28 May 2021

The European Data Protection Board ('EDPB') announced, on 19 May 2021, that it had adopted Recommendations 02/2021 on the legal basis for the storage of credit card data for the sole purpose of facilitating further online transactions. In particular, the recommendations advise that controllers implement appropriate safeguards for data subjects and ensure that they have control over their personal data, in order to decrease the risk of unlawful processing and foster trust in the digital environment. More specifically, the recommendations aim to encourage a harmonised application of data protection rules regarding the processing of credit card data within the European Economic Area, and to guarantee a uniform protection of data subject rights under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').
To this end, the recommendations indicate that the legal bases under Article 6 of the GDPR would not be applicable to the scenario where online service and goods providers store credit card data for the sole and specific purpose of facilitating further purchases by data subjects. However, the recommendations conclude that although consent appears to be the sole appropriate legal basis for such processing to be lawful, it must be free, specific, informed, unambiguous, delivered by a clear affirmative action, requested in a user-friendly way, and not be a condition to the completion of the transaction, among other things.
You can read the recommendations here.