EU digital rights regulator sues German payment processing firm
The platform had saved the data of a customer who ordered products from a pharmacy
By: : Nilima Pathak
Update: 2022-02-27 05:45 GMT
EU digital rights regulator sues German payment processing firm The platform had saved the data of a customer who ordered products from a pharmacy The European Center for Digital Rights (styled as noyb, meaning 'none of your business') has filed a complaint against a German payment platform, Giropay, for processing sensitive personal sexual and health information. Done without...
EU digital rights regulator sues German payment processing firm
The platform had saved the data of a customer who ordered products from a pharmacy
The European Center for Digital Rights (styled as noyb, meaning 'none of your business') has filed a complaint against a German payment platform, Giropay, for processing sensitive personal sexual and health information. Done without the customer's consent, it allegedly violated the European Union's (EU) General Data Protection Regulation (GDPR).
(Established in 2017, with a pan-European focus, noyb is a non-profit organization based in Vienna, Austria).
Giropay is an integrated payment processing service that many retailers use to process customers' payments. A giropay customer noticed that the platform had saved the data about products that she purchased, including the ones ordered from a pharmacy and a sex store.
On reaching out to giropay with her concerns, the customer was told that the firm was not responsible for transmitting the information, as the retailers had the sole discretion to share the shopping cart information. Giropay explained that the data was stored for the customers to confirm whether their orders were accurate.
However, Article 9(1) of the GDPR prohibits platforms from processing the data "concerning the health" or "a person's sex life or sexual orientation" without his/her explicit consent.
Noyb claimed that giropay violated this provision by transmitting and storing the data about the customer's purchase of eye drops and sex products. The complaint also cited violations of Article 5(1)(c), which provides that platforms should only process customer data that is absolutely necessary to carry out the transaction.
On the other hand, Giropay claimed in a letter to the customer that the transmission of the shopping cart information was necessary because it was "a normal market practice." This was disputed by noyb.
It was argued that if the customers desired to have their order data stored in their giropay account, it would be simple for the platform to ask for their consent. Noyb suggested that the availability of this option negated any justification that giropay might have for leaving the decision to the individual retailers.
Alan Dahi, the attorney at noyb, said, "You cannot build, use, and promote a system that illegally sucks up the data and blame others for the data grab. The GDPR has clear principles on the lawfulness, data minimization, and accountability."