HomeInsightsEuropean Data Protection Board adopts Statement on Data Governance Act and Recommendations on the legal basis for the storage of credit card data


At its 49th plenary session on 19 May 2021 the EDPB adopted a Statement on the Data Governance Act (DGA) in light of developments in the legislative process. The Statement is a follow-up to the joint EDPB-EDPS Opinion on the DGA and reinforces its main points. The EDPB reiterates that without robust data protection safeguards, there is a risk that trust in the digital economy would not be sustainable. The Statement also highlights the need to ensure consistency of the DGA with EU data protection acquis and urges co-legislators to carefully consider certain aspects, such as the interplay between the DGA and the GDPR, and the importance of ensuring that the new definitions and concepts are not incompatible with the GDPR.

The EDPB also adopted Recommendations on the legal basis for the storage of credit card data for the sole purpose of facilitating further online transactions. The Recommendations cover situations where data subjects buy a product or pay for a service via a website or app and provide their credit card data in order to conclude the transaction. In those situations, the data subject does not reasonably expect the credit card data to be stored for longer than is necessary to pay for the goods or services, neither is it evident that the storage of the credit card data to facilitate future purchases is necessary to pursue the legitimate interest of the controller or a third party. As such, consent in accordance with Article 6(1)(a) GPDR is the sole appropriate legal basis for storing credit card data after the purchase. To access the Statement and the Recommendations, click here.