September 15, 2019

September 13, 2019


Dutch Supervisory Authority releases guidance on the interaction between the GDPR and PSD2

On October 18, 2018, the Dutch Supervisory Authority for data protection adopted guidance on the second Payment Service Directive (“PSD2”). The PSD2 intends to open the financial services market to a wider range of innovative online services. To that effect, the PSD2 sets out rules for obtaining access to the financial information of bank customers. Among other things, it provides that in most cases service providers’ access to this personal data is subject to consent.

The Supervisory Authority points out that the required consent is an additional protection imposed by the PSD2. It is not a legal basis for the processing of personal data under the General Data Protection Regulation (“GDPR”). In fact, under the GDPR the processing should not be based on consent, but rather on an alternative legal basis – namely, the execution of an agreement. Interestingly, while the regulator acknowledges that PSD2 consent is not a GDPR consent, it applies the same standard to both. As a result, according to the authority, the consent must be obtained separately from the main agreement (for example, in the form of a pop-up consent request), and customers must be able to retract their consent at any time. Retracting consent would likely result in the end of the agreement, since a provider would be unable to process any new data thereafter.

© 2019 Covington & Burling LLP



About this Author

Kristof Van Quathem, Covington, data privacy attorney
Special Counsel

Kristof Van Quathem advises clients on data protection, data security and cybercrime matters in various sectors, and in particular in the pharmaceutical and information technology sectors. Mr. Van Quathem has been specializing in this area for over fifteen years and covers the entire spectrum, from advising clients on government affairs strategies concerning lawmaking, to compliance advice on the adopted laws, regulations and guidelines, and the representation of clients in non-contentious and contentious matters before data protection authorities.

32-2-549-5236