Background

The Don't-PSD2-me registry

Under the PSD2 legislation, consumers cannot filter or restrict data, even if they want to, or if a service provider indicates in advance that it does not need all the data. And even if you do not give permission to share, your data can 'leak out' if another person does give permission. With the Don't-PSD2-me register, payment details of organisations and consumers can be filtered out of the data.

Why is the Don't-PSD2-me registry needed?

The Don't-PSD2-me registry is an opt-out register for payment details. It is not the first opt-out register for public space. The Don't-PSD2-me register provides a tool for PSD2 service providers to filter the payment data they receive. You can compare it with the don't-call-me registry, where you can register your phone number so that companies are no longer allowed to contact you by phone with unsolicited marketing. It offers extra protection because you are in control of the amount of data that is shared. The Don't-PSD2-me register should offer more certainty.

Account numbers with which payments are made to or from persons are personal data. The Don't-PSD2-me register gives providers a tool to comply with legal requirements and gives consumers better privacy protection. We focus on two types of account

Conceptual model

With the conceptual model we give a schematic representation of the Don't-PSD2-me register. The figure below shows the model. In short, the Don't-PSD2-me register is a list of account numbers against which it must be possible to filter. These elements are elaborated below.

1. Core of the register

The Don't-PSD2-me register is an opt-out register designed to ensure that banking data is not undesirably disclosed to and processed by third parties. Banks do not offer the possibility to share only part of the data, or to make sharing entirely impossible. The question is whether this is justified.

The account number plays a central role in the register. This is the unique number with which transactions to or from a party can be found. In order to be able to filter, account numbers are needed.

The first draft of the register is based on account numbers of Special Account Holders. These are account numbers of parties for which special categories of personal data may be derived from the transaction. Who these parties are can be deduced from data known to the Dutch Chamber of Commerce (KVK) and Statistics Netherlands (CBS). A survey of the KVK trade register yielded 2400 legal persons whose account numbers should be included in the register. Account numbers from the care sector and the CJIB are still to be added.

2. Access

The core of a filter is that certain transactions should be treated differently from others. Instead of treating the dataset as a whole, privacy by design strategies can be applied, for example. To make this possible, the information must be made accessible. Roughly speaking, three options are possible.

  1. The list of account numbers is published, for example as a CSV file or plain text, and can be downloaded by anyone. This list can be used by PSD2 service providers as a reference list for their own systems.
  2. The list of account numbers is contained in a shell with some intelligence. The list is technically set up in such a way that an automatic link with the systems of the PSD2 providers is possible. It is possible to take over the list as a 'mirror' in one's own organisation, where the lists are synchronised.
  3. The list is included in a solution that can apply filtering independently. This allows the filtering to be used in different places, such as internal providers, or immediately after the data has left a bank and thus before it arrives at a third provider.
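
The first option, sketched as an added example (not code from the Don't-PSD2-me project): a PSD2 service provider loads the published CSV list as a reference list and withholds transactions whose counterparty is on it. The column name `iban`, the field `counterparty_iban` and all sample values are assumptions constructed for illustration.

```python
import csv
import io

# Constructed sample of a published register (access option 1). The "iban"
# column name is an assumption; the values are test IBANs, not register entries.
REGISTER_CSV = """iban
NL91 ABNA 0417 1643 00
nl44rabo0123456789
NL91ABNA0417164301
"""

def normalize_iban(raw):
    """Uppercase and drop separators so formatting differences cannot bypass the filter."""
    return "".join(ch for ch in raw.upper() if ch.isalnum())

def iban_is_valid(iban):
    """ISO 13616 mod-97 check, so a typo in the list never matches a wrong account."""
    if not (15 <= len(iban) <= 34 and iban.isascii() and iban.isalnum()):
        return False
    moved = iban[4:] + iban[:4]  # country code and check digits go to the end
    return int("".join(str(int(ch, 36)) for ch in moved)) % 97 == 1

def load_register(csv_text):
    """Return (set of valid normalized IBANs, list of rejected normalized entries)."""
    valid, rejected = set(), []
    for row in csv.DictReader(io.StringIO(csv_text)):
        iban = normalize_iban(row["iban"])
        (valid.add if iban_is_valid(iban) else rejected.append)(iban)
    return valid, rejected

def filter_transactions(transactions, register):
    """Split transactions into those passed on and those withheld by the register."""
    passed, withheld = [], []
    for tx in transactions:
        on_list = normalize_iban(tx["counterparty_iban"]) in register
        (withheld if on_list else passed).append(tx)
    return passed, withheld

# Constructed transactions as a PSD2 service provider might receive them.
SAMPLE_TX = [
    {"counterparty_iban": "NL91ABNA0417164300", "amount": -45.00},
    {"counterparty_iban": "NL44 RABO 0123 4567 89", "amount": -12.50},
    {"counterparty_iban": "DE89370400440532013000", "amount": 100.00},
]

if __name__ == "__main__":
    register, rejected = load_register(REGISTER_CSV)
    print(filter_transactions(SAMPLE_TX, register), rejected)
```

Normalizing both the list and the incoming data matters here: a register entry written with spaces or in lower case would otherwise silently fail to match, and the transaction would be passed on.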

3. Indicate preferences

When the model is further elaborated, personal data management becomes possible. A person indicates what information he or she shares: for example, the interval of transactions, the type (e.g. acceptance giro only), incoming or outgoing transactions, and whether certain data must be filtered.


This article is constantly being expanded. Do you have suggestions or additions? Let us know via martijn@privacyfirst.nl.