The EDPB adopted recommendations on the legal basis for the storage of credit card data

During its plenary session in May, 2021, the European Data Protection Board (EDPB) adopted the recommendations 02/2021 on the legal basis for the storage of credit card data for the sole purpose of facilitating further online transactions (Recommendations).

In the context of the COVID-19 pandemic, the digital economy and e-commerce have continued to grow, and the risks of using credit card data online have increased accordingly. As stated in the Recommendations, a breach of credit card data “clearly involves serious impacts in the data subject’s daily life”, as financial data can be used for “payment fraud”; it is therefore essential that data controllers put in place appropriate safeguards for data subjects and ensure that they retain control over their personal data, in order to decrease the risk of unlawful processing and foster trust in the digital environment. The Recommendations cover situations in which data subjects buy a product or pay for a service via a website or an application and provide their credit card data in order to conclude a single transaction.

Consent should be considered the sole appropriate legal basis for storing credit card data after the purchase.

The data subject does not reasonably expect the credit card data to be stored for longer than is necessary to pay for the goods or services, nor is it evident that storing the credit card data to facilitate future purchases is necessary to pursue the legitimate interest of the controller or a third party. As such, consent in accordance with Article 6(1)(a) of the General Data Protection Regulation (GDPR) should be considered the sole appropriate legal basis for storing credit card data after the purchase.

The storage of credit card data following a transaction, in order to facilitate further purchases, cannot be considered as a) necessary for compliance with a legal obligation; b) necessary to protect the vital interest of a natural person; c) necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; d) necessary for the performance of a contract.

Moreover, when it comes to processing necessary for the purposes of the legitimate interest of the controller or a third party, the EDPB notes that, for the controller to rely on the legitimate interest of the controller or a third party, the three conditions set forth by the GDPR must be satisfied. After analysing the use of legitimate interest, the EDPB concludes that the fundamental rights and freedoms of the data subject would likely take precedence over the controller’s interest in this specific context.

Requirements for consent.

It shall be noted that:

  a) the consent of the data subject is obtained before storing his or her credit card data, in the case of storage of credit card data for the sole purpose of facilitating further online transactions;
  b) the consent cannot be presumed; it must be free, specific, informed and unambiguous. It must be given by a clear affirmative action and should be requested in a user-friendly way, such as through a checkbox, which should not be pre-ticked. More information about valid consent can be found in EDPB Guidelines 05/2020 on consent under the GDPR (a summary of these guidelines can be found in the ECOVIS article here too);
  c) this specific consent has to be distinguished from the consent given for terms of service or of sales and must not be a condition for the completion of the transaction;
  d) the data subject shall have the right to withdraw his or her consent for the storage of credit card data for the purpose of facilitating further purchases at any time. The withdrawal must be free, simple and as easy for the data subject as it was to give consent.

More information about the Recommendations can be found here.

If you wish to get more information or a consultation regarding data protection or fulfillment of the requirements of GDPR, we invite you to seek counsel with the ECOVIS ProventusLaw team.

Prepared by ECOVIS ProventusLaw Senior Associate Milda Šlekytė
