Introduction

1.    These guidelines are primarily addressed to payment service providers (‘PSPs’ or ‘controllers’) within the meaning of the amended Law of 10 November 2009 on payment services[1] (‘the 2009 Law’).[2]

2.    Payment service providers collect and process a significant amount of personal data: when entering into a relationship with the user of the service (‘the user’ or ‘data subject’), throughout that relationship, and often well after it has ended. Furthermore, technological innovations have significantly increased the ability of payment service providers to collect, store, combine and analyse a wide range of data about their users.

3.    Personal data processed by PSPs may include information on the personal situation of the data subject (age, nationality, marital status, etc.), his or her economic and financial situation, payment data (such as the amount of the transaction, the date and time of payment, the identity of the beneficiary of a transaction, the IBAN or personalised security credentials), the data subject’s anti-fraud score, and contextual or behavioural data (consumption preferences and habits, geolocation, characteristics of the terminal used for an online purchase, time spent browsing, etc.).

4.    Although such data do not enjoy a special status under the General Data Protection Regulation (EU) 2016/679 (‘GDPR’), much of it is to be regarded as ‘sensitive’ data (in the everyday sense of the term), in so far as a breach of those data could have serious implications for the daily life of the data subject.[3]

5.    Given the scale of such processing, the CNPD would like to recall some of the key principles of Article 5 GDPR as regards the processing of payment service users’ data. A PSP may process the personal data of a data subject only if the intended processing is lawful, i.e. necessary for the performance of the contract with the user, necessary for compliance with a legal obligation to which the PSP is subject, necessary for the purposes of the legitimate interests pursued by the PSP or, in rarer cases, based on one of the other legal bases listed in Article 6 GDPR. In accordance with the principle of transparency, data subjects must retain control over the data concerning them. This presupposes that they are clearly informed of the use that will be made of their data at the time of collection and throughout the life cycle of the processing. In addition, users’ personal data may be processed only for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes (principle of purpose limitation). The data must also be adequate, relevant and limited to what is necessary for the purposes for which they are processed (principle of data minimisation). They must also be accurate and, where necessary, kept up to date (principle of accuracy).

6.    Finally, according to Article 5(1)(e) GDPR, personal data must be ‘kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which they are processed...’ (principle of storage limitation, referred to here as retention limitation). These guidelines will not address in detail data that are necessary for the performance of the contract and retained for the duration of the contractual relationship; rather, they address all aspects of retention periods once that relationship with the data subject has ended. Indeed, PSPs generally retain the personal data of their users in order to comply with certain legal obligations or to protect themselves against certain legal actions during the applicable limitation periods.

7.    Without claiming to be exhaustive, the purpose of these guidelines is to provide stakeholders with information on the retention periods and arrangements for the personal data they process in the context of a highly regulated sector. The protection of personal data is increasingly anchored in the various European regulations (including those applicable specifically to the financial sector), and the CNPD would like to inform the controllers concerned as fully as possible on the application of some of these provisions in relation to the requirements of the GDPR on retention periods for personal data. Given the large number of payment service providers acting as controllers based in Luxembourg[4], and in accordance with the recommendations of the European Data Protection Board (‘EDPB’) and the European legislator, the CNPD intends to adopt a holistic approach to the regulatory framework applicable to financial sector actors, in cooperation with the other competent authorities in Luxembourg.[5][6]

--------------------------------------------------------------------------------------------------------------------------------------------

[1] https://www.cssf.lu/fr/Document/loi-du-10-novembre-2009/

[2] While the principles set out in these guidelines may also apply to other professionals in the financial sector, the purpose of this guidance is not to set out the specificities applicable to other professionals.

[3] Article 29 Working Party, Guidelines on Data Protection Impact Assessment (DPIA) and how to determine whether processing is “likely to result in a high risk” for the purposes of Regulation (EU) 2016/679, WP248 rev.01, endorsed by the EDPB (p. 11); EDPB, Guidelines 6/2020 on the interaction between the Second Payment Services Directive and the GDPR, Version 2.0, adopted on 15 December 2020 (§69).

[4] In May 2025 there were 117 credit institutions, 17 payment institutions and 12 electronic money institutions in Luxembourg (source: https://www.cssf.lu/wp-content/uploads/newsletter292.pdf).

[5] See EDPB Strategy 2024-2027: ‘The EDPB will work to strengthen cooperation with other regulatory authorities, with a view to integrating the right to data protection into the overall regulatory architecture.’

[6] See recital 130 of the Proposal for a Regulation on payment services in the internal market and amending Regulation (EU) No 1093/2010, 28.06.2023 (2023/0210 (COD)): ‘The effectiveness of the Union framework for payment services depends on cooperation between multiple competent authorities, including national authorities responsible for taxation, data protection, competition, consumer protection, audit, police and other law enforcement authorities. Member States should ensure that their legal framework allows and facilitates such cooperation as necessary to achieve the objectives of the Union framework on payment services, including through the proper application of its rules. [...]’
