GDPR and Online Payments

March 24, 2022


Companies process lots of information about customers, suppliers, employees, and other individuals while conducting regular business activities.

Personal data helps businesses understand their customers’ needs, allocate resources more efficiently, and discover new avenues for growth. However, allowing organizations to gather customer information without appropriate regulatory constraints can result in data misuse.

The GDPR gives EU citizens more control over their information and establishes rules for companies that process personal data.

Learn more about GDPR and how its requirements affect online payments.

Customers giving consent for processing their data.

Disclaimer: This article provides a broad overview of the General Data Protection Regulation. It should not be considered an official guide for fulfilling GDPR requirements.

GDPR and Online Payments

The General Data Protection Regulation (GDPR) is a privacy and data security law that standardizes legal practices regarding data protection across EU member states.

GDPR treats a person’s right to decide if and how their data will be used as a fundamental freedom.

Businesses must obtain explicit consent from individuals before processing their data. The individual needs to be informed of the extent and purpose of the data processing and have the option to revoke consent.

Merchants complying with GDPR requirements.

Acquiring personally identifiable information is a prerequisite for accepting online payments and performance of contract. Merchants need to process sensitive payment data before charging a customer and collect enough personal information to deliver the requested goods and services.

Even though GDPR is an EU law, it also applies to non-EU companies. All merchants who sell products and services to individuals in the EU or process data belonging to EU citizens must comply with GDPR requirements.

What Is Considered Personal Data Under GDPR?

Under GDPR, personal data refers to information that directly or indirectly identifies an individual. This includes, but is not limited to, the customer’s:

  • Name and surname
  • ID number
  • Social media handles
  • Financial, physical, or mental status
  • Telephone number or email
  • Credit card data
  • Bank account information
  • Images that show the customer’s appearance
  • Health or biometric data
  • Cultural, political, racial, or social identity
  • Address or location information
  • IP address

Online identifiers like IPs are considered personal information if they can be used to establish someone’s identity. GDPR also considers as personal data other general information if it can be used to deduce a person’s identity.

GDPR does not apply to anonymous or pseudonymized information that cannot be traced back to the data owner.

GDPR Compliance Principles

The GDPR outlines seven core principles merchants and other data processors need to incorporate into their everyday business activities.

Lawful and Transparent Data Processing

GDPR requires businesses to plainly and accurately inform customers which data they plan to collect and how it will be utilized.

Data processing needs to be lawful, fair, and transparent.

A merchant must acquire unambiguous consent from a customer or website visitor before processing their data. The customer must make an informed decision and give their permission willingly. To this end, merchants must ensure that the consent form:

  • Is informative and stated in simple terms.
  • Specifies the data processing purpose and reiterates that data cannot be used for other reasons.
  • Contains information about automated customer profiling and its consequences.
  • Requires children under 13 to obtain parental consent before their data can be processed.
  • Is thoroughly documented and attestable.

Typically, websites require visitors to read, agree with, and accept the outlined data processing rules by checking a box or clicking a button.

Pre-checked boxes or inactivity do not represent consent under GDPR.

Purpose Limitation

At the time of the data collection, customers need to understand why and how their information will be processed.

Personal data can be used only for the purposes the customer has given their consent to. When the processing has multiple purposes, permission should be given for all of them.

Merchants that plan to use customer data to facilitate other business activities must inform the customer and obtain consent before additional data processing occurs.

For example, if a customer purchases a subscription, merchants can continue to process data for the duration of the service. However, they must acquire the customer’s permission if they plan to process data for reasons other than the subscription service.

Customers can deny or withdraw consent without preconditions or questions asked.

Respecting Customer Rights

Merchants need to implement user-friendly mechanisms that enable customers to access personal data and ask for data updates or erasures. These services need to be accessible, free of charge, and customers should not be penalized for making such requests.

A list of customer rights under GDPR.

Usually, organizations provide contact details, such as an email address, where customers can submit their requests and questions.

Under GDPR, customers have the right to:

  1. Know how the data was utilized and to whom it was disclosed.
  2. Access their information without restrictions.
  3. Ask merchants to rectify inaccurate information.
  4. Request that their data be erased.
  5. Demand that their data is no longer processed.
  6. Ask for data to be transferred to a different merchant.
  7. File a complaint and reject certain data processing practices.
  8. Refuse to be a subject of automated decision-making and profiling.

If the personal data is disclosed to a third party, the customer needs to be informed about the data disclosure.

Data Security

Merchants must implement appropriate data security measures and policies to protect sensitive information against cyber attacks, unauthorized access, or accidental damage. The GDPR calls for organizations to:

  • Protect customer data by introducing advanced technical solutions such as firewalls, anti-viruses, authentication tools, and data encryption protocols.
  • Develop data protection procedures that include response plans, employee training programs, data access restrictions, and other InfoSec policies. The procedures should be well-documented and accessible to staff while conducting work-related tasks.
  • Integrate data security considerations into the development and design of new services by default. Data security safeguards need to be included in every step of the development process and in the final product.
Personal data protection is an essential GDPR element.

From the get-go, merchants should determine what information to process and how to collect that data.

Reducing the amount of personal information that needs to be protected is an excellent way to decrease operational costs associated with data security.

Storage Limitation

Organizations may store sensitive customer information only for as long as it serves their business objectives. Merchants must not store personal data if:

  • The purpose for which it was collected is no longer relevant.
  • The person has withdrawn their consent.
  • The customer requests that the data processing stop or the data be erased.
  • The organization no longer complies with GDPR requirements.

Personal data cannot be kept indefinitely. If a child has given consent to data processing, they have the right to request that the data be erased even after becoming an adult.


All personal data the merchant processes needs to be accurate and up to date. Customers can request that the data be amended if they notice it is incorrect or if a change has occurred in the meantime.

Merchants should be proactive and take every reasonable step to ensure that the information is always correct. The merchant also needs to promptly rectify or erase data determined to be incorrect or incomplete.


Merchants need to demonstrate that appropriate data protection measures are applied, and that data processing is performed in accordance with GDPR requirements.

GDPR data protection accountablity.

To show that it is compliant, an organization must:

  • Maintain detailed documentation outlining the data collection processes, usage policies, data storage policies, data security measures, staff responsibilities, etc.
  • Create specific data protection roles and responsibilities and allocate dedicated staff.
  • Have formal and signed data processing agreements with third parties that process personal data.
  • Designate an employee tasked with assessing GDPR compliance and resolving customer complaints.
  • Display the identity and contact details of the employee (employees) responsible for upholding data protection policies.

Employing an official Data Protection Officer is usually only necessary for large-scale data processing requiring constant and systematic monitoring, public authorities, and governmental bodies.

CCBill and GDPR

CCBill is an established payment service provider with an impeccable data security record.

Visitors to CCBill’s website are not subjected to profiling, and their data is not sold to third parties. The information is used exclusively for the purposes for which the visitor gives their consent.

CCBill’s data protection policy ensures that personal information is processed lawfully, fairly, and transparently. The rights of website visitors, customers, partners, and employees are guaranteed and comply with company standards and legal requirements.

Data is securely stored and erased once it is no longer necessary. Data can be transferred outside of the EU only if the individual provides explicit consent or if it is necessary for the performance of contract. Other reasons include public interest, legal claims, or protecting a person’s vital interests when they cannot give consent.

All requests, questions, or complaints about the processing of personal data can be submitted via email at


Everyone has a right to decide what happens to their data and how it is used.

By complying with GDPR requirements, merchants show that they respect customer rights, are transparent in their business dealings, and prioritize the protection of customer data over quick profits.

Merchants who want to accept online card payments also must comply with PCI DSS.

About the author
Vladimir Kaplarevic
Vladimir is a resident Tech Writer at CCBill. He has more than 8 years of experience in implementing e-commerce and online payment solutions with various global IT services providers. His engaging writing style provides practical advice and aims to spark curiosity for innovative technologies.
Talk to a Merchant Support Specialist