What the GDPR will concretely change for payment service providers

An interview with Gert Heynderickx, EPC Legal Counsel and Company Secretary

14 February 18

While the European payment industry is currently trying to assess how the revised Payment Services Directive (PSD2) will concretely impact each party’s business and operational model, another critical piece of European legislation will apply in May and necessitates immediate actions from payment service providers (PSPs). The General Data Protection Regulation (GDPR) significantly revises and harmonises how consumers’ personal data shall be protected in the European Union. When it comes to data privacy, payments might be one of the most sensitive areas for consumers. For the readers, Gert Heynderickx, EPC Legal Counsel and Company Secretary, sheds some light on how the GDPR will concretely impact PSPs.

The vocabulary of the GDPR

Q. As far as payments are concerned, what will the GDPR mainly change for PSPs when it starts to apply in May 2018?

The Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereafter ‘GDPR’), aims to protect the fundamental rights and freedoms of individuals and in particular their right to privacy with respect to the processing of their personal data. The GDPR was adopted in April 2016. It entered into force on 24 May 2016 and shall be fully applicable from 25 May 2018.

The GDPR is not the first European legislation regarding the protection of personal data: its predecessor, the Data Protection Directive (officially ‘Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data’), has existed since 1995, but it no longer suffices in the current digital era.

Pursuant to the relevant provisions of the GDPR, PSPs can process personal data:

  • either with the data subject’s consent,
  • or because processing is required to ensure the performance of a contract, or to comply with a legal obligation, or to safeguard a data subject’s vital interests or for the purposes of legitimate interests (for example to combat fraud), except where such interests are overridden by the interests, rights or freedoms of the data subject.

What’s new for PSPs? Amongst other things, the territorial scope of the GDPR is wider than that of the Data Protection Directive.

The requirements permitting the processing of personal data have also been strengthened and the rights of individuals (‘data subjects’) widened, for example in terms of data portability (i.e. the possibility for individuals to obtain and reuse their personal data for their own purposes across different services provided by other organisations).

Most important for PSPs, however, are the increased accountability requirements, including the introduction of so-called privacy impact assessments (‘PIAs’), broader notification duties for data breaches, the requirement to appoint a Data Protection Officer (exceptions apply) and the partially new, partially stricter requirements for ‘privacy by design’ and ‘privacy by default’, i.e. the obligation to implement appropriate technical and organisational measures to aptly protect the security of the personal data of their clients.

Lastly, the drastic increase of fines for non-compliance (up to 20,000,000 euros or four percent of worldwide group revenues) should be mentioned.

Q. What are the main specific actions PSPs should take to prepare for the GDPR’s application in May 2018?

In order to be compliant, PSPs must ensure that the personal data they process are:

  • Processed legally and appropriately and with a clear view of how the information will be used;
  • Collected for specified, explicit and legitimate purposes;
  • Relevant and limited to the respective purposes;
  • Accurate and kept up to date;
  • Retained for no longer than is necessary for the relevant purposes;
  • Only processed if the data are kept appropriately secure.

Furthermore, PSPs should:

  • Review all of their data-processing activities and keep verifiable records of these activities;
  • Ensure that they have implemented appropriate technical and organisational measures to adequately protect the security of the personal data of their clients (‘data protection by design and by default’);
  • Ensure compliance with the ‘accountability principle’ and cooperate with the relevant supervisory authority where appropriate;
  • Ensure that they have appropriate processes and templates in place for identifying, reviewing and promptly reporting data breaches to the relevant supervisory authority.

Q. PSD2 has been applicable since 13 January 2018. It contains a number of data protection provisions. How does PSD2 concretely interact with the GDPR? Are they complementary and consistent?

PSD2 indeed contains certain data protection provisions, some of which might be confusing in a GDPR context.

For example, the notion of ‘sensitive payment data’ (i.e. data, including personalised security credentials, which can be used to carry out fraud) is not to be confused with the special categories of personal data under the GDPR.

Furthermore, Article 94 of PSD2 stipulates that PSPs shall only access/process/retain data necessary for the provision of the services, with the explicit consent of the user. Whereas under the GDPR, consent is just one of the possible grounds for processing personal data (other grounds include the necessity for performing a legal obligation or for the conclusion or performance of a contract), consent appears as a specific concept in its own right in PSD2. In the context of account information services (AIS) and payment initiation services (PIS), explicit consent must be obtained by, and is a responsibility of, account information service providers (AISPs) and payment initiation service providers (PISPs) in order to carry out their services. Although PSD2 does not require account servicing payment service providers (ASPSPs) to seek consent themselves in the context of AIS/PIS, they must always have a specific ground for processing the data under the GDPR. The lawful basis for such processing will in principle be the performance of a contract or a legal duty, including those imposed by the relevant provisions of PSD2 on access to payment accounts.

Last but not least, third party payment service providers (TPPs) and the like should not overlook the GDPR’s strict purpose limitation/data minimisation principles when considering further use of personal data obtained in accordance with the requirements of PSD2. Under Article 5(1)(b) GDPR, personal data must be collected only for well-defined purposes, and may not be further processed for other purposes. Certain exceptions apply, for example if the purpose of the secondary processing is ‘compatible’ with the purpose of the initial collection, taking into account, notably, any link between the initial purposes and the secondary purposes, the context of the initial collection and the expectations of the individual, etc. It is to be noted that PSD2 contains similar provisions prohibiting them from using, accessing or storing any data for purposes other than for performing the account information and/or payment initiation services explicitly requested by the payment service user, in accordance with data protection rules.

To summarise, PSPs should assess on a case-by-case basis which provisions of PSD2 and the GDPR apply to a concrete situation.

In doing so, they should always bear in mind the basic principles set out above, assessing whether they act as data controller or data processor (decision about means and purposes of processing) whilst ensuring the legitimacy of the processing.
