Giving consent for the processing of personal data to the bank, when applying for certain banking products and services via web and mobile applications, in such a way that the client marks the provided field on the website, is in accordance with the Personal Data Protection Act. This is stated in the opinion signed by the President of the Council of the Agency for the Protection of Personal Data and Free Access to Information (AZLP). Željko Rutović.
The Association of Banks of Montenegro addressed the agency with a request seeking an opinion related to the development of digital services that allow citizens to apply online - via web and mobile applications, and in this way receive most banking products and services - from transaction services, to money orders and approval credit products, which necessarily includes the collection and processing of personal data.
As stated in the request, the bank would ensure that the client, when applying for a loan online, is previously informed of the need to give consent for the processing of his personal data, as well as for what purposes they will be processed. He would also be aware of his right to withdraw consent at any time. Consent would be given in such a way that the client would put a tick in the marked field and confirm that he accepts the proposed processing of his personal data.
"The General Regulation on Data and Personal Protection stipulates that the given consent can also include marking a field when visiting a website (crossing), which clearly shows in this context that the person to whom the data refers accepts the proposed processing of the data. Therefore, if the client, when applying for a loan online, does not take the action of filling in the provided field and does not confirm that he is informed about the processing of personal data, it cannot be considered that he has given his consent to the processing of the same", states Rutović's opinion.
In relation to the provisions of the law, banks, as handlers of personal data collections, are obliged to ensure that they are processed in a fair and legal manner, but also to notify clients in a clear and transparent manner what type of information is being processed and for what purpose. Also, it is added in the opinion, the person whose data is being processed must be informed that he has the right to revoke the given consent at any time.
"...Consent must be voluntary, unambiguous, based on information about the consequences of giving it and should not be forced. Bearing in mind that the online application for a loan is based on a voluntary basis, in which case a client who is interested in a loan can submit a request through web and mobile applications, instead of physically coming to the bank, in that way, by entering the required data, i.e. by giving consent to the data is used for the indicated purpose, the conditions for access to banking services are created," the AZLP Council document states.
When a person fills in his personal data when applying for a loan, AZLP notes that, both to protect his business and to prevent misuse of the identity of a person applying for a loan electronically, the bank has the option of conducting a double identity check. This implies that in addition to entering the unique citizen identification number (JMBG), which, based on the practice of AZLP, is one of the most compromised data, the client also enters, for example, the ID card or passport number, in order to indisputably establish the identity of the applicant.
"As an additional level of protection of the personal data of clients who apply for a loan in the above-mentioned way, the bank can enable, after the client has entered his data via the web or mobile application and confirmed that he accepts the proposed processing of his personal data, to confirm once again, in the additional provided field that he agrees with the processing of the data he filled out in the aforementioned form," the finding states.
Bonus video:
