Privacy and data protection
The European Union’s General Data Protection Regulation (Regulation (EU) 2016/679) regulates the processing of personal data and applies to financial data processed by Issuers of payment instruments.
Your customers, as cardholders, are data subjects whose personal data is processed within the card service. This processing is based on the performance of a contract (the terms & conditions of your service) between the Issuer and the data subject, and on the legal obligations of the Issuer (e.g. obligations set out in AML legislation). As the Issuer, you act as the data controller. If a BIN sponsor is used, this party is the data controller for processing related to the card. As your service provider, Enfuce acts as a data processor while performing Card as a Service. A Data Processing Agreement is formed between the Issuer and Enfuce, defining the obligations of each party.
Data processed as part of Card as a Service may include:
Data type | Types of personal data processed |
---|---|
Transaction data | Cardholder data, which may include name, email, SSN and/or physical address, PAN information, transaction location, and payment and transaction data. |
Anti-money Laundering (AML) data | Know-Your-Customer (KYC) data: full name, email address, passport image with Date of Birth (DOB) and Nationality, and verification of same with public registers, Politically Exposed Person (PEP) lists, sanction lists and credit agencies. |
Open Banking Compliance Data | Customer authorisation information and cookies-related information; third-party developer cookies-related information and username, password and use of sandbox. |
My Carbon Action data | Customer’s nutrition, housing, mobility, consumer goods, leisure and services use and preferences-related information. |