According to the bank, the procedure for participation is simple, but if someone wants to participate, they will realize that it is not exactly a one-click procedure.
Elena Stojanovska, personal data protection expert, with whom the editorial office of Meta.mk analyzed the campaign, says that the first information indicates that with each given consent for direct marketing, the client participates in afforestation, which in a way gives the feeling that we “trade” our data for some other purpose, not just to obtain information from the bank.
Furthermore, after the first click on the bank’s website to find out more, the next information is that we give our consent to receive personalized offers, tailor-made to us and our interests.
“This means that it is not just direct marketing but also profiling. According to the Law on Personal Data Protection, it is not allowed to perform direct marketing and profiling with one given consent. A client may want to receive news messages, but they do not want their transactions to be monitored to assess where they spend the most, with what dynamics they spend and the like,” said Stojanovska.
According to her, the next controversial moment is the information that we will receive messages on all communication channels that the bank has for us, which is also contrary to the Law on Personal Data Protection.
Stojanovska clarified that the client must have a choice on which communication channel they wish to receive messages for direct marketing (SMS, Viber, email), and not receive messages on all possible channels and devices they use by default.
“The method of giving consent is problematic because it leaves no room for choice, and this must not be the case when the only basis for processing personal data is the consent of the client. Namely, the data that the bank requests in the form for submitting the consent are the personal identification number, the last 4 digits of the card, the month and year of expiration, and the mobile phone number, which is a volume of data that does not correspond to the goal, if the goal is only direct marketing,” Stojanovska explains.
Considering that the client can withdraw the consent at any time, and the bank is obliged immediately after the withdrawal to delete the client’s data and terminate that processing, such a set activity of the bank, according to Stojanovska, will inevitably cause inconvenience.