EDPB’s consultation on the interplay of the PSD2 and the GDPR: EBF response
18 September 2020
EBF has responded to the European Data Protection Board’s (EDPB) consultation on the draft guidelines on the interplay of the PSD2 and GDPR. We welcome the EDPB’s efforts to clarify uncertainties that persist between these two essential legislative frameworks for the banking sector.
While there are elements which the draft Guidance clarifies, for example the welcome confirmation that explicit consent under Article 94 PSD2 is different from (explicit) consent under the GDPR, other elements are more worrying (e.g. the proposals on data minimisation measures). In particular, EBF members are concerned about the lack of coherence in some cases with the provisions of PSD2, which could create further uncertainties instead of resolving existing ones and result, in some cases, in a breach of legal obligations on the part of banks in their role
To realise the opportunities offered by the PSD2, ensure legal certainty for all parties and safeguard the protection of consumer data, we encourage the EDPB to consider the following:
- The final EDPB Guidelines should ensure coherence with existing legislation, notably the Regulatory Technical Standards on Strong Customer Authentication and Common and Secure Communication (the RTS on SCA and CSC). They should also not result in new technical measures, given that the PSD2 (level 1) transposition deadline for member states was 13 January 2018 and the compliance deadline with the level 2 EBA RTS on SCA and CSC for market participants was 14 September 2019.
- It is important to make a clear distinction between the respective GDPR responsibilities of the payment service providers, ASPSP, PISP and AISP, based on the roles described in the PSD2. We therefore suggest clarifying at each stage of the Guidelines the addressee(s) of the various obligations.
- On further processing under PSD2, the Guidance should be amended to clarify that AISPs and PISPs can process personal data relating to payments on other Article 6 GDPR legal bases, for example legitimate interests, provided this is linked to the provision of the core AIS/PIS and subject to meeting the other GDPR requirements. The current interpretation in the Guidelines risks preventing a range of legitimate and important data processing activities by TPPs.
- The current proposals on data minimisation measures, particularly the recommendation on digital filters, do not take into account that it is the responsibility of each PSP, as the data controller, to respect the principle of data minimisation. The Guidance also does not consider that filtering would mean interfering with the data to be accessed by TPPs, whereas the aim of PSD2 is to allow access to the account information as is. For ASPSPs, using digital filters could result in a breach of their legal obligations.