Guidelines 06/2020 on the interplay of the Second Payment Services Directive and the GDPR
Section 2.4 Lawful ground for granting access to the Account (ASPSPs)
25 As mentioned in paragraph 10 (see section 1.2), payment service users can exercise their right to make use of payment initiation and account information services. The obligations imposed on the Member States in Articles 66 (1) and 67 (1) of the PSD2 should be implemented in national law in order to guarantee the effective application of the right of the payment service user to benefit from the aforementioned payment services. The effective application of such rights would not be possible without the existence of a corresponding obligation on the ASPSP, typically a bank, to grant the payment service provider access to the account under the condition that it has fulfilled all requirements to get access to the account of the payment service user. Furthermore, Articles 66 (5) and 67 (4) of the PSD2 state clearly that the provision of payment initiation services and of accountin formation services shall not be dependent on the existence of a contractual relationship between the PISP/AISP and the ASPSP.
26 The processing of personal data by the ASPSP consisting of granting access to the personal data requested by the PISP and AISP in order to perform their payment service to the payment service user is based on a legal obligation. In order to achieve the objectives of the PSD2, ASPSPs must provide the personal data for the PISPs ́ and AISPs ́ services, which is a necessary condition for PISPs and AISPs to provide their services and thus ensure the rights provided for in Articles 66 (1) and 67 (1) of the PSD2. Therefore, the applicable legal ground in this case is Article 6 (1) (c) of the GDPR.
27 As the GDPR has specified that processing based on a legal obligation should be clearly laid down by Union or Member State law (see Article 6 (3) of the GDPR), the obligation for ASPSPs to grant access should stem from the national law transposing the PSD2.