2018/2019 Edition of the Global Regulatory Update

Global Regulatory Update | Corporates Edition 51

of personal data (without consent), for example where the processing is necessary to perform a contract, for the purposes of the legitimate interests of the data controller, or for compliance with a legal obligation. If a payment service user (a consumer or a corporate) wants to carry out a payment transaction with a TPP, the TPP needs access to their payment account data in order to perform the contract, i.e. to initiate the payment. There should therefore be no requirement for customer consent for the associated data processing operations. PSD2, however, raises the standard of protection above that of the GDPR by imposing an additional consent requirement. The EC has provided some useful clarifications, and we are still awaiting further clarification from the Article 29 Working Party (composed of the 28 Data Protection Authorities), which we expect to receive in the near future. In particular, the EC has noted that:

• PSD2 is not a lex specialis of the GDPR. (Generally, where two laws govern the same area, a law governing a specific subject matter (lex specialis) overrides a law governing only general matters (lex generalis); the Commission is not of the view that this applies here.) In other words, the provision in PSD2 on data protection, which states that PSPs shall only access and retain personal data necessary for the provision of their payment services with the explicit consent of the payment service user, does not create a new legal ground but has to be interpreted in light of the GDPR.
• The GDPR provides six distinct legal grounds for processing personal data, including the performance of a contract. Payment services are to be provided, as a rule, on the basis of a contractual relationship between the PSP and the user, either in the context of framework contracts or as single payment transactions.
• With respect to the requirement of explicit consent in Article 94(2) of PSD2, the EC has said that it needs to be interpreted on the one hand in coherence with the applicable GDPR and, on the other hand, in a way that preserves its useful effect.
• Hence, payment service users, when requesting and contracting payment services, are to be specifically informed about, and explicitly agree with, the processing of their personal data necessary for the performance of the contract.
• Screen scraping: TPPs have to comply with the GDPR, and in particular with the principles of data minimisation and data protection by design and by default.
• Access to and use of silent party data is necessary for the provision of payment services.
