The second payment services directive and the amended Finnish payments act strive to increase competition in the online payments market by opening access to payment account data and laying down ground rules for new payment services. How do the new access rules interplay with consumers’ right to data protection?
With new rules on open banking, consumers can request payment account information services from new types of service providers. The business model of account information services revolves around access to regulated payment account data: service providers may only access and use account data for the provision of their services if they have obtained the customer’s explicit consent to do so.
But the provision of account information services inevitably also involves processing of another kind of regulated data, namely, that of personal data. Consequently, account information service providers need to pay close attention to the requirements of data protection law when designing their services.
A design flaw in terms of the legal structure of the service will impact the contractual structure and liabilities of the company, and is likely to be awkward to rectify afterwards.
One of the most important questions account information service providers will have to define is the reason they need access to their customers’ payment account and personal data. Service providers must be able to describe the nature and scope of their services and define the purposes of personal data processing that their service entails.
Indeed, the purpose of personal data processing forms the cornerstone of data protection compliance and sets the boundaries for further data use. The purpose must be clear from a customer perspective but it must also reflect the needs and ambitions of the service provider. Establishing the right balance between the two requires a well-rounded review of the requirements of data protection law.
Defining the purpose of processing is closely related to the key data protection requirement of ensuring a valid and appropriate legal basis for each processing activity of the service. In this regard, a customer’s acceptance of terms of service and their explicit consent to grant access to payment account data should not be confused with a user’s consent to processing of personal data.
Although PSD2 requires service providers to obtain a customer’s explicit consent to provide them their service, consent is not necessarily the most appropriate legal basis for processing personal data. These two notions, easily mistaken one for another, have very different implications for the rights and expectations of customers.
Identifying the purpose and legal basis for personal data processing are just two key elements account information service providers must consider when navigating the new requirements of PSD2 and GDPR. KPMG’s data protection and finance lawyers advise our clients on all matters regarding the requirements of GDPR and PSD2. If you are developing a payment service or are considering investing in one, don’t hesitate to get in touch with us.
+358 20 760 3065
© 2020 KPMG Oy Ab, a Finnish limited liability company and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.
KPMG International Cooperative (“KPMG International”) is a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm.