Processing Transaction Data and GDPR consent: always a requirement? has been saved
Processing Transaction Data and GDPR consent: always a requirement?
Navigating the PSD2 Trilemma
Since the Payment Services Directive 2 (“PSD2”) came into effect, its use and practicalities have created serious challenges. Whilst the PSD2 landscape continues to evolve, one thing is certain: PSD2 is a multifaceted topic. To shine light on this complexity and on where these different topics intertwine, Deloitte has started the blog series ‘Navigating the PSD2 Trilemma’. In the last installment of the series, we are looking into GDPR consent for Account Information Service Providers (AISPs). Is it always required? And is it always a good solution?
Written by Nina Brauchart
Go directly to
- GDPR Consent as a legal basis for processing
- GDPR Consent as a derogation for processing special category data
- GDPR Consent for the re-use of data
- GDPR consent and the importance of collaboration
GDPR Consent as a legal basis for processing
As data controllers, AISPs must have a legal basis under the GDPR to process personal (transaction) data. The data subject’s consent is one of the possible legal bases they could rely on. AISPs will also find the notion of consent in PSD2: consent of the payment service user to access the bank account.
To avoid confusion between the two notions of consent, AISPs are advised to clearly specify which legal basis they are using to process transaction data – and to make a clear distinction between consent to access the bank account and, where applicable, consent to process the data they are accessing.
PSD2 blog series overview
GDPR Consent as a derogation for processing special category data
As well as clearly specifying which legal basis they are relying on, AISPs should look carefully into the obligations that result from Article 9 GDPR. This prohibits the processing of special category data (i.e. personal data such as racial or political information that may come with a higher risk of discrimination), unless a derogation such as explicit consent applies.
It doesn’t take a data scientist or complex algorithm to identify a monthly payment to a trade union as membership fee - thereby allowing conclusions about special category data. AISPs might not know in advance whether a dataset they obtain access to will have this type of transactions. Does this mean that AISPs always have to invoke a derogation?
The position taken has often been that a derogation is not necessary if the processing of personal data is not aimed at processing special category data.1 Treating all transaction data by definition as special category data would seriously impact on the lawfulness of all ongoing processing of transaction data not based on a derogation. But supervisory authorities are increasingly scrutinizing this matter.
AISPs should therefore carefully define the purposes of their processing to show what they are aiming to achieve and whether they can invoke above-mentioned position. Technical measures should also be considered, such as excluding data fields or counterparties known to increase the risk of conclusions being drawn from special category data. These measures should also be considered since they are key to the principle of data minimization, according to which only data that is necessary to achieve a purpose must be processed. In some cases, though, this may mean processing these higher risk fields, as they could for example be necessary to correctly categorize a transaction.
GDPR Consent for the re-use of data
When mapping the purposes of their processing, AISPs may find themselves processing – or wanting to process – personal data for multiple purposes. However, the GDPR and PSD2 both impose restrictions on processing personal data other than for the purpose for which the data was initially collected.
Article 67(2)(f) PSD2 limits the use of transaction data to providing the account information service that the user has requested (subject to data protection rules). As privacy supervisory authorities are likely to interpret this restrictively, it is vital to define what the account information service consists of and which data processing is necessary to provide it. According to the EDPB’s recent guidelines,2 further processing for compatible purposes would not be allowed. Any processing going beyond the requested account information service then should either be mandated by law or based on GDPR consent.
Mandated by law means that processing is necessary to comply with a legal obligation. Proportionality is key. Nevertheless, AISPs should have enough room to find new ways to fulfil their legal obligations. The proportionality criterion could be revisited in some cases, requiring combined expertise from the data protection and the regulatory fields as shown for example by the TMNL project.
In other scenarios relating to further processing, it is advisable to examine whether aggregated or non-identifiable data could provide the same value. Nevertheless, there will be scenarios in which GDPR consent is required.
GDPR consent and the importance of collaboration
As indicated above, AISPs may be in a situation where they have to implement multiple consent requirements. This presents challenges for the validity of consent, as users may find it difficult to understand what they are consenting to, or may agree to consent notices without reading them.
To ensure that consent is truly valid AISPs should look for smarter ways to collaborate within the organization. UX designers, marketeers, communication specialists, lawyers as well as privacy officers all should have the same interest at heart: a successful user experience that helps navigate the PSD2/AMLD5/GDPR trilemma.
This call to collaboration concludes the blog series. Read all blogs in the series here and stay tuned for more PSD2 content!
1-See, for example, the Dutch Privacy Authority’s report on the Tax Office’s processing of nationality data, accessible via https://www.autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/onderzoek_belastingdienst_kinderopvangtoeslag.pdf
2-European Data Protection Board, Guidelines 06/2020 on the interplay of the Second Payment Services Directive and the GDPR, adopted on 15 December 2020