How SberBank processes your data and why

The protection of clients' personal data is our priority. Find out why and on what grounds SberBank collects and processes personal data.
Confidentiality policy (privacy notice)

SberBank takes confidentiality and security of information very seriously. Protection of your personal data¹ is among our key priorities.

In order to respect your rights and freedom related to the protection of your personal data, we developed this Confidentiality Policy, which describes the grounds and purposes of personal data processing.

General information
SberBank (Russia, Moscow, 117997, 19 Vavilova Street) (hereinafter, the Bank/SberBank) hereby informs individuals located in the European Union or whose personal data have been obtained from the European Union in relation to the goods or services offered to them by the Bank, or whose behavior in the European Union may be monitored by the Bank (hereinafter, the “Data Subjects”), about their rights, as well as the terms and conditions of personal data processing in accordance with the requirements of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR).
Terms and conditions of personal data processing in SberBank
As part of its activities, the Bank processes various categories of personal data. This section is about how and on what grounds SberBank processes your personal data, and the rights you have in relation thereto. 
Lawfulness of personal data processing

SberBank processes your personal data in strict compliance with the legislation. Personal data may be processed in the following cases:

1. The data subject has given an explicit consent to the processing of his/her personal data for one or more specific purposes*;

2. The processing is required for the carrying out of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract;

3. The processing is required for the Bank’s meeting of its legal obligations;

4. The processing is required for protecting the vital interests of the data subject or another natural person;

5. The processing is required for performing tasks in the interests of the state;

6. The processing is required for the purpose of securing legitimate interests of the Bank or of a third party, except for the cases where such interests contradict the interests or basic rights and freedom of the data subject, which require personal data protection, for instance, if the data subject is a minor.

*With the written consent of the data subject, the Bank can use the personal data obtained to make decisions based on automated data processing only (for example, to make decisions on granting loans).

What personal data do we process and what for?

As part of its activities, the Bank processes personal data of various categories. The list of personal data being processed contains, amongst others, the following data categories / the following information:

1. General information about the subject (e.g. full name, contact details, passport data, citizenship, etc.);

2. Financial standing (e.g. credit history, income, assets possessed, etc.);

3. Social status (profession, time in employment, education, family status, etc.);

4. The information collected and accumulated by the Bank during the provision of services to the data subject, including the information about the history of using the Bank’s products and services;

5. Photos and/or videos;

6. Information on the actions on websites and in mobile applications of the Bank, as well as data about the devices used (such as geolocation, IP addresses, Cookies, information on transactions, etc.);

7. Special categories¹ of personal data (health-related data), and biometrics².

We collect and process personal data for explicit purposes, including the following:

1. Conclusion of any agreements and their further performance with natural persons (e.g. the provision of banking services);

2. Performance of bank operations and transactions;

3. The Bank’s holding of promotions, surveys, studies;

4. Provision of information on the services rendered by the Bank, the Bank’s development of new products and services;

5. Notification of clients about offers of the Bank’s products and services;

6. Formation of statistical reports;

7. Attraction and selection of candidates for employment with the Bank;

8. Regulation of employment relations and other directly related relations;

9. The Bank’s performance of obligations stipulated by employment legislation, social welfare and security laws; 

10. Detection of fraud, theft of money from accounts and other unlawful acts, and prevention of such unlawful acts in future;

11. Interaction with clients, counterparties and state / supervisory authorities. 

1. The Bank may only process special categories of personal data and biometrics with the written consent from the data subject to processing of their personal data.

2. Biometrics mean personal data obtained through special technical processing which relate to the physical, physiological or behavioural characteristics of a natural person and which make it possible to unambiguously identify this natural person or confirm their identity, for example, a facial image or dactyloscopic data (Article 4(14) GDPR). Biometrics are processed when the processing is required for the purposes of complying with labor law, social welfare and safety law, in order to ensure the safety of the Bank’s employees and visitors, and in other cases stipulated by the law.

How do we collect personal data?

The Bank obtains personal data of the subjects strictly for achieving the predefined purposes or for compliance with legal requirements, in various ways, including:

  • directly from potential or current clients of the Bank (their representatives, intermediaries, sureties) or via third parties;
  • directly from employees from Sberbank’s Group of Companies, their close relatives, natural persons who have concluded civil contracts with the Bank or who are members of the Bank’s management bodies;
  • directly from candidates to positions or from external recruiting firms;
  • from state authorities and organizations;
  • by means of collection and accumulation of new personal data during interaction with the data subject (products, transactions, recurrence history), during the use of the websites and mobile applications of the Bank by the personal data subjects (geolocation data, IP addresses, actions on the websites and applications) or by lawfully obtaining the above-mentioned data from third parties;
  • from publicly available sources.
How long do we keep your personal data?
SberBank retains personal data of data subjects for no longer than is required in accordance with the purposes of personal data processing. The storage period may be established by the law or set forth by the consent provided to the Bank by the personal data subject. Upon the expiration of the storage period, the personal data must be destroyed or anonymized.
Your rights
We respect your rights and aim to make sure that you are aware of your rights. Every data subject whose personal data is being processed by the Bank has the following rights:

Access to personal data

The data subject has the right to request the confirmation of his or her personal data processing. In case of such processing the data subject has the right to familiarize himself or herself with the personal data being processed, as well as with information about the purposes of processing, the categories of data being processed, the actions with the data, the receivers of the data and the guarantees when the data is transferred to third parties, the period of processing, the sources of the data, and whether decision-making is fully automated. The data subject also has the right to obtain the list of the personal data being processed.   

Form of consent to personal data processing

In those cases when the Bank uses the consent of a data subject as a basis for processing their personal data, the data subject has the right to revoke the consent at any time. Each consent to personal data processing granted by a data subject to the Bank stipulates its revocation procedure: if they want to revoke any of the consents granted to the Bank, the data subject has the right to apply the procedure stipulated in the relevant consent.

Changes in the personal data

The data subject has the right to demand changes in their personal data if there are inaccuracies in the personal data being processed by the Bank. Taking into account the purposes of data processing, the data subject has the right to supplement the personal data, including by submitting an additional application. 

Personal data processing limitations

The data subject has the right to initiate limitations on processing of all or a part of their personal data if one of the following conditions is met:

  • the accuracy of personal data is being contested by the data subject (limitation for the period necessary for the Bank to confirm the accuracy of the personal data);
  • unlawful personal data processing has been revealed, and the data subject opposes deleting the personal data and demands limiting the use thereof instead;
  • the Bank does not need the personal data for the purposes of processing any more, but the data subject needs the personal data for the purpose of substantiation, performance or as part of legal proceedings;
  • the data subject opposes their personal data processing (limitation for a period necessary for the Bank to confirm whether the Bank’s legal grounds for personal data processing prevail over the lawful claims of the data subject).

Deletion of personal data

The data subject has the right to demand the deletion of their personal data from the Bank’s systems and/or other existing tangible media, if one of the following conditions is met:

  • the personal data is no longer required for the purposes for which they have been obtained;
  • the data subject withholds the consent on the basis of which the processing has been carried out, if there are no other legal grounds for processing;
  • the data subject opposes their personal data processing (if there are no prevailing legal grounds for the personal data processing);
  • the personal data is being processed unlawfully;
  • the personal data must be deleted to ensure compliance with a legal obligation in accordance with legislative requirements;
  • at the moment of personal data collection the data subject is a minor citizen, and the data has been obtained with the consent from their legal representative for the provision of services using remote service channels (information society services) directly for the minor person. 

Data portability

The data subject has the right to demand the list of their personal data provided to the Bank for the processing thereof in a structured, uniform and machine-readable format, and to instruct the Bank to transfer their personal data to a third party if the Bank has the technical possibility to do so. In this case the Bank shall not be responsible for further actions of a third party related to the personal data.

Opposing personal data processing

The data subject has the right to oppose processing of all or a part of the list of their personal data for the purposes indicated when the personal data was provided to the Bank, except for the cases where the legal grounds for personal data processing prevail over the interests, rights and freedoms of the data subject or where the processing of the personal data is necessary for substantiation, execution or defense in legal proceedings.

Refusal to carry out marketing activities

The data subject has the right to demand to limit their personal data processing for the purpose of marketing activities carried out by the Bank.  

Filing complaints with a national supervisory authority

The data subject has the right to file a complaint with a supervisory authority in case the Bank somehow violates their rights in relation to personal data processing.
The complaint may be filed to the supervisory authority of a country of the subject’s permanent residence in the EU, the country of their work, or the country in which the subject believes their rights have been violated. 
In order to find the relevant supervisory authority to file the complaint with, you can use the list on the website of the European Data Protection Board at link.

Do we transfer your personal data to anyone?

In accordance with the predefined purposes and legislative requirements, the Bank can transfer personal data to the following categories of third parties:

  • subsidiary banks and companies within the Bank’s group of companies;
  • external counterparties;
  • public authorities or other bodies to ensure compliance with legislative requirements.
Security guarantee in case of cross-border transfer of data

To transfer personal data to third parties located in the countries that do not ensure an adequate protection of personal data as defined in GDPR, agreements are concluded with relevant third parties containing Standard Contractual Clauses (SCC) adopted by the European Commission or the supervisory authority and approved by the European Commission, which guarantee the observance of the rights and freedoms of personal data subjects. 

The list of third parties and the personal data transferred to them, and copies of the applied SCCs in such agreements may be requested from the manager responsible for the organization of processing and protection of the Bank’s personal data.

How to contact us

If you have any questions related to the processing of your personal data or the exercise of the rights of the subject of personal data, please contact us using one of the methods indicated at the bottom of the page. The term for responding to requests from subjects of personal data is 1 month.

Responsible for organizing the processing and protection of personal data (Data Protection Officer)

Email: pdn-org@sberbank.ru

Phone: +7 495 665-56-00 ext. 48-133

1. Personal data means any information related to a physical person that makes it possible to establish their identity. Personal data may include surname, name, patronymic, telephone number, postal address, passport data, information about education, income, previous workplaces, an online identifier, cookies, location, and other information.

Cookies usage policy

This section provides information on how SberBank processes the data collected during the visitors’ usage of our website. By continuing to use this website, you grant your consent to the processing of your Cookies. You can reject the processing of your Cookies, but your rejection may influence the correct functioning of our website.

What are Cookies?
Cookies are small fragments of data which a website requests from the browser used on your PC or mobile device. Cookies reflect your preferences or actions on the website. Cookies are stored locally on your PC or mobile device. If you wish, you can delete the stored Cookies in the settings of your browser.
How do we use your Cookies?

Cookies (information about the user’s actions on the website and about the user’s device, date and time of the session) are used by the Bank to improve the functioning of the website. 

Information on the actions of the website users is processed in order to improve the Bank’s products and services, identify user preferences, and provide targeted information on the products and services of the Bank and the Bank’s partners.

How do we process your Cookies?
Our website processes the obtained data, amongst others, by using metrics programs Yandex.Metrika, Analytics, Firebase Google, Tune, Amplitude, Segmento.
What types of Cookies do we use?

Session

These Cookies exist only in temporary memory while the user stays on any page of the website. Browsers usually delete session Cookies after you close the browser window. Session Cookies allow the website to remember your choice on the previous site in order to avoid the re-entering of information.

Permanent

These are the Cookies which are stored on your PC and which are not deleted after closing the browser. Permanent Cookies save information about user settings for a particular website, allowing the use of these preferences in further sessions.
Such Cookies identify you as a unique user of the website, and when you return, they help recall information about you and the previous actions you have taken.

Statistical

These Cookies include information about how you use this website, for example, what pages you go to and what links you use. The main purpose of these Cookies is to improve the website functions.

How to reject the processing of Cookies?
You can opt out of the processing of cookies in your browser settings. In this case, our site will only use those cookies that are strictly necessary for the functioning of the site and the services it offers.

Dear Customers,

Sberbank provides the necessary level of security for transactions in remote banking channels. The security of our systems is continuously improved, dealing with current risks and threats. However, any protection methods will be powerless if you do not observe the basic rules of security:

Measures of Information Security for Sberbank Online

1. Do not enter your password to cancel or annul transactions. Passwords for cancellation or annulment of operations may be requested only by fraudsters. Sberbank employees never call clients and ask them to cancel or annul operations.

2. Do not enter your phone number, passport number or other data to confirm operations or to log on to Sberbank Online.

3. Read text messages carefully and always verify the details of operations. If you receive a message with an operation that you have not made, under no circumstances enter your password.

Security Measures for ATMs and Self-Service Terminals

1. When performing transactions with your PIN code, ALWAYS cover the keyboard, for example, with your other hand. This will prevent fraudsters from seeing your PIN code or recording it with a video camera.

2. Card locks to special premises with ATMs installed should not require your PIN code.

3. Before conducting any transaction with an ATM, inspect the surface over the PIN keyboard and the card slot. These places should not have any objects attached or advertising brochures.

Security Measures for Mobile Application

1. Use only the official applications of the Bank available on the AppStore. Make sure the developer is Sberbank of Russia.

2. Do not crack your phone (e.g., via Jailbreaking) as this disables protection mechanisms installed by the mobile platform manufacturer. As a result, your phone becomes vulnerable to software viruses.

3. Do not use your mobile phone to access the full version of online banking, as there are other applications specifically designed by the bank for this purpose.

Security Measures for Mobile Bank

1. If you lose your mobile phone (device) with the Sberbank Online application installed or with Mobile Bank service enabled, immediately contact your mobile operator to lock the SIM card and the Bank's Contact Centre to suspend the Mobile Bank service and/or Sberbank Online.

2. If you change your phone number with Mobile Bank enabled, contact any internal unit of the Bank to disable the Mobile Bank service.

3. Install antivirus software on your phone and update it regularly. For the Android platform, we recommend such free applications as DrWeb for Android Light (available for download from Google Play) and Kaspersky Internet Security for Android (trial version available on the company website and also will be available for download from Google Play).

Security Measures for Bank Cards

1. To avoid other people using your card, keep your PIN code separately from the card, do not write the PIN code on the card, do not communicate the PIN code to others (including your relatives), and do not enter the PIN code when using the Internet.

2. Never communicate any details on your card if someone calls you and says that he/she is the representative of a well-known commercial firm, bank, hotel, etc. Such a call may result in unauthorized transactions with your card.

3. Do not follow the advice of third parties and do not accept their assistance when making transactions. If necessary, contact employees at a branch of the bank or call the phone numbers indicated on the back of your card.

Protection from SMS-text and E-mail Fraud

1. When sending any card-related text messages, Sberbank always refers to the customer by name and the message sent on behalf of Sberbank always indicates the last digits of the holder's card number. If you need to contact the Bank, use the phone numbers of its Contact Centre specified on the card, not in the message.

2. Sberbank card-related text messages are sent from a short 900 number (for some regions, they may be sent from such numbers as 9000, 9001, 8632, 6470, SBERBANK). The official phone numbers of the Contact Centre 8-495-500-5550 and 8-800-5555550 are used only for incoming calls to the bank. No text messages are sent from these numbers.

3. In case of any doubt or concern raised by a text message you may have received, please call the Contact Centre of Sberbank immediately, using its official phone numbers specified on the back of the Sberbank card or on the Sberbank website.

Precautions for Loan Repayment

Sberbank of Russia would like to inform you about the activities of a number of companies that are assuming obligations to repay loans received by the customers of the banks (personal loans, car loans, mortgages).

These organisations agree, for a fee (usually determined as a percentage of the loan received), to repay the outstanding balance under the loan agreement on behalf of the person who obtained the bank loan (the borrower). Such organisations have no liability to repay the loan and can stop the repayment at any time. In the event of any overdue debt under the loan, the claims to return it and pay the penalties will be brought by the banks against the borrower.

Sberbank of Russia urges you to exercise caution and does not recommend that you cooperate with such organisations because, instead of receiving questionable benefits, you may incur financial and property losses, as well as see your credit history deteriorate.

Security Measures for Phone Conversations on Sberbank Products and Services

Please note that calls from contact centres with offers of products and services of the Bank can come only from the following numbers, as identified on your phone:

+7 (499) 215-23-98, +7 (499) 681-38-14, +7 (499) 753-30-81, +7 (499) 270-38-77, +7 (499) 951-08-82, +7 (495) 755-51-38, +7 (495) 988-15-69, +7 (499) 652-90-19, +7 (499) 652-90-18, +7 (495) 665-04-37, +7 (495) 665-04-25, +7 (499) 705-79-15, +7 (499) 429-08-18

Want to stop fraudsters tricking people out of their money online?

Participate in Sberbank's social campaign "Sberbank Against Fraudsters".

The fraudulent activities involving unlawful use of Sberbank's name on the Internet have recently reached colossal proportions. In the past month alone, we have identified more than 50 websites that offer to conduct financial transactions allegedly under the brand of the country's most reliable bank. To fight the fraudsters, we have created a special section on our website. Now we'll know who these fraudsters are!

If you find a suspicious website with dubious financial offers, where fraudsters are hiding under the brand of Sberbank, and therefore, unlawfully and illegally using it, and most importantly, misleading consumers, write to us at media@sberbank.ru. And please specify the address of the website: we will include it in the list of fraudulent websites and, thus, help to protect many people from deception.