As soon as a consumer gives permission to share payment details with a third party, the bank is obliged to share those details. In PSD2 this is laid down in Article 67.
Article 67 is titled 'Rules on access to and use of payment account information in the case of account information services'. Paragraph 1 of that Article reads:
- Member States shall ensure that a payment service user has the right to make use of services enabling access to account information as referred to in point (8) of Annex I. That right shall not apply where the payment account is not accessible online.
This says that the account holder has the right to use account information services. To make that possible, a bank may not prevent the account holder from using those services and will have to share the transaction data for that purpose.
This right only concerns information that is accessible online. The information you can see and download in your online banking environment is what will be shared with the account information service provider. An example: ABN AMRO gives online access to 18 months of transactions, after which you can download the transactions as a PDF. Only those 18 months of transactions will then be used for the services.
2. The account information service provider shall:
(a) provide services only where based on the payment service user's explicit consent;
The term 'explicit consent' is used here; the same term appears in Article 94(2).
(b) ensure that the personalised security credentials of the payment service user are not, with the exception of the user and the issuer of the personalised security credentials, accessible to other parties, and that when they are transmitted by the account information service provider, this is done through safe and efficient channels;
(c) for each communication session, identify itself towards the account servicing payment service provider(s) of the payment service user and communicate securely with the account servicing payment service provider(s) and the payment service user, in accordance with Article 98(1)(d);
(d) access only the information from designated payment accounts and the associated payment transactions;
(e) not request sensitive payment data linked to the payment accounts;
Sensitive payment data are something other than the 'special categories of personal data' of Article 9 of the GDPR (AVG). The terms are easily confused. The definition in Article 4(32) PSD2 reads: 'data, including personalised security credentials, which can be used to carry out fraud. For the activities of payment initiation service providers and account information service providers, the name of the account owner and the account number do not constitute sensitive payment data'.
Note that there are risks here.
(f) not use, access or store any data for purposes other than for performing the account information service explicitly requested by the payment service user, in accordance with data protection rules. (Article 67(2)(f) PSD2)
This point states that the account information service provider is bound strictly to purpose limitation: only the 'account information service explicitly requested by the payment service user'. This seems a strong safeguard, since it limits what the PSD2 service provider may do with the data (purpose limitation). Nevertheless, risks arise here:
- How much personal data is processed depends in part on the service offered, and that is determined by the provider. A provider can describe its services broadly in its terms and conditions, including options for additional services.
- The GDPR permits further processing of personal data (Article 5(1)(b) GDPR), though not without restrictions: further processing may not be incompatible with the original purposes, and where that boundary lies is often hard to determine. A provider that wants to process the data further will need a legal basis for it, such as consent or an additional contract. The result may be that the protection of PSD2 falls away and only that of the GDPR remains.
3. In relation to payment accounts, the account servicing payment service provider shall:
(a) communicate securely with account information service providers in accordance with Article 98(1)(d); and
(b) treat data requests transmitted through the services of an account information service provider without any discrimination, other than for objective reasons.
In so many words, this says that the bank (the account servicing payment service provider) must not treat data requests coming through an account information service provider differently from requests made through its own services. Compare this with net neutrality: banks are not allowed to filter the data at their own discretion.
4. The provision of account information services shall not be made dependent on the existence of a contractual relationship between the account information service providers and the account servicing payment service providers for that purpose.