These instructions describe the procedure for selecting a personal data processing purpose when using the Toloka for Customers.
Disclaimer: The information presented herein should not be taken as legal advice. We recommend that you seek legal advice on what you need to do to comply with the requirements of the applicable privacy legislation.
Determine the need to process personal data
1.1. Determine what tasks you will solve with Toloka.
1.2. It should be clear from the task what result you want to get when performing the task by Tolokers.
1.3. Determine which tasks require the collection of personal data. Don't ask for personal data that isn't needed to perform a task.
Determine what personal data is needed for a particular task.
Formulate the purpose of personal data processing
2.1. Based on the task for which personal data is collected, formulate the purpose of processing personal data.
2.2. The purpose is formulated by answering the question: “What will I do with the data received from Tolokers?”
Responsibilities of the company processing personal data
3.1. The purposes for processing personal data should be stated in your Privacy policy.
3.2. Define the criteria for applicable privacy law. Before selecting a legal basis for processing personal data, you must check your business for the following criteria for determining the applicable law:
| Criteria | Example |
|---|---|
| Applicable law applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the country of applicable law, regardless of whether the processing takes place in the Country or not. | If data processing is done in the context of an organizational unit in the EU. In other words, if the office is physically located in any of the EU countries, and data is processed in that office, the GDPR is mandatory. |
Applicable law applies to the processing of personal data of data subjects who are in the country of applicable law by a controller or processor not established in the Country, where the processing activities are related to:
| If the data subject is located in the EU and the processing is related to the offer of goods and services. Here, the data subject is not only European citizens, but also people with passports from other countries who are in Europe passing through, traveling or living temporarily. And goods and services do not necessarily have to be paid for (for example, a mobile app that you downloaded in the free version). |
| Applicable law applies to the processing of personal data by a controller not established in the country of applicable law, but in a place where Member State law applies by virtue of public international law. | Where Member State law applies by virtue of public international law, GDPR should also apply to a controller not established in the Union, such as in a Member State's diplomatic mission or consular post. |
3.3. Determine the legal basis. The choice of the legal basis for processing Personal Data must be made on the basis of applicable law and the purpose of processing Personal Data:
| Legal basis | Description | Example |
|---|---|---|
| Legitimate interest | Legitimate interest of the company should not violate the rights and freedoms of the subjects of personal data and should be applied only as a last resort, and should be applied when other legal grounds are not applicable | The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. Important: When using this legal basis, a balancing of interests procedure must be conducted. |
| Legal requirement | Applies when the applicable laws of the country require processing the subject's Personal Data | The tax law requires transferring subjects' Personal Data to the tax authorities |
| Contract with the data subject | Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract | A contract for the provision of services to the subject of personal data, involving the processing of personal data. |
| Consent to the processing of Personal Data | Consent to the processing of Personal Data is used in the absence of other legitimate grounds provided by law. Consent can only be a legitimate basis if the data subject is offered control and a free choice to accept or reject the proposed conditions without adverse consequences | To send marketing newsletters, the consent of the subject of personal data must be obtained. |
3.4. Toloka provides a form for obtaining personal data principals' consent within the tasks for the Tolokers, in case such consent is required by applicable law and data processing is not covered by the User Agreement or other legal basis.
Last updated: July 11, 2023