The ESBG, together with eight other associations representing the EU payment sector, has written to the European Data Protection Board, the European Commission and the European Banking Authority about the EDPB Guidelines 06/2020 on the interplay between the reviewed Payment Services Directive (PSD2) and the General Data Protection Regulation (GDPR).

The letter highlights that while the payments sector remains fully committed to ensuring the protection of EU citizens’ data, including within the framework of PSD2, there are concerns that the enforcement of the Guidelines will lead to an outcome that is not in line with PSD2 objectives. In the end, this would hinder innovation and competition in payments.

Although the final Guidelines help in clarifying certain aspects of the interplay, our letter emphasises and reiterates common concerns:

  • Provisions on data minimization create uncertainties and are potentially in conflict with PSD2;
  • There is a lack of coherence with the Regulatory Technical Standards on Strong Customer Authentication and Common and Secure Communication (RTS on SCA & CSC);
  • Financial transaction data should not be considered as a special category of personal data (SCPD). As such, if financial transaction data is not processed in order to infer SCPD, Article 9(1) GDPR should not apply;
  • There are resulting concerns that national Data Protection Authorities could start taking a differentiated approach to the interpretation of the provisions, resulting in fragmentation across the EU and adding to a growing trend when it comes to GDPR implementation.

Overall, the EU payments industry welcomes further discussion between all relevant institutions and stakeholders in the GDPR-PSD2 ecosystem to address these challenges and to provide legal certainty for all actors to enable them to meet their obligations and continue to provide top-tier services for their customers.
