17 Sep 2020

DIGITALEUROPE response to the European Data Protection Board’s consultation on the Guidelines 6/2020 on the interplay of the PSD2 and the GDPR

Executive summary

DIGITALEUROPE welcomes the European Data Protection Board (EDPB) draft guidelines on the Interplay of the Second Payment Services Directive (PSD2) and the GDPR and the opportunity to respond to this consultation.

The PSD2 encourages the creation of innovative and competitive services, such as open banking, that enable broader access to payment services and boost financial inclusion. We fully endorse the EDPB’s emphasis on accountability and the need to embed privacy safeguards into the design of all payment services, products and technologies. At the same time, we also encourage a more pragmatic approach to interpreting the PSD2 to ensure its aims and potential are fully exploited.

In particular, we encourage the EDPB to:

  • Revisit its approach to further data processing in the context of open Banking and clarify that legitimate interest is not excluded by default as a legal basis as long as necessary legal requirements are met. A restrictive interpretation of the notion of legitimate interest will exclude processing operations that are legitimately expected by the consumers, such as fraud detection and prevention as well as product development and improvement. It will ultimately undermine innovation in payment services.
  • Provide a more nuanced approach to the processing of silent party data. The guidelines should allow data controllers to make their own independent assessment of the relevant legal basis, as well as consideration to balance data subjects’ fundamental rights and freedoms with their own or third parties’ interest. It is the responsibility of data controllers to define if and what appropriate risk mitigation measures are needed.
  • Clarify in the guidelines that it is the responsibility of each data controller to undertake its own assessment and determine the scope of data minimisation in relation to the intended purposes and the risks involved. This is without prejudice to our support to the EDPB’s emphasis on privacy-enhancing measures necessary to ensure data processing complies with legal requirements.
Click here to read the full policy paper

DIGITALEUROPE response to the European Data Protection Board’s consultation on the Guidelines 6/2020 on the interplay of the PSD2 and the GDPR

Back to Data privacy
View the complete Policy Paper
PDF
Our resources on Data privacy
Policy Paper 27 Oct 2020
Response to EDPB consultation on draft Guidelines on the concepts of controller and processor
Policy Paper 18 Sep 2020
DIGITALEUROPE comments to the Proposed Revision of Commercial Cryptography Administrative Regulation
Policy Paper 31 Aug 2020
An early analysis of Schrems II – key questions and possible ways forward
Hit enter to search or ESC to close
This website uses cookies
We use cookies and similar techonologies to adjust your preferences, analyze traffic and measure the effectiveness of campaigns. You consent to the use of our cookies by continuing to browse this website.
Decline
Accept