On 28 October 2020, the European Banking Federation (“EBF”) announced that it had sent, jointly with other industry associations representing payment service providers (“PSPs”), a letter on the first version of the EDPB Guidelines on PSD2 and GDPR interplay.
At a glance, this letter expresses the wish to ensure coherence not only between the GDPR and the PSD2, but also with the Regulatory Technical Standards on Strong Customer Authentication and Common and Secure Communication, in order to create more legal certainty for all parties involved.
The main aspects covered in this letter are the following:
- the final EDPB guidelines should clearly distinguish between the respective data protection responsibilities of the different types of existing PSPs, according to the roles described in the PSD2;
- the European PSPs disagree with the assumption that “financial transactions can reveal sensitive information about an individual data subject”;
- with regard to the silent party data, the final EDPB guidelines should clarify that it is not the responsibility of “all parties involved” to “establish the necessary safeguards for the processing in order to protect the rights of data subjects”, but that of the party that is concretely processing the data;
- with regard to data filtering and data minimization, applying them in order to prevent the processing of special categories of personal data would possibly lead to negative outcomes for consumers, as the legislation gives the consumer the right to access/view the same data through a TPP as when accessing it directly via an ASPSP. Additionally, mandating ASPSPs to implement such filters would not only be discriminatory, as it would only apply to those ASPSPs that have already heavily invested in implementing a dedicated interface, but would also undermine full implementation of PSD2, as it would discourage the adoption and further development of APIs, thus frustrating the objectives of PSD2.