Sensitive data requested for refund processing
A company owes me a refund and in order for this to happen they are requesting the following:
"send a copy of the front of your debit card plus either a copy of your passport, driving license or Utility bill dated within the last 3 months.
Unfortunately our accounts team are unable to process the refund without these."
I am not happy providing any of this and do not think this is needed for a refund. Can you please advise?
Assign topic to the user
Article 5 (c) GDPR requires processing personal data according to the principle of data minimization which means that organization shall require as few as possible personal data. However, you should check the privacy notice of the company and their refund policy. Sometimes additional data may be required by antifraud company process or required by law.
Here you can find some information:
- GDPR Article 5 – Principles relating to processing of personal data: https://advisera.com/gdpr/principles-relating-to-processing-of-personal-data/
- Four main questions for obtaining and managing data subjects’ consent under GDPR: https://advisera.com/eugdpracademy/knowledgebase/four-main-questions-for-obtaining-and-managing-data-subjects-consent-under-gdpr/
- Is consent needed? Six legal bases to process data according to GDPR: https://advisera.com/eugdpracademy/knowledgebase/is-consent-needed-six-legal-bases-to-process-data-according-to-gdpr/
You may also consider enrolling in this online EU GDPR Foundations Course:
- EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//
Comment as guest or Sign in
Jun 12, 2020