162 Russian Banks Violate Personal Data Law, Reveals Report

Most Russian banks do not comply with the key requirements of Federal Law No. 152-ФЗ on Personal Data in their user agreements, according to a study by B-152 as reported by Vedomosti.

The study found that 55% of banks, or 162 out of 324 banks in Russia, do not state the specific purposes for which they collect and process customers' personal data, which has been mandatory since September 1, 2022. These purposes can include informing customers about bank services, making lending decisions, issuing bank guarantees, conducting internal audits, and more.

Furthermore, 10% of banks do not have a confidentiality policy on their website, and in two banks, this document dates back to 2011.

Under the law, the policy for processing personal data should now be placed on all pages of the website where data is collected. This also includes cookies and other user identifiers, as they can theoretically be used to determine specific individuals. However, the study found that only 6.5% of banks provided appropriate information about the processing of cookies.

B-152 emphasized that policies need to be updated when the legislation is amended and when a company's personal data processing changes. Roskomnadzor (RKN) has the authority to conduct audits in cases where there are three non-compliances of the processing policy with the requirements of the regulator.

Roskomnadzor said that over the past nine months, 4000 requirements were sent to companies to align their personal data processing policies with the law. While most of these requirements were fulfilled, approximately 100 cases of administrative offenses were recorded.

The Privacy Policy should be compiled in a way that is easily understandable to clients. It should state what data is required by the organization (in this case, the bank), the purpose of collecting the data, how it is collected, and the legal grounds for processing. However, many policies were found to be lengthy and complex and to contain direct quotes from legislation, making it difficult for clients to understand the document. Some of these documents ran to more than 180,000 characters.

The RKN emphasized that this study further highlights the need to increase the protective role of the state, establish stricter requirements for operators, and assess the necessity and conformity of data collection and processing activities.
