Consent to the processing of personal data is fraught with the use of them for purposes other than those for which they were transferred. On Monday, May 23, the lawyer of the Yurlov and Partners law office Gleb Sitnikov warned the Russians about this.
“The risk for the subjects of personal data (PD) is always the same – their use without their consent and not for the purposes for which they were transferred. When giving consent, you should carefully read its content and compare it with the real purposes of processing. If the list of PD and the goals specified in the consent clearly go beyond reasonable limits, there is reason to ask questions to the operator, ”he emphasized in an interview with Izvestia.
At the same time, according to the expert, citizens have the right to withdraw consent to data processing. However, such a step does not always entail the termination of processing.
“It is also necessary to distinguish the withdrawal of consent from the notification of illegal processing of PD, since the latter, unlike withdrawal, in any case requires the termination of processing and deletion of PD. PD subjects need to take into account that their withdrawal of consent does not always necessarily entail the complete removal of their data from the operator’s database,” Sitnikov warned.
He explained that consent to the processing of personal data is a prerequisite for processing, except in cases specified by law. For example, consent is not required if the processing takes place for the purposes of concluding and executing a contract with the PD subject. Nevertheless, many companies collect consents when concluding contracts.
“The consent must contain a list of data, the purposes and terms of their processing. In some cases, consent must be in writing. For example, for biometric PD. The most stringent requirements for the content of the consent to the processing of personal data are those allowed for distribution, ”the lawyer explained.
On April 3, Mikhail Zhuravlev, lecturer at the Faculty of Law at the Higher School of Economics, spoke about how to act competently when personal data is leaked. According to him, you should contact the owners of the site directly, referring to the law “On Personal Data”. In addition, you can contact search engine operators. According to Art. 10.3 of the Federal Law “On Information, Information Technologies and Information Protection”, they are required to remove links to sites with information about citizens that are distributed in violation of the law.
The expert also emphasized that, even if the user has given consent to the processing of personal data, if necessary, he can withdraw it on the basis of Part 2 of Art. 9 and part 5 of Art. 21 of the law on personal data.