The GDPR anticipates that a company may process personal data as long as one (or more) of six lawful purposes applies.[1] One of those lawful purposes relates to the collection of personal data about a person as part of performing a contract with that person.
The Article 29 Working Party – the predecessor to the European Data Protection Board – recognized that a company is processing data for the purposes of performing a contract when it “processes credit card details in order to facilitate payment” for a good or service.[2] Arguably, the collection and maintenance of salary and payment details might also be based upon the legitimate interest of a merchant and a customer, to the extent that an argument is made that the use of credit card information is not strictly necessary to complete a transaction (e.g., currency or a check could also presumably be used) but that accepting credit cards offers convenience to both parties.
This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes. You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.
1. GDPR, Article 6(1)(a)-(f).
2. WP 259 Rev. 01 at 8.