Guidance Note for Data Controllers on Purpose Limitation and Retention in relation to Credit/Debit/Charge card transactions
The following guidance has been prepared as an aid to data controllers who process credit/debit/charge or other relevant card payments regarding the practical application of Section 2(1)(c) of the Data Protection Acts 1988 & 2003 which requires data controllers to comply with the following provisions concerning personal data kept by them:
• the data shall have been obtained for one or more specified, explicit and lawful purpose(s),
• the data shall not be further processed in a manner incompatible with that purpose or those purposes,
• the data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they were collected or are further processed, and
• the data shall not be kept for longer than is necessary for that purpose or those purposes.
Specific, explicit and lawful purposes
Data controllers who obtain personal data from a data subject may do so for one or more specific, lawful and clearly stated purposes. Where personal data stored on a card is collected for the purposes of a transaction, it can be assumed that the purpose for its collection ends following completion of the payment for a product or service.
Data controllers who obtain personal information for one or more legitimate purposes may not use that data for any other purpose except in ways which are compatible with the original purpose(s). Personal data obtained from a card for a particular transaction cannot be used subsequently for other transactions without express consent to do so. Any use without such consent would breach the ‘fair obtaining’ rule as set out in the Data Protection Acts.
In order to meet this obligation, data controllers are advised to put in place appropriate data deletion procedures and security measures to ensure that information obtained for one purpose may not be accessed and used for another purpose as outlined above.
Prior to the termination of the customer relationship, if the customer has clearly opted in (as opposed to not having opted-out) to their data being retained for future transactions, this would permit further processing e.g. if a customer has consented to having their personal data retained for ease of retrieval for future transactions.
Adequate, relevant and not excessive.
The personal data sought and kept by data controllers should be sufficient to enable them to achieve their specified purpose(s) and no more. There is no basis for Data Controllers to collect or keep personal data that they do not need on the off-chance that a use might be found for it at a future date.
Data controllers must be clear about the length of time for which personal data will be kept and the reasons why the information is being retained. Where the purpose for which the information was obtained has ceased and the personal information is no longer required, the data must be deleted or disposed of in a secure manner. It would be the view of this Office that personal data obtained from a card would only need to be retained for a period of, at most, 13 months to allow for copy voucher requests only in cases where the customer has had to sign a receipt for their transaction to be processed. In these cases, the information should be retained separately and solely for the purpose of previous payment queries and not for use for future transactions/further purposes. In the case of card transactions processed using Chip and PIN (EMV) technology, it is not necessary for vendors (data controllers) to hold onto the receipts at all, as the electronic record is available directly from the cardholder’s card issuer.