The European Data Protection Board (EDPB) recently published Recommendations 02/2021 on the legal basis for the storage of credit card data, in line with the EDPB strategy discussed in this blog post.
In the context of the pandemic, digital transactions and e-commerce have increased considerably, with the consequent and inevitable rise in the risks stemming from using credit card data online.
On the one hand, the EDPB’s recommendations seek to promote a harmonized application of data protection rules on processing credit card data in the European Economic Area (EEA), ensuring uniform protection of the data subject’s rights. On the other, they seek to reduce the risk of unlawful processing and foster trust in the digital environment, which the EDPB considers vital for the sustainable growth of the digital economy.
The recommendations refer to online suppliers of goods and service providers storing credit card details to facilitate new purchases by the data subjects. They essentially deal with the scenario in which someone buys a product or pays for a service via a website or application and provides credit card details, generally through a specific form, to complete this single transaction.
The EDPB analyzes the valid basis for the supplier or provider to store the card data and establishes that this processing cannot be based on: a legal obligation, a vital interest, performance of a contract or a legitimate interest. The EDPB reminds us that, for legitimate interest to be a legal basis, three conditions must be met: (i) a legitimate interest pursued by the controller or a third party must be identified and qualified; (ii) processing the personal data must be necessary for the purposes of the legitimate interest pursued; and (iii) a proportionality test must be performed.
Based on the recommendations, it is not clear that storing credit card data to facilitate future purchases is necessary to pursue that legitimate interest. The EDPB also envisages that the fundamental rights and freedoms of the data subject would likely take precedence over the interest of the data controller in this specific context, given that the Article 29 Working Party classified financial data as sensitive data in its recommendations, since a breach of such data clearly has serious impacts on the data subject’s daily life. This ultimately rules out legitimate interest as a valid legal basis for processing this category of data.
That being said, the EDPB concludes that consent appears to be the only appropriate legal basis for processing to be lawful, allowing the controller to show the individual’s willingness to facilitate additional purchases through the specific website or application. Consent cannot be presumed simply because the individual has completed one or several isolated transactions. It should be remembered that this specific consent must be distinguished from the consent given to the terms of service or sale and should not be a requirement to complete the transaction. Data subjects will also be entitled to freely withdraw their consent at any time. This withdrawal must be simple and easy, and the data controller must effectively eliminate the stored credit card data.
The EDPB continues to prepare recommendations on the legal basis for storing credit card data to guide the different stakeholders in applying the right to data protection. We will continue to monitor their practical implications in this blog.
Authors: Josu Andoni Eguiluz and Mònica Ferrer