GDPR & Chargebacks: What Data Can You Use as Evidence?


Chargebacks depend on evidence. Issuers want to see clear data that shows a transaction was valid. Merchants need to provide that data within strict deadlines. The challenge is that many merchants also operate under the General Data Protection Regulation. GDPR creates obligations around how personal data is collected, stored, and shared. This can lead to uncertainty about what can be included in a chargeback response and what must be withheld.

This article explains how GDPR applies in a chargeback context, what data merchants can use as evidence, and how to avoid compliance risks while still defending transactions.

GDPR Does Not Block Chargeback Evidence

GDPR allows merchants to process and share personal data when there is a lawful basis. Chargeback evidence falls under two lawful bases. The first is “contractual necessity”. The second is “legitimate interests”. Merchants must communicate with banks to complete the payment process; this includes resolving disputes.

The European Data Protection Board has confirmed that personal data may be shared with banks or payment processors when required to prevent fraud or resolve a payment dispute. Chargeback activity fits this category. The key is to ensure that the data shared is relevant, limited, and tied to a valid business purpose.

Use Only Data That Is Necessary for the Dispute

GDPR sets a core rule: you may only use personal data that is needed for the specific task at hand. This principle is known as “data minimisation”. Merchants should avoid including anything that is not essential.

Typical examples of permissible data include:

Order Information

You can use order details to show that goods or services were delivered. This may include order numbers, item descriptions, shipping methods, tracking IDs, timestamps, and customer-submitted contact information.

Billing Details

You may include the billing name, address, or the last four digits of the payment card. This helps confirm that the information entered during checkout matches what the issuer holds on file.

Delivery Records

Proof of delivery is often central to a dispute. It is acceptable to include delivery confirmation from a carrier, signature logs, or confirmed delivery scans.

Customer Communications

Merchants may share customer emails, support tickets, or chat transcripts if they help to show that the customer used the product or acknowledged the transaction. Merchants should redact unrelated personal information if it is not needed to support the case.

Login & Access Data

Fraud-related disputes often require evidence showing that a customer logged into an account, accessed digital content, or used a service. Timestamps, IP addresses, and device identifiers can be included when relevant. GDPR allows the use of these fields for fraud prevention and dispute resolution when properly safeguarded.

AVS, CVV, or 3-D Secure Data

Data tied to authentication or verification can be used when it supports a claim that the transaction was genuine. However, raw CVV values should never be stored or provided, since the Payment Card Industry Data Security Standard prohibits merchants from storing CVV codes after authorization.

Be Careful with Sensitive Data

GDPR places stricter controls on certain categories of data. Merchants should avoid including anything that qualifies as “special category” data. This includes health details, biometric identifiers, political opinions, or any information tied to protected categories.

Most chargeback scenarios do not require this type of data. If sensitive data somehow appears in customer messages or uploaded files, it should be redacted unless its inclusion is essential. In practice, almost no dispute will require the use of special category data to prove transaction validity.
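The following Python script, added here as an illustration and not taken from the article, shows one way to assemble an evidence pack that follows the rules above: an allow-list keeps only the permissible categories, the card number is reduced to its last four digits, a stored CVV is treated as an error rather than quietly dropped, email addresses and phone numbers in a support transcript that are not the cardholder's own are redacted, and a note containing health information never reaches the pack because it is not on the allow-list. The internal field names, the regular expressions and the sample record are constructed assumptions.

```python
"""Assemble a data-minimised chargeback evidence pack from an internal order record.

Added example; it is not code from the original article. The internal record
layout, field names and sample data below are constructed assumptions.
"""
import re

# Allow-list of evidence fields per category, following the categories the
# article describes (field names are assumed internal names).
EVIDENCE_FIELDS = {
    "order": ["order_id", "items", "shipping_method", "tracking_id", "ordered_at", "customer_contact"],
    "billing": ["billing_name", "billing_address", "card_last4"],
    "delivery": ["carrier_confirmation", "delivered_at", "signature_log"],
    "communications": ["support_transcript"],
    "access": ["login_at", "login_ip", "device_id"],
    "verification": ["avs_result", "cvv_result", "three_ds_result"],
}

# PCI DSS forbids storing the CVV after authorisation, so its presence in a
# stored record is a defect to surface, not a field to silently drop.
NEVER_STORED = {"cvv"}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")
PHONE_RE = re.compile(r"\+\d[\d\s-]{7,}\d")


def last_four(card_number: str) -> str:
    """Reduce a card number to its last four digits, the only part needed as evidence."""
    digits = re.sub(r"\D", "", card_number)
    if len(digits) < 4:
        raise ValueError("card number too short")
    return digits[-4:]


def redact_unrelated_pii(text: str, keep: set) -> str:
    """Mask email addresses and phone numbers that are not the cardholder's own.

    The cardholder's contact details are relevant evidence (they tie the
    message to the transaction); anyone else's are unrelated personal data.
    """
    def _sub(match):
        return match.group(0) if match.group(0) in keep else "[REDACTED]"
    return PHONE_RE.sub(_sub, EMAIL_RE.sub(_sub, text))


def build_evidence_pack(record: dict, categories: list) -> dict:
    """Return only the allow-listed fields for the requested evidence categories."""
    stored_forbidden = NEVER_STORED & set(record)
    if stored_forbidden:
        raise ValueError(f"record holds data that must never be stored: {sorted(stored_forbidden)}")

    # The full PAN never enters the pack; only the truncated form does.
    source = dict(record)
    if "card_number" in source:
        source["card_last4"] = last_four(source.pop("card_number"))

    pack = {}
    for category in categories:
        for field in EVIDENCE_FIELDS[category]:
            if field in source:
                pack[field] = source[field]

    if "support_transcript" in pack:
        cardholder = {source.get("customer_contact", "")}
        pack["support_transcript"] = redact_unrelated_pii(pack["support_transcript"], cardholder)
    return pack


# Constructed sample record; every value is made up.
SAMPLE_RECORD = {
    "order_id": "ORD-10482",
    "items": ["Noise-cancelling headphones"],
    "shipping_method": "tracked courier",
    "tracking_id": "TRK-7781-Q",
    "ordered_at": "2024-03-01T10:22:00Z",
    "customer_contact": "alice@example.com",
    "billing_name": "Alice Example",
    "billing_address": "1 Sample Street, Example City",
    "card_number": "4242 4242 4242 4242",
    "carrier_confirmation": "Delivered, left with recipient",
    "delivered_at": "2024-03-04T14:05:00Z",
    "login_at": "2024-03-02T08:10:00Z",
    "login_ip": "203.0.113.25",
    "device_id": "dev-9f2c",
    "avs_result": "Y",
    "cvv_result": "M",
    "three_ds_result": "authenticated",
    "support_transcript": (
        "alice@example.com: Please send the invoice to my colleague bob@example.org, "
        "or call him on +44 7700 900123."
    ),
    # Special-category data that must not be sent; it is absent from the allow-list.
    "loyalty_notes": "Customer mentioned a medical condition when asking about returns",
}

if __name__ == "__main__":
    pack = build_evidence_pack(SAMPLE_RECORD, ["order", "billing", "delivery", "communications"])
    for key, value in pack.items():
        print(f"{key}: {value}")
```

Requesting only the categories the dispute reason needs (for example, leaving out "access" for a delivery dispute) is what keeps the pack minimal; the allow-list only bounds what can be included, it does not decide what should be.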

Limit What You Keep and How Long You Keep It

Issuers and payment processors expect strong evidence in a dispute. GDPR expects strong documentation of how you use personal data. Merchants should maintain clear internal records that explain:

  • Why each category of data is collected
  • How the data supports payment processing and fraud prevention
  • How long the data is retained
  • Who may access the data
  • How data is protected

This documentation does not need to be shared during the representment process. It simply needs to exist as part of the merchant’s compliance framework.

That said, many merchants collect more data than necessary, which creates compliance issues of its own. GDPR requires clear retention rules. Data should only be stored as long as it is needed to fulfill a legitimate purpose. In a chargeback context, that purpose is the transaction lifecycle, including any dispute or representment.

Merchants should maintain a retention schedule that covers order records, fraud screening logs, and evidence files. Once the period during which a dispute may arise has passed, the data should be deleted or anonymized. This lowers risk and supports GDPR compliance.
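As an added example (not code from the article), the Python script below applies a retention schedule of the kind described above to order records, fraud screening logs and evidence files: each record kind has its own anchor date and retention period, an open dispute pauses the clock, evidence files are deleted once their window closes, and order and screening records have their direct identifiers stripped so that only non-personal fields survive for reporting. The retention periods, record kinds and sample data are constructed assumptions; real windows must come from the card network rules and legal counsel.

```python
"""Apply a retention schedule to dispute-related records, deleting or
anonymising them once the period in which a dispute could arise has passed.

Added example; it is not code from the original article. The retention
periods, record kinds and sample data are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed schedule: days to keep each record kind after its anchor date.
# The numbers are illustrative placeholders, not regulatory values.
RETENTION_DAYS = {
    "order": 365,            # anchor: order date; spans the dispute window and any representment
    "fraud_screening": 180,  # anchor: screening date
    "evidence_file": 90,     # anchor: date the dispute was closed
}

# Direct identifiers removed on anonymisation; non-identifying fields such as
# amounts, dates and outcomes are kept for accounting and statistics.
PII_FIELDS = {"billing_name", "billing_address", "customer_contact", "login_ip", "device_id"}


@dataclass
class Record:
    kind: str
    anchor: date                # date the retention clock starts
    data: dict
    open_dispute: bool = False  # an open dispute always pauses the clock


def retention_action(record: Record, today: date) -> str:
    """Decide whether a record is retained, anonymised or deleted as of `today`."""
    if record.open_dispute:
        return "retain"
    expiry = record.anchor + timedelta(days=RETENTION_DAYS[record.kind])
    if today < expiry:
        return "retain"
    # Order and screening records keep their non-personal fields for reporting;
    # evidence files exist only for the dispute and are removed outright.
    return "delete" if record.kind == "evidence_file" else "anonymise"


def anonymise(data: dict) -> dict:
    """Drop direct identifiers. Replacing them with a keyed hash would only
    pseudonymise the data, which GDPR still treats as personal data."""
    return {k: v for k, v in data.items() if k not in PII_FIELDS}


def apply_schedule(records: list, today: date) -> dict:
    """Group records by the action taken; anonymised records are rewritten in place."""
    outcome = {"retain": [], "anonymise": [], "delete": []}
    for rec in records:
        action = retention_action(rec, today)
        if action == "anonymise":
            rec.data = anonymise(rec.data)
        outcome[action].append(rec)
    return outcome


# Constructed sample data; all values are made up.
SAMPLE_RECORDS = [
    Record("order", date(2024, 3, 1),
           {"order_id": "ORD-10482", "total": 199.0, "billing_name": "Alice Example",
            "customer_contact": "alice@example.com"}),
    Record("order", date(2023, 6, 15),
           {"order_id": "ORD-9021", "total": 45.5, "billing_name": "Bob Example",
            "customer_contact": "bob@example.org"}),
    Record("fraud_screening", date(2024, 1, 10),
           {"order_id": "ORD-9950", "score": 12, "login_ip": "203.0.113.25", "device_id": "dev-9f2c"}),
    Record("evidence_file", date(2024, 5, 1),
           {"dispute_id": "DSP-311", "path": "evidence/DSP-311.pdf"}),
    Record("evidence_file", date(2024, 5, 1),
           {"dispute_id": "DSP-312", "path": "evidence/DSP-312.pdf"}, open_dispute=True),
]

if __name__ == "__main__":
    for action, recs in apply_schedule(SAMPLE_RECORDS, date(2024, 9, 1)).items():
        print(action, [r.data for r in recs])
```

Running the schedule as a scheduled job with `today` taken from the clock, and logging which record ids fell into each bucket, gives the documented retention trail that the previous section asks merchants to keep.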

Best Practices for Risk Teams

GDPR requires transparency. Merchants must tell customers how their data may be used. A privacy notice should explain that transaction data may be shared with banks and payment processors to prevent fraud, resolve disputes, and support chargeback investigations.

This helps reduce compliance risk. It also establishes a clear expectation for customers who are unfamiliar with how the dispute process works.

To stay compliant and prepared, risk teams should:

  • Work with legal counsel to develop a clear data retention schedule
  • Redact personal data that is not relevant to the dispute
  • Avoid storing prohibited fields like CVV values
  • Maintain privacy notices that explain dispute-related data use
  • Use access controls to protect dispute evidence

These steps help merchants present a strong case to issuers while respecting GDPR rules.

GDPR does not prevent merchants from defending themselves in the chargeback process. It does, however, require them to be deliberate in how they collect, handle, and share personal data. By focusing on relevance, minimisation, and transparency, merchants can comply with the law and still present effective evidence.

Merchants who build strong processes around data handling are better prepared for disputes. They also reduce regulatory risk and help protect customer trust.