
GDPR (General Data Protection Regulation)

What is the GDPR and how does it protect us?

GDPR (General Data Protection Regulation, Regulation EU 2016/679) is the European law that governs the processing of personal data of individuals within the European Economic Area. It has applied since 25 May 2018 and replaced Directive 95/46/EC. In Spain, Organic Law 3/2018 (LOPDGDD) complements it and adapts it to national legislation.

For any entity involved in the payments chain, the GDPR determines what data can be collected at checkout, how long it can be retained and under which legal basis the cardholder’s information may be processed.


How the GDPR works in the acquiring chain

In a PayFac (payment facilitator) model, several actors process personal data simultaneously. The GDPR assigns different responsibilities to each:

  • Data controller: the entity that determines the purposes and means of processing. The PayFac acts as controller for its sub‑merchant data (KYB/KYC) and as processor in certain transactional flows.
  • Data processor: the regulated acquirer that processes data on behalf of the controller and connects the PayFac to the card schemes.
  • Data subject: the cardholder whose data (name, tokenized PAN, IP address, 3DS authentication data) flows through the entire chain.

Each actor may only process the data strictly necessary to execute the transaction, in accordance with the principle of data minimization (Article 5.1.c GDPR).

Article 94 of PSD2 and Article 65 of Royal Decree‑Law 19/2018 require that all data processing in payment services comply with the GDPR. Processing that is necessary to prevent, investigate and detect payment fraud is expressly permitted by those provisions and does not require the data subject’s consent, although it remains subject to the GDPR’s other principles.

Regulatory impact and applicable security

The GDPR does not operate in isolation within the payments ecosystem. It converges with other regulations that a PayFac or payment institution must comply with simultaneously:

Regulation                    Scope                        Relationship with GDPR
PSD2 (Directive 2015/2366)    Payment services and SCA     Article 94 refers directly to the GDPR for data‑processing rules
PCI DSS v4.0                  Card data security           Provides technical protection for the PAN and sensitive authentication data
LOPDGDD (LO 3/2018)           National adaptation          Develops digital rights and DPO requirements in Spain
Law 10/2010 (AML/CFT)         Anti‑money laundering        Allows processing without consent for AML obligations, aligned with Article 6.1.c GDPR (legal obligation)

Penalties for non‑compliance can reach up to €20,000,000 or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher.

Operational advantages and disadvantages

Advantages:

  • Greater buyer trust. A checkout that is transparent about how data is used reduces abandonment; the page cites a figure of 87% of consumers who avoid buying when they doubt the merchant’s security.
  • Privacy at the gateway. Collecting only what the transaction needs, and tokenizing the PAN at the gateway, shrinks both the PCI DSS scope and the attack surface.
  • Legal basis for fraud prevention. Legitimate interest (Article 6.1.f GDPR), reinforced by PSD2 Article 94, allows fraud scoring without the cardholder’s consent, provided the processing is necessary and proportionate to that purpose.
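The minimization principle above is easiest to see in code. The following Python sketch is an added example, not code from the original page or from any PayFac or acquirer: it takes a constructed checkout payload, validates the PAN, never keeps sensitive authentication data (the CVV), masks or tokenizes the PAN, hands each actor in the chain only the fields it needs, and checks whether a stored record has outlived its retention period. The role‑to‑field allocation, the HMAC placeholder standing in for a real vault token, the test PAN and the sample values are all assumptions made for the example.

```python
import hashlib
import hmac
from datetime import date, timedelta

# Constructed sample checkout payload. 4111... is a well-known test PAN, not real card data.
SAMPLE_CHECKOUT = {
    "cardholder_name": "Ana Perez",
    "pan": "4111111111111111",
    "expiry": "12/27",
    "cvv": "123",                    # sensitive authentication data: never stored after authorisation
    "amount": "49.90",
    "currency": "EUR",
    "ip": "203.0.113.42",
    "threeds": {
        "eci": "05",
        "cavv": "AJkBBkhgQQAAAAAAAAAAAAAAAAA=",
        "ds_trans_id": "d1b2c3e4-0000-4000-8000-000000000001",
    },
    "email": "ana@example.com",       # not needed to execute the payment
    "newsletter_opt_in": True,        # not needed to execute the payment
}

# Fields that PCI DSS forbids storing once the transaction is authorised.
NEVER_STORE = {"cvv", "pan"}

# Assumed allocation of fields per actor (an example, not a legal determination):
# each actor sees only what it needs for its part of the transaction (Article 5.1.c).
NEEDED_BY = {
    "sub_merchant": {"amount", "currency", "expiry", "pan_masked"},
    "fraud_engine": {"amount", "currency", "ip", "pan_token", "threeds_eci"},
    "acquirer": {"amount", "currency", "expiry", "cardholder_name", "pan_token",
                 "threeds_eci", "threeds_cavv", "threeds_ds_trans_id"},
}


def luhn_valid(pan: str) -> bool:
    """Reject malformed PANs before they touch any downstream system."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 9 // 1 and d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: first six (BIN) and last four, the maximum PCI DSS allows to show."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def tokenize_pan(pan: str, vault_key: bytes) -> str:
    """Placeholder for a vault token: a keyed hash is stable per card but cannot be
    reversed or brute-forced without the vault key. A real PayFac would call its token vault."""
    return "tok_" + hmac.new(vault_key, pan.encode(), hashlib.sha256).hexdigest()[:24]


def minimize(payload: dict, role: str, vault_key: bytes) -> dict:
    """Return the view of the checkout that a given actor is allowed to process."""
    if not luhn_valid(payload["pan"]):
        raise ValueError("PAN failed Luhn check")
    derived = {
        "amount": payload["amount"],
        "currency": payload["currency"],
        "expiry": payload["expiry"],
        "cardholder_name": payload["cardholder_name"],
        "ip": payload["ip"],
        "pan_masked": mask_pan(payload["pan"]),
        "pan_token": tokenize_pan(payload["pan"], vault_key),
        "threeds_eci": payload["threeds"]["eci"],
        "threeds_cavv": payload["threeds"]["cavv"],
        "threeds_ds_trans_id": payload["threeds"]["ds_trans_id"],
    }
    view = {k: derived[k] for k in NEEDED_BY[role]}
    if set(view) & NEVER_STORE:       # defence in depth: raw PAN / CVV must never leak into a view
        raise RuntimeError("sensitive authentication data in minimized view")
    return view


def purge_due(stored_on: date, today: date, retention_days: int) -> bool:
    """True once a record has passed its retention period and must be deleted or
    anonymised under the storage-limitation principle (Article 5.1.e GDPR)."""
    return today >= stored_on + timedelta(days=retention_days)


if __name__ == "__main__":
    key = b"example-vault-key"      # assumption: in production this lives in an HSM or KMS
    for role in NEEDED_BY:
        print(role, minimize(SAMPLE_CHECKOUT, role, key))
```

Note that the email address and marketing flag never reach any actor: the gateway is the last point at which they exist, which is what keeps them, and the CVV, out of PCI DSS scope and out of every downstream processor.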

Disadvantages:

  • Contractual complexity. Each PayFac–acquirer–sub‑merchant relationship requires a data processing agreement (Article 28 GDPR) with breach‑notification and audit clauses.
  • Data subject rights. Individuals may exercise access, rectification, erasure, objection, portability and restriction, and the response is due within one month, extendable by two further months for complex or numerous requests (Article 12.3).
  • 72‑hour breach notification. A personal data breach must be notified to the supervisory authority (the AEPD in Spain) within 72 hours of becoming aware of it, unless it is unlikely to result in a risk to individuals (Article 33), which requires tested incident‑response protocols.
