The European Center for Digital Rights (noyb) filed a complaint on Friday against a German payment platform for processing sensitive personal sexual and health information without customer consent, allegedly violating the EU’s General Data Protection Regulation (GDPR).
Giropay is an integrated payment processing service that many retailers use to process customer payment. A giropay customer noticed the platform had saved data about products that she purchased, including products she ordered from a pharmacy and a sex store. When she reached out to giropay with her concerns, they told her that they were not responsible for transmitting this information as retailers had sole discretion to share shopping cart information. They explained that they stored this data so customers could confirm whether their orders were accurate.
Article 9(1) of the GDPR prohibits platforms from processing data “concerning health or data concerning a natural person’s sex life or sexual orientation” without explicit consent. Noyb claims that giropay violated this provision by transmitting and storing data about the customer’s purchase of eyedrops and sex products. The complaint also cites violations of Article 5(1)(c) which provides that platforms should only process customer data that is absolutely necessary to carry out the transaction. giropay claimed in a letter to the customer that transmission of shopping cart information is necessary because it is “normal market practice,” which noyb disputes.
The complaint argues that if customers desired to have their order data stored to their giropay account, it would be simple for the platform to ask for consent. Noyb suggests that the availability of this option negates any justification giropay may have for leaving the decision to individual retailers.
“You can’t build, use, and promote a system that illegally sucks up data and blame others for the data grab,” said Alan Dahi, an attorney at noyb. “The GDPR has clear principles on lawfulness, data minimization, and accountability.”