Guidelines 06/2020 on the interplay of the Second Payment Services Directive and the GDPR
Section 5.1 Special categories of personal data
50 Article 9 (1) GDPR prohibits the processing of “personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation”.
51 It should be emphasised that in some Member States, electronic payments are already ubiquitous, and are favoured by many people over cash in their day-to-day transactions. At the same time, financial transactions can reveal sensitive information about individual data subjects, including information that falls within the special categories of personal data. For example, political opinions and religious beliefs may be revealed by donations made to political parties or organisations, churches or parishes. Trade union membership may be revealed by the deduction of an annual membership fee from a person’s bank account. Personal data concerning health may be gathered from analysing medical bills paid by a data subject. Finally, information on certain purchases may reveal information concerning a person’s sex life or sexual orientation. As these examples show, even single transactions can contain special categories of personal data. Moreover, through the sum of financial transactions, different kinds of behavioural patterns could be revealed, including special categories of personal data, and additional services that are facilitated by account information services might rely on profiling as defined by Article 4 (4) of the GDPR. Therefore, the chances are considerable that a service provider processing information on the financial transactions of data subjects also processes special categories of personal data.
52 With regard to the term ‘sensitive payment data’, the EDPB notes the following. The definition of sensitive payment data in the PSD2 differs considerably from the way the term ‘sensitive personal data’ is commonly used within the context of the GDPR and data protection (law). Where the PSD2 defines ‘sensitive payment data’ as ‘data, including personalised security credentials which can be used to carry out fraud’, the GDPR emphasises the need for specific protection of special categories of personal data, which under Article 9 of the GDPR are, by their nature, particularly sensitive in relation to fundamental rights and freedoms. In this regard, it is recommended to at least map out and categorise precisely what kind of personal data will be processed. Most probably, a Data Protection Impact Assessment (DPIA) will be required in accordance with Article 35 GDPR, which will help in this mapping exercise.