Rec. 47 (6) GDPR clarifies that fraud prevention is a legitimate interest of the controller:
“The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned.”
However, fraud prevention can also be an interest of the data subject. The GDPR explicitly mentions identity fraud as a possible risk of data processing [Tile DS.12].
Finally, the monitoring and prevention of fraud and tax-evasion can also be a public interest, as Rec. 71 (3) GDPR clarifies in the context of profiling and credit scoring.
The multidimensionality of data processing is thus again reflected in the fact that fraud prevention can be an interest of the controller, an interest of the data subject and a public interest.
Art. 94 I 1 Payment Services Directive 2015/2366 says:
"Member States shall permit processing of personal data by payment systems and payment service providers when necessary to safeguard the prevention, investigation and detection of payment fraud."