Burger King app: a sham of personal data protection. Is that right?
After Habr was literally blown up by a series of articles about
Yes, this topic caused a serious stir; in total, these articles have now been viewed more than 230 thousand times and more than 1000 comments have been left.
In his article, the developer tries to refute the arguments of a young man who described how the Burger King application monitors user behaviour in a non-obvious way, and argues that its processing of personal data complies even with the GDPR, which is stricter than the domestic Law No. 152-FZ "On Personal Data".
RosKomSvoboda will show why the Burger King application does not comply with Law No. 152-FZ and will give Burger Rus LLC an hour of free legal advice on personal data.
So let's go!
When downloading, installing and first launching the application, before it can be used, Burger Rus LLC (the official legal entity) does not let the user read the Personal Data Processing Policy or the information about the implemented requirements for personal data protection, as required by Art. 18.1 of 152-FZ. A mobile phone number is requested, and the user is invited to read the user agreement. The mobile phone number in this case relates directly to a specific individual and is personal data.
Trying to find the Personal Data Processing Policy and the information about the implemented requirements for personal data protection, we go to the website burgerking.ru.
No link to the policy was found during a cursory inspection.
Go to the feedback page.
The user is invited to leave a whole bunch of personal data, while the Policy for processing it and the information about the implemented requirements for its protection again could not be found during a quick inspection.
At the same time, we learn that personal data submitted through the feedback page is processed on the basis of consent, which is given implicitly by filling in the fields and clicking the send button. We could not find any other consent to the processing of personal data submitted via feedback.
Processing personal data on the basis of consent implies notifying Roskomnadzor in accordance with Art. 22 of 152-FZ. We look for Burger Rus LLC in the register of personal data operators, taking the OGRN from the user agreement. It could not be found either:
During further use of the application, permission to manage calls was also requested, and no documentary reflection of this privilege could be found on the company's website. It is unclear why it is needed and to what extent it is used; there is no transparency.
Nor was a link to the Personal Data Processing Policy, with the corresponding information about data protection, found in the application itself.
Let's look at the User Agreement.
Clause 2.7 obliges you to stop using the application if you disagree with anything. This may indicate that Burger King is not ready to compromise. Remember this.
Instead of an e-mail address, there is a page with contacts, which does not satisfy the condition. The agreement does not specify an e-mail address, and there is none on the contact page either. The agreement thus does not establish the possibility of electronic interaction with the user, since a feedback form is not contractual.
In clause 3.3 the company seems to be cunning. Suppose bank cards are not processed by it directly; there is still an obvious collection of payment identifiers, payment times (and other order data), which directly or indirectly relate to an identified or identifiable person. It would be good to see whether this is reflected in the policy.
Clause 4.10 is simply excellent. If the user deletes the application, thereby terminating the contract, their personal data will continue to be processed in full until written notice is given. Don't forget clause 2.7.
This is an explicit violation of the processing principles under Article 5 of 152-FZ and of the grounds for processing under Article 6 of 152-FZ.
Under clause 5.1 you are offered no alternative to receiving advertising in unlimited amounts, even if you terminate the contract under clause 4.10.
Under clause 5.4 the company may terminate the agreement with you at any time and block the application. Most likely no one will destroy the personal data, in violation of 152-FZ, and you will continue to receive advertising.
In clause 5.6 of the Agreement, consent to the transfer of personal data is given in violation of paragraph 3 of Article 6 of 152-FZ; in particular, no third parties to whom personal data is transferred are named.
Finally, under clause 7.3 the Company is not responsible for the loss of any User data. This alone is a blatant violation of the provisions of 152-FZ (Art. 7, Art. 19).
According to RosKomSvoboda's Denis Lukash, executive director of the Center for Digital Rights:
The GDPR imposes stricter requirements on the processing of personal data. If the basic principles of processing personal data under 152-FZ are violated, there is no point even talking about possible violations under the GDPR (if applicable). When violations in a company are visible merely from a visual inspection of the site, most likely there is no proper organizational and administrative documentation (or it exists only formally); this is a direct consequence. External documents (those that anyone can or should be able to read) should always be perfect, and the development of an application, not only under the GDPR but even under 152-FZ, should begin with the principles of "privacy by design".
RosKomSvoboda's lawyers believe that Burger Rus LLC shows at least signs of violations of Art. 5, Art. 6, Art. 18.1 and Art. 19 of the Federal Law "On Personal Data", and we are ready to donate an hour of free consultation from the Digital Rights Center's legal service, which will help ensure the safety of users at the appropriate level.
E-Legion and Burger King, message us in PM!