EDPB guidelines on interplay of Second Payment Services Directive and GDPR

The Second Payment Services Directive (“PSD2”), largely applicable since January 2018, has contributed to developing a single market for payments in the European Union and has boosted consumer protection, innovation, and competition in the sector. The PSD2 was transposed into Spanish law by Royal Decree-Law 19/2018, of November 23, on payment services and other urgent financial measures.

However, the applicability of this directive and its transposition has not been without its controversy. Although the PSD2 must be interpreted as set out in the General Data Protection Regulation (“GDPR”), the interplay between the regulations has caused uncertainty because both contain provisions on data protection and security.

To resolve those doubts, on July 17, the European Data Protection Board adopted Guidelines 06/2020 on the interplay of the Second Payment Directive and the GDPR (“the Guidelines”), focused on the processing performed by payment initiation service providers (PISPs) and account information service providers (AISPs), which will be open for comments until September 16, 2020.

The Guidelines’ conclusions on the legal basis of the processing are particularly relevant. They establish that the legal basis for processing carried out in the scope of the PSD2 is performing an agreement. Only strictly essential processing is covered, and not merely useful processing. If a single agreement seeks to render several services that require different processing, each must be clearly and separately specified. 

PSD2 expressly states that PIS and AIS can only use, access and store personal data to render the expressly requested services. However, PISPs and AISPs may process personal data for purposes other than those for which they were initially requested when the following requirements are met: (i) when EU or Member State national law permits; or (ii) when the data subjects have given consent, if the data controller can prove that they can withdraw consent at any time.

Moreover, processing personal data by payment service providers or account managers, consisting of allowing PISPs and AISPs to access personal data necessary to render their services, is based on complying with a legal obligation.

The expression “explicit consent” envisaged in both the PSD2 and the GDPR must also be distinguished. Since the legal basis for processing in the scope of the PSD2 is contractual performance, explicit consent of the PSD2 cannot be considered an additional basis in the sense of the GDPR, but a contractual requirement. That is to say, the user’s consent must be obtained in the agreement constituting the basis of the processing so that the user knows its scope and purposes from the outset. This consent will not be the basis to process their personal data, however.

The Guidelines also examine the role of third parties (“silent parties”) whose financial data are processed despite being “inactive” subjects, as is the case with transfer recipients. The data of those to whom a bank transfer is made may be processed based on the legitimate interest of the data controller or the corresponding financial intermediary. However, they may not be used for purposes other than those for which they were initially collected, unless the EU’s or corresponding Member State’s regulation so permits.

The financial information circulating in the scope of the PSD2 often contains particularly sensitive data (e.g., the donations made by bank account holders can shed a light on their religious beliefs). Therefore, in this sector, sensitive data must only be processed if it is necessary for reasons of essential public interest based on EU or Member State national law—which must be proportional to the objective, essentially respect the right to data protection and establish adequate and specific measures to protect the data subject’s fundamental rights and interests—or if the data subject gives a statement of consent. Otherwise, the data controller must implement technical measures to prevent processing sensitive data, or simply not do it.

Finally, the Guidelines recall that the principles of Article 5 of the GDPR apply. They establish that data protection must always be performed by design and by default, adopting the technical and organizational measures to guarantee data minimization; that restrictions must be implemented on personal data storage periods; that it is necessary to adopt heightened security measures to protect the interested parties’ data by establishing authentication and access-restriction mechanisms; and, in relation to the principle of transparency, that it is possible to inform through different layers, and the data controller may use additional tools such as privacy dashboards.

Authors: Pedro Méndez de Vigo and Paula Conde