The European Data Protection Board (‘EDPB’) has adopted a Recommendation[1] on the legal basis for the storage of credit card data. The Recommendation concerns situations where data subjects buy a product or pay for a service online, via websites or apps, and provide their credit card data in addition to their personal data in order to conclude a transaction.

The EDBP recommends that website operators who store their customers’ credit card data in order to facilitate further purchases choose the consent of the data subjects – the customers – as the legal basis for the processing of personal data as this appears to be the sole appropriate legal basis.

This consent must be free and must be given before the data from the customer’s credit card is stored. The data subject must be able to deliver consent by a clear affirmative action, e.g. by ticking the appropriate checkbox on a form. This consent must also be separate and clearly distinguished from the consent given for the terms of service or other actions. At the same time, the consent cannot be a condition to the completion of the transaction.

In this context, it is essential that, as with any consent given for the processing of personal data, the data subject has the right to withdraw his or her consent at any time and, once withdrawn, the controller must delete the credit card data immediately.

The Recommendation aims to strengthen a harmonised application of personal data protection rules regarding the processing of credit card data within the entire European Economic Area. Finally, we would like to bring to your attention the fact that the Slovak Data Protection Authority, within the meaning of the published inspection plan for 2021[2], plans to focus, among others, on online stores, which means that the protection of personal data is still a relevant topic.

We hope that you find this information helpful. If you are interested in additional details, please do not hesitate to contact us.


Viktória Poliaková, Zuzana Krajčovičová