|Title:||Commission Recommendation 87/598/EEC of 8 December 1987, concerning a European code of conduct relating to electronic payments
Note: this recommendation was further elaborated in Recommendation 97/489/EC, with regard to the relationship between issuer and holder; see http://eur-lex.europa.eu/LexUriServ
|Topic:||Good practices for electronic payment systems (carried out by means of a card incorporating a magnetic strip or microcircuit used at an electronic payment terminal (EPT) or point-of-sale (POS) terminal)|
|Direct / indirect relevance||Direct. The text focuses on electronic payments, and includes specific provisions on data protection and information security.|
|Scope:||Nonbinding recommendation to issuers of electronic payment solutions, specifically card issuers|
|Legal force:||Not legally binding on natural persons, legal entities or Member States|
|Affected sectors:||Providers of electronic payment solutions, specifically card issuers|
|Relevant provision(s):||4. Data protection and security
(a) Electronic payments are irreversible. An order given by means of a payment card shall be irrevocable and may not be countermanded.
(b) The information transmitted, at the time of payment, to the trader's bank and subsequently to the issuer must not in any circumstances prejudice the protection of privacy. It shall be strictly limited to that normally laid down for cheques and transfers.
(c) Any problems whatsoever that arise in connection with the protection of information or with security must be openly acknowledged and cleared up at whatever stage in the contract between the parties.
(d) Contracts must not restrict traders' freedom of operation or freedom to compete.
IV. SUPPLEMENTARY PROVISIONS
2. Relations between issuers and consumers
Cardholders shall take all reasonable precautions to ensure the safety of the card issued and shall observe the special conditions (loss or theft) in the contract which they have signed. […]
|Relevance to RM/RA:||The document provides a number of general non-binding recommendations, including a requirement that privacy be respected and that any security or confidentiality problem be openly acknowledged and resolved at whatever stage of the contract, which presupposes that such risks are mitigated by all reasonable means.
The abstract and generic character of the recommendations (many of which have since been developed in more specific norms, e.g. the Privacy Directive) means that they are of limited use in assessing the validity of existing RM/RA practices. Nonetheless, this is one of the few norms that contains a clear obligation to inform users of any security and/or confidentiality risks.