At a time when artificial intelligence is omnipresent, even in everyday objects and services, the collected data represent a fundamental asset for companies in all sectors. Especially in retail, where hyper-individualization has become the norm in the relationship between shoppers and brands.
With the help of third-party players such as Spaycial, brands are now able to optimize their customers' experience by offering them ever more innovative services: cashback, personalized offers and promotions, authorizing a purchase with deferred payment or in installments (buy now pay later), etc. Thanks to the analysis and aggregation of payment data, a physical store is now able to understand the behavior of customers by tracing the location and purchase path of a shopper, for example.
Access to such services obviously requires the processing of personal data. There is no point in hiding it. Therefore, their protection in compliance with the applicable texts such as the PSD2 and the GDPR (General Data Protection Regulation) is a key issue. What do these rules imply for payment data specialists like Spaycial? An overview with our DPO.
Payment data and GDPR: what are we talking about?
Personal data is information relating to an identified or identifiable natural person, directly or indirectly, in particular by reference to location data or an identification number (art. 4.1, GDPR). Very often, the processing of this data implies the processing of at least one personal data, thus the need to comply with the RGPD.
The type of data collected by the different actors of the payment chain, and depending on the approvals they have, can be of several kinds:
- the customer's transaction data, which includes identification data (last name, first name, address, etc.) and payment data (IBAN, bank card number, etc.);
- the merchant's transaction data;
- additional data (location, purchase details and history, etc.).
Transaction data, which is of interest to us here, has always been collected and processed by banking institutions. It is used, among other things, to detect fraudulent transactions and analyze risks. Today, it is also a complementary means to better understand purchasing behavior and to offer personalized products and services, thanks in particular to intermediaries authorized and certified to manage this type of data, such as Spaycial.
Transparency, confidentiality, security: the sector's major challenges
How can we ensure that all shoppers' data is well protected and avoid any risk of misuse?
Companies must first implement a global compliance policy led by a Data Protection Officer (DPO) to raise awareness among all employees. Collaboration between the DPO and the Head of Product has become essential for payment players in order to design each product and service in compliance with the GDPR right from the start (by design).
"Another issue is the lawfulness of the processing," says Nurgül Sivasli, DPO of Spaycial.
If the collection of consent to access the bank account is systematic, it remains that it is necessary to choose and define the appropriate legal basis when processing personal data between the contract, consent and legitimate interest.The GDPR establishes in this regard various rights, allowing the consumer to regain control of his data, the main ones being :
- The right to transparency: the transparency of the processing is essential by informing the user with clarity and pedagogy on the processing performed.
- The portability of data: if necessary, users can recover personal data they have provided and then transmit them to another organization processing the data, or request the transfer when possible.
- The right to be forgotten: everyone can, at any time, expressly request the deletion of his or her data collected by the organization that manages the data.
- Notification in case of loss or theft of data: the institutions concerned are obliged to inform the person concerned, within 72 hours, of any action that led to the leakage of personal data.