On September 12, 2011, the Commissioner for Data Protection and Freedom of Information of the German federal state of North Rhine-Westphalia (“DPA”) imposed a fine of €60,000 on Easycash GmbH (“Easycash”), a leading German service provider for electronic payments.
The DPA fined Easycash because the company unlawfully transferred bank account information, including the location, time and amount of specific transactions, to an affiliated company to analyze for customer loyalty and bonus programs. The investigation revealed that bank account information had been transferred in approximately 400,000 instances. The DPA’s press release stated that “companies offering payment transaction services to merchants as trustees must exercise special care regarding such data. Such companies should not transfer this type of sensitive data revealing payment history and account information that may also be used for profiling individuals, to third parties for other purposes.”
According to the press release, Easycash has accepted the fine. In addition, the DPA is investigating the data processing associated with payment transactions at Easycash.