GDPR and Payment Services Directive (PSD2)

The revised Payment Services Directive (PSD2) came into application across the European Economic Area (EEA) on 13 January 2018 to regulate payment services and payment service providers. It replaced the earlier E.U. Directive 2007/64/EC (PSD1).

This legislation has a similar aim to the General Data Protection Regulation (GDPR) in that it gives customers greater control over their personal data. Companies that process payments within the European Union will need to be extra cautious in order to make sure that they are compliant with both pieces of legislation. In particular, financial institutions must review their data protection and consent management procedures and strategy to ensure that they meet the requirements of both PSD2 and GDPR.

Financial Stability, Financial Services and Capital Markets Union Commissioner Jonathan Hill commented on the passing of the new legislation saying: “This legislation is a step towards a digital single market; it will benefit consumers and businesses, and help the economy grow.”

Focus of PSD2

PSD2 was introduced with several main objectives. They include the following:
• Contribute to a more integrated and efficient European payments market
• Improve the level playing field for payment service providers (including new players)
• Make payments safer and more secure
• Protect consumers
• Encourage lower prices for payments

Complying with both GDPR and PSD2

The European Union legislators envisaged that the interaction between PSD2 and GDPR would both increase the seamless sharing of data and regulate that sharing. The challenge for financial organizations is now how to comply with both pieces of legislation at once.

The most important aspect of both legislative acts is consent and how it is obtained. Both state that consumer data must only be processed once express permission and authorization has been given by the data subject. However, PSD2 does not define how this must be accomplished, which creates a challenge for financial institutions and organizations. PSD2 carries no requirement to inform individuals of how they can withdraw consent in relation to data management, whereas GDPR requires that consent be as easy to withdraw as it was to give and that the data subject be told this before consenting (Article 7(3)); GDPR, for its part, sets no automatic expiration timeline for consent.

With this in mind, there are a number of important steps that financial bodies should complete in order to ensure that they are compliant with both GDPR and PSD2.

How to Comply with GDPR and PSD2

  1. Automated decisions: Where these are in place, under GDPR financial institutions must be able to explain the logic involved in an automated decision if asked by a consumer, and must allow the consumer to obtain human intervention and contest the decision (Article 22).
  2. Data protection impact assessments: Assessments should be conducted to identify the risks of processing personal data, and should list the measures that will address those risks. An assessment of this kind must take place before the processing of data begins (Article 35).
  3. Build data protection into all new services: Appropriate measures should be taken to achieve GDPR compliance and to minimize the processing of personal data whenever new technologies and services are introduced (data protection by design and by default, Article 25).
  4. Provide consumers with information: Data subjects are entitled to know whether their information is being processed and, if so, to receive a copy of that data (Article 15). This must be considered with the introduction of new services or amendments to existing services.
  5. Allow for the deletion of consumer data on request: Consumers have the right to ask a service provider to erase the personal data it holds about them (Article 17). This right is not absolute: data that a financial institution is legally obliged to retain, for example under anti-money-laundering record-keeping rules, falls outside it, so the institution must be able to identify which records it may erase and which it must keep.