At a time when artificial intelligence is omnipresent, even in everyday objects and services, collected data represents a fundamental asset for companies in all sectors, especially in retail, where hyper-individualization has become the norm in the relationships between shoppers and brands.
With the help of third-party players such as Spaycial, brands are now able to optimize their shoppers' experience by offering them ever more innovative benefits: cashback, personalized offers and promotions, purchases with deferred payment or in instalments (buy now, pay later), etc. Thanks to the analysis and aggregation of payment data, a physical store is now able to understand the behavior of shoppers by tracing their location and purchase path, for instance.
Access to such benefits obviously requires the processing of personal data. There is no point in hiding it. Therefore, their protection in compliance with the applicable texts such as PSD2 and GDPR (General Data Protection Regulation) is a key challenge. What do these rules imply for payment data specialists like Spaycial? An overview with our Data Protection Officer.
Personal data is information relating to an identified or identifiable natural person, directly or indirectly, in particular by reference to location data or an identification number (art. 4.1, GDPR). Very often, the processing of this data implies the processing of at least one piece of personal data, hence the need to comply with the GDPR.
The data collected by the different actors of the payment chain, depending on the approvals they hold, can be of several kinds:
Transaction data, which is of interest to us here, has always been collected and processed by banking institutions. It is used, among other things, to detect fraudulent transactions and analyze risks. Today, it is also a complementary means to better understand purchasing behavior and to offer personalized products and benefits, thanks in particular to intermediaries authorized and certified to manage this type of data, such as Spaycial.
How can we ensure that all shoppers' data is well protected and avoid any risk of misuse? Companies must first implement a global compliance policy led by a Data Protection Officer (DPO) to raise awareness among all employees. Collaboration between the DPO and the Head of Product has become essential for payment players in order to design each product and benefit in compliance with the GDPR right from the start (by design).
"Another issue is the lawfulness of the processing", says Nurgül Sivasli, our DPO.
Although consent to access the bank account is systematically collected, it is still necessary to choose and define the appropriate legal basis when processing personal data: contract, consent or legitimate interest. The GDPR establishes in this regard various rights, allowing shoppers to regain control of their data, the main ones being:
Finally, security is a major issue. Account information aggregators such as our company meet this daily challenge through the secure IT interfaces they provide, adherence to security standards and regular audits of their systems.