Guidelines 06/2020 on the interplay of the Second Payment Services Directive and the GDPR
Section 6.3 Security
67 The EDPB has already highlighted that a breach of financial personal data “clearly involves serious impacts in the data subject’s daily life” and cites the risk of payment fraud as an example.
68 Where a data breach involves financial data, the data subject may be exposed to considerable risks. Depending on the information that is leaked, data subjects may be exposed to a risk of identity theft and of theft of the funds in their accounts and other assets. Furthermore, the exposure of transaction data carries considerable privacy risks of its own, as transaction data may contain references to all aspects of a data subject’s private life. At the same time, financial data are obviously valuable to criminals and are therefore an attractive target.
69 Controllers are obliged to take adequate measures to protect the personal data of data subjects (Article 24(1) GDPR). The higher the risks associated with the processing activity carried out by the controller, the higher the security standards that need to be applied. As the processing of financial data is connected to a variety of severe risks, the security measures must be correspondingly high.
70 Service providers should be held to high standards, including strong customer authentication mechanisms and high security standards for the technical equipment. Other procedures, such as vetting processors for security standards and implementing procedures against unauthorised access, are also important.