PSD2 and GDPR: An awkward match?
On the intersection of both sets of rules, from a Dutch perspective
While we wait for more clarity from the legislature, this article aims to inform you on the latest news regarding the discrepancies between PSD2 and GDPR, and provide you with practical guidance.
If your company processes personal data of European citizens and you also provide (or plan to provide) payment services in Europe, you have to comply with both the General Data Protection Regulation (“GDPR”) and the new Payment Services Directive 2 (“PSD2”). These sets of rules are not to be taken lightly: noncompliance can lead to staggering fines of up to 20 million or 4% of worldwide turnover and, in many cases, reputational damage. As the implementation dates of the GDPR (May 25 2018) and PSD2 (Q2 2018) are rapidly approaching, companies facing both sets of rules will need to decide on their PSD2 and GDPR strategy sooner rather than later.
Unfortunately, as is often the case with complex EU rules and regulations, obscurities and possible conflicts seem to exist between the (implementation of) PSD2 and the GDPR. In the Netherlands, the Dutch Data Protection Authority (“DPA”) has recognized these discrepancies and expressed its concerns in two recommendation letters, on the Dutch Draft PSD2 Implementation Act and, most recently, on the Dutch Draft PSD2 Implementation Decree. The DPA addresses concerns such as the lack of clarity on the hierarchy of rules, the relevant authority and consent, as well as incompatible terminology.
For the full article, please download the PDF.
Do you want to know more about the GDPR and/or PSD2? Please contact Anastasiya Milshina.