Reasons for retaining customer credit card data explained
PIPEDA findings #2017-010
December 27, 2017
Description
A retail store refused to delete records of credit card transactions following the complainant’s request. Initially, the retail store told the complainant that it was contractually obliged to retain information by credit card companies. The retail company later explained to our Office that it was also legally obliged to retain transactional data under the Excise Tax Act. Our Office relayed this information to the complainant, who was satisfied with the explanation.
Takeaways
- Under the consent principle of PIPEDA, an individual may withdraw consent at any time, but this right may be limited by legal or contractual restrictions.
Case Summary
A complaint was lodged against a retail company regarding consent; more specifically, the withdrawal of consent. The complainant objected to the retail store keeping records of her credit card transactions and its refusal to delete the information upon her request. She was dissatisfied with the explanation provided to her by the company, which was that the retail store is contractually required to retain the information for a certain period by credit card companies.
The retail company provided our Office with a more detailed explanation about the company’s retention practices and noted its legal obligations under the Excise Tax Act to retain transactional data. Our Office relayed this additional information to the complainant, who accepted the explanation.
Update
The complainant was satisfied with the intervention of our Office and considered the matter resolved. The complainant commented that had the respondent provided the information to her when she had questioned the practice initially, she would not have needed to complain to our Office.
- Date modified: