    Privacad GADPPRO Academy

      Blog

      Privacy Guidelines on Interplay of the Second Payment Services Directive and the GDPR – version for public consultation

      • Categories Blog, Business, Design / Branding, Free Data Protection Resources, Uncategorized
      • Date September 30, 2020

      Guidelines 06/2020 on the interplay of the Second Payment Services Directive and the GDPR

      Section 6.4  Transparency and accountability

      71 Transparency and accountability are two fundamental principles of the GDPR.

      72 With regard to transparency (Article 5 (1) (a) of the GDPR), Article 12 of the GDPR specifies that controllers shall take appropriate measures to provide any information referred to in Articles 13 and 14 of the GDPR. Furthermore, it requires that the information or communication about the processing of personal data must be concise, transparent, intelligible and easily accessible. The information must be in clear and plain language and in writing “or by other means, including where appropriate, by electronic means”. The Article 29 Working Party ‘Guidelines on transparency under Regulation 2016/679’, as endorsed by the EDPB, offers specific guidance for compliance with the principle of transparency in digital environments.

      73 For the services under the PSD2, Article 13 GDPR is applicable for the personal data collected from the data subject and Article 14 is applicable where personal data have not been obtained from the data subject.

      74 In particular, the data subject has to be informed about the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period, and where applicable, the legitimate interests pursued by the controller or by a possible third party. Where processing is based on consent as referred to in Article 6(1) (a) GDPR or explicit consent as referred to in Article 9 (2) (a) GDPR, the data subject has to be informed of the existence of the right to withdraw consent at any time.

      75 The controller shall provide the information to the data subject, having regard to the specific circumstances in which the personal data are processed. If the personal data are to be used for communication with the data subject, which will probably be the case for AISPs, the information has to be provided at the latest at the time of the first communication to that data subject. If personal data are to be disclosed to another recipient, the information has to be provided at the latest when the personal data are first disclosed.

      76 With regard to online payment services, the abovementioned Guidelines clarify that a layered approach may be followed by data controllers where they opt to use a combination of methods to ensure transparency. It is in particular recommended that layered privacy statements/notices should be used to link to the various categories of information which must be provided to the data subject, rather than displaying all such information in a single notice on a screen, in order to avoid information fatigue, and at the same time ensuring the effectiveness of the information.

      77 The abovementioned Guidelines also clarify that controllers may choose to use additional tools to provide information to the individual data subject, such as privacy dashboards. A privacy dashboard is a single point from which data subjects can view ‘privacy information’ and manage their privacy preferences by allowing or preventing their data from being used in certain ways by the controller in question. A privacy dashboard could provide an overview of the TPPs that have obtained the data subject's explicit consent, and could also offer relevant information on the nature and amount of personal data that has been accessed by TPPs. In principle, an ASPSP may offer the user the possibility to withdraw a specific explicit PSD2 consent through the overview, which would result in a denial of access to their payment accounts to one or more TPPs. The user could also request an ASPSP to deny access to their payment account(s) to one or more particular TPPs, as it is the right of the user to (not) make use of an account information service. If privacy dashboards are used in order to give or withdraw an explicit consent, they should be designed and applied lawfully and in particular prevent creating obstacles to the TPPs' right to provide services in accordance with the PSD2. In this respect and in accordance with the applicable provisions under the PSD2, a TPP has the possibility to obtain explicit consent from the user again after this consent has been withdrawn.

      78 The accountability principle requires the controller to lay down appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with the GDPR, in particular with the main data protection principles provided for by Article 5 (1). Those measures should take into account the nature, scope, context and purposes of the processing and the risk to the rights and freedoms of natural persons, and must be reviewed and updated when necessary.

      Richard V
