Toloka makes every effort to guarantee the privacy and security of personal data. We expect all requesters and partners to handle personal data responsibly, and these guidelines provide a checklist to help you make the right decisions.
Disclaimer: You understand and confirm that you will not rely solely on the guidelines of Toloka and these guidelines shall not be used as a substitute for legal advice.
Before processing personal data, assess whether it is truly needed for the success of your project. Answer these questions about your project:
Determine what tasks you will solve with Toloka.
It should be clear from the task description what result you expect Tolokers to produce when they perform the task.
Determine which tasks require the collection of personal data. Don't ask for personal data that isn't needed to perform a task.
Determine what personal data is needed for a particular task.
Based on the description of the tasks and results, formulate the purpose of processing personal data. Answer this question:
The purposes for processing personal data should always be stated in your Privacy Notice.
To understand your full legal responsibilities, you need to decide which privacy law is applicable and then determine the legal basis for processing personal data.
Define the criteria for applicable privacy law
Before selecting a legal basis for processing personal data, check whether your business meets any of the following criteria. Each one determines which privacy law applies to you:
Criteria | Example |
---|---|
Applicable law applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the country of that law, regardless of whether the processing itself takes place in that country. | Data processing is done in the context of the activities of an establishment in the EU. In other words, if an office is physically located in any EU country and the processing is carried out in the context of that office's activities, the GDPR applies, even if the data is actually processed on servers elsewhere. |
Applicable law applies to the processing of personal data of data subjects who are in the country of that law by a controller or processor not established in that country, where the processing activities are related to offering goods or services to those data subjects or to monitoring their behaviour. | The data subject is located in the EU and the processing is related to the offer of goods and services. Here, data subjects are not only EU citizens but also people with passports from other countries who are in Europe passing through, traveling, or living temporarily. Goods and services do not have to be paid for (for example, a mobile app that the user downloaded in its free version). |
Applicable law applies to the processing of personal data by a controller not established in the country of that law, but in a place where Member State law applies by virtue of public international law. | Where Member State law applies by virtue of public international law, the GDPR also applies to a controller not established in the Union, for example in a Member State's diplomatic mission or consular post. |
Determine the legal basis
Legal basis | Description | Example |
---|---|---|
Consent to the processing of personal data | Consent can only be a legitimate basis if it is freely given, specific, informed, and unambiguous, and if the data subject is offered real control: a free choice to accept or reject the proposed conditions without adverse consequences, and the ability to withdraw consent later. | To send marketing newsletters, the consent of the personal data subject must be obtained. |
Contract with the data subject | Processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract. | In this case, it is important to clearly state the conditions for the processing of personal data in the task for Tolokers, including the consideration (reward) they receive in return. |
Use the Toloka consent form if needed
Toloka provides an integrated form for obtaining consent from the personal data subjects within the tasks for Tolokers. You can use this form if consent is required by applicable law and data processing is not covered by the User Agreement or other legal basis.
There are two common legal bases for processing voice recordings and images of real people: consent, and a contract to which the data subject is a party.
If you use consent
The requirements for the contents of a consent may vary depending on the jurisdiction. In general, it is recommended to include the following minimum provisions in a consent form:
Consent may be collected in electronic form. For example, users can confirm consent by ticking a checkbox placed next to a link to the consent text for personal data processing. The box must be unticked by default: a pre-ticked box, or silence or inactivity, does not count as valid consent under the GDPR. Record when and how each consent was given so you can demonstrate it later.
Data subjects shall be provided with an easy-to-use way to withdraw their consent, and withdrawing must be as easy as giving it. For example, data subjects may be provided with a link to an opt-out page that they can use to withdraw consent. Withdrawal does not make the processing that took place before it unlawful, but you should establish a process for deleting a data subject's personal data once they withdraw consent, including any copies already exported into datasets built from the task results.
Consent wording template
Acting freely, of my own free will and in my own interest, as well as confirming my legal capacity and considering the statements of [insert the link to the Privacy Notice], I am hereby giving consent to [name] (hereinafter – Controller) having its registered office at the address: [address] to the processing of my personal data on the following conditions:
Consent is given to the processing of my: [__________]
The purpose of personal data processing is [__________]
Personal data is processed until [__________]
This consent can be withdrawn by sending a request to [email] [or to the support team at [name], or by using the functionality of the service]. The same channels can be used to exercise my rights in relation to the processing of my personal data.
If you use a contract
The contract (the description of the task that the Toloker agrees to) shall be drawn up in such a manner that it is clear that voice recordings and/or photos of the data subject are collected in return for a monetary reward.
The contract shall also include provisions on personal data processing and protection. It is recommended to include the following information in the contract template:
While voice recordings and photos do not constitute biometric personal data in the context of their processing on the Toloka platform, such data may present risks to the data subjects. Note that under the GDPR, photos and voice recordings become biometric data, and therefore a special category, as soon as they are processed through specific technical means that allow a natural person to be uniquely identified (for example, face or speaker recognition); if your downstream use of the collected data does this, the special-category rules described below apply. Therefore, it is good practice to conduct a Data Protection Impact Assessment (DPIA) according to art. 35 of the GDPR (or its equivalent in the applicable legislation, if it provides for such an assessment).
Photos containing health information (for example, photos of people with skin diseases) constitute a special category of personal data which is subject to strict rules of processing in the majority of jurisdictions.
Determine the data privacy legislation applicable to your case and choose the appropriate legal basis for the data processing. Possible legal bases for processing of special categories of personal data may differ depending on jurisdiction. For example:
Jurisdiction | Legal Basis |
---|---|
Canada | PIPEDA: explicit consent. |
EU/EEA & UK | GDPR / UK GDPR: explicit consent; the controller's or data subject's obligations in the field of employment and social security; protection of the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent; processing of data relating to its members by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim; processing of personal data manifestly made public by the data subject; establishment, exercise or defense of legal claims; substantial public interest; processing for the purposes of preventive or occupational medicine; public interest in the area of public health; archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. |
USA | CCPA/CPRA: consent. VCDPA: explicit consent. |
Switzerland | FADP: explicit consent; the controller's or data subject's obligations, when processing is prescribed by law or a collective agreement. |
Serbia | Serbian Personal Data Protection Law: explicit consent; the controller's or data subject's obligations, when processing is prescribed by law or a collective agreement; protection of the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent; processing of data relating to its members by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim; processing of publicly available personal data; establishment, exercise or defense of legal claims; substantial public interest; processing for the purposes of preventive or occupational medicine; public interest in the area of public health; archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. |