most popular online payment service
PayPal is an online payment service. It is used by many websites as an additional way of payment.
- Headquarters: San José, California, United States
- Category: Payment
- Legal Basis: Consent required via Consent Management Platform (CMP)
What is PayPal?
PayPal is an online payment service with which you can offer your customers a way to pay you. Since you naturally want to make it as easy as possible for your customers to pay you, a whole range of online payment services are often used, because customers also have their preferences there. PayPal is the most popular online payment service.
Why is PayPal used?
If you offer PayPal on your website or store, you are probably pursuing several goals. The most important one is probably the simplicity of payment. If you use PayPal, the payment for the customer is completed in just a few clicks. Usually, the customer already has an account with PayPal when he chooses this payment method and therefore does not have to enter his data again.
In addition, the service offers security for the customer, as PayPal is a large and established company that many people trust and can be turned to if there are any difficulties with the delivery or fulfillment of the contract.
You might even lose customers if you don’t offer the preferred payment service. Due to the fact that PayPal is one of the most popular payment services, the pressure to offer this method may well be enormous.
Below I’ll explain how you can use PayPal without hesitation and what you should pay attention to when using it.
What data is processed?
The data processed by PayPal are a combination of personal data that are strictly necessary to provide the service, such as:
- Name
- Address
- Phone number
- E-mail address
- Bank account number
as well as transaction data, which are incurred during the payment:
- Payment amount
- Device information
- Geolocation data
Legal foundation for the processing
The basis for the processing of the data results from the GDPR in combination with the TTDSG, whereby the GDPR takes precedence should there ever be a collision.
The GDPR regulates the processing of personal data and the TTDSG focuses on access to the end device, e.g. the use of cookies.
When is there a requirement for consent?
Personal Data
The processing of personal data is only permitted if at least one of the letters of Art. 6 (1) GDPR is fulfilled. The two important letters are the following:
- The data subject has given their consent (lit. a)
- The processing is necessary to protect your legitimate interest (lit. f)
Cookies
According to Art. 25 (1) TTDSG, consent is required if cookies are set that are not technically absolutely necessary.
It should be noted that this covers not only the well-known small text files and pixels, but all technologies that make it possible to identify, link or infer a user, a user agent or a device.
Thus, all information elements that enable the identification of a person are subject to consent.
The requirements for exemption from consent
To ensure consent-free use, the following conditions would need to be met:
- Conclusion of a processing contract with the processor
- No use of cookies or similar profiling techniques
- Processing of personal data exclusively in Europe
- The processor does not use the obtained data for its own purposes
- The processor does not link or enrich the data across different websites
- Possibility of opting out or revoking as well as detailed information about the collection of personal data in the privacy statement
- IP anonymization (“Privacy by Default”)
- Automatic opt-out for Do-Not-Track settings in the browser
- Proof of points 1-8 carried out by the website operator
IP address
Note that the IP address is generally personal data. If you want to prevent personal data from being transmitted, you must always ensure that the IP address is masked.
Server location
As long as it is unclear whether data is collected at a secure server location, compliance with the GDPR is difficult to establish.
Company headquarters
In the case of American companies or their subsidiaries, the fact that it is an American company must also be taken into account. Since the ruling on the Privacy Shield, American companies are located in an unsafe third country.
Why is PayPal subject to consent?
- PayPal collects personal data, which requires consent according to Art. 6 para. 1 lit. a GDPR.
- PayPal sets cookies, which is subject to consent according to Art. 25 para. 1 TTDSG.
- It can be assumed that the service also collects the IP address of the customers, at least in the log files.
- Since PayPal is a US company, strictly speaking no personal data may be transmitted to it.
- A data processing agreement (AVV) does not need to be concluded with PayPal, as the user has a direct relationship with PayPal.
Thus, there are violations of the above-mentioned points 2, 3, 7 and 9. Freedom from consent cannot be established.
DISCLAIMER: This does not mean that the points not mentioned are fulfilled.
So the users’ consent is required, but that should not be a problem, since the user consciously chooses the service and must then give consent if they want to use it.
Conclusion on the data protection compliant use of PayPal
Since PayPal receives personal data from your customers, you will not be able to avoid obtaining consent. Advantage: You don’t have to sign a data processing agreement (AVV), because the customer has their own contract with PayPal.
Since PayPal is a US service, its use is a gray area. However, it could possibly become a disadvantage for you to do without PayPal, as the service is said to be massively popular.
Cookiebox tip: However, it doesn’t hurt to provide other payment providers that are just as convenient but not based in the United States.
Any questions?
Then feel free to call us. We will help you with questions about our product and features or generally about all data protection topics: