European Data Protection Board Clarifies Application of GDPR to Payment Service Providers

On July 5, 2018, the European Data Protection Board (EDPB)1 replied to a request from a Member of the European Parliament (MEP), Dutch Democrat Sophie in ’t Veld, for clarification on a number of issues relating to the protection of personal data under the EU General Data Protection Regulation (2016/679) (GDPR) and the revised EU Payment Services Directive (2015/2366) (PSD2). In its response, the EDPB set out its position on how the requirement to obtain explicit consent from payment service users under PSD2 interacts with the GDPR. The EDPB also provided guidance on the use of personal data relating to a payee by an account information service provider or a payment initiation service provider acting for a payer.

This post summarizes the EDPB’s stated positions on these points and explores the implications for firms providing payment services in the European Economic Area (EEA).

Explicit Consent Under PSD2 and the GDPR

MEP Sophie in ’t Veld raised the question of whether the PSD2 legal framework is sufficiently clear regarding the process of issuing and withdrawing consent for processing personal data.

On this point, the EDPB noted that the GDPR and PSD2 have their own separate versions of explicit consent. Article 94(2) of PSD2 states that “[p]ayment service providers shall only access, process and retain personal data necessary for the provision of their payment services, with the explicit consent of the payment service user.” The EDPB confirmed that this should be interpreted as a requirement to make payment service users fully aware of the purposes for which their personal data will be processed and to obtain their explicit agreement to such provisions at the time they enter into a contract with the payment service provider. Such provisions must be clearly distinguishable from other matters in the contract. The EDPB also considers the consent required under PSD2 to be “an additional requirement of a contractual nature,” which does not therefore automatically qualify as “explicit consent” to process personal data for the purposes of the GDPR. As such, the obtaining of the explicit consent required under PSD2 is not itself a legal basis to process personal data under the GDPR.

Under the GDPR, “consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. While “consent” is one of the legal grounds for a controller to process any type of personal data under the GDPR, “explicit consent” is only required in specific circumstances when special categories of personal data are being processed (e.g., health data or data revealing racial or ethnic origin, political, religious or philosophical beliefs).

As such, while a payment service provider will always need explicit consent from its payment service users pursuant to PSD2 to process personal data, it may not need it to process such data pursuant to the GDPR and may instead rely on alternative legal grounds. For example, the EDPB considers that a payment service provider may be permitted to process personal data of its payment service users where this is “necessary for the performance of a contract to which the data subject is a party” pursuant to Article 6(1)(b) of the GDPR.

Firms that provide payment services in the EEA should have regard to the EDPB’s interpretation of “explicit consent” under PSD2 in their customer onboarding and documentation processes and ensure that, in addition to obtaining explicit consent from a PSD2 perspective, they also consider the most relevant legal grounds to process personal data of the payment service users and other individuals under the GDPR. Such legal grounds could include, but need not necessarily be limited to, “consent.”

Third-party Providers and Payees

Another question addressed by the EDPB relates to the processing of personal data relating to a payee by a payment initiation service provider (PISP) or an account information service provider (AISP) that has a contract with the payer but not the payee.2

In response, the EDPB confirmed that the legal basis for such processing of personal data could be the PISP or AISP’s legitimate interests to perform the contract with the payer. However, the EDPB noted that such processing can occur only when the legitimate interests of the controller are not “overridden by the interests or fundamental rights and freedoms of the data subject.” The EDPB also stated that such personal data cannot be used for a purpose other than that for which the personal data has been collected.

Further, the EDPB indicated that personal data of individuals must be collected and processed in accordance with the data protection principles under Article 5 of the GDPR – lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality.

Firms that are considering providing account information or payment initiation services under PSD2 should therefore consider whether their processing of personal data relating to payees fulfils these GDPR requirements. Firms considering partnering with such third-party providers or using their services should consider whether the third-party provider is able to demonstrate that its processing of personal data will not undermine the firm’s own GDPR policies and procedures.

1 The EDPB replaced the Article 29 Working Party when the General Data Protection Regulation came into force on May 25, 2018.

2 See further on the PISPs and AISPs in Sidley Update “EU Payment Services Directive II Introduces Broader, More Stringent Regulation of Payment Services.”