Guidelines 06/2020 on the interplay of the Second Payment Services Directive and the GDPR

Section 6.5  Profiling

79 The processing of personal data by payment service providers may entail ‘profiling’ as referred to in Article 4 (4) of the GDPR. For example, AISPs could rely on automated processing of personal data in order to evaluate certain personal aspects relating to a natural person. A data subject’s personal financial situation could be evaluated, depending on the specifics of the service. Account information services, to be provided as requested by users, may involve an extensive evaluation of personal payment account data.

80 The controller also has to be transparent to the data subject on the existence of automated decision-making, including profiling. In those cases, the controller has to provide meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject (Article 13 (2) (f) and Article 14 (2) (g) and recital 60). Likewise, under Article 15 of the GDPR the data subject has the right to request and obtain information from the controller about the existence of automated decision-making, including profiling, the logic involved and the consequences for the data subject, and, in certain circumstances, a right to object to profiling, regardless of whether solely automated individual decision-making based on profiling takes place.

81 Furthermore, what is also relevant in this context is the right of the data subject not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affecting him or her, provided for by Article 22 of GDPR. This norm also includes, in certain circumstances, the need for data controllers to implement suitable measures to safeguard the data subject’s rights such as specific information to the data subject, the right to obtain human intervention in the decision making and to express his or her point of view and contest the decision. As also stated in recital 71 of GDPR this means, inter alia, that data subjects have the right not to be subject to a decision, such as automatic refusal of an online credit application without any human intervention.

82 Automated decision-making, including profiling that involves special categories of personal data is only allowed under the cumulative conditions of Article 22 (4) GDPR:

• there is an applicable Article 22 (2) exemption;

• and paragraph (a) or (g) of Article 9 (2) GDPR applies. In both cases, the controller must put in place suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests.

83 The requirements for further processing, as stated in these guidelines, must alsobe observed. The clarifications and instructions on automated individual decision-making and profiling given by the Working Party 29 Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679, as endorsed by the EDPB, are fully relevant in the context of payment services and should therefore be duly considered.