The European Data Protection Board has Adopted Guidelines on the Interplay between the PSD2 and the GDPR
23 July 2020
Technology & Regulation in the Spotlight
The European Data Protection Board (“EDPB”) has adopted and submitted for public comments its guidelines regarding the interplay between the Second Payment Services Directive (“PSD2”) and the General Data Protection Regulation (“GDPR”).
The PSD2 and the GDPR overlap and could be viewed as being in tension with one another: the GDPR follows the principle of data minimization and provides enhanced control over personal data, including restrictions on data sharing. On the other hand, entities covered by the PSD2 are entitled to collect and process necessary personal data and are even required to share it with third-party providers for the purposes of, inter alia, competition and innovation. The EDPB’s guidelines aim to resolve some of the questions that this overlap raises.
The guidelines address the following main issues: processing of special categories of data, lawful grounds for granting access to payment account information and for further processing, explicit consent, processing of silent party data and the application of data protection principles.
- Lawful ground for granting access to the account: The processing of data by account servicing payment service providers, which consists of granting access to personal data as requested by payment initiation service providers and account information service providers in order to perform their payment services for a payment service user (“PSU”), is done on the basis of a legal obligation. This obligation derives from the national law that implements the PSD2.
- Lawful grounds for further processing: Payment services are provided on the basis of a contractual relationship between the payment service providers and users. This legal basis exists in the GDPR and allows processing of data when it is necessary for the performance of a contract. However, as explained in previous guidelines of the EDPB, controllers have to assess what data is objectively necessary, and processing may not expand beyond this scope unless it is backed up by a different legal basis. The PSD2 restricts the possibility of processing data for a purpose other than that for which it was originally collected. Therefore, such further processing has to rely on either the data subjects’ consent or compliance with legal obligations.
- Explicit consent: The guidelines point out that explicit consent under the PSD2 is an additional requirement of a contractual nature and therefore it is different from explicit consent under the GDPR. When a payment service provider needs access to personal data in order to provide a payment service, explicit consent in accordance with the relevant provisions of the PSD2 is required.
- Special categories of data: Financial transactions could potentially reveal sensitive personal information about data subjects. While processing of special categories of data in the context of the PSD2 is generally prohibited, two derogations could be considered: explicit consent and necessity for reasons of a substantial public interest. If a service provider cannot show that one of these derogations is met, it should implement technical measures to prevent such processing. The EDPB recommends mapping out and categorizing the types of personal data that will be processed, preferably by conducting a data protection impact assessment.
- Processing of silent party data: ‘Silent party data’ refers to personal data concerning data subjects who are not users of a specific payment service provider (“PSP”) but whose personal data is processed for the performance of a contract between the PSP and another PSU. The EDPB determines that these data cannot be used for a purpose other than that for which they were collected, unless this is done on the basis of an EU or Member State law. This means that PSPs cannot rely on any other legal ground, including consent, since obtaining consent would itself require the data to be collected or processed beforehand without any legal ground.
- Applicability of additional data protection principles: The guidelines emphasize that the GDPR’s core data protection principles are fully relevant and applicable in the context of the PSD2. These principles include data minimization, data protection by design and by default, security, transparency and accountability, including with regard to profiling, and must be taken into consideration by controllers.
Please feel free to contact us if you have any further questions regarding this update and the interplay between processing personal and payment information under the PSD2 and the GDPR.
Kind regards,
Ariel Yosefi, Partner
Co-Head | Technology & Regulation Department
Herzog Fox & Neeman