The uncertain interplay between the Payment Services Directive 2 (PSD2) and the General Data Protection Regulation (GDPR) has made payment service providers (PSPs) question which provisions they should apply if there is an inconsistency between the two.
1. PSD2 or GDPR—which should prevail?
The PSD2 provides that PSPs are entitled to access, process and store personal data necessary for providing their services if the payment service user (PSU) has granted explicit consent for this. However, apart from consent the GDPR enables PSPs to choose another legal basis for accessing, processing and storing personal data, such as the performance of a contract, legitimate interest or compliance with legal obligations based on national or EU law.
Given this difference, it is debatable whether PSPs should limit themselves only to obtaining the PSU’s consent according to the PSD2, or whether they could also use the other legal basis provided by GDPR. According to the European Data Protection Board’s (EDPB) guidance, PSPs must comply with both the PSD2 and GDPR. This means that PSPs could also use the legal basis provided by the GDPR as PSD2 is not a special legislation.
2. Explicit consent under the PSD2 and GDPR—is there a difference?
The PSD2 also provides that a PSU’s consent must be explicit. Instead, GDPR requires explicit consent only in case of processing special categories of personal data. As financial, payment and transaction data are not considered special categories of data, under GDPR consent would be sufficient.
The EDPB clarified that ‘explicit consent’ under PSD2 is an additional contractual requirement, different than the ‘consent’ under GDPR. Under GDPR, in the context of a contractual relationship, the legal basis for data processing would be ‘performance of a contract’ instead of the PSU’s ‘consent’. This means that PSPs must build an explicit consent mechanism in line with PSD2, whilst from a GDPR perspective they must rely on a different lawful basis (i.e. contractual necessity) to process personal data.
3. Processing the data of ‘silent parties’
In the payment process, there are also ‘silent parties’ who do not have a direct contractual relationship with the PSP, such as persons who have a bank payment account to which the PSU transfers money through the PSP. As such, PSPs cannot ask ‘silent parties’ for contractual consent. The problem is that banks transfer their data (e.g. bank account numbers, name, address) to PSPs (especially to account information service providers (AISPs) and to payment initiation service providers (PISPs)) based on the legal provisions on strong customer authentication. From a GDPR point of view, AISPs/PISPs will process the data of the ‘silent parties’ based on their and the PSUs’ legitimate interest.
4. The possibility for AISPs and PISPs to recycle the data
The PSD2 states that PISPs must not use, access or store any data for purposes other than the provision of the payment initiation service explicitly requested by the payer. Consequently, a PISP is not entitled to use the data collected other than for providing payment initiation services, even if the PISP had the PSU’s consent under the GDPR.
The PSD2 contains a similar provision for AISPs, but with an additional condition: “in accordance with data protection rules”. It is unclear whether this additional obligation imposed on AISPs has any relevance from a legal perspective. The competent EU authorities have yet to issue guidance on this. Although both the Romanian and Hungarian implementation laws have kept this wording from the directive, only the Hungarian Central Bank has adopted a position on this issue, considering that an AISP cannot re-use the data collected to provide other services to the PSU, even with the PSU’s consent under the GDPR. This interpretation creates a distortion of competition because, unlike AISPs, other market players (e.g. mortgage comparators), regulated or unregulated, enjoy a more advantageous legal position as they are allowed to use the same data to provide other services to the PSU.
Given the above, PSPs must carefully analyse the provisions of the PSD2 and GDPR when starting a new activity in a particular jurisdiction, and should ask for guidance from the respective national banking and data protection authority.