Payment service provider as a processor? – What must be observed in terms of data protection law for payment service providers

Characteristic of an order processing is that the processor may only process personal data on and within the scope of the ordering party’s instructions. This does not apply to payment service providers. Although they may be instructed to transfer a certain amount of money, they are not subject to any data protection instructions vis-à-vis the client. Furthermore, it should be noted that the customer also has a contractual relationship with the payment service provider – a unilateral obligation to the seller would therefore not do justice to reality. Rather, the payment service provider also acts on the basis of a contract with the customer who orders the payment. The payment service provider thus represents itself as an independent third party, which does not act on the instructions of the selling company, but processes data under its own responsibility. Also according to BayLDA, banks for money transfers and payment service providers are

If there is no order processing, then the question arises whether this is a joint responsibility within the meaning of Art. 26 GDPR. Typically, this is characterised by the fact that several controllers determine the means and purposes of data processing. However, a payment service provider provides a third-party specialist service and thus acts as an independent controller. The selling company and the payment service provider do not jointly determine the means and purposes of the processing, but as a rule each processes the data as an independent controller for itself, with its means and for its purposes.

The GDPR foresees extensive information obligations in Art. 13 and 14 GDPR, which responsible companies must fulfil towards their customers. Customers must be informed about the processing of their data transparently and in understandable language. This must be done, if possible, before, or at least at the time of the collection of
This requirement of the GDPR presents many challenges, but can usually be met by two-stage information.
If payment is made on site at the cash desk, a short, but clearly visible and legible notice should be posted to the customer about the data processing. This notice should at least indicate who is responsible for the data processing and the purpose of the processing. In addition, the notice should include a reference to further information. This can be, for example, a link to the homepage or a QR code, through which customers can access the detailed and complete information.

Payment is made online on the website. You can also set up a short notice text on the payment page, which contains a link to the data protection information.
The step-down approach was intended to achieve a situation-specific fulfilment of the information obligations, which on the one hand effectively informs the customer, but also does not overburden with information in the specific situation. This procedure is also being followed by EDSA in its working Paper No. 260 is considered permissible.

As with most processing activities, it is crucial that employees are adequately trained and know what is going on. Due to the accountability in the GDPR, it is also useful to write a work instruction according to which the above data protection information is to be made available to the customers. This serves as proof to supervisory authorities should checks be carried out. However, since written instructions alone are not sufficient, employees should also be regularly trained and instructed.

If you are still unsure what you need to consider when using payment service providers – please contact us! Together we will find a solution that suits you individually. Here you will find our website.