How not to give consent to the processing of personal data

And what kind of consent is not worth signing.

Good day, Habr!

This article was born completely spontaneously from the following story.

Since I am also a co-founder of the organization I work for, from time to time I have to sign various documents from the banks we work with: sometimes we take out a loan, sometimes I need to provide a tender application, and so on. The ordinary life of an ordinary LLC.

And so, yesterday they brought me another document to sign: a consent to the processing of personal data from one local bank. At first I signed it on autopilot, but then I decided to read it after all. I am, after all, a specialist, including in the protection of personal data. What I read left me in quite a shock.

Below the cut, we will look at what is wrong with this consent and why it is illegal.

The consent text begins with the words:

I give consent for the purpose of concluding with the Bank any contracts and their further execution, decision-making or commission other actions that give rise to legal consequences regarding whether I am of other persons, providing me with information about the services provided by the Bank and applies to the following information: last name, first name, middle name … and any other information related to my personality, accessible or known at any particular moment in time to the Bank (hereinafter referred to as “Personal Data”)

Everything is just lovely here. I give my consent to the processing of any personal data for any purpose. Yeah, right. Here is what Federal Law No. 152-FZ "On Personal Data" tells us about this:

Part 2 of Article 5:
2. The processing of personal data should be limited to achieving specific, predefined and legal goals. Personal data processing incompatible with the purposes of collecting personal data is not allowed.

I will not spell it out. People on Habr are smart; you can see for yourselves how the wording of the consent conflicts with the law. The phrase “any particular moment in time” also left me a little stumped. Though perhaps this construction is fine; if there are philologists here, you are welcome to comment.

Let us go further. Consent text (spelling and punctuation preserved):

This consent is valid for 5 (five) years after the expiration of the storage period for the relevant information or documents containing the above information, determined in accordance with the legislation of the Russian Federation and contractual relations, after which it can be recalled by sending me the corresponding written notice to the Bank at least 3 (three) months before the withdrawal of consent.

I am sorry to upset the Bank, but under Part 2 of Article 9 of the same Law on Personal Data, consent may be revoked at any time. And in general, what kind of nonsense is this: consent can be revoked only after the expiration of the consent?

Next comes a paragraph on the actions that can be performed with my personal data. I will not even quote from it. I think it is clear that any action can be taken.

And the last paragraph is also a masterpiece (spelling and punctuation preserved):

I hereby acknowledge and confirm that if it is necessary to provide Personal Data to achieve the above objectives to a third party (including non-credit and non-banking organizations), as well as when attracting third parties to provide services for these purposes, transferring the Bank's functions and powers to another person, The Bank is entitled to the necessary amount to disclose information about me personally (including my Personal Data) for such actions to third parties, their agents and other persons authorized by them, as well as provide such persons with relevant documents containing such information. I hereby also acknowledge and confirm that this consent is considered as given by me to any third parties above, subject to relevant changes, and any such third parties are entitled to the processing of Personal Data on the basis of this consent.

Just awesome. Not only can the Bank do what it wants with my ANY personal data, it also has the right to transfer it to anyone, any way, in any amount.

What does the law say?

Part 1 of Article 9:
Consent to the processing of personal data must be specific, informed and conscious.

Sorry, but THIS does not pass for “informed and specific”.

Meanwhile, in our experience, regulators issue a fine for such "consent" right away during inspections. In fact, I started signing without looking, thinking that such texts had disappeared somewhere around 2012, or even earlier. It is sad to see this from a financial organization that surely has a whole bunch of lawyers on staff.

What should you do as an organization? Write a truly specific and informed consent. State clearly and unambiguously the purposes of processing and the specific categories of personal data, which must not be excessive for those purposes. If you plan to transfer personal data to third parties, you will have to sweat a little and indicate the specific third parties, the specific personal data to be transferred and the specific goals of such a transfer (it is important to remember that you do not need to indicate here what you must transfer in accordance with any federal laws).

What should you do as a subject of personal data if you see such a consent? It all depends on the specific situation. If you refuse to sign the consent, you will most likely be told that in this case they will not be able to provide you with the service. If you really need the service, sign the consent and get the service, but afterwards you can complain about the violation of the law "On Personal Data", for example here.

And remember that if you signed something somewhere, this does not mean that the Bank or anyone else can then do whatever it wants with your personal data. Any contracts, consents and other documents that directly contradict the current legislation are illegal.

As for this specific story, I have reported it "where necessary". We are waiting to see how the situation develops. That is why we are not disclosing the name of the Bank for now: what if it changes its mind and corrects things? If not, then apparently there will be a second part, a continuation, including the names of the “heroes” and the reaction of the regulators.
