In December 2021, one of the three largest banks in our country conducted a campaign through which, as stated in the official announcement, for each digitally submitted statement of consent for the use of personal data for direct marketing, the bank will provide one seedling for the afforestation of the Maleshevo region, which was destroyed by fires this summer.
The announcement says that by participating in afforestation the environmental awareness of the citizens is encouraged, and with their digitally given statement of consent they avoid using paper forms.
The announcement also said that the promotional campaign is in line with the Law on Personal Data Protection.
However, the campaign through which participants allow the use of their data for the direct marketing is designed to be confusing both in terms of communication and in terms of consistent respect of the right to consent to the processing of personal data.
According to the bank, the procedure for participation is simple, but if someone wants to participate, they will realize that it is not exactly a one-click procedure.
Elena Stojanovska, personal data protection expert, with whom the editorial office of Meta.mk analyzed the campaign, says that the first information indicates that with each given consent for direct marketing, the client participates in afforestation, which in a way gives the feeling that we “trade” our data for some other purpose, not just to obtain information from the bank.
Furthermore, after the first click on the bank’s website to find out more, the next information is that we give our consent to receive personalized offers, tailored-made to us and our interests.
“This means that it is not just direct marketing but also profiling. According to the Law on Personal Data Protection, it is not allowed to perform direct marketing and profiling with one given consent. A client may want to receive news messages, but they do not want their transactions to be monitored to assess where they spend the most, with what dynamics they spend and the like,” said Stojanovska.
According to her, the next controversial moment is the information that we will receive messages on all communication channels that the bank has for us, which is also contrary to the Law on Personal Data Protection.
Stojanovska clarified that the client must have a choice on which communication channel they wish to receive messages for direct marketing (SMS, Viber, email.), and not to receive messages on all possible channels and devices they use by default.
“The method of giving consent is problematic because it leaves no room for choice, and this must not be the case when the only basis for processing personal data is the consent of the client. Namely, the data that the bank requests in the form for submitting the consent are the personal identification number, the last 4 digits of the card, the month and year of expiration, and the mobile phone number, which is a volume of data that does not correspond to the goal, if the goal is only direct marketing, Stojanovska explains.
Considering that the client can withdraw the consent at any time, and the bank is obliged immediately after the withdrawal to delete the client’s data and terminate that processing, such a set activity of the bank, according to Stojanovska, will inevitably cause inconvenience.
“The client may not want to be profiled, but they will still want to get general information from the bank. However, they will not be able to receive such information because the consent set up in this way refers to both direct marketing and profiling. The bank must regulate the consents as it is prescribed by law, and after doing so, make changes in the part of the Privacy Policy and set a template with which customers can request withdrawal of the consent,” Stojanovska concludes.
