63.
Pursuant to Article 12 GDPR, when communicating with data subjects the controller must provide information relating to the processing carried out “in a concise, transparent, intelligible and easily accessible manner, in clear and plain language [...]”.
a. Right to prior information
Articles 13(2)(a) (information to be provided where personal data are collected from the data subject) and 14(2)(a) GDPR (information to be provided where the personal data have not been collected from the data subject) require the controller to inform individuals of the period for which the data will be retained or, where that is not possible, of the criteria used to determine that period. Accurate information on retention periods, in so far as it helps to ensure that data subjects retain control over the processing of their data, is important in order to ensure fair and transparent processing.[1]
64.
In view of these provisions, the CNPD recalls that payment service providers must be transparent about the retention periods of users' personal data, in particular following the closure of their account. This also implies informing users of the legal basis relied on for retaining their data (identifying that legal basis makes it possible, in particular, to determine which GDPR rights the data subject can exercise). Where Article 6(1)(f) GDPR is relied on, the legitimate interest pursued by the controller must be stated in the information brought to the attention of individuals. Moreover, the transparency obligation is reinforced where the data processed fall within Articles 9 and 10 GDPR (special categories of personal data and data relating to criminal convictions and offences).[2]
b. Right to information when exercising rights in relation to the processing
65.
The controller must also provide clear information to data subjects when they exercise their rights, such as the rights of access and erasure (Article 12(1) GDPR).
66.
When a data subject contacts a payment service provider to exercise his or her GDPR rights and raises questions about the retention of his or her data (for example, in a request for erasure), the controller must be able to provide precise information: the purpose(s) of retention, the legal basis or bases relied on, the event that triggers the retention period, the exact date(s) of erasure, and which data can be erased and which must be retained (information that should already be recorded in the payment service provider's record of processing activities).
Example 6: A user (data subject) asks a payment service provider to erase all of his or her data (on the basis of Article 17(1)(a) GDPR) after terminating his or her contract with it. The payment service provider, acting as controller, will be unable to erase a large part of the data subject's data because of the legal obligations to which it is subject (Article 17(3)(b) GDPR). In its reply to the data subject, the information provided by the controller must then, in accordance with Article 12(1) GDPR, be more specific than its general information notice and must, in particular, set out the applicable legal provisions and the categories of data that cannot be erased. A mere reference to the ‘legal obligations applicable in the financial sector’ cannot be regarded as sufficient in the light of Article 12(1) GDPR.
Example 7: During the archiving phase, a user (data subject) objects, on the basis of Article 21(1) GDPR and on grounds relating to his or her particular situation, to the processing of his or her data based on the legitimate interest of the payment service provider. After restricting the processing pursuant to Article 18(1)(d) GDPR pending verification of the objection, the controller must either (i) erase the data pursuant to Article 17(1)(c) GDPR or (ii) demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or that the processing is necessary for the establishment, exercise or defence of legal claims (Article 21(1) GDPR). In the latter case, it is for the payment service provider to provide the data subject with precise information about the processing and, in particular, about the compelling legitimate grounds on which it relies to override the data subject's interests, rights and freedoms.
-----------------------------------------------------------------------------------------------------------------------------------------------
[1] See Commission Nationale de l’Informatique et des Libertés (CNIL), Deliberation of the restricted committee No SAN-2024-002 of 31 January 2024 concerning the company DE PARTICULIER A PARTICULIER – EDITIONS NERESSIS.
[2] See the Guidelines on transparency under Regulation 2016/679 (WP260 rev.01), endorsed by the EDPB.