DATA PROTECTION INFORMATION FOR MERCHANTS
Card payment at POS – merchants’ responsibilities
What do I as a merchant have to do with data protection?
As a merchant, you collect personal data pertaining to your customers when they pay by card. You are deemed to be a “Data Controller” as defined in the data protection legislation.
Do I need to sign an order processing contract with my network operator/acquirer?
In many of the enquiries we receive, we are asked whether it is necessary to conclude an order processing agreement (data processing on behalf) between the merchant and the network operator/acquirer. We therefore like to explain the following:
- Under the previous legal framework, the state supervisory authorities for data protection treated both merchants and network operators (as well as acquirers) as Data Controllers. This continues to be the current official assessment (please refer to DSK-Kurzpapier Nr. 13 zur Auftragsverarbeitung (Appendix B, p. 4) or Auslegungshilfe des BayLDA zur Abgrenzung Auftragsverarbeitung (p. 2) by way of example).
- It should also be noted that as a network operator or acquirer, we cannot act as Processor for you as merchant, because our services are not provided in accordance with instructions, but in a standardised manner for all our merchants and are largely prescribed by the DK (German Banking Committee), the credit card organisations/schemes and the SEPA regulations.
Do I as a merchant have obligations as a “Data Controller” according to the GDPR?
Yes. Every Data Controller is subject to certain obligations. With regard to card payments in the retail trade, these are primarily the information obligations pursuant to Articles 13 and 14 GDPR.
What do I have to do to inform my customers?
- You place a clearly visible cash desk notice entitled "Data Protection Information for Card Holders" at the POS terminal or shop cash desk. This should be used in addition to the card acceptance sticker at the shop entrance wherever possible. A stand-up notice or wall-mounted notice can also be used in place of the cash desk notice. The cash desk notice contains a QR code and/or URL. Both link to a webpage of your network operator (e.g. PAYONE) containing the information required under the GDPR.
- Please manually add your company’s name and contact details to the cash desk notice.
- Additionally, place a print version of the information required under the GDPR at the cash desk.
You will receive the cash desk notices and the print version of the information for the cash register from your network operator (e.g. PAYONE, where we are responsible for the network operations). The network operator also hosts the webpage with the information. The webpage www.payone.com/gdpr has been set up by PAYONE for this purpose. This webpage contains all necessary and useful information regarding data processing by PAYONE.
A reference to our website will also be printed on the front of the receipt if you have a terminal that offers this technical option and you use PAYONE as your network operator.
However, there are some cases in which you as a merchant need to do more:
- If you accept credit cards, you must also provide the following information at the cash desk or as a wall-mounted notice: Name and contact details of the acquirer(s), contact details of the respective data protection officer, contact details of the respective supervisory authority (e.g. PAYONE, insofar as we are (also) responsible for acquiring).
- If, for card payments, you not only follow the standard procedures we describe in the information for your customers, but also process the personal data, such as in your cash register system. We cannot assist you in this regard and you should seek legal advice in cases of doubt.
- If you want to provide the data protection information for card payments on your own website.
The PAYONE templates for the cash desk notice and print version can be downloaded from this website (please see below) for you to print out yourself. Please select the appropriate cash desk notice for you, add your details and display it near the cash desk where it can be clearly seen by card holders. Please ensure that you also provide the print version for card holders to take away with them. Alternatively, we also offer a summarised version of the information on data processing (single page), which you can also download and use.
The procedure for providing data protection information by means of a cash desk notice, print version and website has been agreed between BecN e.V. and the Committee of Independent Federal and State Data Protection Supervisory Authorities (DSK). The complete document "Datenschutz-Informationen zu kartengestützten Zahlungen gemäß Art. 13, 14 DSGVO” [German language only] is available for reference in the document centre on the BecN e.V. website.
“The supervisory authorities agree with the draft procedure proposed by the Federal Association of Electronic Cash Network Operators (Bundesverband der electronic cash-Netzbetreiber) for data protection information for card-based payments (as at: 30 January 2019).” (Communication of the Chairman of the DSK dated 9 July 2019, Rhineland-Palatinate DPA file no.: 3.03.20. 100:16, resolution no. 16/2019, passed on 4 July 2019).
Cash desk notice (network operation PAYONE): Please use this cash desk notice if PAYONE acts as network operator for you.
Cash desk notice (acquiring PAYONE): Please use this cash desk notice if PAYONE acts as credit card acquirer for you.
Cash desk notice (network operation PAYONE and acquiring through third party): Please use this cash desk notice if PAYONE acts as network operator for you and additionally a third party takes over the credit card acquiring for you.
Cash desk notice (network operation and acquiring PAYONE): Please use this cash desk notice if PAYONE acts as network operator and credit card acquirer for you.
Below you will also find the legally required information on data protection for you as merchant (where acting as a natural person):