Merchants & Acquirers: Data Protection Roles

GDPR. I bet you may have heard this abbreviation previously. Two years in, this European data protection regulation has become well-known for its hefty fines, new obligations and a broad geographical scope not limited to the EU. But is the GDPR applied correctly? In practice to date, there are still lots of questions and pitfalls.

One of the first steps towards GDPR compliance is assessing your data protection role – a controller or a processor. As a Legal Counsel with an online payments company, I assist merchants with reviewing and negotiating acquirers’ contracts. The analysis of more than a dozen contracts showed that half of the acquirers declare themselves to be data controllers, while the other half will become data processors. As you may have already guessed, this may not always be in line with the GDPR. At the same time, most merchants might not pay much attention to the data protection role granted to them by acquirers in a contract.

This article will provide both acquirers and merchants with insights on why their data protection role matters, which role to choose for the situation, and the consequences of making the wrong choice.

Let’s start with some basic definitions:

Merchant – a company that sells goods or services online;

Acquirer – a financial institution authorised to accept payments on behalf of Merchants;

Merchant Service Agreement – a contract between Merchant and Acquirer for the acceptance of online payments by the Acquirer on behalf of the Merchant;

General Data Protection Regulation (GDPR) - the European data protection regulation that sets forth the rules for customer data processing by Merchants and Acquirers among other things;

Data controller – an entity which, alone or jointly with others, determines the purposes and means of personal data processing. Some practical aspects of the implementation might be delegated to a data processor;

Data processor – an organisation that processes personal data on behalf of the data controller, for the purposes determined by the data controller.

Why is it important?

The role you take will influence: 

- The scope of your obligations (e.g., a controller should respond to requests for exercising the customers’ rights, carry out data protection impact assessments, and notify state authorities of cases of data breaches); 

- Financial and reputational consequences in case of a data breach (such as fines, claims from data subjects, etc.). 

The burden is undoubtedly much heavier for the data controller, responsible for assuring GDPR [1] compliance, as well as the compliance of all its processors.

Here are two Case Studies:

We have analysed a handful of merchant service agreements, including those of leading acquirers, and identified two widely used scenarios that contradict each other.

1. Merchant as a controller and Acquirer as a processor

Most data protection obligations are passed along to Merchant, including: 

- the obligation to respond to data subject requests; 

- the responsibility to communicate a privacy notice to data subjects;

- the responsibility to assume potential liability in case of a data breach. 

2. Both Acquirer and Merchant acting as data controllers 

In this case, Merchant is the sole controller in the context of selling goods or services, while Acquirer is the sole controller within the independent process of the acceptance of payments. Even though these two processes go hand in hand, Merchant controls its sales but does not have much influence on the acceptance of payments and vice versa. 

The first option is the easiest one for Acquirer because they have fewer obligations and liabilities, which are generally included and defined by Acquirer in the written agreement (this is a minimum requirement according to the GDPR). It is complicated to consider Acquirer to be a processor due to the following reasons:

a. Decisive influence over why and how of the processing. Usually, Acquirer will decide by themselves, considering the local legislation and the card schemes rules: 

- What data to process, and for how long the data should be kept in order to process payments correctly; 

- What technical means to use for the processing; 

- Who to share the data with.

As a result, Merchant cannot be viewed as a data controller. 

For more insights on this, consider the example of a bank and an employer relationship outlined in recent guidelines of the European Data Protection Board [2], and another example of an online retailer and a payment company mentioned in the UK Information Commissioner’s Office guidelines [3].

b. The use of customer data for other purposes. Merchant typically does not understand how Acquirer processes the transaction data, or if it is being used for any other purposes. In practice, Acquirers use personal data to develop new added-value products, for marketing purposes, the prevention of fraud, risk management, information security, and for compliance with legal obligations (e.g., payment laws and regulations, card scheme rules). 

c. Interaction with data subjects. The mere fact that Merchant collects data from its customers and transfers it to Acquirer does not mean that Merchant is a data controller. 

Due to the reasons described above, the option where Acquirer and Merchant are sole data controllers in their respective areas is certainly more feasible than the first option, which some acquirers might be tempted to choose.

Bad news for self-appointed Acquirers/Processors

The contractual power of acquirers may lead to cases where Merchants are formally (by a contract) designated as controllers, but are not in the position to determine the purposes and means of the processing. The contract is not a panacea. According to the GDPR, a processor infringes upon the GDPR by going beyond the controller’s instructions and determining the purposes and means of processing. In this case, the processor will be considered a controller and may be subject to sanctions.  

Tips for Acquirers and Merchants 

1. Do not rely only on the contractual provisions. Companies that determine the purposes and means of processing will be controllers regardless of how they are described in any contract. 

2. Acquirer and Merchant being independent controllers seems to be the most reasonable approach. However, there is no one-size-fits-all approach to Acquirer-Merchant relationships. The correct determination of roles requires a case-by-case analysis of each processing at stake and the decision power of both parties.

3a. For Acquirers: 

If you are making decisions over the purposes and essential means of the processing, do not try to mask yourself as a processor to avoid some additional obligations, as this may lead to “lose-lose” scenarios, such as: 

- breaches of the GDPR;

- your re-qualification as a data controller;

- a situation where nobody ensures that individuals can exercise their rights.

3b. For Merchants: 

When there is a reason to believe that the Merchant Service Agreement does not correspond with the actual data control, try to negotiate the contract. This might help you to be on the safe side in case of a data breach.

[1] Articles 4, 28, 29 and Recitals 81, 82 and 83 of the General Data Protection Regulation (GDPR)

[2] European Data Protection Board (EDPB) guidelines 07/2020 on the concepts of controller and processor in the GDPR

[3] Information Commissioner’s Office GDPR guidance: Contracts and liabilities between controllers and processors