Back to blog

GDPR and payment data: what are the main stakes?

At a time when artificial intelligence is omnipresent, even in everyday objects and services, the collected data represent a fundamental asset for companies in all sectors. Especially in retail, where hyper-individualization has become the norm in the relationships between shoppers and brands.

With the help of third-party players such as Spaycial, brands are now able to optimize their shoppers' experience by offering them ever more innovative benefits: cashback, personalized offers and promotions, authorising a purchase with deferred payment or in instalments (buy now pay later), etc. Thanks to the analysis and aggregation of payment data, a physical store is now able to understand the behavior of shoppers by tracing the location and his purchase path for instance.

Access to such benefits obviously requires the processing of personal data. There is no point in hiding it. Therefore, their protection in compliance with the applicable texts such as PSD2 and GDPR (General Data Protection Regulation) is a key challenge. What do these rules imply for payment data specialists like Spaycial? An overview with our Data Protection Officer.

Payment data and GDPR: what are we talking about?

Personal data is information relating to an identified or identifiable natural person, directly or indirectly, in particular by reference to location data or an identification number (art. 4.1, GDPR). Very often, the processing of this data implies the processing of at least one personal data, thus the need to comply with the RGPD.

The type of data collected by the different actors of the payment chain, and depending on the approvals they have, can be of several kinds:

  • the shopper's transaction data, which includes identification data (last name, first name, address, etc.) and payment data (IBAN, bank card number, etc.);
  • the merchant's transaction data;
  • additional data (location, purchase details and history, etc.).

Transaction data, which is of interest to us here, has always been collected and processed by banking institutions. It is used, among other things, to detect fraudulent transactions and analyze risks. Today, it is also a complementary means to better understand purchasing behavior and to offer personalized products and benefits, thanks in particular to intermediaries authorized and certified to manage this type of data, such as Spaycial.

Transparency, confidentiality, security: the sector's major challenges

How can we ensure that all shoppers' data is well protected and avoid any risk of misuse? Companies must first implement a global compliance policy led by a Data Protection Officer (DPO) to raise awareness among all employees. Collaboration between the DPO and the Head of Product has become essential for payment players in order to design each product and benefit in compliance with the GDPR right from the start (by design).

"Another issue is the lawfulness of the processing", says Nurgül Sivasli, our DPO.

If the collection of consent to access the bank account is systematic, it remains that it is necessary to choose and define the appropriate legal basis when processing personal data between the contract, consent and legitimate interest.
The GDPR establishes in this regard various rights, allowing the shopper to regain control of his data, the main ones being :
  • The right to transparency: the transparency of the processing is essential by informing the user with clarity and pedagogy on the processing performed.
  • The portability of data: if necessary, users can recover personal data they have provided and then transmit them to another organization processing the data, or request the transfer when possible.
  • The right to be forgotten: everyone can, at any time, expressly request the deletion of his or her data collected by the organization that manages the data.
  • Notification in case of loss or theft of data: the institutions concerned are obliged to inform the person concerned, within 72 hours, of any action that led to the leakage of personal data.

Finally, security is a major issue. Account information aggregators such as our company meet this daily challenge through secure IT interfaces provided by them and the respect of security standards and regular audits of their systems.

Want to know more? Contact us now!