Storing Credit Card Data – Legal Basis for Processing in Scope of EDPB

August 10, 2021

Katarina Živković

Senior Associate

Miroslav Ravić

Trainee

Digital trade and e-commerce have grown steadily since the outbreak of the COVID-19 pandemic. Against that background, on 19 May 2021 the European Data Protection Board (EDPB) adopted Recommendation 2/2021 on the legal basis for the storage of credit card data for the sole purpose of facilitating further online transactions. Specifically, the EDPB advised Data Controllers to implement appropriate security measures and to ensure that individuals have control over their data.

As digital commerce platforms continue to develop and gain more users every day, the risks of using credit card data online also continue to increase. Besides the risk of fraud, there is also a significant risk to the security of stored data collected from the credit card. For this reason, Data Controllers must act to reduce the risk of unlawful processing of this data.

 

Scope of Recommendations

Under Article 6 of the GDPR, the Data Controller must have a valid legal basis for any processing. The EDPB concluded that storing credit card data for a future purchase is not necessary for the performance of a contract; therefore, there is no reason or legal basis to process this data without the consent of the data subject.

Accordingly, the EDPB considered whether the retailer (the person who generates information from the credit card) could rely on the concept of legitimate interest for the purpose of processing such information, and explored the three elements of legitimate interest:

  • identification and qualification of the interest;
  • the need to process personal data for such interest;
  • the performance of a balancing test, which falls in favor of the retailer.

Consequently, the EDPB concluded that the test failed on the second and third points.

In light of all of the above, from the EDPB's point of view, consent appears to be the sole appropriate legal basis for storing credit card data for the purpose of facilitating further online transactions, not only because of the increased risks to consumers in the event of a data breach but also as a matter of putting consumers in control of their data. The EDPB therefore recommends that the consent of the data subject be obtained before storing his or her credit card data after a purchase for any future online transactions.

Practical advice for retailers is to check whether they ask customers for consent before storing their credit card data for future purposes, and to create an appropriate consent box in the payment process.

 

This text is for informational purposes only and should not be considered legal advice. Should you require any additional information, feel free to contact us.

Contact:

Katarina Živković, Senior Associate
katarina.zivkovic@sog.rs

Miroslav Ravić, Trainee
miroslav.ravic@sog.rs
