Issues of personal data in the contactless transactions with Greek bank cards
In its Decision No 48/2018, the Hellenic Data Protection Authority considered issues of processing of personal data through credit/debit cards for contactless transactions.
The case was brought to the Authority by the Consumer Protection Directorate of the Ministry of Economy, which received a complaint from a customer of the Bank against the Bank, regarding the debit card it issued to replace his old card.
This new card supports contactless transactions, i.e. transactions that can be carried out without the cardholder entering a PIN, simply by holding the card up to the corresponding reader device without inserting it, provided that the transaction does not exceed the amount of twenty-five (25) Euros.
The complainant claims that he did not give his consent to be issued with a debit card with these features (i.e. contactless) and that he does not wish to have such a card because of the security risks arising from its use.
The Bank sent the complainant a reply to his objection, in which it is stated, inter alia, that the possibility of using DebitMasterCard contactless technology for purchases of less than 25 Euros without the use of a PIN is a mandatory feature of the card in accordance with the guidelines of the international Mastercard organisation.
The Bank also states in its reply that the new card meets all the security safeguards required by international organisations, and that the replacement of the old card with the new contactless card is in accordance with the terms of the contract with the complainant as regards his debit card.
According to the background of the decision, a relevant complaint was lodged against another bank, which was forwarded to the Authority by the Consumer Ombudsman.
The Authority took into account a number of legal and technological parameters, as well as the international requirements that apply to contactless debit and/or credit cards.
Among other things, it noted that Mastercard cards can store a history of recent transactions on the card itself, and that this history can be read contactlessly.
The Authority considers that these data are clearly not strictly necessary for the basic functionality for which a debit card is intended and should therefore not be retained by default, much less without explicit information to the cardholder, as appears to have been the case with one of the two Banks.
The Authority also notes that the retention of this data (which is not mandatory under the specifications set by Mastercard) raises personal data protection issues, since the card's transactions can be used to build a profile of the holder's consumer habits. On this basis, it considered that card issuers should take appropriate measures to ensure the following:
a) If the customer declares that he does not wish to have a card capable of contactless transactions, it should be possible either to deactivate the contactless function of the card or to issue a new card without contactless capability.
b) If the retention of a transaction history on the chip of a card issued to a customer has been activated without the customer having given specific consent, the customer should be informed of this processing in any appropriate way (e.g. by e-mail, upon logging in to the controller's personalised electronic services, by post, etc.) and be enabled to stop it.
Furthermore, on each new card issuance or re-issuance, this feature should be deactivated from the outset and activated only with the specific consent of the customer, provided that he has first been informed about this processing.
Source: https://www.lawspot.gr