GDPR and e-commerce: what about banking data?

As a reminder, the General Data Protection Regulation (GDPR) has set up a very strict framework concerning the processing of personal data, especially in the context of commercial relations between professionals and individuals.

In principle, e-commerce websites may collect their customers’ banking data only for a single transaction. They are therefore forbidden to retain this data or to reuse it for other transactions.

The “Commission nationale de l’informatique et des libertés de France” (CNIL) is regularly contacted by e-commerce companies about the rules applicable to the processing and storage of banking data. These companies invoke a “legitimate interest” and consider that such storage is necessary for the performance of their services.

In order to provide a legal framework that applies nationwide, the CNIL has just recalled some rules applicable to the retention of this type of data.

It confirms that “legitimate interest” is one of the 6 legal bases provided for by the regulation to authorize the processing of personal data. However, this basis can only be relied upon if the interest pursued by the company does not create an imbalance to the detriment of the fundamental rights and freedoms of individuals. Here, the CNIL considers that there is a significant risk for customers in case of misappropriation and fraudulent use of their banking data.

Finally, the CNIL considers that the company may keep this type of data in two cases:

– in case of prior and explicit consent from the customers;

– in case of a subscription, which establishes a regular commercial relationship between the company and its customer.
