      Privacy Guidelines on Interplay of the Second Payment Services Directive and the GDPR – version for public consultation

      • Categories Blog, Business, Design / Branding, Free Data Protection Resources, Uncategorized
      • Date September 28, 2020

      Guidelines 06/2020 on the interplay of the Second Payment Services Directive and the GDPR

      Section 1.2   Services under the PSD2

      5 The PSD2 introduces two new kinds of payment service (providers): PISPs and AISPs (see section 1.1. definitions). Annex 1 of the PSD2 contains the eight payment services that are covered by the PSD2.

      6 PISPs provide services to initiate payment orders at the request of a payment service user with respect to the user’s payment account held at another payment service provider. A PISP can request an ASPSP (usually a bank) to initiate a transaction on behalf of the payment service user. The (payment service) user can be a natural person (data subject) or a legal person.

      7 AISPs provide online services for consolidated information on one or more payment accounts held by the payment service user either with another payment service provider or with more than one payment service provider. According to recital 28 PSD2, the payment service user is able to have an overall view of its financial situation immediately at any given moment.

      8 When it comes to account information services, there could be several different types of services offered, with the emphasis on different features and purposes. For example, some providers may offer users services such as budget planning and monitoring spending. The processing of personal data in the context of these services is covered by the PSD2. Services that entail creditworthiness assessments of the PSU or audit services performed on the basis of the collection of information via an account information service fall outside of the scope of the PSD2 and therefore fall under the GDPR. However, accounts other than payment accounts (e.g. savings, investments) are not covered by the PSD2.

      • Example:

      • Happy Payments is a company that offers an online service consisting of the provision of information on one or more payment accounts through a mobile app in order to provide financial oversight (an Account Information Service). With this service, the payment service user can see at a glance the balances and recent transactions in two or more payment accounts at different banks. It also offers, when a payment service user chooses to do so, a categorisation of spending and income according to different typologies (salary, leisure, energy, mortgage, etc.), thus helping the payment service user with financial planning. Within this app, Happy Payments also offers a service to initiate payments directly from the user's designated payment account(s) (a Payment Initiation Service).

      9 In order to provide those services, the PSD2 regulates the legal conditions under which PISPs and AISPs can access payment accounts to provide a service to the payment service user.

      10 Articles 66 (1) and 67 (1) PSD2 determine that the access and the use of payment and account information services are rights of the payment service user. This means that the payment service user should remain entirely free with regard to the exercise of such right and cannot be forced to make use of this right.

      11 Access to payment accounts and the use of payment account information is partly regulated in Articles 66 and 67 PSD2, which contain safeguards regarding the protection of (personal) data. Article 66 (3) (f) PSD2 states that the PISP shall not request from the payment service user any data other than those necessary to provide the payment initiation service, and Article 66 (3) (g) PSD2 provides that PISPs shall not use, access or store any data for purposes other than for performing the payment initiation service explicitly requested by the payment service user. Furthermore, Article 67 (2) (d) PSD2 limits the access of AISPs to the information from designated payment accounts and associated payment transactions, whereas Article 67 (2) (f) PSD2 states that AISPs shall not use, access or store any data for purposes other than for performing the account information service explicitly requested by the payment service user, in accordance with data protection rules. The latter emphasises that, within the context of the account information services, personal data can only be collected for specified, explicit and legitimate purposes. An AISP should therefore make explicit in the contract for what specific purposes personal account information data are going to be processed, in the context of the account information service it provides. The contract should be lawful, fair and transparent under Article 5 of the GDPR and also comply with other consumer protection laws.

      12 Depending on specific circumstances, payment service providers could be a controller or processor under the GDPR.

      Richard V
