The use of personal banking card data as part of remote payments
Updated: June 25
The new deal
With the entry into force of the European Data Protection Regulation on 25 May, online payment systems must also be reviewed.
Resolution no. 2017-222 of 20 July 2017 of the Commission Nationale de l’Informatique et des Libertés, or “CNIL” (the French Data Protection Authority), which repeals Resolution no. 2013-358 of 14 November 2013, now defines in France the procedures for processing payment card data related to the sale of goods or the provision of remote services.
As with any other processing of personal data, only data that is adequate, relevant and not excessive in relation to the purpose of the processing may be collected, and its use must be limited to the purposes for which it was expressly communicated.
1. In which cases can bank card data be collected?
For the specific, explicit and legitimate purposes that are:
• paying for a good or service,
• reserving a good or service,
• settling in several regular instalments of a subscription sold online,
• subscribing to an offer of payment solutions dedicated to remote sales by payment service providers,
• facilitating any future purchases on the merchant website;
• fighting against payment card fraud.
2. What are the strictly necessary data that may be collected?
By default (restricted list):
- the bank card number
- its expiration date
- the visual security code
In other words, the identity of the bank card holder, which is often requested, should not be collected unless it is strictly required to complete the online transaction or is justified by a specific and legitimate purpose such as the fight against fraud.
The CNIL specifies that the payment card number cannot be used as a commercial identifier and that the photocopy or digital copy of the front and/or back of the payment card cannot be requested, even if the visual security code and part of the numbers are faded.
3. How long can the necessary data be stored?
Necessary data should in principle not be stored beyond the transaction.
The merchant's shopping website must include a simple and free means of withdrawing the consent initially given.
Although it is nevertheless possible to offer card holders the option of storing their data in order to facilitate future purchases, storage of the security code is, in all cases, prohibited after completion of the first transaction. For the other required data, prior consent of the client is therefore required and must take the form of an explicit voluntary act. It is not presumed and cannot result from a box checked by default. In the same sense, acceptance of the general terms and conditions of use or of sale cannot be equated with an explicit voluntary act.
Concerning the fight against fraud, storage of payment card data beyond completion of a transaction falls outside the contractual framework. Such storage may only take place if it serves a legitimate interest of the data processor and, at the same time, does not override the rights or interests of the persons concerned, pursuant to amended Article 7 (5) of Law no 78-17 of 6 January 1978.
In summary, the duration of bank card data storage depends on the purposes pursued:
Purpose / Duration of payment card data storage

• Until payment
• Until receipt of the goods or execution of the service, the period being systematically increased by the withdrawal period provided for sales and supplies of goods and remote service provision

Subscription without or with tacit renewal
• Until the final payment deadline, if the subscription does not provide for tacit renewal
• Until cancellation of the subscription in the case of tacit renewal (subject to appropriate provisions, in particular informing the persons concerned prior to renewal)

Proof of purchases
• 13 months following the debit date
• 15 months in the case of a deferred debit card
• Data thus stored for proof of purchases must be kept in an intermediary archive and used only in the event of a dispute over the corresponding transaction

Facilitating future purchases
• Until withdrawal of consent
• and/or when the payment card's validity expires, because the storage duration cannot exceed the period required for fulfilment of this purpose

Fighting against fraud
• Until the end of the period necessary to accomplish that purpose

Fighting against money laundering
• Where payment data is collected by a body subject to anti-money laundering obligations in order to offer a remote payment solution, it may be stored only until the account is closed and then, where applicable, archived in accordance with the relevant legal requirements
Extended version of the CNIL table, see Link
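As an added example (not part of the original article or of any CNIL material), the retention rules from the table above and the consent and security-code rules from section 3 expressed as a small Python policy check. The record fields, purpose labels, consent labels and sample dates are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple

# Constructed example: purpose and consent labels are our own naming, not CNIL terms.
PROOF_OF_PURCHASE_MONTHS = {"immediate": 13, "deferred": 15}


def add_months(d: date, months: int) -> date:
    """Shift a date by whole months, clamping the day so short months stay valid."""
    years, month_idx = divmod(d.month - 1 + months, 12)
    return date(d.year + years, month_idx + 1, min(d.day, 28))


@dataclass
class StoredCard:
    pan_last4: str                 # only the last four digits are kept in this example
    expiry: date                   # last day of validity printed on the card
    cvv: Optional[str]             # visual security code, if still held
    purpose: str                   # "proof_of_purchase" or "future_purchases"
    consent: str                   # "explicit", "prechecked", "terms_only" or "none"
    debit_date: Optional[date] = None
    deferred_debit: bool = False
    consent_withdrawn: bool = False


def retention_allowed(card: StoredCard, today: date) -> Tuple[bool, str]:
    """Decide whether a card record may still be held on `today`, with the reason."""
    # Security code: never retained once the first transaction has completed.
    if card.cvv is not None:
        return False, "security code must not be stored after the first transaction"
    if card.purpose == "proof_of_purchase":
        # 13 months after the debit date, 15 months for a deferred debit card.
        kind = "deferred" if card.deferred_debit else "immediate"
        limit = add_months(card.debit_date, PROOF_OF_PURCHASE_MONTHS[kind])
        return today <= limit, f"proof-of-purchase window ends {limit}"
    if card.purpose == "future_purchases":
        # Consent must be an explicit act: a pre-checked box or accepting the
        # general terms does not count, and withdrawal ends the retention.
        if card.consent != "explicit":
            return False, "consent must be an explicit voluntary act"
        if card.consent_withdrawn:
            return False, "consent withdrawn"
        if today > card.expiry:
            return False, "card validity expired"
        return True, "stored with explicit consent until withdrawal or expiry"
    return False, f"no retention rule for purpose {card.purpose!r}"
```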
4. What are the information obligations?
Any use of the payment card number, whatever its purpose, must be the subject of complete and clear information to people.
In general, the data subject is informed of the identity of the data processor, the purposes of the processing, the mandatory or optional nature of the information to be provided, the possible consequences of failing to provide it, the recipients of the data, the storage duration of each category of data processed, the existence and manner of exercising their rights of access, rectification and opposition to the processing of their data, including the right to define directives on the fate of their personal data after death, and, where appropriate, transfers of data outside the European Union.
Where data related to the person has been sent to a third party by the merchant, the merchant must inform that third party without delay when the person concerned exercises their right of opposition or rectification.