D: Statement of complaint following data distribution
Category: News
By: R. Olschewski - 2B Advice GmbH - the privacy benchmark
The state commissioners of North Rhine-Westphalia and Hamburg have initiated legal proceedings against the cashless payment (Electronic Cash or EC-card) service provider, Easycash. It is suspected that unpermitted data transmission took place. Purportedly, payment transaction data from Ratingen was supplemented with loyalty card data from its Hamburg subsidiary in order to provide the company with extensive transaction analysis.
According to press releases, there was a specific offer made to a chain store. This offer purportedly contained the suggestion that EC-card data would be linked with loyalty card data. This could enable the evaluation, for example, of how much money cardholders spend at competing stores. Evidently it is also possible to deduce the proportion of customers that are inactive within the loyalty card system but continue to make purchases using their EC-cards.
Easycash is one of the largest German networks for the processing of card-based payments. The business made headlines recently because it had saved data from around 50 million EC-cards and used it to determine a customer’s creditworthiness. In particular, EC-card data generated when customers used their cards at the registers of contracting companies (for instance supermarkets or gas stations) were saved.
While a company processes EC-card payments, the subsidiary has access to other details given in the customer card application such as name, address, occupation, bank account details and birth date. Easycash Loyalty Solutions would have only needed to search for identical account numbers in both databases in order to precisely follow their customers’ purchasing behavior across a broad range of commercial enterprises.
Such a background check had consequences for the cardholders because, depending on the outcome, either purchase via signature (direct debit) or by simple PIN entry was requested at point of sale. If the purchase required PIN entry, it meant that Easycash had assessed the risk of a direct debit payment as being too high based on the credit history. At the point of sale it can be quickly ascertained whether the customer has a good or a bad credit rating.
The unpermitted transmission of personal data violates privacy protection regulations and an enterprise must expect to be charged in the case of a violation, even if it is a subsidiary receiving the data.
www.ndr.de/regional/hamburg/easycash123.html
