
European Payments Council – what the GDPR will concretely change for payment service providers

16 February 2018

An interview with Gert Heynderickx, European Payments Council Legal Counsel and Company Secretary

While the European payment industry is currently trying to assess how the revised Payment Services Directive (PSD2) will concretely impact each party’s business and operational model, another critical piece of European legislation will apply in May and necessitates immediate actions from payment service providers (PSPs). The General Data Protection Regulation (GDPR) significantly revises and harmonises how consumers’ personal data shall be protected in the European Union. When it comes to data privacy, payments might be one of the most sensitive areas for consumers.

Gert from EPC

Q. As far as payments are concerned, what will the GDPR mainly change for PSPs when it will start to apply in May 2018?
The Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR), aims to protect the fundamental rights and freedoms of individuals and in particular, their right to privacy with respect to the processing of their personal data. The GDPR was adopted in April 2016. It entered into force on 24 May 2016 and shall be fully applicable from 25 May 2018.

The GDPR is not the first European legislation regarding the protection of personal data: its predecessor, the Data Protection Directive (officially ‘Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data’), has existed since 1995, but it no longer suffices in the current digital era.

Pursuant to the relevant provisions of the GDPR, Payment Service Providers can process personal data:
. either with the data subject’s consent,
. or because processing is required to ensure the performance of a contract, or to comply with a legal obligation, or to safeguard a data subject’s vital interests, or for the purposes of legitimate interests (for example to combat fraud), except where such interests are overridden by the interests, rights or freedoms of the data subject.

What’s new for PSPs? Amongst other things, the territorial scope of the GDPR is wider than that of the Data Protection Directive.

The requirements permitting the processing of personal data have also been strengthened and the rights of individuals (‘data subjects’) widened, for example in terms of data portability (i.e. the possibility for individuals to obtain and reuse their personal data for their own purposes across different services provided by other organisations).

Most important for PSPs, however, are the increased accountability requirements, including the introduction of so-called privacy impact assessments (‘PIAs’), broader notification duties for data breaches, the requirement to appoint a Data Protection Officer (exceptions apply) and the partially new, partially stricter requirements for ‘privacy by design’ and ‘privacy by default’, i.e. the obligation to implement appropriate technical and organisational measures to aptly protect the security of the personal data of their clients.

Lastly, the drastic increase of fines for non-compliance (up to 20,000,000 euros or four percent of worldwide group revenues) should be mentioned.

Q. What are the main specific actions PSPs should take to prepare for the GDPR’s application in May 2018?
In order to be GDPR compliant, PSPs must ensure that the personal data they process are:

. Processed legally and appropriately and with a clear view of how the information will be used;
. Collected for specified, explicit and legitimate purposes;
. Relevant and limited to the respective purposes;
. Accurate and kept up to date;
. Retained for no longer than is necessary for the relevant purposes;
. Only processed if the data are kept appropriately secure.

Furthermore, PSPs should:
. Review all of their data-processing activities and keep verifiable records of these activities;
. Ensure that they have implemented appropriate technical and organisational measures to adequately protect the security of the personal data of their clients (‘data protection by design and by default’);
. Ensure compliance with the ‘accountability principle’ and cooperate with the relevant supervisory authority where appropriate;
. Ensure that they have appropriate processes and templates in place for identifying, reviewing and promptly reporting data breaches to the relevant supervisory authority.

Q. The PSD2 is applicable since 13 January 2018. It contains a number of data protection provisions. How does PSD2 concretely interact with the GDPR? Are they complementary and consistent?
The PSD2 indeed contains certain data protection provisions, some of which might be confusing in a GDPR context.
For example, the PSD2 notion of ‘sensitive payment data’ (i.e. data, including personalised security credentials, which can be used to carry out fraud) is not to be confused with the special categories of personal data under GDPR. Furthermore, Article 94 PSD2 stipulates that PSPs shall only access/process/retain data necessary for the provision of the services, with the explicit consent of the user. Whereas under the GDPR, consent is just one of the possible grounds for processing personal data (other grounds include the necessity for performing a legal obligation or for the conclusion or performance of a contract), consent appears as a specific concept in its own right in PSD2.

In the context of account information services (AIS) and payment initiation services (PIS), explicit consent must be obtained by, and is a responsibility of, account information service providers (AISPs) and payment initiation service providers (PISPs) in order to carry out their services. Although PSD2 does not require account servicing payment service providers (ASPSPs) to seek consent themselves in the context of AIS/PIS, they must always have a specific ground for processing the data under the GDPR. The lawful basis for such processing will in principle be the performance of a contract or a legal duty, including those imposed by the relevant provisions of the PSD2 on access to payment accounts.

Last but not least, third party payment service providers (TPPs) and ASPSPs alike should not overlook the GDPR’s strict purpose limitation/data minimisation principles when considering further use of personal data obtained in accordance with the requirements of PSD2. Under Article 5(1)(b) GDPR, personal data must be collected only for well-defined purposes, and may not be further processed for other purposes. Certain exceptions apply, for example if the purpose of the secondary processing is ‘compatible’ with the purpose of the initial collection, taking into account, notably, any link between the initial purposes and the secondary purposes, the context of the initial collection and the expectations of the individual, etc. It is to be noted that PSD2 contains similar provisions prohibiting TPPs from using, accessing or storing any data for purposes other than performing the account information and/or payment initiation services explicitly requested by the payment service user, in accordance with data protection rules.

To summarise, PSPs should assess on a case-by-case basis which provisions of PSD2 and GDPR apply to a concrete situation. In doing so, they should always bear in mind the basic principles set out above, assessing whether they act as data controller or data processor (decision about means and purposes of processing) whilst ensuring the legitimacy of the processing.

Source: EPC
