Data Processing Addendum (Toloka Platforms – Users)
Effective Date: January 9, 2026
1. Scope, Roles, and Definitions
1.1. This Data Processing Addendum (the "Addendum") forms part of, and is incorporated by reference into, the Toloka Platforms Terms of Use (the "Terms") between Toloka AI BV and its relevant Affiliates (collectively, "Toloka", "we", "us") and each individual who registers for and uses the Toloka Platforms to perform Tasks and provide Services (the "User", "you").
1.2. Capitalised terms used but not defined in this Addendum have the meanings given to them in the Terms. In particular, "Customer" means a person or entity that engages Toloka for Services and/or posts Tasks on or through the Toloka Platforms, and "Customer Material" means any data, including Personal Data, that Toloka receives from or on behalf of a Customer and processes in connection with the Services.
1.3. For the purposes of this Addendum:
(a) "Applicable Privacy Laws" means all applicable data protection and privacy laws and regulations in the European Economic Area ("EEA") and the United Kingdom, including, without limitation:
(i) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data ("GDPR");
(ii) the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018, together with the Data Protection Act 2018 (collectively, the "UK GDPR"); and
(iii) any national implementing or supplementary legislation in the EEA or the UK relating to the protection of personal data and privacy;
in each case as amended, consolidated, replaced, or superseded from time to time.
(b) The terms "Personal Data", "Processing" (and "process"), "Controller", "Processor", "Data Subject", "Personal Data Breach" and "Supervisory Authority" shall have the meanings given to them in the GDPR and, where the UK GDPR applies, shall be interpreted consistently with the UK GDPR.
1.4. In respect of the Processing of Personal Data relating to Users (including Personal Data associated with a User’s Toloka account, profile, qualifications, telemetry, KYC and payment data, and any Personal Data that a User voluntarily includes in Outputs), Toloka acts as an independent Controller, and the User is the relevant Data Subject for the purposes of the Applicable Privacy Laws.
1.5. In respect of the Processing of Customer Material that Toloka receives from or on behalf of a Customer and makes accessible to the User solely via the Toloka Platforms for the performance of Tasks:
(a) the Customer is the Controller of such Customer Material;
(b) Toloka acts as the Customer's Processor in accordance with the applicable agreement between Toloka and the Customer; and
(c) to the extent that the User Processes such Customer Material in order to perform Tasks and provide the Services via the Toloka Platforms, the User acts as a sub‑processor engaged by Toloka.
1.6. This Addendum governs the rights and obligations of Toloka and the User in connection with the Processing of Personal Data under the Terms. Nothing in this Addendum shall be construed as creating any direct contractual relationship between the User and any Customer.
1.7. This Addendum does not amend, limit, or otherwise affect any rights or obligations as between Toloka and its Customers, including any controller-processor agreements, standard contractual clauses, data transfer mechanisms, or other data protection commitments agreed between Toloka and a Customer. Those remain governed exclusively by the separate written agreements concluded between Toloka and the relevant Customer.
2. Processing of Personal Data Relating to Users
2.1. When you perform Tasks, you may be asked or permitted to provide Personal Data relating to you as part of the Task content; for example:
images or video of yourself or your surroundings;
voice recordings or other audio;
free‑text content that includes biographical, professional, or contact information.
2.2. Where you voluntarily provide such Personal Data relating to you in connection with a Task:
(a) Toloka Processes that Personal Data as Controller; and
(b) Toloka may transmit or make such Personal Data available to the relevant Customer, and to that Customer's authorised processors and sub‑processors, as part of the Deliverables for the Task.
2.3. Where the GDPR or the UK GDPR applies, Toloka may Process and retain such Personal Data relating to you, and any associated metadata (such as Task identifiers, timestamps, quality labels and other operational data), on the following legal bases and for the following purposes:
(a) Performance of a contract (Article 6(1)(b) GDPR / UK GDPR):
routing and displaying your content to the correct project and Customer;
enabling review, acceptance, and payment for the Task; and
administering your use of the Toloka Platforms under the Terms.
(b) Legitimate interests (Article 6(1)(f) GDPR / UK GDPR):
demonstrating the provenance, quality, and scope of Deliverables provided to Customers;
handling quality disputes, audits, feedback, and operational queries from Customers;
operating, securing, monitoring, and improving the Toloka Platforms, including fraud prevention and abuse detection; and
managing Toloka’s legal, risk, and compliance position.
(c) Compliance with legal obligations (Article 6(1)(c) GDPR / UK GDPR):
sanctions / KYC checks and other due‑diligence measures where required under Applicable Privacy Laws or other applicable laws; and
responding to lawful requests from courts, Supervisory Authorities, or other competent public authorities.
(d) Consent (Article 6(1)(a) and, where relevant, Article 9(2)(a) GDPR / UK GDPR):
for specific Task types that involve special categories of Personal Data (for example, health‑related images or other data revealing information listed in Article 9(1) GDPR / UK GDPR), where Applicable Privacy Laws require explicit consent. In such cases, Toloka will obtain your consent through Task‑level flows or the Toloka Platforms user interface.
2.4. By accepting the Terms and performing Tasks, you acknowledge that Toloka and its Customers may retain Personal Data relating to you that is linked to specific Tasks for as long as reasonably necessary to:
(a) perform and evidence their contractual obligations;
(b) comply with applicable legal, tax, accounting, and regulatory obligations;
(c) respond to audits, inspections, and regulatory or Supervisory Authority inquiries; and
(d) establish, exercise, or defend actual or potential legal claims.
After the expiry of the applicable retention periods, Toloka will delete or irreversibly de‑identify such Personal Data, unless continued retention is required by Applicable Privacy Laws or other mandatory legal obligations.
2.5. Where Toloka relies on your consent to Process any Personal Data (including special categories of Personal Data), you may withdraw that consent at any time via the contact details and mechanisms described in Toloka’s Privacy Notice. Withdrawal of consent does not affect the lawfulness of Processing based on consent before its withdrawal, nor does it affect Processing that is required by law or is necessary for the purposes set out in Clause 2.4.
3. Processing of Customer Material by the User
3.1. Where Toloka makes Customer Material available to you solely via the Toloka Platforms for the purpose of enabling you to perform Tasks and provide the Services on Toloka's behalf, you shall Process such Customer Material only:
(a) on Toloka’s documented instructions as set out in the Terms, this Addendum, and applicable Task‑level instructions and guidelines; and
(b) to the extent strictly necessary to perform the Tasks and provide the Services via the Toloka Platforms.
3.2. Without prejudice to the generality of Clause 3.1, you shall:
(a) Process Customer Material only within the Toloka Platforms and any other tools or virtual environments expressly identified by Toloka in the relevant Task instructions;
(b) comply with all Task‑specific instructions, guidelines, and policies (including, without limitation, content, security, confidentiality, and privacy rules) communicated or made available by Toloka; and
(c) treat all Customer Material as confidential in accordance with Section 12 (Confidentiality) of the Terms and this Addendum.
3.3. You shall not, in relation to Customer Material:
(a) copy, download, export, store, or otherwise retain Customer Material outside the Toloka Platforms or other tools expressly authorised by Toloka;
(b) make screenshots, screen recordings, photographs, or any other captures of Customer Material;
(c) sell, license, disclose, or otherwise make Customer Material available to any third party;
(d) allow any other person to access or perform Tasks using your account or credentials; or
(e) Process Customer Material for your own purposes or for any purpose other than the performance of the relevant Tasks.
3.4. If you believe that any instruction from Toloka infringes Applicable Privacy Laws, or you are unable to comply with an instruction, you shall promptly notify Toloka in writing and cease the relevant Processing (other than secure storage within the Toloka Platforms) until Toloka confirms, amends, or withdraws the instruction.
3.5. You shall promptly notify Toloka (via the Toloka support channels or the contact details set out in Toloka’s Privacy Notice) if you become aware of:
(a) any Personal Data Breach affecting Customer Material (including, without limitation, accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Material); or
(b) any request, complaint, or other communication from a Data Subject or Supervisory Authority relating to Customer Material that you have Processed.
You shall provide Toloka with all information reasonably requested and cooperate with Toloka in investigating, mitigating, and remediating any such Personal Data Breach or incident, and in responding to any such request, complaint, or communication, in each case to the extent permitted by Applicable Privacy Laws.
3.6. You shall not appoint any further sub‑processor or otherwise permit any third party to access Customer Material via your account or in connection with the Services. Sub‑contracting of Tasks, sharing credentials, or allowing another person to work under your account is strictly prohibited.
3.7. Upon closure of your Toloka account, or upon Toloka's written request, you shall promptly delete any Customer Material that you may have inadvertently stored or retained outside the Toloka Platforms and, upon Toloka's request, confirm in writing that such deletion has been completed, except to the extent that Applicable Privacy Laws require you to retain certain data.
4. Toloka's Obligations in Relation to Customer Material
4.1. Toloka shall ensure that there is an appropriate legal basis and, where required by Applicable Privacy Laws, a written controller-processor data processing agreement or other legally valid instrument in place between Toloka and each relevant Customer for the Processing of Customer Material, including for the engagement of Users as sub‑processors.
4.2. Toloka shall provide you with:
(a) clear Task‑level instructions and guidelines that define how Customer Material must be handled when performing Tasks; and
(b) appropriate contact details and channels for raising any questions or concerns relating to data protection or security.
4.3. Toloka shall take appropriate steps to ensure that Users who Process Customer Material are subject to obligations of confidentiality with respect to such data as set out in the Terms and this Addendum.
5. Data Subject Rights
5.1. In relation to Personal Data relating to you that Toloka Processes as Controller (as described in Clause 2), you shall have the rights granted to Data Subjects under Applicable Privacy Laws, including (where applicable and subject to legal limitations): the right of access; rectification; erasure; restriction of Processing; data portability; and objection to Processing, as well as the right to withdraw consent where Toloka relies on consent as a legal basis.
5.2. You may exercise your rights by contacting Toloka using the methods and contact details set out in Toloka’s Privacy Notice. Toloka shall handle such requests in accordance with Applicable Privacy Laws.
5.3. In relation to Customer Material, you acknowledge that:
(a) you are not a Controller of such data; and
(b) you shall not respond directly to any Data Subject request, complaint, or other communication relating to Customer Material.
If you receive any such request, complaint, or communication directly, you shall promptly forward it to Toloka and shall not respond except in accordance with Toloka’s documented instructions.
6. International Transfers – General
6.1. Where Personal Data relating to you or Customer Material is transferred between the EEA, the UK, and other countries, Toloka shall implement appropriate transfer mechanisms in accordance with Applicable Privacy Laws, which may include, as appropriate:
(a) an adequacy decision adopted by the European Commission or the UK Government in respect of the destination country; and/or
(b) the execution of standard contractual clauses for international data transfers adopted by the European Commission under Article 46 GDPR and/or any equivalent mechanism under the UK GDPR (including, where applicable, the UK International Data Transfer Addendum).
6.2. Where you access Customer Material hosted in the EEA or the UK from a location outside the EEA or the UK, you shall not circumvent any technical or geographic access restrictions implemented by Toloka (for example, by using unauthorised VPNs or proxy services) in a manner that would undermine Toloka's or a Customer's compliance with Applicable Privacy Laws.
7. Survival and Precedence
7.1. This Addendum forms part of the Terms and shall survive termination of your Toloka account to the extent reasonably necessary for Toloka to:
(a) retain and use Personal Data in accordance with Clause 2.4; and
(b) comply with its obligations to Customers and with Applicable Privacy Laws and other mandatory legal requirements.
7.2. In the event of any conflict or inconsistency between this Addendum and the Terms relating to the Processing of Personal Data, this Addendum shall prevail to the extent of such conflict or inconsistency, unless the Terms provide greater protection to you as a Data Subject under Applicable Privacy Laws.
8. International Transfers – Standard Contractual Clauses
8.1. EU/EEA to Non‑EEA Transfers Where the User Acts as Sub‑Processor
8.1.1. To the extent that:
(a) the GDPR applies to Toloka's Processing of Customer Material on behalf of a Customer; and
(b) Toloka, acting as Processor for the Customer, makes such Customer Material available to you via the Toloka Platforms while you are located in a country outside the EEA that does not benefit from an adequacy decision adopted by the European Commission under Article 45 GDPR,
Toloka and you agree that the Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, Module 3 (Processor to Processor), as set out in Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (the "SCCs"), are hereby incorporated by reference into this Addendum and shall apply to such transfers.
8.1.2. For the purposes of the SCCs:
(a) the data exporter shall be the Toloka entity that, under the relevant agreement with the Customer, acts as Processor and makes Customer Material available to you via the Toloka Platforms; and
(b) the data importer shall be you, the User, insofar as you Process Customer Material made available via the Toloka Platforms.
8.1.3. The information required by the SCCs in Annex I, Annex II and Annex III is set out in Attachment A to this Addendum.
8.2. EU/EEA to Non‑EEA Transfers of Personal Data Relating to Users
8.2.1. Where Toloka acts as Controller of Personal Data relating to you and transfers such Personal Data from the EEA to a recipient established in a country outside the EEA that does not benefit from an adequacy decision under Article 45 GDPR, Toloka shall ensure that an appropriate transfer mechanism is in place in accordance with Chapter V GDPR. Such mechanism may include, as appropriate:
(a) the execution of standard contractual clauses for international data transfers adopted by the European Commission under Article 46 GDPR; or
(b) any other lawful transfer mechanism recognised under the GDPR.
8.2.2. Such controller‑level transfer arrangements will be set out in Toloka’s agreements with the relevant recipients and are not reproduced in full in this Addendum.
8.3. UK Transfers and UK Addendum
8.3.1. To the extent that the UK GDPR applies to a transfer of Personal Data:
(a) for transfers where you act as sub‑processor outside the UK, Toloka and you agree that the SCCs described in Clause 8.1 shall apply, as amended and supplemented by the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner’s Office (the "UK Addendum"); and
(b) for transfers of Personal Data relating to you from the UK to a recipient established in a country outside the UK that does not benefit from an adequacy regulation under the UK GDPR, Toloka shall implement an appropriate transfer mechanism in accordance with Chapter V UK GDPR, which may include the UK Addendum to the SCCs or any other lawful mechanism recognised under the UK GDPR.
8.3.2. The UK Addendum, where required, shall be deemed executed between Toloka (as exporter) and you (as importer) for transfers falling within Clause 8.3.1(a), and Toloka shall complete any variable information required by the UK Addendum as exporter.
8.4. Precedence of SCCs and UK Addendum
In the event of any conflict or inconsistency between:
(a) this Addendum; and
(b) the SCCs (and, where applicable, the UK Addendum),
the SCCs (and, where applicable, the UK Addendum) shall prevail solely to the extent necessary to ensure compliance with Chapter V GDPR and/or Chapter V UK GDPR, as applicable, and without limiting any additional protections afforded to you under this Addendum or the Terms.
Attachment A – SCC Annexes (Module 3: Processor to Processor)
The Parties acknowledge that the full text of the SCCs (Module 3 – Processor to Processor) issued by the European Commission in Implementing Decision (EU) 2021/914 is incorporated by reference. The following Annexes complete those Clauses for the relationship between Toloka (as data exporter) and the User (as data importer).
Annex I – List of Parties and Description of the Transfer
Annex I.A – List of Parties
Data Exporter:
Name: The Toloka entity that, under the relevant agreement with the Customer, acts as Processor and makes Customer Material available to the User via the Toloka Platforms.
Address: As set out in the applicable agreement with the Customer or the Terms.
Contact details: As set out in the Terms or Toloka’s Privacy Notice (for example, legal@toloka.ai or other designated contact).
Role: Processor (acting on behalf of a Controller).
Data Importer:
Name: The individual User who has accepted the Terms and this Addendum and performs Tasks via the Toloka Platforms.
Address: The residential or contact address provided in the User’s Toloka profile.
Contact details: As provided in the User’s account.
Role: Processor (sub‑processor).
Annex I.B – Description of the Transfer
Categories of Data Subjects whose Personal Data is transferred: Individuals whose Personal Data forms part of the content supplied by or on behalf of Customers for Processing via the Toloka Platforms (for example, Customers' customers, employees, contractors, or other individuals appearing in text, images, audio, video, or other datasets).
Categories of Personal Data transferred: Any Personal Data contained in Customer Material made available via the Toloka Platforms that is necessary for the performance of relevant Tasks, which may include, depending on the project:
names, identifiers, and contact details;
behavioural, transactional, or usage data; and
text content, images, audio, video, or other contextual data supplied by Customers.
Sensitive data (special categories) and safeguards: Special categories of Personal Data (as defined in Article 9(1) GDPR / UK GDPR) are not generally intended but may be present in certain projects (for example, medical images, biometric identifiers in images or video, or other sensitive content).
Additional safeguards include: strict purpose limitation; restricted access; project‑specific guidelines and quality controls; prohibition on off‑platform copying or downloading; and the technical and organisational measures described in Annex II.
Frequency of the transfer: Continuous and/or batch transfers for as long as the relevant Tasks are available and active under the applicable engagement between Toloka and the Customer.
Nature of the Processing: Viewing, annotating, labelling, classifying, comparing, transcribing, evaluating, and otherwise Processing Customer Material as required by the project guidelines, solely via the Toloka Platforms and any tools expressly authorised by Toloka or Customer.
Purpose(s) of the transfer and further Processing: Enabling the User, as a sub‑processor engaged by Toloka, to perform Tasks and support Customers' labelling, annotation, evaluation, and related projects pursuant to the applicable agreement between Toloka and the Customer.
Duration of Processing / retention:
For each project, for as long as Toloka and the relevant Customer reasonably require the Customer Material to perform and evidence the project, comply with legal and contractual obligations, and handle audits, inspections, and disputes, as described in the Terms, this Addendum, and the applicable agreement between Toloka and the Customer.
For the User, only for the period during which Tasks are assigned and accessible, and any additional period reasonably necessary to investigate or remediate incidents, alleged breaches, or misconduct.
Annex I.C – Competent Supervisory Authority
The competent Supervisory Authority shall be determined in accordance with Clause 13 of the SCCs, typically the Supervisory Authority of the EU Member State in which the relevant Toloka data exporter is established, or, where applicable, the Supervisory Authority identified pursuant to Article 27 GDPR and Toloka’s Article 27 representation arrangements.
Annex II – Technical and Organisational Measures
In addition to Toloka's own technical and organisational measures (as described in Toloka's Information Security Policy and any data processing agreements with Customers), the User, acting as data importer under the SCCs, shall at a minimum:
(a) access Customer Material only via authenticated Toloka accounts protected by strong, unique passwords and, where enabled by Toloka, multi‑factor authentication;
(b) refrain from locally storing, copying, downloading, or capturing Customer Material (including through screenshots, photographs, or video recordings) outside the Toloka Platforms or other tools expressly authorised by Toloka;
(c) use devices that are reasonably secured, including up‑to‑date operating systems and browsers and, where available, native disk encryption and screen‑lock functionality;
(d) promptly notify Toloka of any suspected compromise of the User's device, account, or access credentials, or any suspected leak, loss, or unauthorised disclosure of Customer Material; and
(e) comply with all project‑specific security instructions, including the use of Toloka‑controlled virtual environments and any additional confidentiality or access‑control steps required for particular projects.
Annex III – List of Sub‑Processors
The User is not permitted to appoint further sub‑processors or to allow any third party to access Customer Material via the User's account or in connection with the Services. Accordingly, no authorised sub‑processors are listed for the User as data importer under the SCCs.
Version 1.0 - 2026.01.09