The European Data Protection Board (EDPB) recently adopted a document of current importance: a recommendation on the legal basis for retaining credit card data for the sole purpose of facilitating further transactions.
The COVID-19 pandemic has accelerated the growth of the digital economy and e-commerce, and with it the risks associated with using credit cards online. It is therefore important that data controllers put adequate safeguards in place to protect customer data.
The recommendation aims to promote the harmonized application of personal data protection rules wherever credit card data is used throughout the European Economic Area. Specifically, the document deals with the storage of this type of data by providers of goods and services on the Internet in order to facilitate further purchases: the case where the customer (the data subject) buys products or services through a website or mobile application and provides his credit card details to complete the transaction.
As with any processing of personal data, the controller must have a valid legal basis in accordance with Article 6 of the General Data Protection Regulation (GDPR). The document states that not all of the legal grounds listed in Article 6 of the GDPR are applicable in this case. Processing the customer's credit card data is necessary to make the payment and fulfil the contract [Article 6(1)(b) GDPR], but storing it beyond that serves only to facilitate possible further transactions and sales. That purpose cannot be considered necessary for the performance of a contract for the supply of goods or services that have already been paid for.
The document then discusses the other legal bases listed in Article 6 of the GDPR in turn. In particular, it analyzes in detail the circumstances under which a controller can rely on Article 6(1)(f) GDPR, i.e. the pursuit of a legitimate interest of its own or of a third party. The EDPB concludes that the only valid legal basis for this type of processing is the consent of the customer and cardholder [Article 6(1)(a) GDPR].
Such consent must be given by the data subject freely, specifically, unambiguously and in an informed manner, before his credit card data is stored. The controller must not presume consent; the customer must be able to give it by a clear affirmative action, for example by ticking the appropriate box on the form. Consent must also be kept distinct from acceptance of the terms and conditions and cannot be made a condition of completing the transaction.
In accordance with Article 7(3) GDPR, the data subject has the right to withdraw his consent to the storage of credit card data for facilitating further transactions at any time, freely and simply. Withdrawal of consent should lead to the controller effectively erasing the data.
The full text of the recommendation is currently only available in the original English language. However, an official Czech translation will be available in the near future.
Author: press release