MEP Sophie in't Veld had asked the watchdog's predecessor about the issue, which could arise under the EU's second Payment Services Directive (PSD2).
Under PSD2, banks, building societies and other account holding institutions are obliged to enable third party 'account information service providers' (AISPs) and 'payment initiation service providers' (PISPs) to access the payment account data they hold on customers, at those customers' request, to allow the businesses to provide the customers with their services.
Sometimes, however, AISPs and PISPs could encounter the personal data of other people when seeking to deliver services to customers. The EDPB said this situation might arise where a customer has given their consent to the processing of their data to enable the transfer of funds to another person, classed as the 'silent party' in the transaction.
However, in't Veld had asked the EDPB to clarify whether data protection laws allow AISPs and PISPs to process data of silent parties so as to perform the services requested of them by customers where they have not obtained the consent of the silent parties to do so.
The EDPB said AISPs and PISPs may not require the consent of silent parties to process their data.
"A lawful basis for the processing of these silent party data by PISPs or [AISPs] – in the context of payment and account services under PSD2 – could be the legitimate interest of a controller or a third party ... to perform the contract with the service user," the EDPB said in its letter to the MEP. "This means that the legitimate interest of the controller is limited and determined by the reasonable expectations of data subjects."
However, the EDPB said that further processing of silent party data for any other purpose would not be permitted without consent.
In its letter, the EDPB also provided its views on the nature of the 'explicit consent' requirements stipulated under PSD2.
Article 94(2) of the Directive requires all payment service providers (PSPs), which includes PISPs and AISPs, to obtain "the explicit consent of the payment service user" in order to "access, process and retain personal data necessary for the provision of their payment services".
The General Data Protection Regulation (GDPR) also contains requirements for organisations seeking to process personal data to obtain the 'explicit consent' of data subjects before doing so in certain circumstances – notably where the data concerned qualifies as a special category of data.
The EDPB said, though, that the Article 94(2) provisions are to be read as a contractual obligation on PSPs above and beyond the legal requirements that might apply under the GDPR.
"Article 94(2) of PSD2 should be interpreted in the sense that when entering a contract with a payment service provider under PSD2, data subjects must be made fully aware of the purposes for which their personal data will be processed and have to explicitly agree to these clauses," it said. "Such clauses should be clearly distinguishable from the other matters dealt with in the contract and would need to be explicitly accepted by the data subject."
"The concept of explicit consent under Article 94(2) of PSD2 is therefore an additional requirement of a contractual nature and is therefore not the same as (explicit) consent under the GDPR," the watchdog said.
The EDPB also confirmed that data protection authorities across the EU have the power to "take appropriate action" against banks and other account servicing PSPs if "there be any doubt regarding the safety" of the interfaces they provide to PISPs and AISPs for accessing payment account data, with regard to the level of data security in place.