Informing customers, even when paying by credit or debit card

von Nadja-Maria

You can now see them more and more often, the data protection information posted for customers. In order to fulfill the obligation of Art. 13 and Art. 14 GDPR, many retailers, but also medical practices, use the possibility of a notice in the business premises. In these documents, the basic data processing conditions of the respective company are then communicated to interested customers, sometimes more or less in detail.

Data processing for EC and credit card payments

However, one important aspect is often overlooked. Personal data is also processed when paying by debit or credit card. The payment process e.g. Information about the customer and company, date and time of the transaction and of course the amount of the payment made are processed. All this information is then at least passed on to the buyer’s bank and used for further processing of the payment process.

Responsibility for data protection information

Since the company allows the possibility to pay by debit or credit card, it is here responsible for the illustrated collection of data within the meaning of Art. 4 DSGVO.

The consequence of this is that the obligation to provide information about data processing according to Art. 13 and Art. 14 GDPR must also be carried out by the respective company. A reference of this obligation to the respective provider of the credit or debit card is not possible.

Adaptation of data protection information urgently required

Especially in smaller shops such as bakeries or the kiosk around the corner, only cash is true. Nevertheless, payment with credit or debit cards is on the rise. Currently reinforced by the need to minimize the risk of infection by means of contactless payment.

The duty to provide information in accordance with Art. 13 and Art. 14 must also be observed when adapting business processes accordingly. Failure to do this can result in severe fines.

And a quick note at the end: All of this also applies to the use of modern payment methods such as Apple Pay.

Not sure whether your business processes are GDPR compliant? We audit your company or parts of it and initiate appropriate measures for you. Call us on 08505 919 27-0 or fill out our contact form.


Nadja-Maria leitet unser Inhouse-Juristen-Team. Sie studierte an der Universität Passau Rechtswissenschaften mit anschließendem Referendariat sowie erstem und zweitem Staatsexamen. Ihr Spezialgebiet ist Datenschutzrecht. Ihr fundiertes Wissen hält sie jederzeit aktuell. Für unsere Kunden und unser Team hat sie so immer einen Rat für eine passgenaue Lösung parat.