On 19 May 2021, the European Data Protection Board (EDPB) adopted Recommendations on the legal basis for the storage of credit card data for the sole purpose of facilitating further online transactions, available here.
Scope of the recommendations
The recommendations specifically address online providers of goods and services who store credit card data to facilitate future purchases once an individual has provided their credit card data to conclude a transaction online.
The recommendations do not apply to payment institutions operating in online stores or public authorities. They also do not apply where credit card data is stored for a different purpose, for example to comply with a legal obligation or to establish a recurring payment.
Why are these recommendations needed?
As the digital economy and e-commerce continue to develop, the risks of using credit card data online also continue to increase. In addition to ever-present payment fraud risks, there is also an increased risk of credit card data security breaches where the credit card data is stored. Controllers must therefore act to reduce the risk of unlawful processing of this data.
What are the recommendations?
The EDPB have advised controllers that they should implement appropriate security measures and ensure that individuals have control over their own personal data.
The EDPB have also confirmed that the appropriate legal basis to use where credit card data is stored to facilitate future purchases is consumer’s consent. Under Article 6 of the GDPR, the controller must have a valid legal basis for any processing. The EDPB reviewed each possible legal basis. It has concluded that the storage of credit card data for future purchases is not strictly necessary for the performance of the contract for the provision of the goods or service that the individual has paid for. The legitimate interest’s basis would also not be valid in this scenario. For the controller (the online retailer) to rely on the legitimate interests basis, three conditions must be satisfied:
- The online retailer’s legitimate interest must be identified and qualified
- There must be a need to process personal data for the purposes of the legitimate interest. The EDPB held that the storage of the credit card data to facilitate future purchases is not necessary to pursue the online retailer’s legitimate interest, because whether the consumer will make use of the stored credit card data depends on the consumer’s choice and is not determined by the availability of this option
- There must be a balancing test performed between the legitimate interest of the online retailer and the interests, rights and freedoms of the individual. Financial data has been held by the Article 29 Working Party to be highly personal, since its violation would involve a serious impact on the individual’s daily life. Furthermore, the individual would not reasonably expect their credit card data to be stored for longer than necessary to pay for the requested goods or services. The rights and freedoms of the individual would therefore take precedence over the controller’s interest
The EDPB have held that consent is the only appropriate legal basis for storing credit card data for future purchases. The online retailer should ensure that the customer has given a GDPR-standard consent to store the credit card data after a purchase. Consent must be freely given, specific, informed and unambiguous. It should be requested in a “user-friendly way, such as through a checkbox, which should not be pre-ticked”. It must be distinguished from the consent given for terms of service or sales, and it cannot be a condition to the completion of the transaction.
Next steps
Online retailers should check that they are asking customers for consent before storing their credit card details for future purchases. Please also note that under Article 7(3) of the GDPR consent can be withdrawn by a customer at any time. Should a customer withdraw consent, this must lead to the deletion of the credit card data stored for the purpose of facilitating further transactions.