Requesting explicit consent as a payment service provider

One of the most important privacy rules from PSD2 is that as a payment service provider, you need explicit consent from the consumer to gain access to personal data. 'Explicit' means that you must clearly and explicitly ask a consumer for consent. The consumer must actively give this consent.

Requirements for explicit consent

The same requirements for requesting explicit consent apply throughout the European Union. Explicit consent is only valid if it meets the following requirements:

  • free;
  • unambiguous;
  • informed;
  • specific;
  • withdrawable.

Free

As a payment service provider, you are not allowed to put anyone under pressure to give consent. A consumer must be free to refuse consent and must not suffer any disadvantage as a result.

Unambiguous

Giving consent must be a clear, unambiguous and active act. An example of this is a (digital) written or oral declaration. In any case, it must be perfectly clear that the consumer has given his consent. As a payment service provider, you may not assume tacit consent. The use of pre-ticked boxes is therefore prohibited.

Informed

As a payment service provider, you must inform consumers about:

  • your identity as a controller;
  • the purpose of each processing operation for which you ask consent;
  • which personal data you collect and use;
  • the right consumers have to withdraw their consent again.

You must offer this information in an accessible form.

You must use clear language, so consumers understand the information and can make an informed choice.

Specific

As a payment service provider, you are only allowed to request consent to access and process personal data that are necessary for offering your payment service. Consent must therefore always apply for a specific processing operation and a specific purpose.

Withdrawable

Consumers always have the right to withdraw their consent. This must be as easy as giving consent. As a payment service provider, you must inform consumers about this before they give their consent.

Tip: If a consumer withdraws previously given consent, the consumer may no longer be able to use your payment service as they may have been used to. You can, of course, inform consumers of this in advance.

How to ask for consent

You must ask for consent separately from the other parts of the payment service agreement. You must therefore organise the way in which you ask for consent accordingly. That can be achieved in different ways.

In a digital environment you can do this, for example, in the form of a separate window such as a pop-up or a checkbox in a dialogue. Consumers can indicate that they give their consent for access to their personal data.

Note: You cannot ask for consent by asking consumers to agree to the general terms and conditions of your payment service.

If you have not received explicit consent, you cannot execute the agreement with the consumer. You may of course point this out to the consumer when asking for consent.

You must be able to demonstrate that you have validly requested and received consent when requested by the Dutch Data Protection Authority (DPA). This is part of your duty of accountability.

Infographic explicit consent PSD2

The Infographic explicit consent PSD2 (in Dutch) lists the requirements for explicit consent.

Existing contracts

In the case of an existing contract, you usually do not need to request consent to access personal data. An existing contract is defined as a contract concluded before 19 February 2019. That is the date on which PSD2 came into effect in the Netherlands.

Within an existing contract, as a payment service provider you usually do not need access to personal data held by another party, such as a bank. If the existing contract requires access to personal data held by another party, you must still ask for explicit consent from the consumer.

Exception: account information service

Explicit consent for access to personal data is not required if the service solely consists of offering an account information service, such as a digital housekeeping book. The consumer does have to explicitly consent to the service. This is done via an authorisation that is valid for a maximum of 90 days.

As an account information service provider, you are not allowed to process personal data for purposes other than providing the account information service. You must comply with all rules of the General Data Protection Regulation (GDPR).

Note: If you combine your account information service with another payment service, such as a payment initiation service, you must request explicit consent to access personal data.