The European Data Protection Board (EDPB) has issued recommendations on the legal basis for the storage of credit card data for the sole purpose of facilitating further online transactions. According to the EDPB, it is very important for data controllers to put in place appropriate safeguards for data subjects and to give them control over their own personal data, in order to reduce the risk of unlawful processing and to promote trust in the digital environment.
The recommendations address the storage of credit card data by online providers of goods and services for the sole and specific purpose of facilitating further purchases by data subjects. They cover the situation in which an individual buys a product or pays for a service through a website or application and provides their credit card details in a dedicated form in order to perform that single transaction.
How to choose the right ground for processing credit card data?
The approach may be based on the principle of excluding grounds that cannot apply. Several of the grounds set out in Article 6 of the GDPR are not applicable in this situation and should be excluded. The storage of credit card data following a transaction, in order to facilitate further purchases, cannot be considered necessary for compliance with a legal obligation (Art. 6(1)(c) GDPR), nor for protecting the vital interests of a natural person (Art. 6(1)(d) GDPR). The performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (Art. 6(1)(e) GDPR) cannot be considered an adequate legal basis either.
The storage of the credit card data after the payment for goods or services is not, as such, necessary for the performance of a contract (Art. 6(1)(b) GDPR). While the processing of the data related to the credit card used by the client to pay is necessary to fulfil the contract, and therefore falls under Article 6(1)(b) GDPR, the continued storage of these data is only useful for facilitating a potential next transaction and for facilitating sales. That purpose cannot be considered strictly necessary for the performance of the contract for the provision of the goods or services that the data subject has already paid for.
With regard to processing necessary for the legitimate interests of the controller or of a third party, the EDPB notes that in order for the controller to invoke Article 6(1)(f) GDPR, the three conditions laid down by that provision must all be satisfied. This legal basis requires, first, the identification and qualification of a legitimate interest pursued by the controller or by a third party. The interest of the controller or third party may be broader than the purpose of the processing, and it must be present and effective at the date of the data processing.
Second, the processing of the personal data must be necessary for the purposes of the legitimate interest pursued. The third condition requires a balancing test: the legitimate interest of the controller or third party must be weighed against the interests or fundamental rights and freedoms of the data subject, including the data subject's rights to data protection and privacy. The balancing test must take into consideration the particular circumstances of the processing.
Financial data have been qualified by the Article 29 Working Party as data of a highly personal nature, because a breach of such data clearly has serious impacts on the data subject's daily life. Hence, notwithstanding the controller's obligation to implement technical and organisational measures to ensure appropriate security of the credit card data pursuant to Article 5(1)(f) GDPR, and the fact that those data may be stored for other purposes, processing them to facilitate further purchases may involve an increased risk of credit card data security breaches, since it implies processing in additional systems and therefore a larger attack surface. The reasonable expectations of data subjects, based on their relationship with the data controller and on the context and purpose of the personal data collection, should also be taken into consideration during the test. At the time of purchase, while providing credit card data for the payment, the data subject does not reasonably expect his or her credit card data to be stored for longer than is necessary to pay for the goods or services being bought. Consequently, the fundamental rights and freedoms of the data subject would likely take precedence over the controller's interest in this specific context.
In conclusion, consent (Art. 6(1)(a) GDPR) appears to be the sole appropriate legal basis for this processing to be lawful. Before storing credit card data, the data subject's explicit consent must be obtained, having regard to the security risks involved and to the individual's ability to exercise control over the data and to make active decisions about the use of his or her credit card data.
This consent cannot be presumed: it must be freely given, specific, informed and unambiguous. It must be expressed by a clear affirmative action and should be requested in a user-friendly way, for example through a checkbox, which must not be pre-ticked, placed directly on the form used for the data collection. This specific consent must be kept separate from acceptance of the terms of service or of sale, and it must not be a condition of completing the transaction: the purchase must go through whether or not the data subject agrees to the card data being stored.
The data subject has the right to withdraw his or her consent to the storage of credit card data for the purpose of facilitating further purchases at any time. Withdrawal must be free and simple, and as easy for the data subject as it was to give consent. It must result in the actual deletion of the credit card data stored by the data controller for the sole purpose of facilitating further purchases, not merely in the data being flagged as unused.