Consent to Personal Data Processing: How to Draft a Document to Avoid a Fine?
Today, doing business is inextricably linked to the processing of customer personal data: from collecting contact information and concluding contracts to placing online orders in a wide variety of industries.
Recently, personal data breaches have become more frequent, leading to increased oversight by Roskomnadzor of businesses' compliance with personal data protection legislation.
According to media reports, Roskomnadzor recorded 136 database breaches in 2024, containing over 710 million records about Russians. In 2025, personal data breaches have also been recorded. For example, one of the most high-profile cases was the leak of personal data of AlfaStrakhovanie-Life clients due to cybercriminals infiltrating the company's information infrastructure.
Due to the need to tighten personal data processing rules, Federal Law No. 420-FZ of November 30, 2024, has increased fines for non-compliance with personal data protection legislation, introduced specific types of offenses (e.g., failure to notify Roskomnadzor of the intent to process personal data), and established fines for the leakage of special category and biometric personal data.
Personal Data Processing – General Information
In accordance with sub-paragraph 3, paragraph 3, clause 1 of Article 3 of Federal Law No. 152-FZ of July 27, 2006 (hereinafter – "FL No. 152"), personal data processing refers to any action performed with personal data (e.g., collection, recording, updating, storage).
In legal relations concerning personal data processing, there are always two mandatory participants:
Operator – an entity that organizes and/or carries out personal data processing;
Personal Data Subject – an individual who provides their personal data to the operator for processing.
Personal data processing is considered lawful when:
Such a right or obligation is stipulated by Russian Federation legislation, and the data subject's consent is not required (paragraphs 2 – 11, part 1, Article 6 of FL No. 152);
The personal data subject has provided appropriate written consent (paragraph 1, part 1, Article 6 of FL No. 152).
Thus, the data subject's consent is the legal basis for personal data processing in cases where such processing is not explicitly mandated by law.
Consent for Personal Data Processing: Types, C Cases Team Recommendations
As a general rule, consent for personal data processing can be given in any form that allows the operator to prove the fact of obtaining such consent. In practice, operators draft such consent in written or electronic form (e.g., by checking a box on a website).
However, there are cases where consent must be in written form (e.g., when processing special categories of personal data, biometric data, or for cross-border transfer of personal data).
Important! Consent for personal data processing must be drafted separately from other documents; including consent for personal data processing within a contract is not considered proper consent (part 1, Article 9 of FL No. 152). This position is confirmed by Roskomnadzor's clarifications.
Important! If you, as a personal data operator, plan to disseminate personal data (i.e., disclose personal data to an indefinite circle of persons), you must obtain additional consent specifically for this action (part 1, Article 10.1 of FL No. 152), which must be drafted separately from other consents.
Requirements for the content of consent for personal data processing are established by Article 9 of FL No. 152.
Typical errors for which Roskomnadzor imposes liability measures include:
vague purposes ("for any legitimate purposes");
a broad list of personal data not aligned with the processing purposes;
absence of a term or procedures for withdrawing consent.
The C Cases team recommends that operators include the following sections in their consent forms:
Information about the personal data subject (full name, date and place of birth, passport details of a Russian Federation citizen);
Information about the personal data operator (e.g., for a legal entity – OGRN, INN, information about the person authorized to act on behalf of the legal entity without a power of attorney);
Purposes of personal data processing (e.g., conducting market research, sending promotional emails);
List of personal data for which consent is given for processing (e.g., full name, place of birth, email address);
Actions the operator is entitled to perform with personal data (e.g., collection, recording, storage, updating);
The period for which such consent is granted.
Liability for processing personal data without the data subject's consent
When personal data is processed without proper consent from the data subject (or with consent lacking mandatory details), liability arises as stipulated by Part 1, Article 13.11 of the Administrative Offenses Code of the Russian Federation:
For individuals: an administrative fine ranging from 10,000 rubles to 15,000 rubles;
For officials and individual entrepreneurs: an administrative fine ranging from 50,000 rubles to 100,000 rubles;
For legal entities: an administrative fine ranging from 150,000 rubles to 300,000 rubles.
When personal data is processed without proper mandatory written consent from the data subject (or without mandatory details), liability arises as stipulated by Part 2, Article 13.11 of the Administrative Offenses Code of the Russian Federation:
For individuals: an administrative fine ranging from 10,000 rubles to 15,000 rubles;
For officials and individual entrepreneurs: an administrative fine ranging from 100,000 rubles to 300,000 rubles;
For legal entities: an administrative fine ranging from 300,000 rubles to 700,000 rubles.
Conclusion
Consent to personal data processing constitutes an independent legal basis for processing in cases where such processing is not explicitly stipulated by law. Properly executed consent allows the operator to confirm the legality of actions taken with personal data and significantly reduces the risk of administrative liability.
Given the increasing scrutiny from Roskomnadzor and the rising number of personal data breaches, preparing proper consent for data processing is shifting from a formal recommendation to an essential condition for business legal security.
If, as a personal data operator, you need to determine whether consent is required in a specific situation, prepare a correct consent text, consider the requirements for processing special categories of personal data, and review existing documents for legal risks, the C Cases team can help you prepare a comprehensive set of documents and protect your interests in interactions with data subjects and regulatory bodies.
Sources
Federal Law No. 152-FZ of July 27, 2006;
Code of Administrative Offenses of the Russian Federation No. 195-FZ of December 30, 2001.