Guidelines 06/2020 on the interplay of the Second Payment Services Directive and the GDPR
Section 4.2 The legitimate interest of the controller
45 Article 5 (1) (b) GDPR requires that personal data are only collected for specified, explicit and legitimate purposes and may not be further processed in a manner that is incompatible with those purposes. In addition, the GDPR requires that any processing of personal data must be both necessary and proportionate, and in line with the other data protection principles, such as those of purpose limitation and data minimisation.
46 The GDPR may allow for the processing of silent party data when this processing is necessary for the purposes of the legitimate interests pursued by a controller or by a third party (Article 6 (1) (f) GDPR). However, such processing can only take place when the legitimate interest of the controller is not “overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data”.
47 A lawful basis for the processing of silent party data by PISPs and AISPs – in the context of the provision of payment services under the PSD2 – could thus be the legitimate interest of a controller or a third party to perform the contract with the payment service user. The necessity to process personal data of the silent party is limited and determined by the reasonable expectations of these data subjects. In the context of providing payment services that are covered by the PSD2, effective and appropriate measures have to be established by all parties involved to ensure that the interests or fundamental rights and freedoms of the silent parties are not overridden, and that the reasonable expectations of these data subjects regarding the processing of their personal data are respected. In this respect, the controller has to establish the necessary safeguards for the processing in order to protect the rights of data subjects. This includes technical measures to ensure that silent party data are not processed for a purpose other than the purpose for which the personal data were originally collected by PISPs and AISPs. Where feasible, encryption or other techniques must also be applied to achieve an appropriate level of security and data minimisation.