All those directly or indirectly involved in preparing payment instruments’ legal structures fully appreciate the sophistication and complexity of the data processing associated with these instruments’ transactions. Many participants, much data, the international character of structures – all these factors contribute to practical difficulties. It was, therefore, quite easy to anticipate that sooner or later, legal aspects of data protection in payment transactions would become the subject of court decisions. This post presents the conclusions of a key Polish court decision in the above matter (Supreme Administrative Court judgment of 1 December 2009, case file no. I OSK 227/09).
The court was requested to resolve a dispute between the Polish data protection authority (GIODO) and a Polish bank which issued pre-paid payment cards. The bank issued both named pre-paid cards and bearer pre-paid cards. The pre-paid card agreements were concluded with public or private entities (which were the formal cardholders). Subsequently, the cards were distributed to end-users (e.g. employees of the formal cardholder). The bank processed the personal data of end-users for the purposes of processing transactions (e.g. verification, charge-back, etc.). End-users’ data was collected by the bank from the entities which were parties to the pre-paid card issuance agreements, not from the end-users directly.
The template for the card issuance agreements, concluded by the bank with the formal cardholders (public or private entities), provided that the formal holder of the cards outsourced the processing of end-users’ data to the bank. This was intended to be a legal construction based on Article 17 item 3 of Directive 95/46 (Article 31 of the Polish Personal Data Protection Act). Therefore, according to the parties to the card issuance agreement, only the cardholder should have been classified as a data controller in respect of end-users’ data; in the processing of this data, the bank acted only as a processor.
The Polish data protection authority questioned this interpretation. In its opinion, the bank should also have been classified as a data controller. Courts of different instances, including the Supreme Administrative Court, shared this view. It is worth noting at least three of the court’s points:
- The status of a data controller depends on objective circumstances and is not subject to the will of the parties. In this case, a detailed analysis of the payment card arrangements identified the bank’s decision-making role in relation to the purposes and means of processing end-users’ data. Therefore, it should also be treated as a data controller.
- Due to the above, the bank must obtain end-users’ consent for processing their personal data.
- As a consequence of classifying the bank as a data controller, the bank must fulfill a notification obligation to end-users.
In my opinion, the above case has very important implications for practice, not only in the payment instruments area. The following lessons can be derived from the court ruling:
- The nature of an arrangement and all background circumstances must be carefully analysed prior to determining which participants in the arrangement should be classified as data controllers. Obviously, this may be a challenge in the case of complex arrangements with much data flowing between significant numbers of participants, but failure to carry out this exercise may have very negative consequences. An entity which has regarded itself as a processor may find itself in the role of data controller. This may mean it must obtain consents for data processing and provide relevant notifications. Needless to say, these obligations may be very burdensome when processing the data of thousands of people.
- One should bear in mind that the provisions of an agreement with a data processor (Article 17 item 3 of Directive 95/46) may be disregarded by a court and the data protection authority if they conflict with the results of an objective analysis determining who the data controllers are.
- Some legal arrangements may provide for two or more data controllers processing the same data simultaneously within the same arrangement.
I would be more than happy to hear of your experiences or comments in this matter.