On 19 May 2021, the European Data Protection Board (EDPB) adopted Recommendations on the legal basis for the storage of credit card data for the sole purpose of facilitating further online transactions.
Scope of the recommendations
The recommendations specifically address online providers of goods and services who store credit card data to facilitate future purchases once an individual has provided their credit card data to conclude a transaction online.
The recommendations do not apply to payment institutions operating in online stores or public authorities. They also do not apply where credit card data is stored for a different purpose, for example to comply with a legal obligation or to establish a recurring payment.
Why are these recommendations needed?
As the digital economy and e-commerce continue to develop, the risks of using credit card data online also continue to increase. In addition to ever-present payment fraud risks, there is also an increased risk of credit card data security breaches where the credit card data is stored. Controllers must therefore act to reduce the risk of unlawful processing of this data.