Logo
Media Centre

The European Data Protection Board has Adopted Guidelines on the Interplay between the PSD2 and the GDPR

Ariel Yosefi

23 July 2020

23/07/2020
Technology & Regulation in the Spotlight

The European Data Protection Board (“EDPB“) has adopted and submitted for public comments its guidelines regarding the interplay between the Second Payment Services Directive (“PSD2“) and the General Data Protection Regulation (“GDPR“).

The PSD2 and the GDPR are overlapping and could be viewed in contrast with one another: The GDPR follows the principle of minimization and provides enhanced control over personal data, including restrictions on data sharing. On the other hand, entities that are covered by the PSD2 are entitled to collect and process necessary personal data and are even required to share it to third-party providers for the purposes of, inter alia, competition and innovation. The EDPB’s guidelines aim to resolve some of the questions that this overlapping raises.

The guidelines address the following main issues: processing of special categories of data, lawful grounds for granting access to payment account information and for further processing, explicit consent, processing of silent party data and the application of data protection principles.

  • Lawful ground for granting access to the account: The processing of data by account servicing payment service providers, which consists of granting access personal data as requested by payment initiation service providers and account information service providers in order to perform their payment services for a payment service user (“PSU“) is done on the basis of a legal obligation. This obligation is derived from the national law which implements the PSD2.

 

  • Lawful grounds for further processing: Payment services are provided on the basis of a contractual relationship between the payment service providers and users. This legal basis exists in the GDPR and allows processing of data when it is necessary for the performance of a contract. However, as explained in previous guidelines of the EDPB, controllers have to assess what data is objectively necessary and processing may not expand any further beyond this scope unless it is backed-up by a different legal basis. The PSD2 restricts the possibilities processing for a purpose that is different than that for which the data has been originally collected for. Therefore, such further processing has to rely on either the data subjects’ consent or compliance with legal obligations.

 

  • Explicit Consent: The guidelines point out that explicit consent under the PSD2 is an additional requirement of a contractual nature and therefore is it different from explicit consent under the GDPR. When a payment service provider needs to access to personal data in order to provide a payment service, explicit consent in accordance with relevant provisions of the PSD2 is required.

 

  • Special categories of data: Financial transactions could potentially reveal sensitive personal information about data subjects. While processing of special categories of data in the context of PSD2 is generally prohibited, two derogations could be considered: explicit consent and necessity for reasons of a substantial public interest. If a service provider cannot show that one of these derogations is met, it should implement technical measures to prevent such processing. The EDPB recommends to map out and categorize the types of personal data that will be processed, preferably by conducting a data protection impact assessment.

 

  • Processing of silent party data: ‘Silent party data’ refers to personal data concerning data subjects who are not users of a specific payment service provider (“PSP“), however their personal data is processed for the performance of a contract between the PSP and another PSU. The EDPB determines that these data cannot be used for a different purpose other than for which it has been collected for, unless it is done on the basis of an EU or Member State law. This means that PSPs cannot rely on any other legal ground, including consent, as in order to obtain it the data would have to be collected or processed beforehand under no legal ground.

 

  • Applicability of additional data protection principles: The guidelines emphasizes that the GDPR’s core data protection principles are fully relevant and applicable in the context of the PSD2. These principles include data minimization, data protection by design and by default, security, transparency and accountability, including on profiling, and must be taken into consideration by controllers.

 

Please feel free to contact us if you have any further questions regarding this update and the interplay between processing personal and payment information under the PSD2 and the GDPR.

Kind regards,

Ariel Yosefi, Partner

Co-Head | Technology & Regulation Department

Herzog Fox & Neeman

 

Related Practice Areas

Related Lawyers

More news

Nebraska is the 17th US State to Adopt Comprehensive Data Protection Legislation
Maryland is the 16th US State to Pass Comprehensive Consumer Privacy Legislation
Kentucky is the 15th US State to Adopt Comprehensive Data Protection Legislation
JOIN OUR
Newsletter

    © 2020, All rights reserved, Herzog Law
    Site by Gootte

    The information contained in this web site is provided for informational purposes only and should not be construed as legal advice on any subject matter and should not be relied upon as such. Herzog accepts no responsibility for any consequences whatsoever arising from use of the information contained in this web site. The accessing of information contained in this web site shall under no circumstances be considered as creating an attorney-client relationship between Herzog and any party accessing this web site. Contacting through email any lawyer named in this web site or sending information without prior agreement of Herzog shall not be construed as automatically creating an attorney-client relationship between Herzog and the party sending an email or information. The material contained in this web site has been created by and remains the property of Herzog. No reproduction, transmission, publication or any other form of dissemination shall be permitted unless the prior written consent of Herzog has been obtained. This web site may contain links to other web sites operated by third parties. Herzog does not sponsor, approve or endorse the content of any such web site and is not responsible for the materials appearing in such sites.

    Search by
    Search by +

    Search