For most of our customers, the answer is NO if you use our terminal ONLY for the presentation of cards ("card present"). The card number on the receipts is asterisked out so personal data is not concerned. The customer makes an active decision for payment of the business transaction (= contractual basis) by using his or her card. In addition, the card-issuing banks provide the cardholders with the information on processing and data transmission which is associated with card use.
If you use the activation for card numbers in distance selling ("MOTO"), then the answer is YES. The receipt (e.g. via booking platforms or via your website) and administration of the data until input in our terminal represents the processing of personal data on your part. In this case, you have to document these transactions in your processing directory.
Hobex offers e-Commerce solutions for accommodation companies as a secure alternative to the processing of card numbers in distance selling, meaning that you are not subject to the GDPR or the PCI DSS regulations in this respect. This is because you are threatened with two penalties if card numbers are lost in your company - one on the basis of the General Data Protection Regulation and the other via the credit card organisations pursuant to the PCI standard.
The processing of card data is not defined for the dealers as data processing by VISA and Mastercard but as standalone data processing with hobex as the data owner.
The statement of the Austrian Chamber of Commerce that banks are not processors is also valid in the general sense for licensed payment institutions like hobex: https://www.wko.at/service/unternehmensfuehrung-finanzierung-foerderungen/eu-dsgvo-auftragsverarbeiter-faq.html#25
Having said this, you are responsible for the security of the terminals within your company as a user of the terminals. The terminals may not be left unsupervised and must be visually inspected for manipulations at regular intervals.
hobex requests for address/invoice data from its dealers if reverse entry of a payment has been made. In this case, the contractual relationship between you and the cardholder has not been fulfilled (breach of contract) and you pass the data on to us to rectify the fault (similar to the case in which you give customer data to a lawyer to bring an action). If you have already received the amount from us, a legal claim of hobex to the data of the obligor as a new creditor comes into being.
If you decide not to provide the address/invoice data, we will pass the reverse entry back to you and you will have to clarify the default of payment with the obligor yourself.