“N+1” or a new type of consent to the processing of personal data
Previously we wrote in our article about new rules for the processing of publicly available personal data, which came into force on March 1, 2021.
The other day, the regulator Roskomnadzor published an order detailing the content of a consent to the dissemination of personal data. The order will enter into force on 1 September 2021 and will be limited to 1 September 2027.
In particular, according to the order, the consent includes the following data:
- surname, first name, and patronymic (if any) of the subject of personal data;
- contact details of the personal data subject (phone number, e-mail address or mailing address of the personal data subject);
- information about the personal data operator;
- information resources in which personal data will be distributed: an address consisting of the name of the protocol (http or https), server (www), domain, directory name on the server and the name of the file and web page through which access will be provided to the general public and other actions with personal data with respect to the personal data subject;
- the purpose of distributing personal data;
- the categories and a list of personal data of which the dissemination is permitted by the personal data subject, for example:
– name, patronymic (if any), year, month, date of birth, place of birth, address, marital status, social status, property status, education, profession, income, other information relating to the personal data subject);
– special categories of personal data (race, nationality, political views, religious or philosophical beliefs, health, intimate life, criminal record);
– biometric personal data (DNA, iris, fingerprint information, a color digital photographic facial image, voice, a photo-image of the palm vein pattern obtained in near-infrared range and other information);
- categories and a list of personal data for the dissemination of which the subject establishes conditions and prohibitions, as well as a list of the conditions and prohibitions established (to be filled if the subject so wishes);
- conditions under which personal data may be transmitted only through an internal network that provides access to information only for strictly defined employees, or using an information and telecommunications network, or without the transmission of the data received (to be filled in at the request of the subject);
- validity period of the consent (a specific validity period or a particular date).
Consent is given to a specific operator and does not entitle others to use the subject’s personal data for their own purposes. Consent can be obtained in any form that allows the fact of its receipt to be confirmed; there is no uniform form, so operators should independently develop a consent form that includes the mandatory information in accordance with the Order.
As for a previously obtained consent, it remains in effect in terms of the processing of personal data, except for the dissemination of such data.
The Order clarifies the content of a consent to disseminate personal data, leaving operators to set the form of such consent based on their own discretion and needs.