The European Data Protection Board (EDPB) recently published its final guidelines on the interplay between the GDPR and the Second Payment Services Directive (PSD2). Already in 2018, Member of the European Parliament Sophie in ‘t Veld had asked the EDPB to clarify a few aspects of the relationship between these two legal frameworks, to which the EDPB responded with a brief letter.
In particular, the access of the new types of payment service providers – account information service providers (AISPs) and payment initiation service providers (PISPs) – to the user’s payment account data proved controversial. In its letter, the EDPB acknowledged that more follow-up was needed and called for further dialogue between the competent institutions on this matter. This has now resulted in the adoption of more elaborate guidelines.
In this blogpost, we briefly analyse the main points of these guidelines.
It is self-evident that the provision of payment services entails the processing of personal data. As a payment service user, you enter into an agreement with a payment service provider. This requires the payment service provider to process certain personal data, including your name and account information. Legal obligations, such as anti-money laundering rules, may also require payment service providers to process personal data, for instance in the framework of know-your-customer (KYC) obligations. The service provider may additionally want to process some personal data for marketing purposes, or to improve its services.
The PSD2 recognizes this personal data processing in article 94(1) by explicitly requiring such processing to be in line with data protection laws.
This means, amongst other things, that a suitable processing ground must be found in article 6 GDPR. As the brief overview above already makes clear, some of the processing will be necessary for the performance of the agreement between the payment service user and the payment service provider (article 6(1)(b) GDPR).
As always, it is important to distinguish between the different elements of the processing and to determine which elements can be argued to be ‘necessary’ for the performance of the agreement between the two parties. Elements that are not necessary will need a different processing ground, such as legal obligation (article 6(1)(c) GDPR), consent (article 6(1)(a) GDPR) or possibly legitimate interest (article 6(1)(f) GDPR). In the final guidelines, the EDPB confirms that processing for fraud prevention could constitute a legitimate interest. However, this requires a careful evaluation by the controller, in accordance with the accountability principle.
Once personal data have been collected, their further use is restricted. This is also articulated in articles 66 and 67 PSD2, which require PISPs and AISPs to use the data they obtain only for the provision of payment initiation services or account information services respectively. Further processing is therefore restricted to cases in which the provider acts with the data subject’s consent or under a legal obligation.
Users are free to use the services of AISPs and PISPs. When they do, their account servicing payment service provider (usually their bank) is required under PSD2 to provide the AISP and/or PISP with the data they need to provide their services. From a GDPR perspective, the account servicing payment service provider therefore has a legal obligation to transfer these data.
Under the GDPR, explicit consent is one of the exceptions in article 9 under which special categories of (sensitive) personal data may be processed. Since the PSD2 also uses the term ‘explicit consent’, the question arises to what extent this should be read as meaning the same thing as under the GDPR.
Here, the EDPB returns to the previous point, finding that most processing by payment service providers will be based on contractual necessity as the processing ground under the GDPR. Explicit consent under PSD2 therefore cannot be considered an additional processing ground in the sense of the GDPR.
Rather, it should be considered a requirement of a contractual nature. Data subjects entering into an agreement with a payment service provider must be made aware of the processing of their personal data and of the purposes for which their personal data are processed, and they must agree to this. This consent allows the service provider to gain access to the necessary data when those data are held by another service provider. An AISP, for instance, can use this explicit consent to obtain the necessary data from the user’s account servicing payment service provider. Under the GDPR, the AISP will subsequently rely on contractual necessity as the processing ground for processing those data in executing its agreement with the user. However, as under the GDPR, consent under PSD2 must be freely given: the user may not be forced into consenting.
When transferring funds, a payment service provider also needs to process some personal data of the recipient, such as the account number, together with the amount transferred. The recipient, however, may not have an agreement with the payer’s payment service provider, which makes the recipient a so-called ‘silent party’.
Given that there is no contractual relationship between the payment service provider and the silent party, the processing ground of contractual necessity cannot be used here. Nor has the silent party consented to the processing, and there will generally be no clear legal obligation either. As a result, the processing of the silent party’s personal data must be based on the processing ground of legitimate interest (article 6(1)(f) GDPR).
When relying on legitimate interest, a balancing test must be conducted between the interests of the controller or a third party and the interests of the data subject. Additional safeguards may be needed to balance these interests. These can include limiting the amount of silent party data processed, clear and strict purpose limitation, and strong encryption as a technical measure to protect the data.
Further processing of the personal data of silent parties for purposes other than those for which they were collected is only possible where required by law. Consent is not feasible here, nor can the compatibility test of article 6(4) GDPR be applied.
The EDPB finds that while financial data are not in themselves sensitive personal data in the sense of article 9 GDPR, they can contain or reveal such data. Church donations or trade union membership may, for instance, be derived from payment data. To process sensitive personal data in a payment context, one should look at the article 9 GDPR exceptions of explicit consent or substantial public interest. Where none of the article 9 GDPR exceptions applies, technical measures should prevent the processing of sensitive personal data, for instance by filtering out such data before the data are used.
The PSD2 also uses the term ‘sensitive payment data’. This has nothing to do with sensitive personal data in the sense of the GDPR; it refers to data, including personalised security credentials, that can be used to commit fraud.
Finally, the EDPB applies some of the general data protection principles to the payment context. In terms of data minimisation, service providers should not process more data than necessary for the provision of their services. An AISP, for instance, should determine the data types its service actually requires, rather than asking account servicing payment service providers for as wide a dataset as possible. Silent party data in particular can be limited in most cases. Moreover, only data relating to payment accounts may be shared, not data relating to other types of account.
In terms of security, the EDPB reiterates the high risks that payment data pose in the event of a data breach, for instance with regard to fraud. High security standards and strong customer authentication, as required by the PSD2, are therefore pivotal.
Apart from their information duties under PSD2, service providers acting as controllers under the GDPR must ensure proper transparency, data minimisation and the effectiveness of data subjects’ rights. Privacy dashboards or layered information notices are recommended. This transparency also includes informing the data subject about the use of automated decision-making, in line with article 22 GDPR.
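To make the minimisation, silent party and article 9 points concrete, the following is an added illustration (not part of the EDPB guidelines or of this post) of a filtering layer an AISP could place between the data it receives from an account servicing payment service provider and its own processing. The field names, category codes, the sample response and the pseudonymisation key are all constructed for the example; in particular, the keyed hashing of counterparty account numbers is one possible way of limiting silent party data and is offered here as an assumption, not as a measure the guidelines prescribe.

```python
"""Added example: a data-minimisation filter for data an AISP receives.

Everything below (field names, category codes, sample records, key) is
constructed for illustration and is not taken from the EDPB guidelines.
"""
import hashlib
import hmac
from typing import Any

# Fields the hypothetical AISP has determined it needs for its account
# aggregation service. Anything else received from the bank is discarded
# before the AISP processes it.
NECESSARY_FIELDS = frozenset({
    "transaction_id", "booking_date", "amount", "currency",
    "counterparty_name", "counterparty_iban", "description",
})

# Constructed category codes whose presence would let the AISP infer
# article 9 data (religious belief, trade union membership, health, politics).
ARTICLE_9_CATEGORIES = frozenset({
    "RELIGIOUS_DONATION", "TRADE_UNION", "HEALTHCARE", "POLITICAL_PARTY",
})

# Hypothetical per-AISP secret for pseudonymising silent-party IBANs.
# A real deployment would keep this in a key store, not in source code.
PSEUDONYM_KEY = b"example-key-not-for-production"


def pseudonymise_iban(iban: str) -> str:
    """Replace a silent party's IBAN with a keyed hash (HMAC-SHA256).

    Transactions can still be grouped per counterparty, but the raw
    account number of someone who has no agreement with the AISP is not
    retained. The mapping is deterministic for the same key and IBAN.
    """
    digest = hmac.new(PSEUDONYM_KEY, iban.encode("utf-8"), hashlib.sha256)
    return "cp_" + digest.hexdigest()[:16]


def minimise(accounts: list[dict[str, Any]]) -> dict[str, Any]:
    """Apply the minimisation rules to a constructed bank response.

    Returns the transactions the AISP may go on to process, plus counters
    showing what was dropped: non-payment accounts, transactions that would
    reveal article 9 data, and fields outside the declared necessary set.
    """
    kept: list[dict[str, Any]] = []
    stats = {"accounts_dropped": 0, "sensitive_dropped": 0, "fields_dropped": 0}
    for account in accounts:
        # Only payment accounts fall within PSD2 access; other account
        # types (savings, securities, ...) are not passed on at all.
        if account.get("account_type") != "payment":
            stats["accounts_dropped"] += 1
            continue
        for tx in account.get("transactions", []):
            # No article 9 exception applies for this service, so such
            # transactions are filtered out before any further processing.
            if tx.get("category") in ARTICLE_9_CATEGORIES:
                stats["sensitive_dropped"] += 1
                continue
            cleaned = {k: v for k, v in tx.items() if k in NECESSARY_FIELDS}
            stats["fields_dropped"] += len(tx) - len(cleaned)
            # Silent party safeguard: keep only a pseudonym of the IBAN.
            if "counterparty_iban" in cleaned:
                cleaned["counterparty_iban"] = pseudonymise_iban(cleaned["counterparty_iban"])
            kept.append(cleaned)
    return {"transactions": kept, **stats}


# Constructed sample response: one payment account with four transactions
# and one savings account that must not be passed on at all.
SAMPLE_RESPONSE = [
    {"account_type": "payment", "transactions": [
        {"transaction_id": "t1", "booking_date": "2020-12-01", "amount": "-42.00",
         "currency": "EUR", "counterparty_name": "Grocer B.V.",
         "counterparty_iban": "DE00EXAM0000000002", "description": "groceries",
         "category": "RETAIL", "merchant_city": "Utrecht"},
        {"transaction_id": "t2", "booking_date": "2020-12-02", "amount": "-10.00",
         "currency": "EUR", "counterparty_name": "Parish of St Example",
         "counterparty_iban": "DE00EXAM0000000003", "description": "donation",
         "category": "RELIGIOUS_DONATION"},
        {"transaction_id": "t3", "booking_date": "2020-12-03", "amount": "-15.00",
         "currency": "EUR", "counterparty_name": "Example Union",
         "counterparty_iban": "DE00EXAM0000000004", "description": "membership",
         "category": "TRADE_UNION"},
        {"transaction_id": "t4", "booking_date": "2020-12-04", "amount": "-8.50",
         "currency": "EUR", "counterparty_name": "Cafe Example",
         "counterparty_iban": "DE00EXAM0000000005", "description": "coffee",
         "category": "RETAIL"},
    ]},
    {"account_type": "savings", "transactions": [
        {"transaction_id": "s1", "booking_date": "2020-12-05", "amount": "100.00",
         "currency": "EUR", "description": "interest", "category": "INTEREST"},
    ]},
]

if __name__ == "__main__":
    print(minimise(SAMPLE_RESPONSE))
```

Running the block on the constructed response yields two retained transactions (the two retail purchases, each reduced to the declared fields and with a pseudonymised counterparty IBAN), with the savings account, the two article 9 transactions and the surplus fields dropped and counted. The counters matter in practice: they are the evidence a controller can point to under the accountability principle that the filter is actually reducing what is processed.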
Do you still have questions about this guidance or about the GDPR compliance of your payment services? Please contact Timelex.