GDPR in Payments

Payment transactions generate and process significant volumes of personal data: cardholder name, billing and shipping address, email, phone number, IP address, device identifiers, and transaction history. Under GDPR, each piece of data that identifies or can identify a natural person is personal data and subject to the regulation's requirements.

Controllers of payment data, typically merchants and payment service providers, must have a lawful basis for each processing activity. For payment processing itself, contract performance (Article 6(1)(b)) is the typical legal basis: processing is necessary to execute the transaction the cardholder requested. For fraud prevention, legitimate interests (Article 6(1)(f)) is commonly relied upon, subject to a balancing test against cardholder interests.

Data minimization is a GDPR principle: merchants should only collect and retain the personal data necessary for the stated purpose. CVV values cannot be retained post-authorisation (already required by PCI DSS). Billing address data retained for reconciliation purposes should have a defined retention period and deletion schedule.

Cross-border data transfers of EU personal data to third countries require either an adequacy decision from the European Commission, Standard Contractual Clauses (SCCs), or another transfer mechanism. Payment providers processing EU cardholder data in non-EEA data centres must have appropriate transfer safeguards in place.

Data retention schedules must be defined and enforced: transaction data retained indefinitely creates growing GDPR exposure over time. Merchants need documented retention periods for each data category and technical controls that enforce deletion at the end of the retention period.

Processor relationships require data processing agreements: merchants using payment providers, fraud tools, and analytics platforms are data controllers sharing personal data with processors. GDPR requires a written data processing agreement (DPA) with each processor. Merchants should audit their payment stack for DPAs with each vendor.

Data subject rights apply to payment data: cardholders have rights of access, rectification, erasure, and portability. Merchants must have processes to respond to data subject requests within 30 days. Payment data systems that make erasure technically difficult (because data is embedded in transaction logs) require careful architecture to support right-to-erasure compliance.

Device fingerprinting and behavioural analytics require legal basis assessment: fraud prevention tools that profile individuals based on device data and behavioural patterns are processing personal data. The legitimate interests legal basis is commonly applied, but requires a documented legitimate interests assessment (LIA).