Taking into account that PSD2 touches on data protection, the European Data Protection Board (hereinafter – the Board) has published Guidelines 06/2020 for public consultation on the interplay between the General Data Protection Regulation (hereinafter – GDPR) and Directive (EU) 2015/2366 of the European Parliament and of the Council on payment services in the internal market (hereinafter – PSD2). The main goal of the guidelines is to give payment initiation and account information service providers more detailed explanations on data processing. The guidelines focus on:
- Conditions for granting access to payment account information and processing of personal data;
- Requirements and safeguards for data processing for purposes other than the initial purposes for which the data have been collected;
- The different notions of explicit consent under the two instruments;
- Data processing of the “silent party”;
- Application of the main data protection principles.
Firstly, the guidelines explain the difference in how the term “consent” is used in the GDPR and in PSD2. Explicit consent under PSD2 is different from (explicit) consent under the GDPR.
The two are fundamentally different because, under PSD2, personal data are processed not on the basis of consent but on the basis of the performance of a contract.
“Explicit consent” as referred to in Article 94(2) PSD2 is contractual consent. This means that Article 94(2) PSD2 should be read as requiring that, when entering into a contract with a payment service provider, data subjects are made fully aware of the specific categories of personal data that will be processed and of the specific (payment service) purpose for which those data will be processed, and that they explicitly agree to these clauses. Such clauses should be clearly distinguishable from the other matters dealt with in the contract and must be explicitly accepted by the data subject.
Under the GDPR, consent serves as one of the six legal grounds for the lawfulness of processing of personal data. Article 4 (11) of the GDPR defines consent as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
It follows that Article 94(2) PSD2 cannot be regarded as an additional legal basis for the processing of personal data. Explicit consent under Article 94(2) PSD2 should instead be regarded as an additional requirement of a contractual nature concerning access to, and the subsequent processing and storage of, personal data for the purpose of providing payment services; it is therefore not the same as (explicit) consent under the GDPR. The legal basis for processing personal data in order to provide payment services is, in principle, Article 6(1)(b) GDPR: the processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract.
Data processing of “silent party”
Another aspect addressed in the guidelines is the data processing of a “silent party”. The guidelines use the term “silent party” for a person who is not a client of a particular payment service provider, but whose data are nevertheless processed under the contract between that provider and its client. For example, subject “A” uses the services of a payment service provider and a third party “B” makes several payments to subject “A”. Here, third party “B” is a “silent party”, because the payment service provider will see some of “B”’s data, such as the amount involved in the transactions, the payment order and other data necessary to execute the payment successfully.
When processing the personal data of a “silent party”, the Board states that data controllers must take into account Article 5(1)(b) GDPR, which requires that personal data be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. In the Board’s opinion, such processing of “silent party” data is lawful under Article 6(1)(f) GDPR where it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
However, a payment service provider cannot automatically rely on Article 6(1)(f) GDPR for the processing of “silent party” personal data. Providers relying on this basis must always assess whether their legitimate interests override the interests and freedoms of the “silent party”, and must put in place safeguards that allow them to demonstrate, at any time, that a genuine legitimate interest exists. In doing so, they need to take into account a number of factors, such as the type of personal data collected, the circumstances in which the data are collected and the risk to “silent parties”.
The guidelines further note that, under PSD2, the need to process “silent party” data is limited and shaped by the legitimate expectations of the data subjects concerned. A “silent party” can and must understand that, for example, when funds are transferred to a payment service user, certain of the “silent party’s” data will be disclosed to that user’s payment service provider; in turn, the provider must take effective and appropriate measures to protect the data and rights of “silent parties” in accordance with PSD2. Payment service providers are therefore advised to design their services so that as little “silent party” data as possible is collected.
The processing of special categories of personal data
The Board emphasizes that the notion of sensitive data in PSD2 differs significantly from the GDPR’s special categories of personal data, which are subject to heightened protection.
According to Article 9(1) GDPR, the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation, is prohibited. However, when payment services are provided, both the content of a payment order and the name of the payee may reveal special categories of personal data: for example, a transfer to a medical institution discloses health data when the payment reference specifies the kind of medical service paid for, and a payment to a political party may reveal the payer’s political opinions. Payment service providers therefore do process special categories of personal data. PSD2, for its part, defines a different notion, “sensitive payment data”: data, including personalised security credentials, which can be used to carry out fraud.
Given the scope of that term in PSD2, the Board recommends that payment service providers identify and categorise in advance the data they will process, the categories those data fall into and the data protection implications of each. This is best done through a data protection impact assessment (DPIA) under Article 35 GDPR, which would also assess whether the payment service provider has a lawful basis for processing specific personal data under one of the exceptions in Article 9(2)(a) to (j) GDPR.
In addition, the guidelines refer to the obligation under Article 25 GDPR (data protection by design and by default) to implement the principle of data minimisation and to put in place appropriate technical and organisational measures that give effect to the data protection principles and integrate the necessary safeguards into the processing, so as to meet the requirements of the GDPR and protect the rights of data subjects. Under this obligation, the Board states, the controller must ensure that, by default, only personal data necessary for each specific purpose of the processing are processed. Where not all of a client’s data are needed to provide a given service, the Board considers that the payment service provider must draw up a list of the personal data required to execute each specific service before it starts collecting the data.
Finally, the guidelines remind payment service providers of their obligation to take appropriate technical and organisational measures to ensure, and to be able to demonstrate, that data are processed in accordance with the GDPR and PSD2, and of their obligation to comply with the principle of transparency.
The full text of the guidelines is available at the following link: https://edpb.europa.eu/sites/edpb/files/consultation/edpb_guidelines_202006_interplaypsd2andgdpr.pdf
For more information or legal advice on data protection or the provision of payment services, please contact the ECOVIS ProventusLaw team.
Prepared by: ECOVIS ProventusLaw attorney at law Loreta Andziulytė and ECOVIS ProventusLaw associate Andrius Karmonas