cross-posted from: https://slrpnk.net/post/2475061
I went to a cafe in Amsterdam which turned out to not only be cashless, but their payment processor was “Zettle”. Zettle is owned by #PayPal (who shares customer data with over 600 corporations).
So my question is, apart from the expected privacy consequence of your bank & the recipient’s bank recording your transaction, what does Paypal walk away with? Paypal is a data-abusing US-based company. But OTOH the shop is in a #GDPR region. Does the GDPR give any protection in this case?
IIUC, customers consent by default to their data being processed by the merchant & whoever the merchant hires (Paypal), and from there whoever paypal shares with & on down the endless chain. The only notable GDPR protection I can think of is that the data must remain in the EU. So the transaction data cannot be sent to Paypal’s servers in the USA – correct?
BTW, I asked the owner why he trusts Zettle & also why he does not accept cash. He conceded right away that he didn’t like it either. He said he’s cashless for security and that when he looked at a number of electronic payment systems, Zettle was the cheapest. For me, “cheapest” is a red flag. It’s probably cheap because the data is probably being monetized.
Concrete question: if an American feeds a US-issued credit card into a #Zettle terminal to buy a creme-filled artery-hardening pastry in Amsterdam, is there anything to stop Paypal from doing the processing on the US-side of the transaction before selling that info to a US health insurance company?
I hate that the world is going this way, I am resisting it in any way I can, but I know it’s a losing battle. Until then, unless I can pay in cash you do not get my custom.
To try and answer your question "We will not share personal data with third parties for them to use for their own marketing purposes without ensuring that there is a lawful ground to do so.’
But, ‘We process personal data obtained from selected third parties such as credit bureaus, fraud detection agencies, other financial institutions and other information providers, and from publicly available sources (such as population registers and registers held by tax authorities, company registration offices, enforcement authorities etc). Third parties from which we obtain personal data can also be e.g. social networks or similar that you have linked your Zettle account with. In connection with payments we collect information from e.g. banks, payment service providers and others.’
And ‘PayPal Group. We may share personal information with members of the PayPal Group for the purposes set out in this Privacy Policy.’
Ianal, it seems like they don’t share or sell, except when it benefits them. Whether they can send the data back to the States, seems murky. If you were linking to a US based Visa/ Bank they would obviously have to, which may then let them use a data loophole. They also say their pos system contains analytics, so they know you are clogging your arteries, and how often. And if you’re using Bluetooth/ WiFi there they know for how long, and even if you walk by the shop.
https://web.archive.org/web/20230908034734/https://www.zettle.com/gb/legal/privacy-policy
Also, this is the UK policy in English, which may differ from the policy you were subjected to.