Your customers as cardholders are data subjects, whose personal data is processed within the card service. This processing is based on the performance of a contract (terms & conditions of your service) between the Issuer and the data subject and legal obligations (e.g. obligations set out in AML legislation) of the Issuer. As the Issuer, you act as the data controller. In case a BIN sponsor is used, this party is the data controller for processing related to the card. As your service provider, Enfuce acts as a data processor while performing Card as a Service. A Data Processing Agreement is formed between the Issuer and Enfuce, defining the obligations of each party. Data processed as part of Card as a Service may include:

Data typeTypes of personal data processed
Transaction dataCardholder data, which may include name, email, SSN and/or physical address, PAN information, transaction location, and payment and transaction data.
Anti-money Laundering (AML) dataKnow-Your-Customer (KYC) data: full name, email address, passport image with Date of Birth (DOB) and Nationality, and verification of same with public registers, Politically Exposed Person (PEP) lists, sanction lists and credit agencies.
Open Banking Compliance DataCustomer authorisation information and cookies-related information; third-party developer cookies-related information and username, password and use of sandbox.
My Carbon Action dataCustomer’s nutrition, housing, mobility, consumer goods, leisure and services use and preferences-related information.