Background

Don’t-PSD2-me-register

Under the PSD2 legislation, consumers cannot filter or limit data. Not even if they want to, or if a service provider indicates in advance that it does not need all the data. And even if you do not give permission to share, your data can still be 'leaked' if another person does give permission. The Don't-PSD2-me register makes it possible to filter the payment details of organisations and consumers from the data. We have developed an API for this.

Why is the Don't-PSD2-me register needed?

The Don't-PSD2-me register is an opt-out register for payment details. It is not the first opt-out register for public space. The Don't-PSD2-me register provides a tool for PSD2 service providers to filter the payment data they receive. You can compare it with the don't-call-me register, where you can register your phone number so that companies are no longer allowed to contact you by phone with unsolicited marketing. It offers extra protection because you are in control of the amount of data that is shared. The Don't-PSD2-me register should offer more certainty.

Account numbers with which payments are made to or from persons are personal data. The Don't-PSD2-me register provides a tool for providers to comply with legal requirements and consumers get better privacy protection. We focus on two types of account

Conceptual model: how the filter works

With the conceptual model we give a schematic representation of the Don't-PSD2-me register. The figure below shows the model. In short, the Don't-PSD2-me register is a list of account numbers that can be used for filtering. These elements are elaborated below.

(a) Core of the register

The Don't-PSD2-me register is an opt-out register designed to ensure that banking data is not undesirably disclosed to and processed by third parties. Banks do not offer the possibility to share only part of the data, or to make sharing entirely impossible. The question is whether this is justified.

The account number plays a central role in the register. This is the unique number with which transactions to or from a party can be found. In order to be able to filter, account numbers are needed.

The first draft of the register is based on account numbers of Special Account Holders. These are account numbers of parties for which special categories of personal data may be derived from the transaction. Who these parties are can be deduced from data that are known to the Dutch Chamber of Commerce (KVK) and Statistics Netherlands (CBS). A survey of the trade register of the KVK yielded 2400 legal persons whose account numbers should be included in the register. Account numbers from the care sector and the CJIB are still to be added.

(b) Access

The core of a filter is that certain transactions should be treated differently from others. Instead of treating the dataset as a whole, privacy by design strategies can be applied, for example. To make this possible, the information must be made accessible. Roughly speaking, three options are possible.

  1. The list of account numbers is published, for example as a CSV file or plain text, and can be downloaded by anyone. This list can be used by PSD2 service providers as a reference list for their own systems.
  2. The list of account numbers is contained in a shell with some intelligence. The list is technically set up in such a way that an automatic link with the systems of the PSD2 providers is possible. It is possible to take over the list as a 'mirror' in one's own organisation, where the lists are synchronised.
  3. The list is included in a solution that can apply filtering independently. This allows the filtering to be used in different places, such as internal providers, or immediately after the data has left a bank and thus before it arrives at a third provider.
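The first two options come down to matching both sides of each payment against a local copy of the list. The sketch below is an added example, not Privacy First's API or code; the function names, the `debtor`/`creditor` field names and the sample IBANs are assumptions constructed for illustration. It goes slightly beyond the text by normalising IBANs and checking them with the standard mod-97 test, so that spacing, case or a corrupted mirror entry cannot let a transaction slip past the filter.

```python
import re

# Constructed register mirror; test IBANs, not entries from the real register.
REGISTER_TEXT = """NL91 ABNA 0417 1643 00
nl44rabo0123456789
NL91ABNA0417164301
"""
# Constructed transactions as a PSD2 provider might receive them.
SAMPLE_TX = [
    {"debtor": "NL20INGB0001234567", "creditor": "nl91 abna 0417 1643 00", "amount": "25.00"},
    {"debtor": "NL20INGB0001234567", "creditor": "DE89370400440532013000", "amount": "12.50"},
    {"debtor": "NL44RABO0123456789", "creditor": "NL20INGB0001234567", "amount": "5.00"},
]

def normalize_iban(raw):
    """Drop spacing and case so formatting differences cannot bypass the filter."""
    return re.sub(r"[^A-Za-z0-9]", "", raw).upper()

def iban_is_valid(iban):
    """ISO 13616 mod-97 check on a normalized IBAN."""
    if not re.fullmatch(r"[A-Z]{2}[0-9]{2}[A-Z0-9]{11,30}", iban):
        return False
    rearranged = iban[4:] + iban[:4]
    return int("".join(str(int(ch, 36)) for ch in rearranged)) % 97 == 1

def load_register(text):
    """Return (lookup set, rejected entries) so a corrupted mirror is noticed."""
    entries, rejected = set(), []
    for line in text.splitlines():
        iban = normalize_iban(line)
        if not iban:
            continue
        if iban_is_valid(iban):
            entries.add(iban)
        else:
            rejected.append(iban)
    return entries, rejected

def filter_transactions(transactions, register):
    """Withhold every transaction to or from a registered account."""
    passed, withheld = [], 0
    for tx in transactions:
        parties = {normalize_iban(tx["debtor"]), normalize_iban(tx["creditor"])}
        if parties & register:
            withheld += 1
        else:
            passed.append(tx)
    return passed, withheld

if __name__ == "__main__":
    register, rejected = load_register(REGISTER_TEXT)
    print(filter_transactions(SAMPLE_TX, register), rejected)
```

A non-empty rejected list means the local mirror no longer covers every registered account and should be re-synchronised before filtering continues.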

(c) Indicate preferences

When the model is further elaborated, personal data management becomes possible. A person indicates what information he or she shares. For example: the interval of transactions, the type (e.g. acceptance giro only), incoming or outgoing transactions, and whether certain data must be filtered.

Filtering with the PSD2 Don't-Me Registry

Special personal data can be derived from payment data. We want this data to be filtered. This is why we have set up the PSD2 Don't-Me Register. This is an overview of account numbers for which transactions to or from the account reveal special personal data.

We have made a list of organisations whose transactions should undoubtedly be regarded as special personal data. The list can be downloaded here. You might notice that the list does not contain any account numbers. We do this to prevent abuse of the list. The list is securely accessible through our API.

We continue to look for account numbers. What account numbers are we looking for? For example, contribution accounts and account numbers for private donations to these categories of organisations:

  • political groups
  • trade unions
  • associations active in the field of sexual behaviour or sexual orientation
  • religious institutions

Do you know the account number of a relevant organisation? First check whether we already have the number on this list. Then send the IBAN and BIC in an e-mail, together with the name of the organisation, to martijn@privacyfirst.nl. The account number will then be included in the next version of the register.

List of account numbers

  • All account numbers come from publicly available files or websites.
  • The political parties have been taken over from the register on the site of the Electoral Council. The official name and any abbreviation are included. This register contains only registered parties; parties under formation or dissolved in the meantime are not listed. For an overview of these organisations, see the Wikipedia page about Political parties in the Netherlands.
  • The unions have been taken over from the Wikipedia page List of trade unions in the Netherlands on 30 March 2020 and may not be up to date.
  • The religious institutions were taken from a file obtained from the Chamber of Commerce Trade Register as part of this project and may not be complete.
  • The account numbers come from publicly accessible sources or have been provided by volunteers or supporters. Any questions? Please contact us via martijn@privacyfirst.nl.

PSD2 filter: API

For information about the PSD2-me-not-filter and the corresponding API, see this item.