Paypal rant

I get it in the scheme of things this is very much first world, but they have my credit card and bank details and it'll be when not if they get hacked and all that data goes out to whoever

I wouldn't say that's first world at all! It's completely understandable for you to not want this additional risk/worry!
 
I only use Paypal to buy stuff nowadays, I would never trust them when selling.

If I ever sell anything on FB I would only accept cash/BT on collection, or BT only if posting.
 
PayPal are *****.

So I went through the process to close my account and remove my personal data.

I did close my account but I got an email saying only "some" of my data was removed. Which amounted to not very much at all was actually removed.

I understand AML regulation (believe me) and I understand they need to keep records, but as I pointed out to them, I have not transacted with PayPal for at least 5 years, probably more like 10, they have no legitimate reason to keep my data.

I put in a complaint but they gave me quite a generic response so I'm not giving up, I'll take it to the ombudsman otherwise.

I get it in the scheme of things this is very much first world, but they have my credit card and bank details and it'll be when not if they get hacked and all that data goes out to whoever. At least with your own bank you have a first party relation, whereas with PayPal you'll get your bank blaming PayPal and vice versa.
 
GDPR is your friend here. Create and send them a DSAR to find out what info they have of yours. Then send them a removal request for that data, specifically stating you withdraw consent for them to store your data for any purpose, and you're exercising your right to erasure under GDPR. Remind them that they need to comply within a reasonable timeframe or you'll be going to the ICO.

Anything they are financially obligated to keep under FCA regulations won't be removed, but it will get your data with them as barren as it can be.

Yup and thank you for your post.

I am well aware of GDPR, they are in breach of purpose limitation. They need to have a legitimate reason to keep my information. Yes I understand there is a need under AML (anti money laundering) regulation and had I been recently transacting through them, I would understand that.

But I have not, I have not used them for at least 5 years, more like 10. They have no right to store my information against my will.
 
Fired this off just now:

Good Morning,

Sorry but that isn't correct. I understand from AML (anti money laundering) regulation that there may be a need to keep information. However, as stated, I have not transacted via PayPal, for a good many years, at least 5, I believe over 10 years.

Keeping my personal information for a further 10 years from now, is not a reasonable amount of time, that goes against storage limitation under GDPR.

Using terms like, "our policy" and "the law" sorry but that just isn't correct, you need to have a legitimate reason if you are to hold my information against my will. A blanket "we just delete it 10 years after an account is closed" is not a good enough justification.

This is sensitive information you hold, you have my address, DOB, bank and credit card details, I do not want you to store this information.

Unless, you can clearly and specifically confirm to me, a legitimate reason for holding on to my information:
  • Specifically what information you hold (categorised into bank details, address, DOB, credit card details, transactional history)
  • The specific reason why each set of information is held
  • The specific time frame that each set of information is intended to be held, and the justification for this

If you cannot confirm the above, and do not remove my information, I will first raise the complaint via the financial ombudsman, and escalate it further if needed.

Thank you

I already know that they will not be able to confirm what they hold and justify it, but I already know they are storing it, because the email they sent to me yesterday confirmed they are storing it, so they are in a catch-22. I'll have them for this, I reckon the ombudsman will agree with me.
 
Are you speaking to their DPA or just customer service? Their CS people won't have a clue and won't be responsible for fulfilling requests under GDPR. Their privacy policy states under section 7:

7. How long does PayPal store your Personal Data?
We retain Personal Data for as long as needed or permitted in context of the purpose for which it was collected and consistent with applicable law.

The criteria used to determine our retention period is as follows:

Personal Data used for the ongoing relationship between you and PayPal is stored for the duration of the relationship plus a period of 10 years
Personal Data in relation to a legal obligation to which we are subject is retained consistent with the applicable law, such as under applicable bankruptcy laws and AML obligations.
We retain Personal Data for the least amount of time necessary where retention is advisable in light of litigation, investigations, audit and compliance practices, or to protect against legal claims.

This would suggest their standard retention is from your last transaction plus 10 years, as you've received in their response.

However, it doesn't go into any real detail. If you had an issue with their responses, I'd go to the ICO rather than the financial ombudsman as your request relates to data and not a financial matter. The FCA won't enforce GDPR to my understanding. But then you'd need the FCA to tell you what data they are obliged to retain, I suppose.

I'd be evaluating the worth of further effort - you would expect a company as large as PayPal to have their compliance obligations rather solid. Keeping data for millions of users for 10 years is expensive. They likely wouldn't do it unless it was necessary under regulations.
 