While the second Payment Services Directive (‘PSD2’) has created a number of novelties for payment services, its application in turn brings to light certain issues and concerns on the applicability and interpretation of the PSD2 and the General Data Protection Regulation (GDPR) in certain instances, such as the use of explicit consent under the PSD2 and the GDPR, the processing of data of so-called ‘silent parties’ under the PSD2, and the possibility for account information service providers (AISPs) and payment initiation service providers (PISPs) to recycle data under the PSD2. These issues have made payment service providers (PSPs) question which provisions they should apply if there is an inconsistency between the two, and whether the GDPR should prevail over the PSD2.
On the 17th of July 2020, the European Data Protection Board (‘EDPB’) issued guidance dealing with such matters and, furthermore, clarified the relationship between the GDPR and the PSD2, as well as the lawful grounds and further grounds of processing under the PSD2. The Guidelines clarify that controllers, under the GDPR, are to have a lawful basis to process personal data. Article 6(1) of the GDPR sets out an exhaustive list comprising six legal bases for the processing of personal data. The controller is, in turn, under the obligation to define the appropriate legal basis and ensure that all conditions for such a legal basis are met.
Nonetheless, Article 6(1)(b) of the GDPR is of particular importance for payment service providers which provide services to users on a contractual basis. Here, the main legal basis for the processing of personal data is the fact that such data is crucial for the performance of a contract. Controllers must also assess what data from such a data subject is objectively required to perform the contract. Where no such objective grounds exist, Article 6(1)(b) of the GDPR is not an applicable legal ground. Justification of the necessity, therefore, is dependent on the nature of the service, the rationale of the contract, the crucial elements of the contract as well as the intentions of the parties to the contract.
In light of Article 7(4) of the GDPR, a further distinction should be made between the processing activities needed for the fulfilment of the contract, and the terms which make the service conditional on particular processing activities that would, in actual fact, not be required for the performance of the contract. Moreover, contracts cannot widen the scope for which categories of data need processing.
The EDPB also outlined that the Guidelines address the application of the GDPR to PISPs and AISPs, as introduced by the PSD2. Specifically, the EDPB noted that the processing of special categories of personal data in the above circumstances is generally prohibited, in line with Article 9(1) of the GDPR, except when explicit consent is given by the data subject or when the processing is necessary for reasons of substantial public interest.
Explicit consent under the PSD2 is equal to contractual consent, implying that data subjects must be made aware of the specific categories of data to be processed when entering a contract with a payment service provider. Moreover, data subjects will also have to be made aware of the specific payment service purpose for which their personal data will be processed and shall have to explicitly agree with such clauses. Central to the idea of explicit consent, under the PSD2, is the gaining of access to personal data in order to process and store such data to provide payment services.
Therefore, explicit consent under the PSD2 is an additional requirement of a contractual nature. Thus, if a payment service provider requires access to personal data to carry out a payment service, explicit consent in line with said Directive is necessary.
The EDPB also distinguishes between ‘sensitive payment data’ as defined under the GDPR and the PSD2. The latter considers such data to be data which comprises personalised security credentials which can be used to carry out fraud. The GDPR, on the other hand, underlines the need for specific protection of special categories of personal data which are intrinsically particularly sensitive vis-à-vis fundamental rights and freedoms. The EDPB recommends that controllers precisely determine and categorise the type of personal data to be processed. A Data Protection Impact Assessment (‘DPIA’) will probably be required.
Nonetheless, it is to be noted that the prohibition under Article 9 is not absolute. The prohibition is not applicable if the data subject has given explicit consent to the processing of those personal data for one or more specified purposes. Moreover, the prohibition does not apply if the processing is required for reasons of substantial public interest, on the basis of Union or Member State law which must be proportionate to the aim.
Where the service provider is unable to show that one of the derogations is present, the grounds under Article 9(1) apply and thus, obtaining explicit consent is necessary to process special categories of data.
The rights of the data subjects under the GDPR apply in full to the PSD2.
Article written by Dr Ian Gauci and Legal Trainee Ms Emma-Marie Sammut.
For further information you may contact Dr Ian Gauci on email@example.com
This article is not intended to impart legal advice and readers are asked to seek verification of statements made, from an advocate or law firm, before acting on them.
Recital 10 of the GDPR.
Article 35 of the GDPR.