Instructions for Customers on the choice of the purposes for personal data processing

These instructions describe the procedure for selecting a personal data processing purpose when using the Toloka for Customers.

Disclaimer: The information presented herein should not be taken as legal advice. We recommend that you seek legal advice on what you need to do to comply with the requirements of the applicable privacy legislation.

Choosing the purpose of personal data processing

  1. Determine the need to process personal data

    1.1. Determine what tasks you will solve with Toloka.

    1.2. It should be clear from the task what result you want to get when performing the task by Tolokers.

    1.3. Determine which tasks require the collection of personal data. Don't ask for personal data that isn't needed to perform a task.

    Determine what personal data is needed for a particular task.

  2. Formulate the purpose of personal data processing

    2.1. Based on the task for which personal data is collected, formulate the purpose of processing personal data.

    2.2. The purpose is formulated by answering the question: “What will I do with the data received from Tolokers?”

  3. Responsibilities of the company processing personal data

    3.1. The purposes for processing personal data should be stated in your Privacy policy.

    3.2. Define the criteria for applicable privacy law. Before selecting a legal basis for processing personal data, you must check your business for the following criteria for determining the applicable law:

    Applicable law applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the country of applicable law, regardless of whether the processing takes place in the Country or not.If data processing is done in the context of an organizational unit in the EU. In other words, if the office is physically located in any of the EU countries, and data is processed in that office, the GDPR is mandatory.

    Applicable law applies to the processing of personal data of data subjects who are in the country of applicable law by a controller or processor not established in the Country, where the processing activities are related to:

    • the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the country of applicable law;
    • the monitoring of their behavior as far as their behavior takes place within the country of applicable law.
    If the data subject is located in the EU and the processing is related to the offer of goods and services. Here, the data subject is not only European citizens, but also people with passports from other countries who are in Europe passing through, traveling or living temporarily. And goods and services do not necessarily have to be paid for (for example, a mobile app that you downloaded in the free version).
    Applicable law applies to the processing of personal data by a controller not established in the country of applicable law, but in a place where Member State law applies by virtue of public international law.Where Member State law applies by virtue of public international law, GDPR should also apply to a controller not established in the Union, such as in a Member State's diplomatic mission or consular post.

    3.3. Determine the legal basis. The choice of the legal basis for processing Personal Data must be made on the basis of applicable law and the purpose of processing Personal Data:

    Legal basisDescriptionExample
    Legitimate interestLegitimate interest of the company should not violate the rights and freedoms of the subjects of personal data and should be applied only as a last resort, and should be applied when other legal grounds are not applicableThe processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned.

    Important: When using this legal basis, a balancing of interests procedure must be conducted.
    Legal requirementApplies when the applicable laws of the country require processing the subject's Personal DataThe tax law requires transferring subjects' Personal Data to the tax authorities
    Contract with the data subjectProcessing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contractA contract for the provision of services to the subject of personal data, involving the processing of personal data.
    Consent to the processing of Personal DataConsent to the processing of Personal Data is used in the absence of other legitimate grounds provided by law. Consent can only be a legitimate basis if the data subject is offered control and a free choice to accept or reject the proposed conditions without adverse consequencesTo send marketing newsletters, the consent of the subject of personal data must be obtained.

    3.4. Toloka provides a form for obtaining personal data principals' consent within the tasks for the Tolokers, in case such consent is required by applicable law and data processing is not covered by the User Agreement or other legal basis.

Last updated: July 11, 2023

Getting started
Important tips
Useful recommendations
Working with Toloka
Project analysis
Toloka settings
Task interface
Template Builder
HTML/CSS/JS editor
Help and support