Privacy rules for payment service providers

As a payment service provider, you must comply with PSD2. This means you must first ask consumers for explicit consent to gain access to their personal data. In addition, you have to comply with the General Data Protection Regulation (GDPR).

Financial personal data

An important part of your business model is based on the processing of personal data, including financial data. These are sensitive personal data. This means that their processing poses increased risks for the person concerned. It is therefore important that you handle financial personal data with due care.

Legal basis under the GDPR

The fact that you must comply with the GDPR means, among other things, that you need a legal basis for processing personal data. This legal basis applies in addition to the explicit consent of the consumer.

The GDPR states that organisations must be able to rely on one of the six legal bases under the GDPR for processing personal data. For you as a payment service provider, this will often be the legal basis of an agreement (the contract with the consumer).

Note: One of the legal bases for processing personal data is consent. However, this is not the same as the explicit consent referred to in PSD2.

Other rules from the GDPR

In addition to the required legal basis, some important rules from the GDPR are:

Do you want to know more? Please read the PSD2 information letter for payment service providers (in Dutch) of the Dutch Data Protection Authority (Dutch DPA).

Interplay PSD2 and GDPR

The European Data Protection Board (EDPB) has drawn up guidelines on the interplay between PSD2 and the GDPR:

Supervision of PSD2 and GDPR

There are four supervisory authorities that are involved in the supervision of payment transactions. In addition to the Dutch Data Protection Authority (DPA), De Nederlandsche Bank (DNB), the Netherlands Authority for Consumers and Markets (ACM) and the Dutch Authority for the Financial Markets (AFM) also have a role.

  • The Dutch Data Protection Authority (DPA) monitors the protection of personal data. In addition, it looks at the requirements in the GDPR and the requirements included in PSD2.
  • DNB grants licences to providers of payment services.
  • The ACM looks at the competition between providers in the payment market and at whether banks grant access to account information.
  • The AFM monitors the provision of information by payment service providers.

Naturally, these supervisory authorities work closely together. This is important for both consumers (privacy protection) and companies (legal certainty).