FAQs
Can an organisation re-use my retained credit card information for a subsequent purpose?
Where personal data stored on a credit/debit card is collected for the purpose of a transaction, then unless a further purpose is clearly stated, it can be assumed that the purpose for its collection ends once payment for the product or service is complete (allowing a reasonable period of time for follow-up payment-related queries). The card data must then be securely deleted.
Where an organisation retains personal data for the automatic renewal of a subscription service, we would expect the customer to have agreed in some way to this further processing. This is in line with the recommendations of the European Data Protection Board (EDPB) on the legal basis for the storage of credit card data, under which consent under Article 6(1)(a) of the General Data Protection Regulation (GDPR) appears to be the sole appropriate legal basis for retaining credit card data for a subsequent purpose. However, where an organisation can point to an ongoing customer relationship, and where it uses the payment details in line with the terms and conditions that were outlined at the time the person signed up for the product/service, then the use of the credit card details in an auto-renewal transaction is not likely to give rise to a data protection concern.
In storing credit card information, controllers must be cognisant of their security of processing obligations under Article 32 of the GDPR.