SEB’s new mobile banking terms of service, set to take effect on March 1, state that the bank can access contacts data in the client’s phone, including phone numbers, street and email addresses of contacts. If a client does not wish to share their contacts data with the bank, they will not be able to make payments based on mobile numbers using the bank’s application.
Public relations adviser at the Data Protection Inspectorate Maire Iro said that all manner of processing of personal information can only take place with explicit permission from the person or under the conditions and pursuant to the procedure provided by law, and that the client cannot give the bank the right to use phone numbers, street and email addresses or other personal data of third persons.
Allas emphasized that SEB does not process data in the way it is stored in the client’s phone, but treats it anonymously, without the part that would allow it to identify persons.
The usability reason why the bank wants to process the contact list is clear – the bank wants ability to show in the app which of the contacts have the app installed and hence can receive the payment. The app cannot provide such feature without the bank processing phone numbers of contacts. The current version of the app already asks technical permission to access the contact list. From March this will be written explicitly also in the terms of service. Although the wording should be improved, since there is a difference between the bank processing the contact information and application written by the bank processing the data in the user’s device.