SberCRM is a customer relationship management platform operated by Sber (PJSC Sberbank), the largest Russian banking group. It bundles lead management, marketing automation, web chat widgets and integrations with the wider Sber ecosystem. When deployed on a public website, the SberCRM widget sets cookies, captures form submissions and synchronises data with Sber servers in the Russian Federation. Because Russia has no GDPR adequacy decision and is currently subject to international sanctions, SberCRM is treated as a high-risk vendor for European deployments.
SberCRM is the customer relationship management platform of the Sber group (PJSC Sberbank), the largest Russian bank. It is sold to small and mid-sized Russian businesses as a bundle of CRM, marketing automation, lead capture, web chat and integration with other Sber services. The product is operated and hosted in the Russian Federation.
When the SberCRM widget is loaded on a website, it sets third-party cookies (sber_session, sber_uid) and captures the form fields submitted by visitors, the page URL, the referrer and an internal source identifier. The web push subscription token, when activated, is stored on Sber servers. The full lead profile is then available in the SberCRM back office for marketing and sales activation.
The SberCRM cookies fall under Article 5(3) ePrivacy and require prior consent. The lead capture and profile building activity falls under Article 6(1)(a) GDPR. Because data is transferred to the Russian Federation, an additional explicit consent is required under Article 49(1)(a) GDPR, with a clear warning that the transfer is to a country without adequacy.
Sber and several of its subsidiaries are listed under EU, UK and US sanctions regimes. EU-established controllers must verify they are not in breach of restrictive measures when contracting Sber group services. Standard Contractual Clauses are difficult to enforce against sanctioned counterparties, and Russian authorities have wide statutory access to data under Federal Law 152-FZ and the FSB framework.
The SberCRM widget must be tag-blocked until explicit, granular opt-in consent is given. The consent message must clearly identify Sber as the operator, the Russian Federation as the destination and the absence of an adequacy decision. A clear refuse option must be available and the choice must be revocable at any time.
For European deployments, run a sanctions screening on Sber and any sub-processor, document a transfer impact assessment, prepare an Article 49(1)(a) consent flow, list SberCRM in the privacy and cookie policies with the Russian destination, restrict the widget to non-sensitive use cases and seriously consider migrating to an EU-based CRM (HubSpot EU, Salesforce Hyperforce EU, Pipedrive, Brevo, Bitrix24 hosted outside Russia) instead.
Websites using SberCRM must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is required for any meaningful EU deployment of SberCRM, given the transfer to a non-adequate country, the integration with the Sber advertising and identity stack, and the systematic capture of lead data. The DPIA must address the EU sanctions framework and the practical impossibility of enforcing Standard Contractual Clauses against a sanctioned counterparty.
Sample consent text
This site uses SberCRM (Sber, PJSC Sberbank, Russia) for customer support and lead management. SberCRM sets cookies, captures the data you submit and transfers it to servers in the Russian Federation, which is not covered by an EU adequacy decision. Click Accept only if you understand and agree to this transfer. You can withdraw your consent at any time.
Third-party domains contacted
sbercrm.com, cdn.sbercrm.com, api.sbercrm.com, sber.ru
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| sber_session | session | Session | Session cookie that maintains the SberCRM widget interaction during the visit. |
| sber_uid | persistent | 1 year | Persistent identifier that links visits and form submissions to a unique browser inside the Sber group ecosystem. |
| sber_chat | persistent | 6 months | Stores the open conversation thread of the SberCRM web chat so the visitor can resume it on a later visit. |
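
One way to check that the tag blocking required above actually holds, as an added example (not FlowConsent or Sber code): the script audits a captured request log for contact with the domains listed on this page, or for the cookies named on it, before the consent timestamp. The log format, timestamps, URL paths and the `shop.example` host are constructed for illustration.

```javascript
// Domains and cookie names as listed on this page.
const SBER_DOMAINS = ["sbercrm.com", "cdn.sbercrm.com", "api.sbercrm.com", "sber.ru"];
const SBER_COOKIES = ["sber_session", "sber_uid", "sber_chat", "_ya_uid"];

// True when host is a listed domain or a subdomain of one. Matching on a label
// boundary keeps lookalikes ("notsber.ru", "sbercrm.com.example") out.
function isSberHost(host) {
  const h = host.toLowerCase().replace(/\.$/, "");
  return SBER_DOMAINS.some((d) => h === d || h.endsWith("." + d));
}

// Names of listed cookies found in an array of Set-Cookie header values.
function sberCookiesIn(setCookieHeaders) {
  return (setCookieHeaders || [])
    .map((v) => v.split("=")[0].trim())
    .filter((name) => SBER_COOKIES.includes(name));
}

// entries: [{ t, url, setCookie }]; consentAt: time of opt-in, or null if
// the visitor never consented. Returns every pre-consent violation.
function auditTagBlocking(entries, consentAt) {
  const violations = [];
  for (const e of entries) {
    const preConsent = consentAt === null || e.t < consentAt;
    if (!preConsent) continue;
    let host;
    try { host = new URL(e.url).hostname; } catch { continue; } // skip malformed URLs
    const cookies = sberCookiesIn(e.setCookie);
    if (isSberHost(host) || cookies.length > 0) {
      violations.push({ t: e.t, host, cookies });
    }
  }
  return violations;
}

// Constructed sample capture: the widget script loads before consent (t=180).
const SAMPLE_LOG = [
  { t: 100, url: "https://shop.example/", setCookie: [] },
  { t: 180, url: "https://cdn.sbercrm.com/widget.js", setCookie: [] },
  { t: 220, url: "https://notsber.ru/pixel.gif", setCookie: [] },
  { t: 900, url: "https://api.sbercrm.com/lead", setCookie: ["sber_uid=abc123; Max-Age=31536000"] },
];
const CONSENT_AT = 500; // constructed opt-in time

console.log(auditTagBlocking(SAMPLE_LOG, CONSENT_AT));
```

An empty result means no listed domain was contacted and no listed cookie was set before opt-in; running the same audit with `consentAt` set to `null` covers the visitor who refuses.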
The SberCRM widget sets third-party cookies on its operator domains (sber_session, sber_uid, _ya_uid for Yandex integrations, sber_chat) used to identify a unique browser, persist the chat session and synchronise with Sber group analytics.
Yes. The cookies fall under Article 5(3) ePrivacy and the lead capture under Article 6(1)(a) GDPR. In addition, an explicit consent under Article 49(1)(a) GDPR is required for the transfer to the Russian Federation, which has no adequacy decision.
Consent for the cookies and the lead capture, plus explicit consent for the transfer to Russia. Legitimate interest is not admissible because the destination country is not adequate, the operator is sanctioned in several jurisdictions and the data flows feed the Sber advertising and identity stack.
Production data is transferred to the Russian Federation. Russia has no GDPR adequacy decision, no DPF equivalent, and Sber group is subject to EU, UK and US sanctions. Standard Contractual Clauses are difficult to enforce. Article 49(1)(a) explicit consent is therefore the only realistic legal basis for the transfer.
Yes, for any meaningful EU deployment. The combination of lead profiling, transfer to a non-adequate country, sanctions exposure, persistent cookies and integration with Sber identity systems triggers the DPIA criteria of WP248 and the EDPB threshold guidance.
Run a sanctions screening on Sber and any sub-processor first. If you proceed, tag-block the widget until consent, prepare a clear Article 49(1)(a) consent message, document a transfer impact assessment, restrict the widget to non-sensitive use cases, list SberCRM in the privacy and cookie policies and review the configuration regularly. In most cases a migration to an EU-based CRM is recommended.
EU-based CRM alternatives include HubSpot EU, Salesforce Hyperforce EU, Pipedrive (Estonia), Brevo (France), Bitrix24 hosted outside Russia, Zoho EU and Odoo. These tools avoid the Russia transfer and the sanctions overlap, and several offer EU-only data residency.
List SberCRM with the operator (Sber, PJSC Sberbank, Russia), the purpose (CRM, lead management, web chat), the cookies (sber_session, sber_uid, sber_chat) with their retention, the legal basis (consent and Article 49(1)(a) explicit consent), the transfer destination (Russian Federation) and the residual risks (sanctions, lack of adequacy).