Giropay knows what you bought last summer

A customer contacted noyb after seeing a detailed list of products she had ordered in an online pharmacy and a sex shop listed in her giropay account. Such data is specially protected under the GDPR and may not be processed without consent. noyb filed a complaint against giropay with the Hessian State Commissioner for Data Protection and Freedom of Information.

By NOYB (guest author) · March 9, 2022

Instead of only processing the payment, the German payment service “giropay” (formerly “paydirekt”) keeps the information about each individual item purchased in online shops. This can include the processing of sensitive personal data.

Transparent shopping bags or “private remains private”? The German payment service giropay advertises on its website with pithy slogans like “Private remains private” and “Data protection according to German guidelines”. A customer suddenly found a detailed account of her purchases – including from a sex shop and an online pharmacy – in her giropay profile. Unlike normal SEPA or credit card payments, giropay does not only process the personal data necessary to execute the payment – it keeps the entire contents of the shopping basket. As the company showed no signs of willingness to cooperate on the matter, she contacted noyb.

giropay blames it on the shops. giropay keeps and processes the data, but deflects any responsibility: transferring such data would always be the responsibility of the shops. However, their software has a specific function to forward such information and their own webshop plugin actually leaves shop operators no other choice but to transfer this data. Given that giropay clearly processes this unnecessary personal data, it is subject to the GDPR and liable under the law.
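The data flow described above turns on one design choice in the shop-side integration: whether the payment request carries only what is needed to settle the payment, or the whole basket. The following Python example, added here and not code from giropay, from its plugin or from any shop, shows the two variants side by side and a check a shop operator could run before the request leaves their system. The field names, the session layout and the set of "needed" payment fields are assumptions; the checkout session is constructed.

```python
"""Data-minimising handoff from a webshop to a payment provider.

Added example, not code from giropay or from any shop plugin the article
describes. The field names, the payload shape and the provider's data
requirements are assumptions chosen for illustration.
"""
import json
from typing import Any, Iterator

# Constructed checkout session, as a shop plugin might hold it internally.
CHECKOUT_SESSION: dict[str, Any] = {
    "order_id": "A-10042",
    "amount": "37.90",
    "currency": "EUR",
    "customer": {"name": "Example Customer", "email": "customer@example.invalid"},
    "items": [
        {"sku": "PH-221", "description": "Prescription medication (constructed)", "price": "22.90"},
        {"sku": "PH-014", "description": "Pregnancy test (constructed)", "price": "15.00"},
    ],
}

# What the provider needs to settle the payment and match it to the order (assumption).
PAYMENT_FIELDS = ("order_id", "amount", "currency")

# Keys whose presence in an outbound payment request means basket contents or
# identity data are leaving the shop together with the payment.
BASKET_KEYS = {"items", "description", "sku", "customer"}


def build_full_payload(session: dict[str, Any]) -> dict[str, Any]:
    """Over-collecting variant: forwards the whole session, basket included."""
    return json.loads(json.dumps(session))


def build_minimal_payload(session: dict[str, Any]) -> dict[str, Any]:
    """Minimised variant: only the fields needed to settle and reconcile."""
    return {key: session[key] for key in PAYMENT_FIELDS if key in session}


def _walk_keys(node: Any) -> Iterator[str]:
    """Yield every dictionary key in a nested JSON-like structure."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield key
            yield from _walk_keys(value)
    elif isinstance(node, list):
        for value in node:
            yield from _walk_keys(value)


def leaked_fields(payload: dict[str, Any]) -> list[str]:
    """Return basket/identity keys found anywhere in the outbound payload."""
    return sorted({key for key in _walk_keys(payload) if key in BASKET_KEYS})


def outbound_request(session: dict[str, Any]) -> str:
    """Serialise the payment request, refusing to send basket contents.

    Meant to sit directly before the HTTP call to the provider; the call
    itself is omitted because there is no real endpoint in this example.
    """
    payload = build_minimal_payload(session)
    leaks = leaked_fields(payload)
    if leaks:
        raise ValueError(f"refusing to send basket data to payment provider: {leaks}")
    return json.dumps(payload, sort_keys=True)


if __name__ == "__main__":
    print("full payload leaks:", leaked_fields(build_full_payload(CHECKOUT_SESSION)))
    print("minimal request:", outbound_request(CHECKOUT_SESSION))
```

Running `leaked_fields` over the full payload reports `customer`, `description`, `items` and `sku`; over the minimised payload it reports nothing, which is the property a shop operator would want to assert in the integration's tests rather than trust a plugin default.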

“You can’t build, use, and promote a system that illegally sucks up data and blame others for the data grab. The GDPR has clear principles on lawfulness, data minimization, and accountability.” — Alan Dahi, data protection lawyer at noyb

Particularly sensitive data. The data processed by giropay also concerns the customer’s health and sexual preferences. According to the GDPR, such sensitive data deserves particular protection. It must not be processed without the customer’s explicit consent, as stated in Article 9(2)(a) of the GDPR.

“Just because I use my debit card in the supermarket, my bank won’t get any detailed information about my grocery shopping. There is absolutely no legit reason for giropay to collect such data and store it long-term, especially when it’s that personal.” — Customer of giropay

This is not “normal market practice”. giropay collects information about the most intimate affairs of its customers and argues that this is “normal market practice”. Allegedly the information would be relevant in case of disputes between a webshop and the customer. In reality, the list of items should be readily available on invoices or in the payment history of the webshop – there is no need for a third party to keep these records by default and without the user’s knowledge or consent. Although “market practice” is irrelevant in terms of data protection law, companies often use it to legitimise data protection violations. Instead, they should start taking data protection seriously and respect the privacy of their customers.

This article was first published here.

Image credits: noyb, CC BY-NC 3.0

(Contribution by: EDRi member noyb)