Storing Credit Card Data – Legal Basis for Processing in Scope of EDPB

August 10, 2021

Katarina Živković

Senior Associate

Miroslav Ravić

Trainee

Since the COVID-19 pandemic, digital trade and e-commerce have grown rapidly. Against this background, on 19 May 2021 the European Data Protection Board (EDPB) adopted Recommendation 2/2021 on the legal basis for the storage of credit card data for the sole purpose of facilitating further online transactions. Specifically, the EDPB has advised data controllers to implement appropriate security measures and to ensure that individuals retain control over their data.

As digital commerce platforms continue to develop and gain more users every day, the risks of using credit card data online also continue to increase. Besides the risk of fraud, there is a significant risk to the security of the stored data collected from the credit card. For these reasons, data controllers must act to reduce the risk of unlawful processing of this data.


Scope of Recommendations

Under Article 6 of the GDPR, the data controller must have a valid legal basis for any processing. The EDPB has concluded that storing credit card data for a future purchase is not necessary for the performance of the contract; therefore, there is no legal basis for processing this data without the consent of the data subject.

For that reason, the EDPB also considered whether the retailer (the party that collects the information from the credit card) could rely on legitimate interest as the basis for processing such information, and examined the three elements of the legitimate interest test:

  • identification and qualification of the interest;
  • the need to process personal data for such interest;
  • the performance of a balancing test, which falls in favor of the retailer.

The EDPB concluded that the test failed on the second and third points.

In light of the above, from the EDPB's point of view, consent appears to be the sole appropriate legal basis for storing credit card data for the purpose of facilitating further online transactions, not only because of the increased risks to consumers in the event of a data breach, but also as a matter of putting consumers in control of their data. The EDPB therefore recommends that the consent of the data subject be obtained before his or her credit card data is stored after a purchase for any future online transactions.

Practical advice for retailers is to check whether they ask customers for consent before storing their credit card data for future purchases, and to add an appropriate consent checkbox to the payment process.


This text is for informational purposes only and should not be considered legal advice. Should you require any additional information, feel free to contact us.

Contact:

Katarina Živković, Senior Associate
katarina.zivkovic@sog.rs

Miroslav Ravić, Trainee
miroslav.ravic@sog.rs
