Guidelines 06/2020 on the interplay of the Second Payment Services Directive and the GDPR

Section 6.2  Data minimisation measures

61 The TPP accessing payment account data in order to provide the requested services must also take the principle of data minimisation into account and must only collect personal data necessary to provide the specific payment services requested by the payment service user. As a principle, the access to the personal data should be limited to what is necessary for the provision of payment services. As has been shown in Chapter 2, the PSD2 requires ASPSPs to share PSU information on request of the PSU, when the PSU wishes to use a payment initiation service or an account information service.

62 When not all payment account data are necessary for the provision of the contract, a selection of the relevant data categories must be made by the AISP before the data are collected. For instance, data categories that may not be necessary may include the identity of the silent party and the transaction characteristics. Also, unless required by Member State or EU law,  the IBAN of the silent party’s bank account may not need to be displayed.

63 In this respect, the possible application of  technical measuresthat enable or support TPPs in their obligation to access and retrieve only the personal data necessary for the provision of their services could be considered, as part of the implementation of appropriate data protection policies, in line with article 24 (2) GDPR. In this respect, the EDPB recommends the usage of digital filters in order to support AISPs in their obligation to only collect personal data that are necessary for the purposes for which they are processed. For instance, when a service provider does not need the transaction characteristics (in the description field of the transaction records) for the provision of their service, a filter could function as a tool for TPPs to exclude this field from the overall processing operations by the TPP.

64 It should also be noted in this regard that under the PSD2, ASPSPs are only allowed to provide access to payment account information. There is no legal basis under the PSD2 to provide access with regard to personal data contained in other accounts, such as savings, mortgages or investment accounts. Accordingly, under the PSD2, technical measures have to be implemented to ensure that access is limited to the necessary payment account information.

65 Besides collecting as little data as possible, the service provider also has to implement limited retention periods. Personal data should not be stored by the service provider for a period  longerthan is necessary in relation to the purposes requested by the payment service user.

66 If the contract between the data subject and the AISP requires the transmission of personal data to third parties, then only those personal data that are necessary for the execution of the contract can be transmitted. Data subjects should also be specifically informed about the transmission and the personal data that are going to be transmitted to this third party.