Personal data processing in a bank


Each time a client contacts a bank, whatever the reason (opening a deposit, making a payment), the client must provide a lot of personal data. The information the bank requires includes not only passport data but also the contacts of close relatives and friends, who often have to act as guarantors. But not everyone thinks about what happens to this information afterwards, whether the bank bears any responsibility for storing it and keeping it confidential, or how personal data (PD) is processed in the bank.

What information is personal data

Federal Law No. 152 "On Personal Data" defines PD as any information relating to a specific person, or subject, who can be identified by this data:

  • date of birth;
  • home address;
  • marital status;
  • income;
  • education;
  • social status;
  • education received;
  • profession, etc.

Almost all banks, when entering into a contract with a client, ask for personal information confirming the client's solvency. The standard data for banks are the full name, birth information, registration, passport data and telephone number. If the contact information of relatives and friends is requested, the bank uses it to check the client and to have contacts through which the client can be reached if he cannot be found directly.

A bank client is entitled to refuse to provide contacts of relatives and friends. This should not in any way affect the bank's decision to satisfy the service request. The borrower must be photographed when applying for a loan. A photo is also taken when a bank card is issued, which makes it possible to identify the client and increases the security of transactions (if, for example, the borrower's passport is stolen).

A photo and a completed customer questionnaire also count as personal information. The banking institution has the right to demand the client's personal data in order to verify the client's reliability and ability to pay off the loan taken.

Processing of personal data in the bank

When a citizen provides PD, the bank must ask him to sign a consent to the processing of his personal data. This consent grants the financial institution the right to perform any actions with the personal information provided by the client, but only within the framework of the legislation in force in the Russian Federation. Such a document guarantees that personal data is protected from illegal actions and is used only for specifically limited purposes.

Data processing is considered to be actions related to:

  • collecting customer information;
  • recording it;
  • systematization;
  • accumulation;
  • storage with updating, modification, clarification;
  • extraction;
  • application;
  • depersonalization;
  • removal;
  • complete destruction.

A banking institution can use PD when the client needs any information, whether at the client's request or on the bank's initiative.

The client has the right to demand that his data be deleted if he terminates the contractual relationship with the financial institution. The bank may store personal information until the end of the period regulated by the Law on Personal Data No. 152 (Art. 5).

The law does not establish a maximum storage period for the information held by the bank, but as a rule it must be stored for 5 years from the date the related obligations are fulfilled or until the client himself withdraws it.

Violations in the processing of personal data in the banking sector

The main violations that are committed in the banking sector are:

  • non-compliance with the requirements to ensure the safety of personal information and its confidentiality;
  • excessive processing of personal data;
  • processing of personal information that does not correspond to the stated purposes;
  • violations when registering consent to the processing of PD with the subject.

Ensuring the correct processing of personal data in banking institutions

The legislation does not contain a list of mandatory regulations that must be drawn up in a bank or in other organizations in order to regulate the PD processing process. But the basic documents for organizing the protection of personal information should be developed and implemented in banking institutions. These documents include:

  • PD processing policy.
  • Regulation on the protection of personal information of employees of the organization.
  • Regulation on the protection of personal information of consumers.

The PD processing policy is a mandatory document in a banking institution. This requirement is set out in Article 18.1 of Law No. 152. In accordance with the recommendations of Roskomnadzor, this document should contain sections describing the purposes and legal grounds for processing, and the volume and categories of processed personal data.

It is important that the Policy describe the procedure and conditions for processing, as well as the procedure for responding to customer requests about the processing of their personal data. Methods of changing, deleting and blocking this information must be indicated.

Most financial institutions draw up separate regulations for processing the personal data of borrowers and policyholders, reflecting the main contentious issues that arise in banking practice.

In addition, banks must develop other internal documents:

  • job description for the person responsible for the processing of personal data in a financial institution;
  • list of information systems used to process personal information;
  • the scheme of access to the rooms in which the servers processing PD are installed, indicating the names and positions of employees who have access to these premises;
  • scheme of access to information systems that process personal data, with a list of persons who are allowed access;
  • a model of threats to the security of personal information during its processing in personal data information systems.

A banking organization must also have orders signed by the general director or another authorized person on the appointment of persons responsible for processing personal data in the company.

How to withdraw consent to the processing of personal data

The client can at any time submit an application to the bank to withdraw consent to the processing of his personal data. In addition, consent can be revoked in the following cases:

  • if the obligations to the bank are fully paid off, but offers and mailings from the bank continue to arrive by e-mail and telephone;
  • if there is a loan debt that the bank is going to transfer to collectors;
  • in case of a change of place of residence and work.

An application for withdrawal of consent to the processing of personal data does not have a strict form, but there are certain requirements that it must meet:

  • the header of the form must contain the name of the banking organization and its details with the address;
  • below it, information about the client on whose behalf the application is being drawn up;
  • the title of the document (statement);
  • it is advisable to cite the relevant legal provision in the text (FZ-No. 152, art. 9, paragraph 2), indicating the reason for revoking the PD;
  • at the bottom of the sheet, the applicant's contacts, signature with printed name, and the date the document is filed.

The application can be submitted in person or sent by mail to the address of the branch where the client is served, as well as to the legal address of the banking organization.

To have the application processed faster, attach a copy of the passport and of the contract pages. When you visit the bank in person with an application, you must present your passport.

If the applicant has a loan from a bank, the financial institution does not have the right to disclose customer data, but is entitled to change and process it while the loan agreement is in force. In this case, it is impossible to revoke your personal data, but you are allowed to contact the bank and ask that PD not be transferred to collectors.

Disclosure to third parties

The Law on Personal Data, in particular Article 7, states that persons who have gained access to citizens' personal information do not have the right to transfer it to third parties. They also do not have the right to disseminate personal information without the personal permission of the bank's client.

When transferring a debt to a collection service, the bank also has to disclose the debtor's personal data. Such actions by the creditor are illegal, and the bank is liable for them. For example, the bank will have to compensate the client for moral damage.

If the loan agreement contains conditions granting the bank the right to transfer the debt to third parties (a collection agency), then the bank's actions cannot be considered illegal. The consent of the debtor does not need to be obtained.

The transfer of information to third parties is legal when there is a court decision to recover the debt from the bank's client under a completed loan agreement. This requirement is set out in article 44, part 1 of the Code of Civil Procedure of the Russian Federation.

Any personal information provided by customers to banks and other official institutions is extremely valuable, so the question of its safety, storage and transfer is an acute one. Given the increasing frequency of fraud, citizens' mistakes when providing personal data to banks, and operators' mistakes when working with personal information, it is important for the parties to know the requirements of the law and comply with them.