swico / www.swiss-qr-invoice.org

Website for Swiss QR Invoice organization.

What means "Billing data must not include any personal data"? #38

Open softdch opened 1 year ago

softdch commented 1 year ago

Hello there,

According to the Swiss Implementation Guidelines for the QR-bill Version 2.2, chapter 4.3.3, "Billing data must not include any personal data", but a customer reference number /20/.... may contain the name of a client, especially for my customer's customers. Do you see a problem using the customer reference then? There's no way for us to detect whether this reference includes personal data or not.

Kind regards,
Stefan

nicolasguillet commented 1 year ago

Dear Stefan

If the payments the banks generate from a QR bill contain personal data, it means that a payment might be rejected due to money laundering prevention reasons.

But, the so called «Swico String» is information from the bill sender to the bill receiver only, and is not intended to be processed by banks at all (that is, except for the payment due date, which would make sense for banks to retrieve from the Swico String, but most don’t).

So, you can try to get away with this, but as soon as somebody (a bank, e.g.) complains, your customer might have to change the bill number or the customer reference. I would suggest changing this upfront, because it might generate issues sooner or later.

A good argument for the customer to change this is that he probably doesn't want to do anything that prevents the customer's money from getting to him. :-)

Kind regards,
Nicolas

softdch commented 1 year ago

Hello Nicolas

Thank you for your appreciated reply. This made sense to me. But now, reconsidering a reply from Six and re-reading the "Additional information" section in table 3, chapter 3.5.4 of the Implementation Guidelines ("It must be ensured that all personal data is displayed."), I am confused even more.

Here is the reply from Six (translated from German): The «Additional information» consists of the elements «Unstructured message» and «Billing information». Page 18 describes what must be printed. And if there is not enough space, data may be omitted, but not «personal data». Page 36 says that the element «Billing information» must not contain any personal data, whereas the element «Unstructured message» may. So if the customer reference is something for the «Unstructured message», then it is OK if a name is included, but in any case it must also be printed. On the first line, personal data would be allowed and must be printed. On the second line, personal data is not allowed.

Obviously, it may contain personal data, but must not!?!? The banks do actually process the unstructured message, while normally they wouldn't care about the Swico part. So, when providing a customer reference in either data field, I would never be able to control whether it contains personal data or not (unless I'd ask ChatGPT in advance ;) ). If I could control the content, it wouldn't be the customer's reference.

Do you know companies that are providing the customer reference on their invoices? I, personally, would still risk it and provide the information.

Kind regards,
Stefan

epsitec commented 1 year ago

We definitely provide all information in the SWICO string. We don't consider the customer reference to be personal information. And it is up to the biller to decide how she or he interprets the privacy policies. Personally, I would not consider a customer reference such as "Hans Meier" to be personal information; a first name and a last name are certainly not sufficient to identify someone, unless you have a very infrequent name...

nicolasguillet commented 1 year ago

Dear Stefan

I agree with Pierre. See, the whole topic comes from a few overly anxious bank legals (sorry for that, but it's true). In a QR bill, the customer is already identified; it doesn't matter if the customer's name also appears in the Swico String. So what other info could be GDPR-sensitive?

Kind regards,
Nicolas