PSD2 and GDPR: An awkward match?

Similar documents
b. by a controller not established in EU, but in a place where Member State law applies by virtue of public international law.

EU General Data Protection Regulation (GDPR) A Point of View. For private circulation only. Risk Advisory

EU General Data Protection Regulation (GDPR) A Point of View for Technology Sector Organisations. For private circulation only.

EU GENERAL DATA PROTECTION REGULATION

EU General Data Protection Regulation (GDPR) Point of View for ERP and HRMS Operations. For private circulation only.

Agenda. What is the GDPR? Who does GDPR apply to? Implications of Non-Compliance The Road to GDPR Compliance

EU General Data Protection Regulation (GDPR)

How will the revision of the Posted Workers Directive impact your assignments?.

GDPR & SMART PIA. Wageningen University Feb 2017

The digital fund lifecycle

INTERNATIONAL WHAT GDPR MEANS FOR RECORDS MANAGEMENT

GDPR and Canadian organizations: Addressing key challenges GDPR and Canadian organizations: Addressing key challenges

Training Manual. DATA PROTECTION ACT 2018 (DPA18) Incorporating General Data Protection Regulations (GDPR) Data Protection Officer is Mike Bandurak

UK Research and Innovation (UKRI) Data Protection Policy

Data Protection and Privacy Statement

The EU General Data Protection Regulation (GDPR) A briefing for the digital advertising industry

GDPR journey: from ready to compliant GDPR survey results

Foundation trust membership and GDPR

GDPR: What Every MSP Needs to Know

Data Protection for Landlords. David Smith Anthony Gold Solicitors

GENERAL DATA PROTECTION REGULATION Guidance Notes

The Privacy Battlefield What does the GDPR Require?

GDPR: An Evolution, Not a Revolution

GDPR is coming soon. Are you ready. Steven Ringelberg.

Duty of Care: from must to accelerator?

The Deloitte CFO Transition TM Lab

The time is now The Deloitte General Data Protection Regulation Benchmarking Survey

Deloitte Legal Department Health Review Approach to Strategic Planning

Get ready. A Guide to the General Data Protection Regulation (GDPR) elavon.ie

PSD2 DATA FINTECH MARKETPLACE AISP CUSTOMER AWARENESS ALLIANCES MOBILE ECONOMY PISP API DIGITAL COMPLY REVENUE RTS SCORING BANKING STRATEGIC

Guidance and Example of a Privacy Notice Form

GDPR for whom it may concern

TimePlan Education Group Ltd ( the Company ) Data Protection. Date: April Version: 001. Contents

Sustainability reporting using the GRI Taxonomy

Data Protection Policy

EU General Data Protection Regulation: are you ready?

Employment law services in Kazakhstan

Introduction. Key points of the recent ODPC guidance, and the Article 29 working group guidance

Sustainability Reporting using the GRI Taxonomy Paul Hulst, Deloitte

The General Data Protection Regulation (GDPR): Getting in good shape for the deadline Copenhagen, 19 September 2017 Janus Friis Bindslev Partner,

Data Protection Policy. Data protection. Date: 28/4/2018. Version: 1. Contents

Barry Robinson. Forensic Accountant, Deloitte

PRIVACY CHALLENGES IN GLOBAL HR MANAGEMENT

EARLS HALL BAPTIST CHURCH DATA PROTECTION POLICY

SAFFRON WALDEN COMMUNITY CHURCH DATA PROTECTION POLICY. Adopted: [ ]

EMEA TMC client conference Tax Operating Model defining your tax resourcing, governance and technology approach. The Crystal, London 9-10 June 2015

PRIVACY NOTICE for Welsh St Donat s Community Council, May 2018

Brasenose College Data Protection Policy Statement v1.2

Anti Money Laundering (AML) Advisory Services Effective solutions for complex issues Deloitte Malta, 2017

Data Protection Policy

Deloitte Consolidation & Close Transform your financial consolidation and close.

Stanford University Offline Privacy Notice

Scottish Charity Number SC Dingwall Baptist Church DATA PROTECTION POLICY

How to build construction management processes

Baptist Union of Scotland DATA PROTECTION POLICY

EU Directive: disclosure of non-financial information and diversity information

The General Data Protection Regulation (GDPR)

1 Privacy by Design: The Impact of the new European Regulation on Data protection. Introduction

Dutch Banking Supervision on Conduct and Culture Deloitte Dublin 26 June 2018

Preparing for the GDPR

Breaking the myth How your marketing activities can benefit from the GDPR December 2017

General Data Protection Regulation - Explained

Section a What this Policy is for Policy Statement. 2. Why this policy is important... 3

RSD Technology Limited - Data protection policy: RSD Technology Limited ( the Company )

Preparing for the GDPR Orla O Hannaidh - Womble Bond Dickinson

EUROPEAN UNION PRIVACY NOTICE

Due for a transformation Accounts payable optimization with machine learning

FSI Governance Board effectiveness Insights & (emerging) best practices. EcoDa 25 October 2017

Compliance digitalization The impact on the Compliance function. Deloitte Risk Services April 2016

GDPR factsheet Key provisions and steps for compliance

EU General Data Protection Regulation in the digital age: Are you ready?

Grants & Incentives news Deloitte Czech Republic. May 2017

The General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR)

Audit committee performance evaluation

DATA PROTECTION POLICY 2018

The 2018 Deloitte Millennial Survey The Nordics May 2018

LAST UPDATED June 11, 2018 DATA PROTECTION POLICY. International Foundation for Electoral Systems

EU General Data Protection Regulation ( GDPR ) FAQs External Version - 16 March 2018

LEICESTER HIGH SCHOOL DATA PROTECTION POLICY

NEW LIFE BAPTIST CHURCH NORTHALLERTON DATA PROTECTION POLICY. Adopted: 20 June 2018 To be reviewed: June 2021

General Data Privacy Regulation: It s Coming Are You Ready?

WSGR Getting Ready for the GDPR Series

Legal news Deloitte Czech Republic. February 2018

Data Privacy, Protection and Compliance From the U.S. to Europe and Beyond

Global Trade Radar How to leverage what tax authorities and forward-looking companies are doing in customs and global trade. Global Trade Radar

Broad Run Investment Management, LLC

Skillbase People Development Ltd Data Protection Policy In compliance with the General Data Protection Regulations (EU) 2016/679 (GDPR))

General Data Protection Regulation

THE EU GENERAL DATA PROTECTION REGULATION AND INTERNATIONAL AIRLINES SPECIAL UPDATE

Discussion Paper on innovative uses of consumer data by financial institutions

P Drive_GDPR_Data Protection Policy_May18_V1. Skills Direct Ltd ( the Company ) Data protection. Date: 21 st May Version: Version 1.

Getting ready for the new data protection laws A guide for small businesses, charities and voluntary organisations

Corporate Governance Board Effectiveness Reviews

You can contact us directly at Dechert LLP, 160 Queen Victoria Street, London, EC4V 4QQ, United Kingdom or by ing

EU General Data Protection Regulation (GDPR)

The 2018 Deloitte Millennial Survey Chile May 2018

When you visit and use our website, we may collect your personal data for the following purposes:

GDPR Factsheet - Key Provisions and steps for Compliance

Transcription:

PSD2 and GDPR: An awkward match?

PSD2 and GDPR: An awkward match? In the intersection of both rules, from a Dutch perspective If your company processes personal data of European citizens and you are also (planning to) provide payment services in Europe, you have to comply with both the General Data Protection Regulation ( GDPR ) as well as the new Payment Service Directive 2 ( PSD2 ). These sets of rules are not be taken lightly, as the cost of noncompliance can lead to staggering fines such as 20 million or 4% of the worldwide turnover and in many cases also reputational damage. As the dates of effect are rapidly approaching (GDPR on May 25 2018 and PSD2 in Q2 2018), companies facing both sets of rules will need to decide on their PSD2 and GDPR strategy rather sooner than later. Unfortunately, as is often the case with various complex EU rules and regulations, obscurities and possible conflicts seem to exist between the (implementation of) PSD2 and the GDPR. In the Netherlands, the Dutch Data Protection Authority ( DPA ) has recognized these discrepancies and expressed their concern in two recommendation letters on the Draft PSD2 Implementation Act ( Implementation Act ) and, most recently, the Draft PSD2 Implementation Decree ( Implementation Decree ). In this article we would like to inform you on these concerns and provide you with practical guidance. But first, a general introduction on both regulations. PSD2 PSD2 is the successor of the first Payment Service Directive, further regulating the payment services environment. The most exciting change this second version will bring is the requirement for financial service providers to open up access to customer accounts (with permission of the customer), allowing Third-Party Providers ( TPP ) to access those. At the same time PSD2 will also introduce stricter technical controls. Consumers will benefit from safer and more innovative electronic payment services, whilst new (non-financial) market players are welcomed into the world of financial data and financial institutions are given incentive to innovate. In the Netherlands, administrative fines can be imposed by De Nederlandsche Bank ( DNB ). Since PSD2 is a directive, transposition into national law is required. In the Netherlands PSD2 is expected to be transposed into Dutch law in Q2 2018 (see previous blog post) through the Implementation Act. The Implementation Act is currently under review at the House of Representatives. The consultation on the Implementation Decree, which contains detailing on the topic of consent, has been recently closed. The Dutch Ministry of Finance is currently processing the received feedback (including of the DPA) and the final version is expected to be published soon. GDPR In essence, the GDPR is nothing new under the sun. It contains the same basic data protection principles that we have known from the Data Protection Directive of 1995. For example purpose limitation, data minimization, transparency and data subject rights are all concepts that are addressed in the current European data protection framework. However, the GDPR goes further and introduces more and stricter obligations for controllers and processors. Also, as a regulation, the GDPR aims to harmonize the various data protection laws across the EU, as no transposition into national law is required. This in contrast to directives such as PSD2 and the old Data Protection Directive. Yet what really puts this topic on the regulatory radar for many companies is the new fining power of data protection authorities. Companies who do not comply can face fines up to EUR 20.000.000 or 4% of the annual turnover of their group entity. The scope of the GDPR is, concisely stated, limited to the processing of personal data by EU based companies or, where no EU presence exists, the processing regards personal data of European citizens 1. Both processing as well as personal data are tremendously stretched umbrella terms: almost any information that can be linked to an individual is considered personal data, and practically everything you can do with personal data is considered processing. 1 Please see article 2 and 3 GDPR for the full material respective territorial scope of the GDPR. 1

The overlap of GDPR and PSD2 As TPP s will want to use (process) personal financial data of European customers for their products and services, they will be required to take the GDPR rules into account. Banks who provide these financial data are also obligated to do so in accordance with the GDPR, as sharing personal data is also a form of processing. The discrepancies: the Dutch DPA advises The intersection of PSD2 with data protection has been recognized by the EU legislature: both the preamble, a few considerations as well as the legislative text of PSD2 contain references to data protection (including one article fully dedicated to data protection). However, these references are very limited and still leave room for obscurity. The DPA acknowledges this in their recommendation on the Implementation Act and most recently in the Implementation Decree. In both recommendations the DPA concludes, in essence, that the GDPR has not been taken in consideration adequately in the course of the Dutch implementation of PSD2. DPA s Recommendation on the Implementation Act Hierarchy of rules and relevant authority The recommendation on the Implementation Act, mainly contained critique on the unclear hierarchy of rules and unclear apportionment of authority (should DNB or the DPA monitor compliance with de data protection rules of PSD2 and the affiliated laws?). In the revised Explanatory Memorandum (published last October) the legislature has taken these points into considerations but has decided that the exact discussion on applicability of rules and relevant authority should be (and is being) discussed on a European level. Therefore the DPA s request to clarify this in (the Explanatory Memorandum of) the Implementation Act is not met. However, with regard to the specific article in PSD2 on data protection, the Dutch legislature is completely clear: this article is considered a lex specialis to the general GDPR. This means this specific provision prevails the GDPR with regard to processing personal data for the purpose of payment services. The legislature therefore acknowledges DNB as the only relevant authority to supervise compliance with this article. Yet, it is to be noted that even in this case, the GDPR and DPA will play a role, as the other GDPR obligations will also have to be met (since data processing is concerned). Data protection (as prescribed by the GDPR) should therefore be fully considered in the design and implementation of all PSD2 related services. In that regard we recommend to presume that both authorities will be equally entitled to take enforcement measures in case of non-compliance of overlapping rules. We expect that this matter will either be clarified on a European level (as mentioned by the Dutch legislature), or the DPA might (informally) push for more clarification on this matter in the national parliamentary process. We are monitoring this closely. DPA s Recommendation on the Implementation Decree The Implementation Decree contains rules on the implementation of the specific data protection article of PSD2 (which includes the topic of consent). The DPA s recommendation on the Decree, published last January, shares the central theme of critique of inconsistency on the hierarchy of rules and authority as in the recommendation on the Implementation Act. In addition, the recommendation also contains specific commentary on the lack of clarity with regard to (1) the definition of sensitive payment data and (2) consent. 2

1. Sensitive payment data PSD2 indicates that sensitive payment data ought not to be stored by the Payment Service Provider ( PSP which includes TPP s). The definition of sensitive payment data in PSD2 however is rather inconsistent with the definition of sensitive personal data (or special categories of data) mentioned in the GDPR. Where PSD2 defines this as data, including personalized security credentials which can be used to carry out fraud, the GDPR refers to personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation. Regrettably, the Implementation Decree has adopted the same inconsistency. The DPA notes that this is a topic of concern and should be clarified. In this regard it is recommended to at least map out and categorize precisely what kind of data will be processed and whether this falls within the definition of sensitive data under PSD2 and/or the GDPR. Most probably a DPIA will be required, which will help in this mapping exercise. 2. Consent PSD2 states that a PSP may only access, process and retain the personal data necessary for the provision of their payment services with the explicit consent of the payment service user. This is on the whole in line with the GDPR, including the similar right of Data Portability. In addition, the GDPR contains more extensive rules on the use of explicit consent as a processing ground. For example, the consent of data subjects (customers) has to be freely given, specific and informed, the controller (PSP or TPP) has to demonstrate that this consent has been provided and the data subject has to be able to easily withdraw the consent at any time. These additional, general, rules of the GDPR supplement the specific PSD2 rules on consent. The DPA emphasizes this additional effect of the GDPR on PSD2, but explicitly states that when a TPP asks for consent to perform a service that entails more or something different than the Account Information Service, PSD2 is (or the affiliated laws are) not applicable. The processing based on this separate consent will therefore fall completely within the scope of the GDPR. The DPA recommends to specify this more clearly in the Implementation Decree. It is advised to identify (and document) the purposes for which the data will be used from the start of the design of the consent for an Account Information Service. This will help with determining whether (a separate) consent is necessary and which exact rules (PSD2 and/or GDPR) should be taken into account. Determining the purpose before processing personal data is also a strict GDPR requirement so this will be necessary in any event. Another topic of discussion is whether the consent given also covers the processing of personal data of third parties, for example the recipients of the transactions with the customer. In that regard it is noteworthy that the DPA is of the opinion that the provided consent by the customer is only pertained to the personal data of the customer that gave consent. This means that personal data of third parties, such as the personal data of the beneficiary of the transaction, cannot be processed on the basis of this consent. The DPA does not state if another lawful processing ground can be applicable for this type of processing and under which conditions. We expect that controllers (banks and TTP s) will try to base the processing of third party data on the processing ground legitimate interest. As applicability of this processing ground depends on a balancing act between the legitimate interest of the controller and the (privacy) right of the data subject, the outcome is situation-dependent. If, for example, a service drifts away from the purpose of solely providing the service to the client, it is less likely that the legitimate interest can be used as a lawful processing ground. It is highly recommended to timely perform an assessment on whether, and under which conditions, the visualized processing (including the processing of third party data) is lawful under the GDPR. 3

Conclusion and strategic guidance In the course of Dutch Implementation of PSD2, the details surrounding the overlapping PSD2 and GDPR topics are not crystallized yet. We expect the legislature to give clarity on these issues in the near future. In the meantime, if your company falls within the scope of both PSD2 and GDPR, there are a few strategic approaches to consider to tackle the overlapping, uncertain parts of PSD2/GDPR: 1. Wait and see : The first option is to wait for more guidance from the European and Dutch legislature on the discrepancies. 2 This might be most feasible for small banks with other regulatory obligations on their mind. However, do not wait too long, as this might require some serious IT changes. 2. Get prepared : There is also the proof of concept method, where you act preparatory until more clarification is given or the implementation date is reached. This approach can include testing out the infrastructure, preparing the systems/applications and outlining and drafting procedures. Such a method will (initially) take up more resources than the idle approach, but will leave less room for surprises once both GDPR and PSD2 are enforceable. For most Banks and TPP s this approach is most advisable. 3. Go live : Pro-active companies with a higher risk appetite and more direct resources can choose to fully implement both PSD2 and GDPR (based on the available knowledge and the most probable outcome) and go live as soon as possible. As still some major obscurities exist, this option is most feasible for TPP s who aim to use PSD2 commercially for new services and products. Whichever approach you choose, Deloitte can provide guidance in your PSD2/GDPR journey. Feel free to contact us via the contact details provided below. Contact us Anastasiya Milshina Email: amilshina@deloitte.nl Marloes Dankert Email: mdankert@deloitte.nl Peter Kits Email: pkits@deloitte.nl Maria van Duijvenbode Email: mvanduijvenbode@deloitte.nl 2 While already preparing for implementation of the certain parts of the PSD2/GDPR. It is not advised to use this approach with regard to all aspects of GDPR/PSD2 implementation. 4

Deloitte Legal means the legal practices of Deloitte Touche Tohmatsu Limited member firms or their affiliates that provide legal services. For regulatory, legal, and other reasons, not all member firms provide legal services. Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee ( DTTL ), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as Deloitte Global ) does not provide services to clients. Please see www.deloitte.com/about to learn more about our global network of member firms. Deloitte provides audit & assurance, consulting, financial advisory, risk advisory, tax and related services to public and private clients spanning multiple industries. Deloitte serves four out of five Fortune Global 500 companies through a globally connected network of member firms in more than 150 countries and territories bringing world-class capabilities, insights, and high-quality service to address clients most complex business challenges. To learn more about how Deloitte s approximately 245,000 professionals make an impact that matters, please connect with us on Facebook, LinkedIn, or Twitter. This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the Deloitte Network ) is, by means of this communication, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser. No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person who relies on this communication. 2018. For information, contact Deloitte Touche Tohmatsu Limited.

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback