During its 34th plenary session, the EDPB adopted draft Guidelines on the interplay between the second Payment Services Directive (PSD2) and the GDPR. The press release says:
The EDPB adopted Guidelines on the second Payment Services Directive (PSD2). PSD2 modernises the legal framework for the payment services market. Importantly, PSD2 introduces a legal framework for new payment initiation services (PISP) and account information services (AISP). Users can request that these new payment service providers are granted access to their payment accounts. Following a stakeholders workshop in February 2019, the EDPB developed Guidelines on the application of the GDPR to these new payment services.
The Guidelines point out that in this context the processing of special categories of personal data is generally prohibited (in line with Article 9 (1) GDPR), except when explicit consent is given by the data subject (Article 9 (2) (a) GDPR) or processing is necessary for reasons of substantial public interest (Article 9 (2) (g) GDPR).
The Guidelines also address conditions under which Account Servicing Payment Service Providers (ASPSPs) grant access to payment account information to PISPs and AISPs, especially granular access to payment accounts.
The Guidelines clarify that neither Article 66 (3) (g) nor Article 67 (2) (f) of the PSD2 allow for any further processing, unless the data subject has given consent pursuant to Article 6 (1) (a) of the GDPR or the processing is laid down by Union law or Member State law. The Guidelines will be submitted for public consultation.