What does Magnit want to know about its customers?

Headlines about various personal data leaks appear in the news with enviable frequency:


But for data to “leak” from somewhere, it must first get there. And while not everyone is a client of a microfinance organization, everyone buys products in stores.

So what kind of information retail chains want to collect about their customers is what I want to talk about. And there is a very good occasion for it: the Magnit supermarket chain has launched its loyalty program.




First approach


Last night (February 6), my wife brought home a loyalty card from the Magnit retail chain and asked me to figure out how to activate it. And since news of personal data leaks has often caught my eye recently, I decided to see what kind of information about its customers the chain intends to collect.

The cards are handed out free of charge with a receipt (a purchase must be made at the store), and the packaging states how the card can be activated:

  • in the Magnit app
  • in your personal account on the site moy.magnit.ru
  • by sending an SMS in the specific format "card number_name_date of birth" to the number 9002
  • by calling the call center at an 8-800 number.

And, as usual, a footnote about complete and unconditional acceptance of the rules and conditions of this loyalty program is in small print.



The information that Magnit asks for when activating via SMS does not look excessive: only a name, phone number and date of birth. Even a full name is not required, so this data does not look dangerous.

But I remember a comment in the discussion of one news item saying that some retail chains ask you to present practically a passport. The most advanced ones do not even need that, because the loyalty program terms include consent to request the real subscriber data from the mobile operator.

And since Magnit binds the card to a real phone number, we go to the site to read the program terms in more detail.

But there was nothing to read. The site was down with a 503 error, and it was impossible to find out the terms of the loyalty program.



To be honest, at first I thought this was something out of a conspiracy theory ;-). Here is your card, activate it via SMS, but we won’t show you the rules of the loyalty program.

Although, on reflection, I assumed that the lucky holders of discount cards had rushed to moy.magnit.ru en masse and quickly brought it down. So I did not jump to conclusions and decided to wait a bit, in the hope that the site would come back up.

As it turned out, the decision to wait a bit was the right one.

Second approach


After some time, the site moy.magnit.ru began to show signs of life, and the page with the terms of participation in the loyalty program, moy.magnit.ru/terms, became available.

I was in such a hurry to look at them that I caught the resource in a “half-dead” state, when the information on the page was present but there were still some problems with the page template or page styles.



And this is the normal appearance of the same page.



Terms like any other terms. It is clear that Magnit will not act against its own interests, although one point made me think. Naturally, the terms of the program can change, but according to this text, changes to the terms of the loyalty program can be published anywhere.

1.1. At the time of registration in the Program, the Participant accepts and unconditionally agrees with all the conditions of these Rules. The current version of the Rules is posted on the Site of the Magnit Program moy.magnit.ru, as well as in other sources at the discretion of the Operator. These Program Rules may be changed, supplemented in any part and volume. The version of the Rules posted on the Site is current and valid. All versions of the Rules published earlier are considered to be invalid.

But I calmed down about the data collected. According to the current rules of the bonus program, moy.magnit.ru/terms, what Magnit wants is all standard:

Processing PD for sending information (advertising)


And since only a name, phone number and date of birth are given when activating a card via SMS, there is nothing threatening in the data collected for the Magnit loyalty program.

And even if we assume the worst and a data leak happens, it will do less harm than publishing the subscriber data for the phone number, because there is no full name, and the date of birth and name are not verified.

Third approach


Nevertheless, some incompleteness in the information provided about the loyalty program still bothered me. After all, by law the site must have a personal data processing policy, which I had not found. And although the program rules mention PD processing, that is not what is required.

And only when you try to activate the card through the site, just like in the classics of the genre, does a link to the entertaining document "Rules for processing personal data" appear at the very end of registration, in the last paragraph: moy.magnit.ru/gdpr



Consent to the processing of personal data


And only here does it become clear what information about its customers the Magnit retail chain plans to collect and process: the maximum possible set of personal data:

which include, but are not limited to: name, date of birth, gender, passport information (series, number, by whom and when issued), address of registration or stay (actual address of residence), contact phone number, email address (e-mail), social media accounts for a period of 10 years

Particularly touching is Magnit’s desire not only to transfer the collected personal data to third parties, but also to include an unlimited circle of third parties at Magnit’s own discretion.

I also hereby acknowledge and confirm that this consent is considered given by me to any third parties indicated above, and any such third parties are entitled to the processing of personal data on the basis of this consent.

Conclusion


No miracle happened. Magnit's loyalty program wants to know absolutely everything about its user. And it says in plain text that this data is going to be shared with third parties.

And if another personal data leak occurs, it may not be limited to passport data. I wonder whether Magnit could avoid responsibility in that case? After all, according to the "Rules for the processing of personal data", the loyalty program user grants the right to transfer their data to third parties, and even to the entire Internet.

It is possible that the only acceptable way to activate the bonus card is via SMS, since in that case consent is given only to the rules of the loyalty program, under which only a limited set of personal data (name, phone number and date of birth) is handed over for processing.

Source: https://habr.com/ru/post/undefined/

