{"id":714,"date":"2021-01-25T17:50:41","date_gmt":"2021-01-25T16:50:41","guid":{"rendered":"https:\/\/psd2meniet.nl\/?p=714"},"modified":"2021-01-25T22:13:23","modified_gmt":"2021-01-25T21:13:23","slug":"richtlijnen-psd2-gdpr-vastgesteld","status":"publish","type":"post","link":"https:\/\/psd2meniet.nl\/en\/richtlijnen-psd2-gdpr-vastgesteld\/","title":{"rendered":"Guidelines PSD2 &amp; GDPR adopted"},"content":{"rendered":"<p>Last December 15, the European Data Protection Board (EDPB) adopted the '<a rel=\"noreferrer noopener\" href=\"https:\/\/edpb.europa.eu\/sites\/edpb\/files\/files\/file1\/edpb_guidelines_202006_psd2_afterpublicconsultation_en.pdf\" target=\"_blank\">Guidelines 06\/2020 on the interplay of the Second Payment Services Directive and the GDPR<\/a>...to. We gave <a data-type=\"URL\" data-id=\"https:\/\/psd2meniet.nl\/onze-reactie-op-de-richtlijnen-over-psd2gdpr\/\" href=\"https:\/\/psd2meniet.nl\/en\/onze-reactie-op-de-richtlijnen-over-psd2gdpr\/\">our comments<\/a> during the consultation. In 20 pages and 40 comments, we made clear how the guidelines and PSD2 can be adapted to better protect the privacy of users. We found that the first version was already <a class=\"info-marker\" data-info=\"We even gave a compliment: We would like to compliment you on the comprehensive document that provides a lot of information on how account service providers should deal with their services under the PSD2. A number of concepts and principles are well elaborated so that under the PSD2 service providers cannot hide behind a poor interpretation of the PSD2.\">pretty good and concrete<span class=\"icon\"><\/span><\/a>, but saw plenty of room for improvement. The better the guidelines, the better data will be protected by providers of PSD2 services.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Have the guidelines improved?<\/h3>\n\n\n\n<p>After the first read, we wondered if they had been modified at all :-). 
Apart from some dots, commas and minor adjustments, the guidelines remain as they were proposed. Does the EDPB fail to make use of good comments from the field? We regularly saw good comments from other respondents that were worthy of inclusion. We did not see them again. And the few adjustments that we did see, we had not seen before. We just have to assume that it has been read and taken into account ...<\/p>\n\n\n\n<p>We see the fact that the guidelines have hardly been modified as good news. The paragraphs that we consider important are fairly concrete and give providers good guidance for applying better privacy by design. It would have been a pity if those paragraphs had been watered down by the barrage of lobbying.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Barely adjusted? That's good news...<\/h3>\n\n\n\n<p>The concrete elaboration in the guidelines is an important aid in the complex playing field. Both laws want to set frameworks and especially give space to companies to use financial and personal data. The GDPR is complex because of its 'open standards' and the PSD2 is a tricky law because AISP (account information services) and PISP (payment services) are intertwined. In addition, the PSD2 mainly points to the GDPR when it comes to privacy protection and easily distances itself from the discussion with the 'explicit consent' of Article 94(2) PSD2. In such a context, any clarification is an advantage.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">...but still a bit of a shame.<\/h3>\n\n\n\n<p>The guidelines are quite clear about transparency, special personal data and 'silent third party data'. They fall short on a number of points. Examples are:<\/p>\n\n\n\n<ul><li>exercising must be as fast as the other services provided. 
The statutory maximum period should only occur in exceptional cases;<\/li><li>the manner of providing information, in accordance with good practices, and that the information is machine-readable<\/li><li>work out how a provider should handle data if consent is withdrawn within the 90 days<\/li><li>work out in more detail the differences and similarities of &#8216;consent&#8217; between the GDPR and PSD2, a point of much confusion<\/li><li>stress the possibility of also excluding categories of personal data, including special ones<\/li><li>deal with the handling of criminal data: the PSD2 can circumvent the existing Black Lists (AP, are you reading this?)<\/li><li>be clear about what account information services are, and that they can quickly imply detailed profiling in addition to the digital housekeeping book<\/li><\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Conclusion<\/h3>\n\n\n\n<p>Although the EDPB misses an opportunity to produce even better guidelines, we should be pleased with what we have here. It certainly helps our PSD2 project along. The guidelines regularly leave no room for misunderstanding that measures must be taken to limit data processing. <\/p>\n\n\n\n<p>Unfortunately, even with the guidelines in hand, major risks remain for users of account information services. The saying 'once given, never given' still applies here. If you use a service and you engage other parties to do so, your profile is updated with the financial data within seconds. Reversing this will be difficult, if not impossible. All the more reason to keep on building the PSD2-me-not-filter.<\/p>","protected":false},"excerpt":{"rendered":"<p>Last December 15, the European Data Protection Board (EDPB) adopted the 'Guidelines 06\/2020 on the interplay of the Second Payment ... 
<\/p>\n<div><a href=\"https:\/\/psd2meniet.nl\/en\/richtlijnen-psd2-gdpr-vastgesteld\/\" class=\"more-link\">Read More<\/a><\/div>","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[],"featured_image_urls_v2":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","trp-custom-language-flag":"","post-thumbnail":"","entry":"","entry-cropped":"","entry-fullwidth":"","entry-cropped-fullwidth":""},"post_excerpt_stackable_v2":"<p>Last December 15, the European Data Protection Board (EDPB) adopted the &#8216;Guidelines 06\/2020 on the interplay of the Second Payment Services Directive and the GDPR&#8217;. We gave our comments during the consultation. In 20 pages and 40 comments, we made clear how the guidelines and PSD2 can be adapted to better protect the privacy of users. We found the first version already pretty good and concrete, but saw plenty of room for improvement. The better the guidelines, the better data will be protected by providers of PSD2 services. Have the guidelines improved? 
After the first read, we wondered&hellip;<\/p>\n","category_list_v2":"<a href=\"https:\/\/psd2meniet.nl\/en\/category\/nieuws\/\" rel=\"category tag\">nieuws<\/a>","author_info_v2":{"name":"Martijn van der Veen","url":"https:\/\/psd2meniet.nl\/en\/author\/martijn\/"},"comments_num_v2":"0 comments","_links":{"self":[{"href":"https:\/\/psd2meniet.nl\/en\/wp-json\/wp\/v2\/posts\/714"}],"collection":[{"href":"https:\/\/psd2meniet.nl\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/psd2meniet.nl\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/psd2meniet.nl\/en\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/psd2meniet.nl\/en\/wp-json\/wp\/v2\/comments?post=714"}],"version-history":[{"count":4,"href":"https:\/\/psd2meniet.nl\/en\/wp-json\/wp\/v2\/posts\/714\/revisions"}],"predecessor-version":[{"id":718,"href":"https:\/\/psd2meniet.nl\/en\/wp-json\/wp\/v2\/posts\/714\/revisions\/718"}],"wp:attachment":[{"href":"https:\/\/psd2meniet.nl\/en\/wp-json\/wp\/v2\/media?parent=714"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/psd2meniet.nl\/en\/wp-json\/wp\/v2\/categories?post=714"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/psd2meniet.nl\/en\/wp-json\/wp\/v2\/tags?post=714"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}