Guidelines 06/2020 on the interplay of the Second Payment Services Directive and the GDPR
Section 2.3 Further processing
20 Article 6 (4) of the GDPR determines the conditions for the processing of personal data for a purpose other than that for which the personal data have been collected. More specifically, such further processing may take place, where it is based on a Union or Member State law, which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23 (1), where the data subject has given their consent or where the processing for a purpose other than that for which the personal data were collected is compatible with the initial purpose.
21 Articles 66 (3) (g) and 67 (2) (f) of the PSD2 have to be taken into careful consideration. As mentioned above, Article 66 (3) (g) of the PSD2 states that the PISP shall not use, access or store any data for purposes other than for the provision of the payment initiation service as explicitly requested by the payer. Article 67 (2) (f) of the PSD2 states that the AISP shall not use, access or store any data for purposes other than for performing the account information service explicitly requested by the payment service user, in accordance with data protection rules.
22 Consequently, Article 66 (3) (g) and Article 67 (2) (f) of the PSD2 considerably restrict the possibilities for processing for other purposes, meaning that the processing for another purpose is not allowed, unless the data subject has given consent pursuant to Article 6 (1) (a) of the GDPR or the processing is laid down by Union law or Member State law to which the controller is subject, pursuant to Article 6 (4) of the GDPR. Where the processing for a purpose other than that for which the personal data have been collected is not based on the data subject’s consent or on a Union or Member State law, the restrictions laid down in Article 66 (3) (g) and Article 67 (2) (f) of the PSD2 make clear that any other purpose is not compatible with the purpose for which the personal data are initially collected. The compatibility test of Article 6 (4) of the GDPR cannot result in a legal basis for processing.
23 Article 6 (4) of the GDPR allows for further processing based on Union or Member State law. Forexample, all PISPs and AISPs are obliged entities under Article 3 (2) (a) Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing of the anti-money laundering directive. These obliged entities are therefore compelled to apply the customer due diligence measures as specified in the directive. The personal data processed in connection with a PSD2 service are, therefore, further processed based on at least one legal obligation resting on the service provider
24 As mentioned in paragraph 20, Article 6 (4) of the GDPR indicates that the processing for a purpose other than that for which the personal data have been collected could be based on the data subject’s consent, if all the conditions for consent under the GDPR are met. As set out above, the controller needs to demonstrate that it is possible to refuse or withdraw consent without detriment (recital 42 of the GDPR).