We use cookies to collect and analyse information on site performance and usage to improve and customise your experience, where applicable. View our Cookies Policy. Click Accept and continue to use our website or Manage to review and update your preferences.

Payment directive and GDPR interplay sparks concern

21 Dec 2020 / data law Print

Payment directive and GDPR interplay worries

Lawyers at McCann FitzGerald have said the e-commerce landscape, which has already changed significantly during 2020, will shift again on 1 January 2021.

On this date, new requirements for strong customer authentication under the second Payment Services Directive (PSD2) come into effect.

These measures will require banks to request additional information from customers — such as a one-time pass code or a fingerprint — to authorise a payment.

'Seemingly contradictory'

In an analysis, McCann FitzGerald’s lawyers say a consistent issue in the application of PSD2 has been its interplay with the General Data Protection Regulation (GDPR), which ensures that entities holding personal data keep that personal data secure.

PSD2, on the other hand, requires financial institutions that maintain payment accounts to open up their infrastructure and give access to data to third-party providers.

McCann FitzGerald says these “seemingly contradictory” legislative objectives have been causing compliance concerns among organisations.

The European Data Protection Board (EDPB) issued guidelines on this issue in July, which covered areas such as lawful grounds and further processing, explicit consent, special categories of data, and principles of data minimisation, security, transparency and profiling.


The lawyers note that the primary legal basis for the processing of personal data in a PSD2 context is Article 6(1)(b) of the GDPR, that the processing is necessary for the performance of a contract. The EDPB guidelines say data controllers must assess what level of processing of data is objectively necessary to perform the contract.

The guidelines also recommend that controllers categorise precisely what type of personal data will be processed under PSD2, as GDPR rules emphasise the need for specific protection for certain types of personal data.

“A Data Protection Impact Assessment will likely be required in accordance with Article 35 of the GDPR,” the McCann FitzGerald analysis says.

The lawyers say the EDPB received numerous submissions seeking clarification of some points, but it has not yet published an update version of the guidelines.

Gazette Desk
Gazette.ie is the daily legal news site of the Law Society of Ireland