The new DPC website is currently under construction. Our latest guidance in relation to GDPR, which comes into effect on 25th May, 2018, can be found at gdprandyou.ie and via pages on this website starting with "NEW" as per the navigation pane on the left. All other material on this site relates to the previous legislative regime under the Data Protection Acts 1988-2003 ("the Acts"). While the Acts may continue to apply in some circumstances, as of 25th May, 2018 the GDPR is the primary piece of legislation governing data protection.

Data Protection Commission


Credit card transaction – use of details from a previous transaction without consent – fair obtaining – transparency – retention period

A customer of a car rental company alleged that the company had used his credit card data – obtained in a previous transaction – to process a disputed charge without his consent, and in spite of his objections to the charge.

The facts were that a motor car, purchased by the complainant, had given trouble and the garage had arranged a courtesy car with a car rental firm while his own car was being repaired. Prior to taking the car, he inspected it and agreed that it was not in any way damaged. One week after returning the car, the complainant was asked by the rental firm to sign a damage report on the car, and he was informed that he was liable for payment of a ?250 charge. He denied all knowledge of damage to the rental car. The rental firm informed the complainant that they would collect the charge of ?250 via his credit card. He maintained that he had not given his account details to the rental firm on this occasion, although he had in the past hired numerous vehicles from them which he had paid for by credit card.

The specific data protection issue in this case was whether the rental firm obtained and processed the complainant's credit card details fairly, with the appropriate level of consent from the individual.

When I raised the matter with the car rental firm, they maintained that the complainant was liable for the cost of repair of the vehicle under the terms of the agreement which he had signed. They also stated that the complainant's credit card details had been obtained and processed fairly; were kept for a specified and lawful purpose; and were not used in any manner incompatible with that purpose. Furthermore, the use of the credit card details in this instance was specifically for the purpose envisaged in the rental agreement.

I asked the firm to provide evidence of the circumstances in which the complainant had given them his credit card details. They replied that staff did not recall whether the complainant had provided his credit card details specifically for the purpose of the rental in question, or whether the complainant had consented to the use of his credit card details, which he provided on a previous occasion. However, they also stated that the clearing bank had confirmed that the complainant's credit card details had been manually keyed into the credit card machine when the car was being rented. On further investigation I found that there was no record of any credit card details on the copy of the rental agreement supplied for that date by the rental firm. Taken together, these facts strongly suggested to me that the rental firm's sales staff had used details provided and noted on a previous rental agreement. If it was standard practice to use the data previously obtained, as the firm claimed, this should have been made known to the data subject at the time of first obtaining the data, and consent obtained for this practice. It should also have been noted on the rental agreement in this instance that the customer had consented to the use of details provided on a previous occasion.

As regards the retention period of credit card details that had been obtained in the past, the rental firm argued that retention was necessary for audit and legal purposes. While I was prepared to accept this line of argument to a certain extent, I observed that – in general – details of a contract, which is no longer in dispute, should be deleted once the contractual relationship has ceased. In addition, there is no need to retain such data beyond the end of a particular audit period. Furthermore, in the interim – i.e. while the data are being retained for necessary legal or audit purposes – the data should not be used for any other purposes without the express consent of the data subject.

I was satisfied that in the present case, given the manner in which the credit card details were obtained, the data controller had failed to achieve transparency and informed consent and that the necessary prerequisites for fair obtaining had therefore not been met. Accordingly, I found that the rental firm had contravened the Act and I upheld the complaint against them. In response to my decision, the rental firm stated that, in order to avoid a recurrence of the situation leading to this dispute, they were ceasing the practice of using previously-obtained credit card details, and that customers would in future be required to provide their details whenever they entered into a new rental agreement. This is an outcome which I welcome, and which is likely to avert similar data protection complaints in future.

More generally, I consider it to be a sound and proper principle that credit card data obtained for a particular transaction cannot be used subsequently for other transactions without express consent, without violating the 'fair obtaining' rule. The principles of transparency and fairness, which are key tenets of data protection law and practice, apply in this area just as in any other.