conditions under which the obtained personal data may be transferred by the PD operator: only via its internal network with access restricted to specific employees, using information and telecommunications networks, or without the transfer of obtained personal data.
If the PD subject has established prohibitions and conditions for processing, the Operator must publish this information for the notice of third parties within three days of receiving the consent for PD distribution (Part 10 of Article 10.1 of Law No. 152-FZ).
Prohibitions and conditions do not apply if personal data processing is carried out in state, public, or other public interests (Part 11 of Article 10.1 of Law No. 152-FZ). However, the provisions of the Law do not provide an answer as to what should be understood by these interests.
- the validity period of the consent.
Consent to PD distribution may be provided directly to the PD operator or through Roskomnadzor's information system. Roskomnadzor has implemented functionality allowing the Operator to prepare a consent form template. Using a builder-style service, the Operator only needs to fill in the required fields. The Operator may send the generated template to Roskomnadzor to receive recommendations on its formation.
As noted above, in our view, the wording of Article 10.1 of the Personal Data Law is poorly drafted and requires refinement, as many of its provisions allow for varying interpretations.
Revocation of Consent for the Processing and Distribution of Personal Data
A PD subject has the right to revoke consent for the processing of their data (Part 2 of Article 9 of Law No. 152-FZ). This can be done at any time and without providing reasons.
The Law does not regulate requirements for the revocation procedure. A revocation statement is drafted in free form. A sample of such a statement is available on Roskomnadzor's website. The method of revocation is specified when documenting the Consent to PD Processing. Roskomnadzor recommends revoking consent using the same method through which it was provided. In any case, it is important to record the date the Operator received the revocation.
In accordance with Part 5 of Article 20 of Law No. 152-FZ, the PD operator must stop processing personal data and destroy it within 30 days from the date the revocation is received. A different period may be established in a contract where the personal data subject is a party, beneficiary, or guarantor. Processing may also continue in cases where the Personal Data Law permits processing without the subject's consent.
The revocation of consent for distribution and the termination of personal data distribution are handled differently. Pursuant to Part 12 of Article 10.1 of Law No. 152-FZ, to terminate the transfer of personal data, the subject sends a demand, which must include:
- the surname, first name, patronymic (if any), and contact information (telephone number, email address, or postal address) of the personal data subject;
- a list of personal data for which distribution must be terminated.
The validity of a previously given consent for distribution terminates from the moment the Operator receives the demand; accordingly, the Operator must stop distributing such personal data upon receipt.
A demand to terminate the transfer of personal data may be presented not only to the original Operator but also to any other person performing its processing. Other persons must stop the transfer within three working days from the moment the demand is received.
Distribution of personal data may continue when necessary to exercise the powers of public authorities (Part 15 of Article 10.1 of the Personal Data Law). Notably, the provisions of Article 10.1 of Law No. 152-FZ do not contain references to other grounds for processing without the subject's consent specified in the Law, which may lead to negative consequences for Operators.
Liability for Violations in Working with Consents for Personal Data Processing
Operators are held administratively liable under Part 2 of Article 13.11 of the Code of Administrative Offenses of the Russian Federation (the "CAO RF") for processing personal data without the written consent of the subject or in violation of consent requirements. This entails a fine of 6,000 to 10,000 rubles for citizens, 20,000 to 40,000 rubles for officials, and 30,000 to 150,000 rubles for legal entities.
Consider an example from judicial practice. A prosecutor's office conducted an audit of a management company's compliance with personal data legislation. During the audit, it was established that the full names of children were stored on the company's computers, yet the management company lacked written consent from the parents for the processing of their children's personal data. No other legal grounds for data processing were provided. By order of a justice of the peace, the management company was found guilty of an administrative offense under Part 2 of Article 13.11 of the CAO RF and fined 30,000 rubles. Attempts to challenge the order in higher courts were unsuccessful.[4]
If the law does not mandate a written form of consent, there is a risk of liability under Part 1 of Article 13.11 of the CAO RF for processing personal data in cases not provided for by law. This entails an administrative fine of 2,000 to 6,000 rubles for citizens, 10,000 to 20,000 rubles for officials, and 60,000 to 100,000 rubles for legal entities.
For example, in one case, Roskomnadzor identified the processing of individual V.'s personal data without his consent, which occurred when a bank employee called V.'s mobile phone with commercial offers. The bank was found guilty of an administrative offense under Part 1 of Article 13.11 of the CAO RF and fined 60,000 rubles.[5]
In the event of failure to comply with a PD subject's demand to terminate processing when no legal basis for processing without consent exists, administrative liability may arise under Part 5 of Article 13.11 of the CAO RF. This entails an administrative fine of 2,000 to 4,000 rubles for citizens, 8,000 to 20,000 rubles for officials, 20,000 to 40,000 rubles for individual entrepreneurs, and 50,000 to 90,000 rubles for legal entities. Fines increase for repeated violations.
Furthermore, in cases of unlawful distribution, a personal data subject may file a lawsuit to have the activities of an internet resource declared unlawful and to compel Roskomnadzor to restrict access to it.
To illustrate this with a judicial example, we note that the number of such lawsuits has been growing in recent years. Subject Z. discovered that his personal data — full name, information about his work as a university lecturer, and insulting information regarding his appearance, qualification level, and work circumstances — was posted on the internet resource "pro….co". He sent a demand to delete his personal data via the feedback form on the resource, but received no response. This led to a lawsuit to declare the internet resource's activities unlawful and to compel Roskomnadzor to restrict access by entering the domain names, page pointers, and network addresses into the Register of Violators of Personal Data Subjects' Rights.
The court established that the internet resource had not obtained Z.'s consent to distribute his personal data and that no other legal grounds for processing existed. Access to the site was open, required no registration or password, and allowed any internet user to view and copy the information. The court found these actions to be in violation of the Personal Data Law and granted the claim in full.[6]
Additionally, a PD subject is entitled to demand compensation for moral damages if they believe their personal data was processed unlawfully. For instance, in one case, subject A. filed a claim against a newspaper for moral damage compensation in the amount of 120,000 rubles for the use of her image without her consent. The claim was based on the newspaper's publication of an article titled "Grandmother — 'Aggressor' or Victim?" featuring her image. Upon hearing the case, the court concluded that the newspaper failed to prove the lawfulness of distributing the plaintiff's image, as she had not given consent. Assessing the degree of the plaintiff's moral suffering and taking into account the criteria of reasonableness and justice, the court recovered 5,000 rubles from the newspaper in favor of A.[7]
In conclusion, we emphasize the need for strict compliance with legislative requirements for obtaining consents when working with the personal data of employees and clients, as well as the timely monitoring of regulatory changes. Ignoring these duties entails the risk of liability in the form of fines — which are increasing annually — as well as judicial claims.
_____________________________
References
[1] Recommendations on Drafting a Document Defining the Operator's Policy Regarding Personal Data Processing in the Order Established by Federal Law No. 152-FZ dated July 27, 2006, On Personal Data.
[2] Ruling of the Supreme Court of the Russian Federation No. 307-KG18-101 dated March 5, 2018, in Case No. A42-342/2017.
[3] Roskomnadzor Order No. 18 dated February 24, 2021, On Approving the Requirements for the Content of Consent to the Processing of Personal Data Authorized by the Personal Data Subject for Distribution.
[4] Resolution of the Second Court of Cassation of General Jurisdiction dated December 2, 2022, in Case No. 16-8909/2022.
[5] Resolution of the Second Court of Cassation of General Jurisdiction dated June 1, 2023, in Case No. 16-2897/2023.
[6] Default Judgment of the Sovetsky District Court of Samara dated September 5, 2023, in Case No. 2-3310/2023.
[7] Ruling of the First Court of Cassation of General Jurisdiction No. 88-12009/2022 dated May 18, 2022.