Payment service providers beware: what does the consent requirement under the PSD 2 mean?

 May 13, 2019 | Blog

The PSD 2 is a European directive that regulates payment services provided in the EU. The directive applies to both consumers and companies and, among other things, it sets out the rights and obligations of parties to payment transactions.

The PSD 2, which recently entered into force, also attaches considerable weight to the protection of personal data: it provides that payment service providers may only process personal data necessary for the provision of their payment services with the explicit consent of the payment service user.

This is not, however, the explicit consent referred to in the General Data Protection Regulation ("GDPR"). The European Data Protection Board ("EDPB") has clarified that, in this context, it is an additional requirement attached to the contractual relationship between the payment service user and the payment service provider, since payment services are always provided on the basis of an agreement between the two. Read this blog to find out who the PSD 2 applies to and what measures, if any, need to be taken.

What is the PSD 2?
The PSD 2 is a European directive that regulates payment services provided in the EU. The directive applies to both consumers and companies and, among other things, it sets out the rights and obligations of parties to payment transactions.

What is new in the PSD 2 is that payment institutions other than banks may also provide payment services and execute payment transactions. This possibility was included because of the anticipated increase in the number of payments made via these other types of payment service providers.

Which parties are payment service providers?
The following parties can be classified as payment service providers:

  1. credit institutions
  2. electronic money institutions
  3. post office giro institutions
  4. payment institutions
  5. the ECB and national central banks when not acting in their capacity as monetary authority or other public authorities
  6. Member States and their regional or local authorities when not acting in their capacity as public authorities
  7. account information service providers
  8. payment initiation service providers.

The difference with explicit consent under the GDPR
According to Article 94(2) PSD 2, payment service providers may only process personal data that are necessary for the provision of their payment services with the explicit consent of the payment service user. 

The GDPR refers to consent as a legal basis for processing and to explicit consent as an exception to the prohibition on processing special categories of personal data. If a data subject has given (explicit) consent, his or her data may be processed, provided that the other requirements of the GDPR are also met.

Under the PSD 2, explicit consent is not to be regarded as a legal basis for processing. It has to be interpreted as follows: when a data subject concludes a contract with a payment service provider for a payment service, the data subject must be adequately informed of the specific purposes for which his or her personal data will be processed, and must explicitly agree to those contractual provisions.

The provisions that provide this information must be clearly distinguishable from the other terms of the agreement. Consent therefore has to be requested clearly and explicitly, and the data subject has to give it actively. Although consent has to be given, the legal basis for processing the personal data remains the performance of the agreement; the consent is an additional contractual requirement.

The EDPB adopted this interpretation because the PSD 2 has to be consistent with the GDPR, while the obligations it contains must remain workable for payment service providers.

Processing for other purposes
Consent can, however, serve as a legal basis for processing personal data that have been obtained in the context of payment services for other purposes. Those other purposes then have to be communicated very clearly, and separate requests for consent cannot be bundled with each other. In that case consent must also be freely given, specific, informed and unambiguous; it must be given by a clear affirmative act; and the controller must be able to demonstrate that it was given.

In addition, a data subject has to be able to withdraw his or her consent, even if it has been given in the context of services under the PSD 2.

Finally, irrespective of the way in which the personal data are to be processed, the GDPR always has to be complied with.