Guidelines 06/2020 on the interplay of the Second Payment Services Directive and the GDPR

Paragraph 3.2.1  Explicit consent under Article 94 (2) PSD2

34 The PSD2 includes a number of specific rules concerning the processing of personal data, in particular in Article 94 (1) of the PSD2, which determines that the processing of personal data for the purposes of thePSD2 must comply with EU data protection law. Further more,  Article94 (2) of the PSD2 sets out that payment service providers shall only access, process and retain personal data necessary for the provision of their payment services, with the explicit consent of the payment service user. Pursuant to Article 33 (2) of the PSD2, this requirement of the explicit consent of the payment service user does not apply to AISPs. However, Article 67 (2) (a) of thePSD2 still provides for explicit consent for AISPs for the provision of the service.

35 As mentioned above, the list of lawful bases for processing under the GDPR is exhaustive. As mentioned in paragraph 14 (see section 2.2.) , the legal basis for the processing of personal data for the provision of payment services is, in principle, Article 6 (1) (b) of the GDPR, meaning that the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. From that, it follows that Article 94 (2) of thePSD2 cannot be regarded as an additional legal basis for processing of personal data. The EDPB considers that, in view of the foregoing, this paragraph should be interpreted, on the one hand, in coherence with the applicable data protection legal framework and, on the other hand, in a way that preserves its useful effect. Explicit consent under Article 94 (2) PSD2 should therefore be regarded as an additional requirement of a contractual nature in relation to the access to and subsequently processing and storage of personal data for the purpose of providing payment services and is therefore not the same as (explicit) consent under the GDPR.

36 “Explicit consent” referred to in Article 94 (2) PSD2 is a contractual consent. This implies that Article94 (2) PSD2 should be interpreted in the sense that when entering a contract with a payment service provider under the PSD2, data subjects must be made fully aware of the specific categoriesof personal data that will be processed. Further, they have to be made aware of the specific (payment service) purpose for which their personal data will be processed and have to explicitly agree to these clauses. Such clauses should be clearly distinguishable from the other matters dealt with in the contract and would need to be explicitly accepted by the data subject.

37 Central to the notion of “explicit consent” under Article 94 (2) of the PSD2is the gaining of access to personal data to subsequently process and store these data for the purpose of providing payment services. This implies that the payment service provider is not yet processing the personal data, but needs access to personal data that have been processed under the responsibility of anyother controller. If a payment service user enters into a contract with, for example, a payment initiation service provider, this provider needs to obtain access to personal data of the payment service user that is being processed under the responsibility of the account servicing payment service provider. The object of the explicit consent under Article 94 (2) PSD2 is the permission to obtain access to those personal data, to be able to process and store these personal data that are necessary for the purpose of providing the payment service. If explicit consent is given by the data subject, the account servicing payment service provider is obliged to give access to the indicated personal data.

38 Although the consent of Article 94 (2)of the PSD2 is not a legal ground for the processing of personal data, this consent is specifically related to personal data and data protection, and ensures transparency and a degree of control for the payment service user. While the PSD2 does not specify the substantive conditions for consent under Article 94 (2) PSD2, it should, as stated above, be understood in coherence with the applicable data protection legal framework and in a way that preserves its useful effect.

39 With regard to the information to be provided by controllers and the requirement of transparency, Article 29 Working Party Guidelines on Transparency specifies that a “A central consideration ofthe principle of transparency outlined in these provisions isthatthe data subject should be able todetermine in advance what the scope and consequences of the processing entails and that theyshould not be taken by surprise at a later point about the ways in which their personal data hasbeen used”.

40 Furthermore, as required by the principle of purpose limitation, personal data must be collected for specified, explicit and legitimate purposes (Article 5 (1) (b) of the GDPR). Where personal data are collected for more than one purpose, “controllers should avoid identifying only one broad purpose in order to justify various further processing activities which are in fact only remotely related to the actual initial purpose”. The EDPB has highlighted, most recently in the context of contracts for online services, the risk of inclusion of general processing terms in contracts and has stated that the purpose of the collection must be clearly and specifically identified: it must be detailed enough to determine what kind of processing is and is not included within the specified purpose, and to allow that compliance with the law can be assessed and data protection safeguards applied.

41 When considered in the context of the additional requirement of explicit consent pursuant to Article 94 (2) of the PSD2, this entails that controllers must provide data subjects with specific and explicit information about the specific purposes identified by the controller for which their personal data are accessed, processed and retained. In line with Article 94 (2) of the PSD2, the data subjects must explicitly accept these specific purposes.

42 Furthermore, as set out above in paragraph 9, the EDPB highlights that the payment service user must be able to choose whether or not to use the service and cannot be forced to do so. Therefore, the consent under Article 94 (2) of the PSD2 also has to be a freely given consent.