Detailed information on the terms and conditions of personal data processing in accordance with GDPR*
1. General information
Sberbank (Russia, Moscow, 117997, 19 Vavilova Street) (hereinafter, the Bank/Sberbank) hereby informs personal data subjects located in the European Union or whose personal data have been obtained from the European Union in relation to the goods or services offered to them by the Bank, or whose behavior in the European Union may be monitored by the Bank (hereinafter referred to as the “Data subjects”), about their rights, as well as the terms and conditions of personal data processing applied by Sberbank in accordance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as “GDPR”).
2. What personal data we process
As part of providing banking services, interaction with customers, counterparties and public authorities of the Russian Federation, as well as employment, the Bank can process various categories of personal data of individuals if the legislative requirements for their processing are met. Categories of personal data to be processed may include the following:
- General information about the subject (such as full name, contact details, passport data, etc.)
- Financial standing (such as credit history, income, assets possessed, etc.)
- Social standing (such as job, education, family, etc.)
- The information collected and accumulated by the Bank during provision of services for the data subject, including the information about the history of using the Bank’s products and services
- Photos and/or videos
- Information on the actions on websites and in mobile applications of the Bank, as well as data about the devices used (such as geolocation, IP addresses, cookies, information on transactions, etc.)
- Special categories [1] of personal data (race, nationality, political views, religious or philosophical belief, health) and biometric data.
3. Our sources of personal data and the purpose of personal data processing
The Bank obtains personal data of data subjects strictly for achieving the predefined purposes or meeting legislative requirements in various ways, including:
- Directly from potential or existing customers of the Bank, their representatives, intermediaries, associated persons, sureties or via third parties in order to conclude contracts, for further communication, information and provision of banking services
- Directly from the employees of the Sberbank Group, their close relatives, individuals who have concluded a civil law contract with the Bank or who are members of the management bodies of the Bank, for the purpose of personnel record keeping and/or for the purpose of recruitment and selection of job seekers for vacant positions and/or for corporate phonebook keeping and/or for administration and business activity
- Directly from the candidates for the vacant positions or from external employment agencies for the purpose of recruitment and selection of candidates for vacant positions
- From public authorities and organizations to meet legislative requirements
- By means of collection and accumulation of new personal data during interaction with the data subject (products, transactions, recurrence history), during the use of the websites and mobile applications of the Bank by the personal data subjects (geolocation data, IP addresses, actions on the websites and applications) or by lawfully obtaining the above-mentioned data from third parties in order to improve the quality of services and of the advice given to potential and existing customers, and to form marketing offers
- From freely accessible sources to gain knowledge about the data subject in order to form personalized offers.
The Bank processes the data subject’s personal data only if one of the following conditions is met:
- The data subject has given consent to the processing of his or her personal data for one or more specific purposes
- The processing is necessary for carrying out a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract
- The processing is necessary for meeting the Bank’s legal obligations
- The processing is necessary in order to protect the vital interests of the data subject or of another natural person
- The processing is necessary to perform the tasks in the interests of the state
- The processing is necessary for the purpose of securing legitimate interests of the Bank or of a third party, except for the cases where such interests contradict the interests or basic rights and freedoms of the data subject, which require personal data protection, for instance, if the data subject is a child.
With the written consent of the data subject, the Bank can use the personal data obtained to make decisions based solely on automated data processing.
4. How long we store your data
Personal data shall be stored no longer than is necessary for the personal data processing purposes, unless the storage period is stipulated by a federal law or by an agreement to which the personal data subject is a party, a beneficiary or a surety.
5. Which rights you have
Each subject whose personal data is processed by the Bank has rights and freedoms regarding his or her personal data.
Table 1. Rights of a personal data subject
Access to personal data
The data subject has a right to request the confirmation of his or her personal data processing. In case of such processing the data subject has a right to familiarize himself or herself with the personal data being processed, as well as with information about the purposes of processing, the categories of data being processed, the actions with the data, the receivers of the data and the guarantees when the data is transferred to third parties, the period of processing, the sources of the data, and whether decision-making is fully automated. The data subject also has a right to obtain the list of the personal data being processed.
Changes in the personal data
The data subject has a right to demand changes in his or her personal data if there are inaccuracies in personal data processed by the Bank. Taking into account the purposes of data processing, the data subject has a right to supplement the personal data, including by submitting an additional application.
Personal data processing limitations
The data subject has a right to initiate limitations on processing of all or a part of his or her personal data if one of the following conditions is met:
- the accuracy of personal data is being contested by the data subject (limitation for the period necessary for the Bank to confirm the accuracy of the personal data)
- unlawful personal data processing has been revealed, and the data subject opposes deleting the personal data and demands limiting the use thereof instead
- the Bank no longer needs the personal data for the purposes of processing, but the data subject needs the personal data for the purpose of substantiation, performance or as part of legal proceedings
- the data subject opposes his or her personal data processing (limitation for a period necessary for the Bank to confirm whether the Bank’s legal grounds for personal data processing prevail over the lawful claims of the data subject).
Deletion of personal data
The data subject has a right to demand deletion of his or her personal data from the systems of the Bank and/or other existing tangible media, if one of the following conditions is met:
- the personal data is no longer required for the purposes for which they have been obtained
- the data subject withdraws the consent on the basis of which the processing has been carried out, if there are no other legal grounds for processing
- the data subject opposes his or her personal data processing (if there are no prevailing legal grounds for the personal data processing)
- the personal data is being processed unlawfully
- the personal data must be deleted to ensure compliance with a legal obligation in accordance with legislative requirements
- at the moment of personal data collection the personal data subject is a juvenile citizen, and the data has been obtained with the consent from his or her legal representative for the provision of services using remote service channels (information society services) directly for the juvenile person.
The data subject has a right to demand the list of his or her personal data provided to the Bank for the processing thereof in a structured, uniform and machine-readable format, and to instruct the Bank to transfer his or her personal data to a third party if the Bank has the technical possibility to do so. In this case the Bank shall not be responsible for further actions of a third party related to the personal data.
Opposing personal data processing
The data subject has a right to oppose processing of all or a part of the list of his or her personal data for the purposes indicated when the personal data was provided for the Bank, except for the cases where the legal grounds for personal data processing prevail over the interests, rights and freedoms of the data subject or where the processing of the personal data is necessary for substantiation, execution or defense in legal proceedings.
Refusal to carry out marketing activities
The data subject has a right to demand to limit his or her personal data processing for the purpose of marketing activities carried out by the Bank.
Bringing a complaint to the national supervisory authority, at the address of permanent residence in the EU.
The data subject has a right to bring a complaint to the supervisory authority if the Bank in any way violates his or her rights in relation to personal data processing.
If a request for limitation of personal data processing, for deleting the personal data or opposing the processing thereof is submitted to the Bank by the data subject being a potential customer of the Bank, the Bank has a right to refuse to provide banking services to the personal data subject.
If the data subject, being a party to the contract with the Bank or being a beneficiary/surety thereunder, submits a request for limitation or deletion of the personal data, or opposes the use thereof or withdraws the consent given earlier, the Bank has a right to continue to process his or her personal data until compliance with the terms and conditions of the existing agreements and compliance with the legislative requirements is ensured.
6. To whom we can transfer your personal data (including transfer across the border)
In accordance with the predefined purposes and legislative requirements the Bank can transfer personal data to the following categories of third parties:
- subsidiary banks and companies within the Bank’s group of companies
- external counterparties
- public authorities or other bodies to ensure compliance with legislative requirements.
Transfer of personal data across the border to the states that do not ensure adequate protection of personal data subjects’ rights shall be carried out strictly with the consent from the data subject and/or for the purpose of performance of a contract and/or for the purpose of compliance with legislative requirements.
For the purpose of transfer of personal data to third parties located outside the countries that are parties to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, as well as outside the countries which ensure adequate personal data protection, contracts are concluded with the corresponding third parties (where applicable in accordance with applicable legislation on personal data protection), containing “Standard contractual clauses” (SCC), which guarantee the compliance with the rights and freedoms of personal data subjects. The list of third parties and of the personal data transferred to them may be requested from the Responsible manager for the organization of processing and protection of personal data in the Bank.
Terms and definitions
A cookie is a small fragment of data which the website requests from the browser used on your PC or mobile device. Cookies reflect your actions or preferences. Cookies are stored locally on your PC or on a mobile device. The users can delete saved cookie files at their own wish.
Table 2. Description of cookies.
Types of cookies
The data about interaction of the user with the website: usually the session identifier is stored, which allows the user to move from page to page without reauthentication on the website. The browsers usually delete session cookies after the user closes the browser window.
Session cookies help us to improve our products and to make your work on our website more convenient.
The cookies which are stored on a user’s PC and which are not deleted after closing a browser. Permanent cookies can save information about the user’s settings for a particular website, allowing the use of these preferences in further sessions.
Permanent cookies can be used by a website to analyze users’ behavior on the website, as well as to provide information on the number of visitors, on the average time spent on a particular page, and usually on the performance of the website.
Purposes of cookies collection
Cookies, information about users’ actions on the website, information about the user’s equipment, and the date and time of the session are processed by the Bank (including by using Yandex.Metrika, Google Analytics, Firebase Google, Tune, Amplitude, Segmento) in order to improve the functioning of the website. The data on users’ actions is processed to improve the products and services of the Bank, determine a user’s preferences, and provide targeted information on the products and services of the Bank and the Bank’s partners.
After switching off the use of cookies in a browser, a user may find that some sections of the Bank’s website do not work properly.
The instructions on managing cookies can usually be found in the help service of the browser (Help option).
8. How to contact us if you have questions related to personal data processing
If a data subject has any questions, suggestions or intends to exercise one or more rights of the data subject with regard to personal data processing, the data subject can contact the Bank using the following contact details:
- Address: Russia, Moscow, 117997, 19 Vavilova Street
- Email: email@example.com;
- Tel.: +7 (495) 665-56-00 ext. 48-133.
THE BANK’S REPRESENTATIVE in the European Union
- Name: Sberbank Europe AG
- Address: Vienna, Austria, 1010, 3 Schwarzenbergplatz
- Email: firstname.lastname@example.org
- Phone number: +43 (0)1 22732-0.
THE RESPONSIBLE MANAGER FOR THE ORGANIZATION OF PERSONAL DATA PROCESSING AND PROTECTION
(Data Protection Officer)
- Email: email@example.com
- Tel.: +7 (495) 665-56-00 ext. 48-133.
You can find more detailed information on the contact details on the website of the Bank: www.sberbank.ru.
[1] The Bank may process special categories of personal data only with a written consent from the data subject to processing of the personal data.