SEB bank is looking to access its clients' contact lists in the new version of its mobile app, to be released in a few months. Estonia's data protection watchdog says it will look into the legality of the move.
SEB's new mobile banking terms of service, set to take effect on March 1, state that the bank can access contacts data in the client's phone, including phone numbers, street and email addresses of contacts.
According to an excerpt from the new terms of service, the bank will process the data for the purpose of offering its mobile banking service. “Client data includes first and last name, personal identification number, bank account number, cell phone number, as well as data included in the client's contacts list, including phone numbers, street and email addresses etc. of persons on the list,” the bank's website reveals.
If a client does not wish to share their contacts data with the bank, they will not be able to make payments based on mobile numbers using the bank's application.
The terms stipulate, however, that the bank will not collect or keep records of names, addresses and other similar information found in contact lists.
Public relations adviser at the Data Protection Inspectorate Maire Iro said that all manner of processing of personal information can only take place with explicit permission from the person or under the conditions and pursuant to the procedure provided by law, and that the client cannot give the bank the right to use phone numbers, street and email addresses or other personal data of third persons.
“Therefore a service provider asking its client for access to data in their contacts list is not in accordance with the law,” Iro said.
The watchdog plans to contact the bank to ask about planned changes to online and mobile banking and how the bank processes the data. “We will clarify [to the bank] principles of protection of personal information if necessary and conduct supervisory proceedings on these grounds,” she added.
Head of communications at SEB Evelin Allas said that the bank did take data protection requirements into account when developing its application. Allas maintains that new terms of service are needed for the introduction of payments based on cell phone numbers. “Because these payments can only be made between users of the same application, the software needs to verify whether the other side has the necessary app,” she explained.
Allas emphasized that SEB does not process data in the way it is stored in the client's phone, but treats it anonymously, without the part that would allow it to identify persons.
“The bank is asking for access to contacts in the client's phone, not for the right to process corresponding personal information,” she specified. She stressed that the data is not being collected or preserved, nor is it used in the bank's activities or shared with third persons.