Can a website keep clients' banking information?
X orders a cooked meal online from company Y, located in Geneva, without logging into a client account.
When the meal is delivered, X's spouse, tempted by the smell, decides to order one as well.
That person goes to the same website from her own computer. When it is time to pay, she is surprised to find that her spouse's banking information is already known to the system.
She immediately calls the company, demands to speak with the manager and tells him what she thinks of this.
The company's boss was not fully aware of how the online ordering process worked. He admits that data security is not guaranteed and undertakes to have his webmaster intervene.
Recommendations
For online orders, only the information essential to the transaction may be collected and kept by the company. This scenario shows that data were collected via two different computers at the same geographical location, and that they were linked by means of the property's public IP address. The IP address is personal data that is unnecessary for the transaction; in this case, the company is not permitted to keep it.
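To make the failure concrete, here is an added example (not code from the page or from company Y) contrasting a checkout that prefills saved card details keyed on the client's public IP with one keyed on an unguessable per-browser session token that stores only a payment-processor reference. The IP address, card number and processor reference are constructed sample values.

```python
import secrets

# Constructed scenario: two browsers behind one home router share a
# single public IP, as in the Geneva case above (documentation-range IP).
SHARED_PUBLIC_IP = "203.0.113.7"


class IpKeyedCheckout:
    """Flawed design: saved card details are looked up by public IP.
    Every device behind the same NAT gateway sees the same record."""

    def __init__(self):
        self._cards_by_ip = {}

    def place_order(self, client_ip, card_number):
        self._cards_by_ip[client_ip] = card_number  # retains full card data

    def prefill_card(self, client_ip):
        return self._cards_by_ip.get(client_ip)


class SessionKeyedCheckout:
    """Hardened design: each browser receives a random session token, and
    only an opaque payment-processor reference is kept, never the card."""

    def __init__(self):
        self._refs_by_session = {}

    def new_session(self):
        return secrets.token_urlsafe(32)  # 256 bits, unguessable by others

    def place_order(self, session_token, payment_ref):
        self._refs_by_session[session_token] = payment_ref

    def prefill_card(self, session_token):
        return self._refs_by_session.get(session_token)


def demo():
    """Returns (leaked value, spouse sees in hardened design, owner sees)."""
    flawed = IpKeyedCheckout()
    flawed.place_order(SHARED_PUBLIC_IP, "4111111111111111")  # constructed test PAN
    leaked = flawed.prefill_card(SHARED_PUBLIC_IP)  # spouse's PC, same public IP

    safe = SessionKeyedCheckout()
    owner, spouse = safe.new_session(), safe.new_session()
    safe.place_order(owner, "psp_ref_constructed_001")
    return leaked, safe.prefill_card(spouse), safe.prefill_card(owner)
```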
Basic principles
Art. 4 and 7 LPD; proportionality, data security