European Data Protection Board’s Guidelines 6/2020 on the interplay of the Second Payment Services Directive and the GDPR


Earlier in December 2020, the European Data Protection Board (“EDPB”) adopted the Guidelines 06/2020 on the interplay of the PSD2 (EU Directive 2015/2366) and the GDPR (EU Directive 2016/679) (hereinafter the “Guidelines”).

These Guidelines came as a follow-up to a letter written in February 2018 by a Member of the EU Parliament, Sophie in’t Veld MEP, and addressed to the Article 29 Working Party (“WP29”), in which she requested from the European Commission, the European Data Protection Supervisor (“EDPS”) and the WP29 further clarification regarding a number of issues relating to PSD2 and the protection of personal data.

The EDPB, which replaced WP29, responded to Ms. in’t Veld’s letter in July 2018, providing clarifications and its views on questions concerning the protection of personal data in relation to the PSD2. In particular, the EDPB briefly discussed (i) the processing of personal data of non-contracting parties (so-called ‘silent party data’) by Account Information Service Providers (hereinafter “AISPs”) and Payment Initiation Service Providers (hereinafter “PISPs”), (ii) the procedures with regard to giving and withdrawing consent, (iii) the Regulatory Technical Standards for strong customer authentication and common and secure open standards of communication (“RTS”), and (iv) the co-operation between the banks in establishing secure interfaces and avoiding alternative less secure methods of accessing account data.

In the Guidelines the EDPB elaborated in further detail on the above topics by providing additional guidance and explanations, and by expanding on the additional points of the interplay between the PSD2 and GDPR. They explained that for the purposes of these Guidelines the EDPB collected inputs from stakeholders, both in writing and at a stakeholder event, in order to identify the most pressing challenges.

Whilst the EDPB clarified that all payment service providers (“PSPs”) could be a “controller” or a “processor” under the GDPR, depending on specific circumstances, the main focus of the Guidelines remains the processing of personal data specifically by AISPs and PISPs. The clarification on the controller/processor status of the PSPs is also important in view of the vivid discussions and varying positions adopted by lawyers in their negotiations of PSP agreements. It is understood that the EDPB is currently working on further guidelines on this topic.

Firstly, the Guidelines discuss in general terms the processing of personal data by PISPs and AISPs highlighting the legal bases and the purposes of such processing.

For a better understanding of the EDPB Guidelines we will set out below the 6 legal bases (also referred to as the “lawful grounds” or “legal grounds”) stipulated in the GDPR in Article 6, paragraph 1, one of which must be complied with so that the processing is lawful:

  1. the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  2. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  3. processing is necessary for compliance with a legal obligation to which the controller is subject;
  4. processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  5. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  6. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

In this context,

  • The EDPB explained in the Guidelines that performance of a contract is the main legal basis/ground (out of the 6 different legal bases set out above) for the processing of personal data for the provision of payment services. However, the EDPB reminded data controllers that this specific legal basis does not cover, and cannot be used for, processing that is useful but not objectively necessary. The EDPB then refers the reader to one of its earlier and more generic guidelines, Guidelines 2/2019, issued in the context of the provision of online services, which addresses certain specific issues: for example, (i) the case where a data controller wishes to bundle several services, and (ii) the requirement that the data controller be able to demonstrate that the contract cannot be performed without the personal data in question (it is not enough just to state it in the agreement).
  • The EDPB also reminded that the GDPR allows for the processing of personal data based on compliance with a legal obligation of the service provider, and the AML legal requirements of the AISP and the PISP represent such a legal obligation.
  • A PISP or an AISP may need or wish to process personal data for a purpose other than the one for which the personal data was initially collected. The EDPB reminded in the Guidelines that in such a case they should ask for the consent from the data subject whose data they wish to process.
  • On the same topic of the legal basis for processing, the Guidelines usefully reminded that the Account Servicing Payment Service Provider’s (ASPSP) processing of personal data which consists of granting access to the personal data to the AISPs and PISPs so that the AISPs and PISPs can provide their payment services to their clients, is also based on compliance with a legal obligation, as such sharing of personal data is required by law.

The Guidelines further addressed a number of other more specific issues, namely:

  • Different notions of explicit consent under the PSD2 and the GDPR – On this point, the EDPB clarified, in line with its previous statement on this topic, that the concept of “explicit consent” referred to in the PSD2 (Article 94(2)) is not the same as the concept of “(explicit) consent” set out in the GDPR. The EDPB explained that the requirement of “explicit consent” in the PSD2 should be interpreted in the sense that when entering a contract with a PSP (i) the data subject must be fully aware of the specific categories of the personal data that the PSP will process and the purpose for such processing, and (ii) that the data subject must agree to these clauses, which should be clearly distinguishable in the PSP’s payment service agreement. This is a topic on which the PSPs should review their standard agreements to ensure that they contain the required clauses mentioned above.
  • The processing of ‘silent party data’ – The “silent party”, or a non-contracting party, is a data subject who is not a client (user) of a PSP, but whose personal data is processed by the PSP in order that the contract between that PSP and its client (the user of its services) can be performed. The EDPB gives an example of a user of the account information payment services, who receives a number of payments from another person (silent party) on its payment account, and the EDPB explains how the processing of such silent party data should be treated. The EDPB clarifies that the legal basis for processing “silent party data” is the legitimate interest of a controller or a third party to perform the contract. Though from a legal point of view it is a sensible approach, in a practical sense it is not ideal, as this specific legal basis is subject to a condition that such legitimate interests are not overridden by the interests or the fundamental rights and freedoms of the data subject.

This means that further safeguards need to be implemented, and in this specific case of the silent party data, the EDPB recommends that technical measures be implemented to ensure that such data is not processed for a purpose other than the purpose for which it was collected by the AISPs and the PISPs, and, if feasible, that encryption be applied for security and data minimisation of such personal data. Given the growing interest of the PSPs in silent party data, it would have been helpful to have more examples in the Guidelines of situations in which the legitimate interests should be considered as overridden by the interests or fundamental rights and freedoms of the data subject.

  • The processing of special categories of personal data by PISPs and AISPs – The EDPB reminded in the Guidelines of the different special categories of personal data which are likely to be processed by the PSPs in view of their access to financial transactions (e.g. political or religious affiliations through a payment of donations, trade membership through a payment of an annual membership) and explains that most probably a Data Protection Impact Assessment will be required for PSPs to assist with the mapping and categorising of the personal data which the PSPs are processing.
  • The application of the main data protection principles set forth by the GDPR, including data minimisation, transparency, accountability and security measures – On these points, the EDPB cross-refers for further detail to one of its earlier guidelines, Guidelines 4/2019 relating to data protection by design and default, but also to the WP29’s Guidelines on transparency of 2016, and the WP29’s Guidelines on automated individual decision-making and profiling. The Guidelines also recommend: (i) for data minimisation, that AISPs do not display the IBAN of the silent party’s bank account, unless required by law; (ii) the use of digital filters in order to support AISPs in their obligation to only collect personal data that is necessary for the purposes for which it is processed, as a further data minimisation measure; (iii) the vetting of processors for security standards; (iv) layered privacy statements/notices and privacy dashboards for transparency.

If you need legal advice on these topics or assistance with reviewing your standard Terms and Conditions, mapping personal data and/or a Data Protection Impact Assessment, contact us.