Reconciling Consent in PSD2 and GDPR

Friday 22 March 2019 07:46 CET | Voice of the industry

Niels Vandezande from Timelex discusses the notion of explicit consent under PSD2 and GDPR, and the EDPB's guidance on how the two relate.

The Second Payment Services Directive (PSD2) adds third-party payment service providers – particularly account information service providers (AISP) and payment initiation service providers (PISP) – to the EU's legal framework on payment services. This means that traditional payment service providers will need to share certain data with those third-party providers. Much of that data will be very personal in nature and may constitute personal data in the sense of the EU's data protection framework set by the General Data Protection Regulation (GDPR). This creates friction: providers are required to share personal data, while at the same time being required to conduct such sharing under very strict conditions, which leaves them with a compliance conundrum. Even after the entry into force of both legal frameworks, several uncertainties remain. In this article, we look at one particular matter, namely that of explicit consent, and the guidance provided on it by the European Data Protection Board (EDPB).

Data sharing under PSD2

PSD2's article 67 provides the rules on access to and use of payment account information in the case of account information services. This article gives payment service users the right to make use of services that give them access to their account information. Account information service providers, however, may only provide their services on the basis of the payment service user's explicit consent. They may only access the information from designated payment accounts and associated payment transactions, they may not request sensitive payment data linked to those accounts, and they may not use, access, or store any data for purposes other than performing the service explicitly requested by the user.

Similarly, according to article 66, a payment initiation service provider may only provide its services on the basis of the payer's explicit consent. It may not request any data other than those necessary to provide its services, and it may not use, access, or store any data for purposes other than the provision of the service as explicitly requested by the payer.

Article 94 of PSD2 sets the data protection standard of this legal framework: payment service providers shall only access, process, and retain personal data necessary for the provision of their payment services, with the explicit consent of the payment service user. Moreover, all personal data processing in the context of PSD2 must comply with the EU's data protection framework, now set by GDPR.

Consent under GDPR

Under the EU's data protection framework, personal data may only be processed on one of a limited number of lawful grounds (article 6 GDPR). There are six of them:

processing under the data subject’s consent,

processing necessary for the performance of a contract with the data subject,

processing necessary to comply with a legal obligation,

processing necessary for the protection of the vital interests of the data subject,

processing necessary for a task performed in the public interest, and

processing necessary for the legitimate interests of the data controller or a third party.

Regarding consent, the GDPR's article 7 provides that the data controller must be able to demonstrate that the data subject has consented, and that consent must be freely given. A request for consent on one matter must be clearly distinguishable from other matters, and consent may be withdrawn at any time. When processing a child's personal data – the age threshold lies between 13 and 16, depending on the Member State – consent must be given or authorised by the holder of parental responsibility. When processing special categories of personal data – such as racial or ethnic origin, political opinions, or health data – consent must be explicit.

This shows that both GDPR and PSD2 use a notion of consent, or even explicit consent, even though the two meanings do not perfectly overlap. Moreover, it can be questioned whether explicit consent is really needed at all under GDPR if the processing of the payer's personal data by a third-party payment service provider is necessary for the performance of a contract between them – i.e. to provide a payment initiation or account information service. The availability of that lawful ground means that under GDPR no consent would be needed – consent being a separate lawful ground – even though PSD2 still requires explicit consent.

EDPB guidance

The EDPB provided some guidance on the matter in July 2018.

It confirms that third-party payment service providers deliver their services on the basis of a contract between them and the payment service user, in accordance with recital 87 PSD2. This means that, for personal data processing in this relationship, the GDPR lawful ground of contractual necessity can indeed apply. Contractual clauses – kept distinct from other contractual matters – should then specify the purposes for which the user's personal data will be processed, and the user should explicitly agree to them. The explicit consent mentioned in PSD2 should therefore be seen as an additional requirement, separate from the requirements following from GDPR: explicit consent under PSD2 is a contractual consent, not a data processing consent.


The EDPB's guidance is the first assessment of some of the issues resulting from the interplay between PSD2 and GDPR. While the guidance is not exhaustive, and some issues certainly remain, it does provide a welcome clarification that the notion of explicit consent under PSD2 must be seen as separate and different from the notion of (explicit) consent under GDPR. Moreover, it allows the processing of personal data to be based on GDPR's lawful ground of contractual necessity, rather than imposing the lawful ground of consent. This makes consent under PSD2 more of a transparency requirement (which data are processed and why), rather than subjecting it to the stricter requirements of consent under GDPR.

This editorial was first published in the Web Fraud Prevention, Identity Verification & Authentication Guide 2018-2019. The Guide covers some of the security challenges encountered in the ecommerce, banking, and financial services ecosystems. Moreover, it provides payment, fraud, and risk management professionals with a series of insightful perspectives on key aspects, such as fraud management, identity verification, online authentication, and regulation.

About Niels Vandezande

Niels Vandezande is a legal consultant at Timelex. He previously worked as postdoctoral researcher at the KU Leuven Centre for IT & IP Law. Niels specialises in fintech, more particularly in virtual currencies, electronic money, payment services, and blockchain.



About Timelex

Timelex is a law firm specialised in fintech, information, and technology law in the broadest sense, including privacy protection, data, and information management, e-business, intellectual property, online media, and telecommunications.

Keywords: Niels Vandezande, Timelex, PSD2, PSP, AISP, PISP, GDPR, payment accounts, payment transactions, regulations, compliance conundrum, EDPB
Countries: World