Storage of credit card data in the context of one-off online transactions - Legal basis -  EDPB Recommendations 02/2021

The development of the digital economy and e-commerce continuously enhances the number of online transactions and the risk of fraud related to the use of credit card data online. In relation to the storage of credit card data, the European Data Protection Board (the “EDPB”) has adopted a stringent recommendation on the topic of the appropriate legal basis for the storage of credit card data for the sole purpose of facilitating further online transactions1 (the “Recommendation”).

The Recommendation concentrates on the storing of credit card data by online providers of goods and services2 (via a website or an application) in the context of one-off transactions, for the sole and specific purpose of facilitating further purchases by the relevant data subjects. The EDPB specifies that this Recommendation does not apply to payment institutions operating in online stores nor to public authorities. Neither does the Recommendation cover the storage of credit card data for any other purpose such as compliance with a legal obligation or establishing recurring payments in the case of subscription for a long-term service.

The EDPB reminds data controllers who intend to store credit card information for the sole purpose of facilitating further online transactions of the following principles:

  • The necessity of a valid legal basis: data controllers must have a valid legal basis in compliance with Article 6 of the General Data Protection Regulation 2016/679 (the “GDPR”) to process and store the credit card data of data subjects.
  • Financial data are highly personal data: financial data have been qualified as data of a “highly personal nature3 ” due to the serious impact their illegal use could have on the data subject’s life.
  • Consent as the sole appropriate legal basis to render the processing lawful: after assessing the different legal bases available, the EDBP concludes that consent under Article 6(1)(a) of the GDPR is the sole and the most appropriate legal basis for processing of credit card information for the sole purpose of facilitating further online transactions.
  • Free, specific, informed and unambiguous consent: data controllers shall obtain the specific consent of the data subject before storing credit card data in this context. This consent must be free, specific, informed and unambiguous, delivered by a clear affirmative action, and should be requested in a user-friendly way.4  The consent must be distinguished from the consent given to the terms of service or sale and shall not be a condition attached to the conclusion of the transaction.  
  • Data subjects’ right to withdrawal: data subjects shall have the right to withdraw their consent at any time. This withdrawal must be free, simple and as easy for the data subject as it was to give consent. Data controllers must ensure effective deletion of the credit card information stored for the sole purpose of facilitating further online transactions.

For any questions, please contact the ICT, IP, media, and data protection team:

Team ICT footer

Linda Funck, Partner | Tel: +352 44 66 44 5164 | E-mail: lindafunck@elvingerhoss.lu
Gary Cywie, Partner | Tel: +352 44 66 44 5164 | E-mail: garycywie@elvingerhoss.lu
Emmanuèle de Dampierre, Counsel | Tel: +352 44 66 44 5164 | E-mail: emmanuelededampierre@elvingerhoss.lu  

This may also be of interest:

1Recommendations 02/2021 adopted on 19 May 2021
2 For example, merchants selling their goods online on a dedicated online store.
3 Article 29 Data Protection Working Party – Guidelines on Data Protection Impact Assessment (wp248rev.01 )
4 See EDPB Guidelines 05/2020 on consent under Regulation 2016/679