Guidelines 06/2020 on the interplay of the Second Payment Services Directive and the GDPR

Section 1.1  Definitions

‘Account Information Service Provider’(‘AISP’)’ refers to the provider of an online service to provide consolidated information on one or more payment accounts held by the payment service user with either another payment service provider or with more than one payment service provider;

‘Account Servicing Payment Service Provider’ (‘ASPSP’) refers to a payment service provider providing and maintaining a payment account for a payer;

‘Data minimisation’ is a principle of data protection, according to which personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

‘Payer’ refers to a natural or legal person who holds a payment account and allows a payment order from that payment account, or, where there is no payment account, a natural or legal person who gives a payment order;

‘Payee’ refers to a natural or legal person who is the intended recipient of funds, which have been the subject of a payment transaction;

‘Payment account’ means an account held in the name of one or more payment service users, which is used for the execution of payment transactions;

‘Payment Initiation Service Provider’ (‘PISP’) refers to the provider of a service to initiate a payment order at the request of the payment service user with respect to a payment account held at another payment service provider;

‘Payment service provider’ refers to a means a body referred to in Article1 (1) of the PSD2 or a natural or legal person benefiting from an exemption pursuant to Article 32 or 33 of the PSD2;

‘Data protectionby design’ refers to technical and organizational measures embedded into a productor service, which are designed to implement data-protection principles, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of the GDPR and protect the rights of data subjects;

‘Data protectionby default’ refers to appropriate technical and organisational measures implemented in a product or service which ensure that, by default, only personal data which are necessary for each specific purpose of the processing are processed;

‘RTS’ refers to the Commission Delegated Regulation (EU) 2018/389 of 27 November 2017 supplementing Directive (EU) 2015/2366 of the European Parliament and of the Council with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication;

‘Third Party Providers’ (‘TPP’) refers to both PISPs and AISPs.