Turkish Data Protection Board Decision: Mandatory Storage of Debit/Credit Card Data in E-Commerce Platforms
In its decision dated April 11, 2023 and numbered 2023/567, the Turkish Personal Data Protection Board (“Board”) evaluated a complaint regarding an e-commerce platform that requires consumers to record their debit/credit card data (“Card Data”) in order to make a purchase.
In summary, the consumer (“Data Subject”) argued that the e-commerce platform (“Data Controller”) required them to record their Card Data to be able to complete a purchase. Moreover, the Data Subject claimed that the Data Controller did not have any valid data processing condition regulated under the Turkish Personal Data Protection Law No. 6698 (“DPL”) for the storage of Card Data and did not fulfill its obligation to provide proper notice. The Data Subject also stated that they did not provide their explicit consent for such processing.
On the other hand, in its defense, the Data Controller stated that when a customer wants to make a purchase on the platform, they must add their Card Data to their wallet before proceeding to payment, and that the Card Data is used to receive the payment in accordance with the customer's request, in line with the condition for processing personal data regulated under the DPL, namely, “the necessity for the establishment or performance of a contract”. The Data Controller further claimed that it processes the Card Data to fulfill its obligations regulated under the Law No. 6563 on the Regulation of Electronic Commerce, which corresponds to the data processing condition of “necessity for compliance with a legal obligation to which the data controller is subject” under the DPL. Additionally, the Data Controller stated that the Card Data is processed for:
Detecting fraud and abuse to protect the security of the consumers in line with the data processing condition of “the legitimate interests pursued by the data controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject” under the DPL,
In the event that the customer is a Premium customer on the platform, collecting the monthly Prime membership fee in line with the data processing condition of “the necessity for the establishment or performance of a contract” under the DPL.
Moreover, the Data Controller emphasized the following regarding the claims of the Data Subject:
Customers who have provided payment instrument information can remove their cards and change their information at any time in account settings, which demonstrates the control customers have over their accounts,
The Data Controller fulfilled its obligation to inform with the Privacy Notice which includes the data processing conditions regarding the execution of payment processes, located at the bottom of each page that customers visit on the platform, on the account creation page and on the login page.
The Board evaluated the claims of both parties by creating an account on the Data Controller’s platform and testing the purchasing process. Accordingly, the Board determined that the purchase could not be completed without recording the Card Data in the system, and that the Card Data remained registered in the wallet section after the purchase was completed. In this regard, the Board stated that the Data Controller cannot rely on the same data processing conditions both for obtaining credit card information to complete the purchase and for storing Card Data after the purchase is completed.
Correspondingly, the Board made a reference to the European Data Protection Board’s Recommendations 02/2021 on the Legal Basis for the Storage of Credit Card Data for the Sole Purpose of Facilitating Further Online Transactions (“Recommendations”), which underlines that data controllers may only rely upon consent of the data subjects for the continued processing of card details to facilitate purchases. In line with the Recommendations, the Board stated that continued processing of Card Data after the completion of the current purchase shall only be executed within the scope of the data subjects’ explicit consent obtained in accordance with the DPL.
The Board further evaluated that the Data Controller did not act in accordance with the principles regulated under the DPL, namely, (i) principle of legality and good faith, (ii) processing for specified, explicit and legitimate purposes and (iii) being relevant, limited and proportionate to the purposes for which the data is processed.
In light of the explanations above, the Board decided to impose an administrative fine of TRY 500,000 (approx. EUR 15,345) on the Data Controller due to:
(i) the Data Controller’s failure to obtain explicit consent of the Data Subject for the storage of debit/credit card data after the completion of a purchase,
(ii) the Data Controller’s failure to comply with the above-mentioned general principles of data processing, regulated under the DPL.
The Board also instructed the Data Controller to develop a system that obtains active consent from data subjects for recording Card Data in their membership accounts, to make the necessary changes to its privacy notices accordingly, and to inform the Board of the outcome.