How not to give consent to the processing of personal data

And what kind of consent is not worth signing.







Good day, Habr!



This article was born completely spontaneously out of the following story.



Since I am also a co-founder of the organization where I work, from time to time I have to sign various documents from the banks we work with: now we are taking out a loan, now I need to submit a tender application, and so on. The ordinary life of an ordinary LLC.



And so, yesterday they brought me another document to sign: a consent to the processing of personal data from one local bank. At first I signed it on autopilot, and then decided to read it after all. I am a programmer, after all, and a specialist, including in the protection of personal data. What I read left me in considerable shock.



Under the cut, we will look at what is wrong with the consent and why it is illegal.



The consent text begins with the words:

My consent is given for the purpose of concluding any agreements with the Bank and their further execution, making decisions or taking other actions that give rise to legal consequences for me or other persons, providing me with information about the services provided by the Bank and applies to the following information: surname, name, patronymic ... and any other information related to my personality that is available or known at any given moment in time to the Bank (hereinafter referred to as “Personal Information”)
Everything is fine here. I give my consent to the processing of any personal data for any purpose. Yeah, right. Here is what Federal Law No. 152-FZ "On Personal Data" tells us about this:

Part 2 of Article 5:

2. The processing of personal data should be limited to the achievement of specific, predetermined and legitimate goals. Processing of personal data that is incompatible with the purposes of collecting personal data is not allowed.

I will not spell it out. People on Habr are smart; you can see for yourselves how the wording of the consent conflicts with the law. And the phrase “any given moment in time” made me stall a little. Although this construction may be fine; if there are philologists here, welcome to the comments.



Moving on. The consent text (spelling and punctuation preserved):

This consent is valid for 5 (five) years after the expiration of the storage period for the relevant information or documents containing the above information, determined in accordance with the legislation of the Russian Federation and contractual relations, after which it can be revoked by sending me a written notice to the Bank at least 3 (three) months prior to the withdrawal of consent.
I am sorry to upset the Bank, but under Part 2 of Article 9 of the same Law on Personal Data, consent may be revoked at any time. And anyway, what kind of nonsense is this: consent can be revoked only after the consent has expired?



The following is a paragraph on the actions that can be performed with my personal data. I will not even quote from there. I think it’s clear that any action can be taken.



Well, the last paragraph is also a masterpiece (spelling and punctuation preserved):

I hereby acknowledge and confirm that, if it is necessary to provide Personal data to achieve the above objectives to a third party ( including a non-credit and non-banking organization ), as well as when involving third parties in the provision of services for these purposes, the Bank transfers its functions and authority to another person, the Bank is entitled to disclose the extent necessary to carry out the above actions information about me personally (including my personal data), such third parties, their agents or other authorized and and persons, as well as to provide such persons, the documents containing such information. I hereby also acknowledge and confirm that this consent is considered to be given by me to any third parties indicated above, subject to relevant changes, and any such third parties are entitled to process Personal data on the basis of this consent.
Just awesome. Not only can the Bank do whatever it wants with ANY of my personal data, it also has the right to transfer it to anyone, in any way, in any amount.



What does the law say?

Part 1 of Article 9:

Consent to the processing of personal data must be specific, informed and conscious.

Sorry, but THIS does not pass for “informed and specific”.



Meanwhile, in our experience, regulators conducting inspections issue a fine for such "consent" right away. In fact, I started signing without looking because I thought such texts had disappeared around 2012, or even earlier. It is sad to see this from a financial organization that probably has a whole bunch of lawyers on staff.



What should you do as an organization? Write a truly specific and informed consent. Formulate clearly and unambiguously the purposes of processing and the specific categories of personal data, which must not be excessive in relation to those purposes. If you plan to transfer personal data to third parties, you will have to put in the effort and name the specific third parties, the specific personal data to be transferred and the specific purposes of such a transfer (it is important to remember that you do not need to list here what you are obliged to transfer under federal laws).



What should you do as a personal data subject if you see such a consent? It all depends on the specific situation. If you refuse to sign the consent, you will most likely be told that in that case they cannot provide you with the service. If you really need the service, sign the consent and get the service, but afterwards you can complain about the violation of the law "On Personal Data", for example, here.



And remember that signing something somewhere does not mean that the Bank or anyone else can then do whatever it wants with your personal data. Any contracts, consents and other documents that directly contradict the current legislation are illegal.



As for this particular story, I have reported it "to the proper place". We are waiting to see how the situation develops. That is actually why we are not disclosing the name of the Bank for now: it might yet change its mind and correct itself. If not, then apparently there will be a second part, a continuation, with the names of the “heroes” announced and the regulators' reaction.


